Crypto-Ransomware : Your Feared Information Technology Disaster
Ransomware has become a modern cyber pandemic that presents an enterprise-level danger for organizations poorly prepared for an attack. Earlier families of ransomware like the CryptoLocker, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been around for a long time and continue to cause harm. More recent crypto-ransomware families like Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, along with frequent unnamed variants, not only encrypt online files but also reach and corrupt most accessible system backups. Data replicated to cloud environments can be corrupted as well. In a vulnerable environment, this can make automated recovery impossible and effectively sets the datacenter back to zero.
Recovering applications and data following a crypto-ransomware attack becomes a race against the clock as the victim struggles to contain the damage, eradicate the ransomware and resume mission-critical activity. Because ransomware takes time to spread, attacks are usually launched on weekends, when they may take longer to uncover. This multiplies the difficulty of promptly marshalling and coordinating a qualified response team.
Progent offers an assortment of support services for protecting Columbus organizations from ransomware attacks. Among these are staff education to recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of next-generation security appliances with artificial intelligence technology to automatically discover and suppress zero-day threats. Progent can also provide the assistance of expert ransomware recovery consultants with the skills and commitment to restore a compromised environment as urgently as possible.
Progent's Ransomware Recovery Help
After a crypto-ransomware event, even paying the ransom in Bitcoin cryptocurrency does not ensure that the remote criminals will provide the keys to decrypt any of your files. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their data after having paid the ransom, resulting in further losses. The ransom itself is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is greatly above the typical ransomware demand, which ZDNET determined to be in the range of $13,000 for small businesses. The fallback is to piece back together the critical components of your IT environment. Absent complete data backups, this requires a wide range of IT skills, professional team management, and the willingness to work non-stop until the recovery project is finished.
For two decades, Progent has provided expert Information Technology services for businesses across the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have attained advanced certifications in foundation technologies from Microsoft, Cisco and VMware, and in popular distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of expertise gives Progent the ability to efficiently identify critical systems, salvage the remaining components of your network following a ransomware penetration, and reassemble them into an operational environment.
Progent's ransomware team uses powerful project management systems to coordinate the sophisticated recovery process. Progent appreciates the urgency of acting swiftly and in concert with a customer's management and Information Technology team members to prioritize tasks and to put the most important services back online as soon as humanly possible.
Case Study: A Successful Ransomware Incident Response
A client hired Progent after their network was brought down by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean government-sponsored criminal gangs, suspected of adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific companies with little tolerance for operational disruption and is one of the most profitable ransomware families. High-profile victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturer based in Chicago with around 500 workers. The Ryuk intrusion had paralyzed all business operations and manufacturing capabilities. The majority of the client's data backups had been directly accessible from the network at the time of the intrusion and were damaged. The client considered paying the ransom demand (exceeding $200K) and hoping for the best, but in the end decided to engage Progent.
"I cannot say enough about the care Progent gave us during the most fearful period of (our) company's existence. We may have had to pay the cyber criminals behind the attack except for the confidence the Progent experts provided us. That you were able to get our e-mail system and important applications back on-line in less than one week was beyond my wildest dreams. Each expert I got help from or e-mailed at Progent was amazingly focused on getting us working again and was working at breakneck pace on our behalf."
Progent worked together with the customer to quickly identify and prioritize the key elements that had to be recovered in order to restart business operations:
- Active Directory (AD)
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for malware incident response by stopping lateral movement and cleaning up compromised systems. Progent then started the work of rebuilding Microsoft Active Directory, the foundation of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange email will not work without Active Directory, and the client's financials and MRP system ran on Microsoft SQL Server, which relies on Active Directory to authenticate and authorize access to the data.
In less than two days, Progent was able to recover Windows Active Directory to its pre-intrusion state. Progent then charged ahead with setup and storage recovery for essential applications. All Exchange links and attributes in Active Directory were intact, which greatly helped the restoration of Exchange. Progent was also able to find intact OST files (Outlook Offline Folder Files) on user PCs and laptops and used them to recover mail data. A recent offline backup of the customer's financials/ERP systems made it possible to restore these essential programs and make them available to users again. Although a large amount of work remained to recover completely from the Ryuk attack, essential systems were recovered quickly:
"For the most part, the production manufacturing operation showed little impact and we produced all customer orders."
During the following couple of weeks, important milestones in the restoration process were reached through close cooperation between Progent team members and the customer:
- Self-hosted web applications were returned to operation without losing any data.
- The MailStore Exchange Server with over 4 million historical messages was brought online and available for users.
- CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory modules were fully operational.
- A new Palo Alto 850 firewall was set up.
- Most of the desktop computers were back in use by staff.
"A huge amount of what was accomplished during the initial response is mostly a haze for me, but my management will not forget the urgency all of your team put in to help get our company back. I have trusted Progent for the past 10 years, possibly more, and each time Progent has come through and delivered. This time was a testament to your capabilities."
A probable business-killing catastrophe was avoided by top-tier professionals, a wide range of IT skills, and close teamwork. Forensics showed that the crypto-ransomware penetration described here would have been identified and blocked by current cyber security technology and NIST Cybersecurity Framework best practices, by user and IT administrator education, and by properly executed backup procedures and patching controls. Nevertheless, government-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and are not going away. If you do fall victim to a ransomware attack, you can be confident that Progent's roster of experts has proven experience in ransomware defense, remediation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were helping), thank you for making it so I could get rested after we got past the most critical parts. All of you did an incredible effort, and if any of your guys is in the Chicago area, dinner is my treat!"
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)