Crypto-Ransomware : Your Worst IT Nightmare
Ransomware has become an escalating cyber pandemic and an existential threat for businesses of every size that are exposed to attack. Older families such as Reveton, CryptoWall, Locky, NotPetya and MongoLock have been in the wild for years and still cause damage. Modern crypto-ransomware such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti and Nefilim, along with newer strains that have yet to be named, not only encrypts online files but also deletes or encrypts any restore points and backups it can reach. Data replicated to an off-site disaster recovery location can be encrypted as well. In a poorly designed data protection solution this makes automated recovery hopeless and effectively sets the entire environment back to square one.
Recovering applications and data after a crypto-ransomware outage becomes a race against the clock as the targeted business fights to contain and remove the ransomware and resume business-critical operations. Because ransomware takes time to spread, attacks are often launched on weekends and holidays, when a successful intrusion is likely to go undetected for longer. This compounds the difficulty of quickly assembling and coordinating an experienced response team.
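The destruction of restore points and backups described above is one of the few ransomware behaviours that is visible in ordinary process-creation telemetry (Windows Security event 4688 or Sysmon event 1) before the encryption phase finishes. The following Python is an added example, not code from Progent or from the incident on this page: it runs a small set of detection rules over constructed sample events, flagging the commands commonly used to delete shadow copies, wipe the Windows Backup catalog and disable boot recovery, and ranks hosts by how many distinct techniques fired so an incident responder can decide which hosts to isolate first. Hostnames, user names and command lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of process-creation events flattened to
# "host|user|parent_image|command_line". These are not real logs
# from the incident described on this page.
SAMPLE_EVENTS = """\
MFG-FS01|CORP\\svc_backup|C:\\Windows\\System32\\services.exe|"C:\\Program Files\\BackupAgent\\BackupAgent.exe" --run
MFG-FS01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|vssadmin.exe delete shadows /all /quiet
MFG-FS01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|wmic.exe shadowcopy delete
MFG-DC01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|bcdedit /set {default} recoveryenabled no
MFG-DC01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|wbadmin delete catalog -quiet
MFG-WS17|CORP\\asmith|C:\\Windows\\explorer.exe|vssadmin.exe list shadows
MFG-DC01|CORP\\admin|C:\\Windows\\System32\\cmd.exe|net stop "SQLSERVERAGENT" /y
"""

# Rules for the recovery-inhibition commands (MITRE ATT&CK T1490).
# Each pattern tolerates an optional ".exe" suffix and arbitrary switches
# between the binary name and the dangerous verb, and is case-insensitive
# because attackers vary casing to dodge naive string matching.
RULES = [
    ("vss_delete",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows", re.I)),
    ("vss_resize",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    commandline: str


def detect(events_text: str) -> list[Finding]:
    """Return one Finding per event whose command line matches a rule.

    Only the first matching rule is reported per event; a benign
    'vssadmin list shadows' matches nothing and is ignored.
    """
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        host, user, _parent, cmd = line.split("|", 3)
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(host, user, name, cmd))
                break
    return findings


def hosts_with_recovery_inhibition(events_text: str, threshold: int = 2) -> list[str]:
    """Hosts on which at least `threshold` distinct techniques fired.

    A single shadow-copy deletion can be a legitimate admin action; several
    different recovery-inhibition commands from one host in a short window
    is the pattern an incident responder prioritises for isolation.
    """
    per_host: dict[str, set[str]] = {}
    for f in detect(events_text):
        per_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= threshold)


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host:10} {f.rule:26} {f.commandline}")
    print("isolate first:", hosts_with_recovery_inhibition(SAMPLE_EVENTS))
```

In a real deployment the same rules belong in the SIEM or EDR as alerts, and the correlation in `hosts_with_recovery_inhibition` should be time-windowed; the example folds the whole sample into one window for clarity. The point the page makes about backups still stands: detection buys time, but only backups the attacker cannot reach (offline, immutable or air-gapped) survive once these commands have run.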
Progent offers a range of solutions for protecting Boston enterprises from crypto-ransomware attacks. These include user education to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and the setup and configuration of next-generation security appliances that use machine learning to quickly identify and contain new threats. Progent also offers the assistance of seasoned crypto-ransomware recovery engineers with the track record and perseverance to rebuild a compromised system as urgently as possible.
Progent's Ransomware Restoration Services
Paying the ransom in cryptocurrency after an attack does not guarantee that the criminals will hand over the keys needed to decrypt all of your data. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their data after paying, which only added to their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far higher than the typical crypto-ransomware demand, which ZDNet estimated at around $13,000 for small organizations. The alternative is to piece the critical components of your IT environment back together. Without usable system backups, this requires a wide range of skill sets, first-rate project management, and the ability to work around the clock until the job is done.
For two decades, Progent has provided certified expert IT services to businesses across the United States and holds Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers with high-level industry certifications in leading technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cybersecurity consultants hold internationally recognized certifications including CISA, CISSP, CRISC and SANS GIAC. (See Progent's certifications.) Progent also has expertise with accounting and ERP application software. This breadth of experience lets Progent efficiently identify the critical systems, salvage the remaining components of your network environment after a ransomware attack, and reassemble them into an operational network.
Progent's security team uses proven project management tools to orchestrate the complicated recovery process. Progent understands the importance of working swiftly and closely with a customer's management and IT staff to prioritize tasks and get key systems back online as fast as possible.
Business Case Study: A Successful Crypto-Ransomware Attack Restoration
A business contacted Progent after its network was taken over by the Ryuk ransomware. Ryuk was at first attributed to North Korean state actors because it shares code with the earlier Hermes ransomware; later analysis attributes it to a Russian-speaking criminal group. Ryuk targets specific businesses with little or no tolerance for disruption and is one of the most lucrative crypto-ransomware operations. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing company in Chicago with around 500 staff. The Ryuk incident had shut down all essential business and manufacturing processes. Most of the client's backups had been directly accessible from the network when the attack began and were encrypted along with everything else. The client was arranging financing to pay the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but ultimately decided to engage Progent instead.
"I cannot thank you enough for the help Progent gave us throughout the most stressful period of (our) business's life. We would have had little choice but to pay the criminal gangs if it wasn't for the confidence the Progent team gave us. The fact that you were able to get our messaging and critical servers back online in less than one week was beyond my wildest dreams. Every single expert I worked with or e-mailed at Progent was urgently focused on getting us back online and was working 24/7 on our behalf."
Progent worked with the client to rapidly identify and prioritize the mission-critical services that had to be recovered in order to restart company operations:
- Windows Active Directory
- Electronic Messaging
- Accounting and Manufacturing Software
To begin, Progent followed incident response best practice for malware outbreaks: isolate affected hosts to halt lateral movement, then clean the compromised systems. Progent then started restoring Microsoft Active Directory, the heart of any enterprise environment built on Microsoft Windows. Exchange email will not function without Active Directory, and the customer's accounting and MRP software ran on Microsoft SQL Server, which relied on Active Directory to authenticate access to the databases.
Within two days, Progent had rebuilt Windows Active Directory to its pre-intrusion state. Progent then helped rebuild key systems and recover their hard drives. All Exchange Server schema extensions and attributes were intact, which accelerated the Exchange rebuild. Progent was able to gather unencrypted OST files (Outlook Offline Data Files) from staff PCs and laptops to recover email data. A recent offline backup of the customer's financials/ERP systems made it possible to bring these required applications back online. Although substantial work remained before the recovery from the Ryuk attack was complete, the most important systems were restored quickly:
"For the most part, the production operation was never shut down and we did not miss any customer shipments."
During the next month key milestones in the recovery process were achieved through tight collaboration between Progent engineers and the customer:
- Internal web sites were restored with no loss of data.
- The MailStore Server holding more than four million historical emails was brought up and made available to users.
- CRM/Customer Orders/Invoices/AP/AR/Inventory Control capabilities were 100 percent recovered.
- A new Palo Alto Networks PA-850 firewall was brought online.
- Most of the user PCs were fully operational.
"So much of what was accomplished in the early hours is mostly a fog for me, but our team will not soon forget the commitment each and every one of your team put in to give us our company back. I've trusted Progent for at least 10 years, maybe more, and each time Progent has shined and delivered. This event was a testament to your capabilities."
A potential business disaster was averted through hard-working professionals, a wide range of technical expertise, and tight teamwork. The post-incident review showed that the crypto-ransomware attack described here could have been stopped by up-to-date security systems and security best practices, training for users and IT administrators, and properly executed procedures for backing up data (including copies the attacker cannot reach) and keeping systems current with security patches. Even so, organized cyber criminal groups, state-sponsored or otherwise, are relentless and remain an ongoing threat. If you do fall victim to a crypto-ransomware attack, remember that Progent's roster of professionals has a proven track record in ransomware prevention, mitigation, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were involved), thank you for allowing me to get rested after we made it through the initial fire. Everyone made a fabulous effort, and if any of your team is around the Chicago area, dinner is the least I can do!"
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer story, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)