Crypto-Ransomware: Your Worst IT Catastrophe
Ransomware has become a modern cyber plague and an enterprise-level threat to businesses of every size that are unprepared for an attack. Multiple generations of crypto-ransomware, including Dharma, CryptoWall, Locky, SamSam and MongoLock, have been in the wild for years and still cause havoc. Current families such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch and Egregor, along with a steady stream of as yet unnamed variants, not only encrypt critical online data but also go after the backup and system-protection mechanisms that are reachable from the compromised network, such as snapshots and online backup repositories. Data replicated to an off-site disaster recovery site can be encrypted along with it. In a poorly designed environment this renders automated recovery useless and sets the entire environment back to square one.
Bringing applications and data back online after a crypto-ransomware attack is a sprint against the clock as the targeted business tries to stop the spread, remove the ransomware and restore business-critical activity. Because the attacker needs time to spread through the network before detonating the payload, attacks are frequently launched on weekends, when a successful intrusion tends to go unnoticed for longer. This compounds the difficulty of quickly assembling and orchestrating a knowledgeable response team.
Progent offers a range of services to protect Sorocaba businesses from ransomware. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation, AI-assisted endpoint security that automatically identifies and contains zero-day attacks. Progent also provides seasoned crypto-ransomware recovery engineers with the skill and persistence to rebuild a breached environment as rapidly as possible.
Progent's Ransomware Recovery Services
After a ransomware intrusion, paying the ransom in Bitcoin does not guarantee that the criminals will hand over working keys to decrypt all your files. Kaspersky found that 17 percent of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive: Ryuk demands frequently run from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet estimated at around $13,000 for small organizations. The alternative is to rebuild the critical elements of your IT environment. Without clean backups of essential data, this requires a wide range of skills, well-coordinated project management, and the ability to work around the clock until the recovery is complete.
For two decades, Progent has provided certified IT services to businesses throughout the US and holds Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals holding advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware and the major Linux distributions. Progent's cybersecurity specialists hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC and SANS GIAC (see Progent's certifications). Progent also has experience with accounting and ERP software. This breadth of experience gives Progent the skills to rapidly identify the systems that matter, consolidate the surviving pieces of your network after a crypto-ransomware event, and rebuild them into a functioning environment.
Progent's ransomware team uses proven project management processes to coordinate the complex recovery effort. Progent understands the urgency of working quickly, and in concert with the client's management and IT staff, to prioritize tasks and get the most important services back online as soon as possible.
Client Case Study: A Successful Crypto-Ransomware Incident Recovery
A business escalated to Progent after its network was taken over by the Ryuk ransomware. Early analyses attributed Ryuk to North Korean state-sponsored actors because of its code overlap with the Hermes ransomware; later attribution pointed instead to a Russian-speaking criminal group, and the malware possibly adopted techniques from tooling leaked from the United States National Security Agency. Ryuk is aimed at specific businesses with little tolerance for downtime and is among the most lucrative ransomware families. High-profile targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in Chicago with about 500 employees. The Ryuk attack had shut down all business and manufacturing operations. Most of the client's backups were online when the attack began and were destroyed. The client considered paying the ransom (over $200,000) and hoping for the best, but ultimately brought in Progent.
"I cannot speak enough about the support Progent provided us throughout the most stressful period of (our) business's existence. We would have had little choice but to pay the criminal gangs if not for the confidence the Progent experts provided us. The fact that you were able to get our e-mail and critical servers back online in less than 1 week was beyond my wildest dreams. Every single consultant I interacted with or communicated with at Progent was hell-bent on getting our system up and was working all day and night on our behalf."
Progent worked with the customer to quickly identify and prioritize the essential services that had to be recovered in order to resume departmental operations:
- Active Directory
- Email
To begin, Progent followed incident response best practices by halting lateral movement and cleaning up infected systems. Progent then started recovering Active Directory, the foundation of environments built on Windows Server. Exchange will not operate without AD, and the business's accounting and MRP applications run on Microsoft SQL Server, which relies on AD for authentication and access to their data.
Within two days, Progent rebuilt Active Directory to its pre-attack state, then moved on to reinstalling essential servers and recovering their disks. The Exchange schema and attributes in AD were intact, which greatly simplified the Exchange rebuild. Progent located unencrypted OST files (Outlook Offline Folder Files) on various PCs and used them to recover email. A recent offline backup of the manufacturing software made it possible to bring those required services back online for users. Although a large amount of work remained to recover fully from Ryuk, critical systems were restored rapidly:
"For the most part, the production manufacturing operation survived unscathed and we produced all customer deliverables."
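The email recovery described above depended on finding OST files that the ransomware had not reached. The script below is an added example written for this page, not Progent's tooling and not something the case study describes, showing how a responder can triage OST copies across collected endpoint data at scale. It assumes three things that are not stated on the page: that Ryuk appends a .RYK extension to the files it encrypts, that an intact Outlook OST/PST begins with the "!BDN" signature, and that ciphertext measures close to 8 bits/byte of entropy while a genuine OST header measures far lower. The sample endpoint tree is constructed inline so the example runs offline. Because it also catches the in-place-encryption style used by other families, it goes a little beyond the Ryuk case in the text.

```python
"""Triage Outlook OST files after a ransomware event: which copies are still
readable and which were encrypted. Added example; not Progent's tooling.
Assumptions (not from the page): Ryuk appends .RYK to encrypted files; an
intact OST/PST begins with the "!BDN" signature; encrypted data sits near
8 bits/byte of entropy while a real OST header is far lower."""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

OST_MAGIC = b"!BDN"          # signature at offset 0 of every PST/OST (assumed)
RANSOM_EXTS = {".ryk"}       # Ryuk's appended extension (assumed; extend for other families)
SAMPLE_BYTES = 4096          # bytes read from each file for the entropy check
ENCRYPTED_ENTROPY = 7.5      # bits/byte above which a sample reads as ciphertext
INTACT_ENTROPY = 6.0         # bits/byte below which a signed header reads as plaintext


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: 8.0 for uniform bytes, much lower for a real OST header."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_ost(path: Path) -> str:
    """Return 'intact', 'encrypted' or 'unknown' for one candidate OST file."""
    suffixes = [s.lower() for s in path.suffixes]
    if suffixes and suffixes[-1] in RANSOM_EXTS:
        return "encrypted"             # renamed by the ransomware; no need to read it
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if len(head) < SAMPLE_BYTES:
        return "unknown"               # far too small to be a usable mailbox cache
    ent = shannon_entropy(head)
    if head.startswith(OST_MAGIC) and ent < INTACT_ENTROPY:
        return "intact"                # signature present, header still plaintext
    if ent > ENCRYPTED_ENTROPY:
        return "encrypted"             # encrypted in place, extension left alone
    return "unknown"                   # partially written, odd format, or not an OST


def find_ost_files(root: Path):
    """Yield every file under root whose name contains '.ost' (covers 'x.ost.RYK')."""
    for p in root.rglob("*"):
        if p.is_file() and ".ost" in p.name.lower():
            yield p


def triage(root: Path) -> dict:
    """Map each candidate path (relative to root, POSIX form) to its classification."""
    return {p.relative_to(root).as_posix(): classify_ost(p) for p in sorted(find_ost_files(root))}


def build_sample_tree(root: Path) -> None:
    """Constructed sample endpoints for the demo; not real data."""
    rng = random.Random(1)                                      # deterministic "ciphertext"
    ciphertext = bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES))
    intact = OST_MAGIC + b"\x00" * 3000 + b"Outlook offline cache" * 100
    (root / "pc01").mkdir()
    (root / "pc01" / "alice.ost").write_bytes(intact)           # untouched by the attack
    (root / "pc02").mkdir()
    (root / "pc02" / "bob.ost.RYK").write_bytes(ciphertext)     # Ryuk-style rename
    (root / "pc03").mkdir()
    (root / "pc03" / "carol.ost").write_bytes(ciphertext)       # encrypted in place
    (root / "pc03" / "stub.ost").write_bytes(b"!BDN")           # header only, unusable


def demo() -> dict:
    """Build the constructed tree in a temp dir and return its triage result."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:10} {name}")
```

In a real engagement you would point `triage()` at a read-only mount of each collected disk image rather than the live machine, so the triage itself cannot alter evidence, and copy only the files reported as intact to the recovery host.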
Over the next couple of weeks, key milestones in the recovery were achieved through close collaboration between Progent and the client:
- Internal web sites were restored with no loss of data.
- The MailStore archive server, holding more than 4 million archived Exchange emails, was restored to operation and made accessible to users.
- CRM, orders, invoices, AP, accounts receivable and inventory functions were 100% operational.
- A new Palo Alto Networks PA-850 firewall was installed.
- 90% of user desktops and notebooks were fully operational.
"Much of what happened in the initial days is mostly a fog for me, but my management will not forget the commitment each and every one of the team put in to give us our business back. I've trusted Progent for at least 10 years, possibly more, and each time Progent has come through and delivered. This event was a life saver."
A likely business disaster was averted through the efforts of hard-working experts, a wide spectrum of technical expertise, and close teamwork. Forensics completed afterward showed that the incident described here would have been prevented by current security technology and best practices: staff training, proper procedures for keeping backups offline and protected, and keeping systems current with security patches. But state-sponsored and criminal attackers from China, Russia, North Korea and elsewhere are relentless and are not going away. If you are hit by a crypto-ransomware incident, you can rely on Progent's roster of experts, who have substantial experience in ransomware blocking, removal, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were contributing), thank you for allowing me to get some sleep after we got over the initial push. All of you made an incredible effort, and if any of you guys are in the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)