Crypto-Ransomware : Your Worst Information Technology Disaster
Ransomware has become an escalating cyber pandemic that presents an enterprise-level danger for businesses of all sizes that are poorly prepared for an attack. Multiple generations of ransomware such as the CrySIS, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been circulating for a long time and continue to inflict damage. Modern versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, as well as many unnamed newcomers, not only encrypt online files but also infect many configured system backups. Files synchronized to the cloud can also be corrupted. With a poorly designed data protection solution, this can make automatic recovery impossible and effectively set the network back to square one.
Getting back applications and information after a ransomware outage becomes a sprint against the clock as the targeted business fights to stop the spread and remove the ransomware and to resume enterprise-critical operations. Because ransomware takes time to spread, penetrations are frequently launched during weekends and nights, when successful penetrations are likely to take longer to detect. This compounds the difficulty of promptly marshalling and coordinating an experienced mitigation team.
Progent provides an assortment of support services for securing Huntington Beach enterprises from ransomware attacks. These include user training to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of next-generation security appliances with artificial intelligence capabilities to intelligently identify and quarantine zero-day cyber threats. Progent in addition offers the assistance of veteran crypto-ransomware recovery professionals with the track record and commitment to re-deploy a compromised network as soon as possible.
Progent's Crypto-Ransomware Recovery Services
Soon after a ransomware penetration, sending the ransom in Bitcoin cryptocurrency does not provide any assurance that merciless criminals will respond with the keys to decrypt all your files. Kaspersky Labs determined that 17% of ransomware victims never recovered their data after having paid the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the average crypto-ransomware demand, which ZDNET estimated to be approximately $13,000 for smaller businesses. The other path is to re-install the key elements of your IT environment. Absent access to full system backups, this requires a broad range of skills, top-notch team management, and the ability to work non-stop until the task is over.
For twenty years, Progent has offered certified expert Information Technology services for businesses across the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have been awarded advanced certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have garnered internationally recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent in addition has expertise in accounting and ERP software solutions. This breadth of experience gives Progent the capability to rapidly identify critical systems, consolidate the remaining parts of your computer network following a crypto-ransomware penetration, and rebuild them into a functioning system.
Progent's recovery group utilizes top-notch project management tools to orchestrate the sophisticated restoration process. Progent appreciates the urgency of acting swiftly and works together with a customer's management and IT team members to assign priority to tasks and to put key systems back online as soon as possible.
Client Story: A Successful Ransomware Intrusion Restoration
A business contacted Progent after their organization was brought down by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state-sponsored hackers, suspected of adopting techniques leaked from America's National Security Agency. Ryuk goes after specific organizations with limited tolerance for disruption and is among the most lucrative incarnations of ransomware viruses. Major targets have included Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer based in Chicago with around 500 workers. The Ryuk penetration had shut down all essential operations and manufacturing processes. The majority of the client's backups had been online at the time of the intrusion and were eventually encrypted. The client was taking steps to pay the ransom demand (in excess of $200K) and hoping for the best, but in the end engaged Progent.
"I can't speak enough in regards to the help Progent provided us throughout the most fearful time of (our) business's existence. We most likely would have paid the cyber criminals if not for the confidence the Progent group provided us. The fact that you could get our e-mail and key applications back on-line sooner than 1 week was amazing. Every single expert I got help from or e-mailed at Progent was hell bent on getting our system up and was working all day and night to bail us out."
Progent worked hand in hand with the customer to quickly identify and prioritize the most important elements that had to be addressed to make it possible to resume company operations:
- Microsoft Active Directory
- Exchange Server
To get started, Progent followed antivirus/malware penetration mitigation best practices by stopping lateral movement and clearing infected systems. Progent then began the task of bringing Microsoft Active Directory back online, the heart of enterprise networks built on Microsoft Windows technology. Exchange messaging will not operate without Windows AD, and the customer's financial and MRP applications relied on SQL Server, which needs Active Directory to authenticate users to the databases.
In less than 48 hours, Progent was able to restore Active Directory services to their pre-virus state. Progent then helped perform rebuilding and hard drive recovery on needed systems. All Microsoft Exchange Server schema and configuration information was intact, which greatly helped the rebuild of Exchange. Progent was able to locate local OST data files (Microsoft Outlook Offline Data Files) on team PCs and laptops in order to recover email messages. A recent offline backup of the customer's accounting software made it possible to bring these required programs back online for users. Although significant work remained to recover fully from the Ryuk event, core services were recovered rapidly:
"For the most part, the assembly line operation showed little impact and we did not miss any customer sales."
Throughout the following few weeks, important milestones in the restoration process were accomplished through tight collaboration between Progent consultants and the client:
- Internal web sites were restored without losing any data.
- The MailStore Server, holding more than four million historical emails, was brought back up and made accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory capabilities were 100 percent restored.
- A new Palo Alto 850 firewall was installed and configured.
- Nearly all of the user PCs were back into operation.
"Much of what was accomplished that first week is nearly entirely a haze for me, but our team will not soon forget the dedication each and every one of your team accomplished to give us our company back. I've been working with Progent for at least 10 years, maybe more, and every time Progent has impressed me and delivered as promised. This situation was the most impressive ever."
A likely business disaster was avoided through the efforts of hard-working experts, a broad spectrum of subject matter expertise, and close collaboration. Although, once forensics were completed, it was clear that the crypto-ransomware penetration detailed here would have been identified and stopped with up-to-date cyber security solutions and best practices, staff education, and well-thought-out incident response procedures for data backup and keeping systems current with security patches, the fact is that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware incident, remember that Progent's team of professionals has proven experience in ransomware virus blocking, cleanup, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were involved), thanks very much for letting me get rested after we got over the initial fire. All of you did an amazing effort, and if anyone that helped is visiting the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)