Crypto-Ransomware : Your Feared Information Technology Nightmare
Crypto-ransomware has become an escalating cyber pandemic that represents an enterprise-level threat for any organization vulnerable to attack. Earlier iterations of ransomware such as Dharma, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been in the wild for years and still inflict harm. Modern strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, as well as additional unnamed variants, not only encrypt on-line critical data but also compromise every available system protection mechanism. Data replicated to off-site disaster recovery sites can also be rendered useless. In a poorly designed data protection solution, this can make automated restore operations hopeless and effectively sets the entire environment back to zero.
Getting applications and data back on-line following a crypto-ransomware event becomes a race against time as the victim struggles to contain and remove the ransomware and to restore business-critical activity. Because ransomware requires time to move laterally, attacks are often triggered during nights and weekends, when a successful intrusion is likely to take longer to detect. This multiplies the difficulty of promptly mobilizing and coordinating a qualified response team.
Progent offers an assortment of support services for protecting Columbus enterprises from ransomware attacks. These include team training to recognize and not fall victim to phishing scams, and ProSight Active Security Monitoring (ASM) for endpoint detection and response, which uses SentinelOne's AI-based cyberthreat defense to discover and suppress zero-day modern malware assaults. Progent also provides the assistance of seasoned ransomware recovery professionals with the skills and commitment to reconstruct a breached network as quickly as possible.
Progent's Crypto-Ransomware Restoration Support Services
Following a ransomware event, paying the ransom demand in cryptocurrency does not guarantee that the criminal gang will return the keys to decrypt any or all of your files. Kaspersky determined that 17% of crypto-ransomware victims never restored their data even after paying the ransom, resulting in additional losses. The ransom itself is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNET determined to be approximately $13,000 for smaller organizations. The alternative is to set up the mission-critical parts of your Information Technology environment from scratch. Without complete data backups, this calls for a broad range of skill sets, well-coordinated team management, and the willingness to work non-stop until the job is done.
For two decades, Progent has offered certified expert Information Technology services for businesses throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have earned high-level industry certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial management and ERP software solutions. This breadth of experience gives Progent the capability to knowledgeably identify important systems, integrate the surviving pieces of your network environment following a crypto-ransomware attack, and rebuild them into an operational network.
Progent's ransomware group deploys top-notch project management systems to coordinate the sophisticated recovery process. Progent understands the urgency of working swiftly, together with a client's management and Information Technology resources, to prioritize tasks and get essential systems back on-line as fast as humanly possible.
Customer Story: A Successful Crypto-Ransomware Attack Response
A small business contacted Progent after their network was attacked by the Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state-sponsored criminal gangs, possibly adopting technology leaked from America's NSA. Ryuk targets specific organizations with little tolerance for operational disruption and is among the most lucrative instances of ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in Chicago with about 500 workers. The Ryuk attack had frozen all business operations and manufacturing capabilities. The majority of the client's system backups had been on-line at the start of the attack and were damaged. The client was taking steps to pay the ransom demand (in excess of $200,000) and hoping for good luck, but ultimately called Progent.
"I cannot thank you enough regarding the support Progent gave us during the most stressful period of (our) company's life. We would have paid the cyber criminals if not for the confidence the Progent experts provided us. The fact that you could get our e-mail system and critical applications back on-line in less than five days was incredible. Each expert I worked with or e-mailed at Progent was amazingly focused on getting us back online and was working 24 by 7 on our behalf."
Progent worked with the client to rapidly get our arms around and prioritize the mission-critical applications that needed to be addressed in order to restart departmental operations:
- Active Directory
- Microsoft Exchange
To get going, Progent adhered to ransomware incident response industry best practices by isolating and cleaning infected systems. Progent then began the work of rebuilding Windows Active Directory, the key technology of enterprise environments built on Microsoft Windows. Microsoft Exchange e-mail will not work without AD, and the business's MRP applications relied on Microsoft SQL Server, which requires Active Directory to authorize access to the data.
Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then charged ahead with reinstallations and hard drive recovery of essential systems. All Exchange Server schema and configuration information was usable, which greatly helped the restoration of Exchange. Progent was able to find unencrypted OST files (Outlook Offline Data Files) on staff workstations and used them to recover mail messages. A relatively recent offline backup of the customer's accounting systems made it possible to restore these required applications to service. Although a lot of work still had to be done to recover fully from the Ryuk damage, essential services were returned to operation quickly:
"For the most part, the production operation did not miss a beat and we produced all customer shipments."
Throughout the next couple of weeks important milestones in the restoration project were accomplished in close collaboration between Progent engineers and the client:
- Self-hosted web applications were restored without losing any information.
- The MailStore Exchange Server with over 4 million archived e-mails was brought back on-line and made available to users.
- CRM/Orders/Invoicing/AP/Accounts Receivable/Inventory Control capabilities were 100 percent recovered.
- A new Palo Alto 850 security appliance was installed.
- Most desktop computers were back in use by staff.
"Much of what transpired during the initial response is mostly a fog for me, but my team will not forget the dedication each member of the team showed to give us our company back. I have utilized Progent for the past 10 years, possibly more, and each time I needed help Progent has shined and delivered as promised. This situation was a testament to your capabilities."
A probable enterprise-killing catastrophe was averted with top-tier experts, a broad array of IT skills, and close teamwork. In hindsight, the ransomware incident described here could have been prevented with modern cyber security solutions and ISO/IEC 27001 best practices, user and IT administrator education, and appropriate security procedures for data backup and patching controls. The fact remains, however, that state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware incident, be confident that Progent's team of experts has extensive experience in crypto-ransomware blocking, cleanup, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thank you for allowing me to get rested after we got over the first week. All of you made an incredible effort, and if any of your team is around the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Services in Columbus
For ransomware system recovery expertise in the Columbus metro area, phone Progent at 800-462-8800 or go to Contact Progent.