Crypto-Ransomware: Your Worst Information Technology Disaster
Ransomware has become an escalating cyber pandemic that presents an extinction-level danger for organizations poorly prepared for an attack. Ransomware families such as Reveton, WannaCry, Locky, NotPetya and MongoLock have been in the wild for years and still cause harm. Modern variants such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, along with many lesser-known strains, not only encrypt online data but also seek out and disable every backup and recovery mechanism they can reach. Files synchronized to the cloud can also be rendered useless, because the encrypted copies are synced up over the good ones. In a poorly architected environment this can make restoration impossible and effectively sets the datacenter back to square one.
Getting applications and data back online after a ransomware intrusion becomes a race against time as the targeted business struggles to contain and eradicate the crypto-ransomware and resume business-critical operations. Because the attackers need time to move laterally before they trigger encryption, attacks are frequently sprung on weekends, when intrusions in many cases take longer to recognize. This multiplies the difficulty of rapidly mobilizing and coordinating a qualified response team.
Progent offers a range of services for protecting Allen organizations from crypto-ransomware attacks. These include user education to help staff recognize and avoid phishing scams, and ProSight Active Security Monitoring, an endpoint detection and response (EDR) service built on SentinelOne's AI-based threat protection to identify and contain zero-day malware attacks. Progent also provides experienced ransomware recovery engineers with the skill and perseverance to rebuild a breached environment as rapidly as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware penetration, even paying the ransom in cryptocurrency does not ensure that the criminals will provide working keys to decrypt your data. Kaspersky found that 17% of ransomware victims never recovered their files after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000), well above the typical ransomware demand, which ZDNet put at around $13,000 for smaller businesses. The alternative is to piece the vital components of your IT environment back together. Without usable backups of essential data, this requires a broad range of IT skills, first-rate team management, and the willingness to work around the clock until the job is done.
For two decades, Progent has offered professional IT services for businesses throughout the United States and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold high-level certifications in key technologies including Microsoft, Cisco, VMware, and the major distributions of Linux. Progent's security experts have earned internationally recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial management and ERP applications. This breadth of expertise allows Progent to quickly identify critical systems, reorganize the surviving components of your IT environment after a ransomware event, and reassemble them into a functioning system.
Progent's ransomware group uses proven project management practices to coordinate the complex recovery process. Progent understands the urgency of working rapidly and in concert with a customer's management and IT staff to prioritize tasks and get key services back online as fast as possible.
Business Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A client contacted Progent after their network was brought down by Ryuk ransomware. Early reports attributed Ryuk to North Korean state-sponsored groups because of code it shares with the earlier Hermes ransomware, but it is now generally attributed to Russian-speaking cybercriminal groups who deploy it through the TrickBot and Emotet botnets. Ryuk targets specific organizations with little or no tolerance for downtime and is one of the most profitable strains of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in the Chicago metro area with about 500 employees. The Ryuk intrusion had halted all company operations and manufacturing. Most of the client's backups were online and reachable from the network when the attack began, and were destroyed along with the production data. The client was considering paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.
"I cannot thank you enough for the help Progent provided us throughout the most fearful period of (our) company's existence. We most likely would have paid the cybercriminals if it wasn't for the confidence the Progent group gave us. The fact that you were able to get our e-mail and critical applications back in less than five days was earth shattering. Every single expert I worked with or e-mailed at Progent was hell bent on getting us operational and was working all day and night on our behalf."
Progent worked hand in hand with the client to rapidly assess and prioritize the key areas that had to be recovered in order to resume company operations:
To begin, Progent followed industry best practices for ransomware incident mitigation by isolating affected systems to stop lateral movement and cleaning infected machines. Progent then started the task of recovering Microsoft Active Directory (AD), the core technology of enterprise systems built on Microsoft Windows. Exchange email will not function without Active Directory, and the client's financial and MRP systems ran on Microsoft SQL Server, which in this environment relied on Active Directory (Windows authentication) for access to the data.
- Active Directory
Within 48 hours, Progent was able to recover Active Directory to its pre-attack state. Progent then helped perform reinstallations and disk recovery of the most important systems. All Exchange links and attributes were intact, which facilitated the Exchange restore. Progent was also able to locate local OST files (Outlook Offline Data Files) on user workstations and laptops and recover mail data from them. A recent offline backup of the client's manufacturing software enabled these essential programs to be brought back online. Although major work remained to recover fully from the Ryuk attack, essential services were restored quickly:
"For the most part, the production manufacturing operation ran fairly normal throughout and we delivered all customer orders."
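The OST salvage step above is worth a closer look, because an OST that the ransomware has already overwritten is no use as a mail source. The following PowerShell script is an added example, not Progent's own tooling, and it assumes it is run as an administrator on a workstation (or pushed out with Invoke-Command), that user profiles live under C:\Users, and that the start of the intrusion ($AttackStart, a placeholder value here) is known from the incident timeline. It inventories every OST file, checks whether the Outlook data-file header is still intact, and writes a CSV so the recovery team can decide which mailboxes are worth salvaging before the machine is wiped and reinstalled.

```powershell
# Added example, not Progent's tooling: inventory Outlook Offline Data Files (.ost)
# on a workstation and check each file header before treating it as a mail source.
# Assumptions: run as an administrator on the workstation (or via Invoke-Command);
# $AttackStart comes from your incident timeline and the default below is a placeholder.
param(
    [datetime]$AttackStart = [datetime]'2020-01-01',
    [string]$ReportPath = 'C:\IR\ost-inventory.csv'
)

# Outlook data files (both PST and OST) begin with the 4-byte signature "!BDN".
$OstMagic = [byte[]](0x21, 0x42, 0x44, 0x4E)

function Test-OstHeader {
    param([string]$Path)
    try {
        # Open with FileShare.ReadWrite so an OST still locked by Outlook can be read.
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try {
            $buf = New-Object byte[] 4
            $n = $fs.Read($buf, 0, 4)
        } finally {
            $fs.Dispose()
        }
        if ($n -lt 4) { return $false }
        for ($i = 0; $i -lt 4; $i++) {
            if ($buf[$i] -ne $OstMagic[$i]) { return $false }
        }
        return $true
    } catch {
        return $false
    }
}

# Match plain .ost files and .ost files with an appended ransomware extension
# (for example the .RYK suffix Ryuk adds), so renamed files are not silently skipped.
$candidates = Get-ChildItem -Path 'C:\Users' -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '\.ost(\.[^.]+)?$' }

$report = foreach ($f in $candidates) {
    [pscustomobject]@{
        Path               = $f.FullName
        SizeMB             = [math]::Round($f.Length / 1MB, 1)
        LastWrite          = $f.LastWriteTime
        HeaderIntact       = Test-OstHeader -Path $f.FullName
        WrittenAfterAttack = $f.LastWriteTime -gt $AttackStart
    }
}

New-Item -ItemType Directory -Path (Split-Path -Path $ReportPath -Parent) -Force | Out-Null
$report | Sort-Object -Property HeaderIntact, SizeMB -Descending |
    Export-Csv -Path $ReportPath -NoTypeInformation

# A file written after the attack whose header is gone has almost certainly been
# encrypted; flag it rather than handing it to the mail recovery team.
$report | Where-Object { -not $_.HeaderIntact } | ForEach-Object {
    Write-Warning "Header missing, likely encrypted: $($_.Path)"
}
$report | Where-Object { $_.HeaderIntact } |
    Select-Object -Property Path, SizeMB, LastWrite | Format-Table -AutoSize
```

An OST is bound to the mailbox profile it was created for, so a salvaged file cannot simply be opened as a new data file in Outlook; it has to be reconnected to the rebuilt mailbox or converted with a third-party tool. The inventory tells you which files justify that effort and which are already lost.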
Over the next few weeks, critical milestones in the restoration were reached through close collaboration between Progent team members and the customer:
- Self-hosted web sites were brought back up with no loss of data.
- The MailStore email archive server, holding more than 4 million historical emails, was brought back online and made accessible to users.
- The CRM, customer orders, invoicing, accounts payable (AP), accounts receivable (AR) and inventory modules were completely recovered.
- A new Palo Alto Networks PA-850 firewall was brought online.
- Ninety percent of the desktops and laptops were back in use by staff.
"So much of what went on those first few days is nearly entirely a fog for me, but our team will not forget the dedication each and every one of your team showed to help get our business back. I've entrusted Progent for at least 10 years, maybe more, and every time Progent has impressed me and delivered as promised. This situation was no exception but maybe more Herculean."
A potentially company-ending disaster was averted by top-tier experts, a broad spectrum of technical expertise, and close collaboration. In hindsight, the crypto-ransomware incident described here could have been detected and stopped with current cyber security technology, ISO/IEC 27001 best practices, user training, and appropriate procedures for data protection and keeping systems current with security patches. The reality, however, is that criminal and state-sponsored threat actors from Russia, China, North Korea and elsewhere are relentless and represent an ongoing threat. If you are hit by a ransomware incursion, you can be confident that Progent's team of experts has substantial experience in crypto-ransomware defense, remediation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were involved), I'm grateful for allowing me to get some sleep after we made it past the first week. All of you did a fabulous job, and if anyone is visiting the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Consulting Services in Allen
For ransomware system recovery consulting in the Allen area, phone Progent at 800-462-8800 or see Contact Progent.