Crypto-Ransomware: Your Feared Information Technology Disaster
Ransomware has become an escalating cyberplague that represents an enterprise-level danger for businesses unprepared for an attack. Multiple generations of ransomware like the CryptoLocker, WannaCry, Locky, SamSam and MongoLock cryptoworms have been out in the wild for years and still inflict damage. More recent strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Nephilim, along with frequent as yet unnamed newcomers, not only encrypt online data but also bypass many configured system protections. Data synched to cloud environments can also be encrypted. In a poorly architected system, this can make automated recovery hopeless and effectively knocks the datacenter back to square one.
Getting programs and data back online after a ransomware intrusion becomes a race against time as the targeted organization struggles to stop lateral movement, clean up the crypto-ransomware, and restore business-critical operations. Because ransomware needs time to spread, attacks are often launched during nights and weekends, when intrusions tend to take longer to recognize. This multiplies the difficulty of promptly marshalling and orchestrating a capable mitigation team.
Progent offers a variety of help services for protecting Boise businesses from crypto-ransomware attacks. These include team education to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of modern security appliances with artificial intelligence capabilities to automatically identify and extinguish zero-day cyber threats. Progent in addition offers the assistance of veteran crypto-ransomware recovery professionals with the talent and perseverance to re-deploy a compromised system as quickly as possible.
Progent's Ransomware Recovery Services
Soon after a crypto-ransomware event, even paying the ransom in Bitcoin cryptocurrency does not provide any assurance that the attackers will return the keys to decrypt any of your information. Kaspersky determined that 17% of ransomware victims never recovered their data even after having paid the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above the usual crypto-ransomware demands, which ZDNET determined to be approximately $13,000 for small organizations. The other path is to rebuild the key parts of your IT environment. Without complete data backups available, this requires a broad range of IT skills, well-coordinated team management, and the capability to work 24x7 until the job is finished.
For twenty years, Progent has offered professional IT services for businesses throughout the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have attained high-level industry certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience in financial management and ERP application software. This breadth of experience gives Progent the skills to quickly identify critical systems, reorganize the remaining pieces of your Information Technology environment after a ransomware attack, and rebuild them into an operational system.
Progent's ransomware team uses proven project management systems to orchestrate the complex restoration process. Progent knows the importance of working rapidly and together with a customer's management and IT resources to assign priority to tasks and to put the most important applications back online as soon as humanly possible.
Client Case Study: A Successful Ransomware Intrusion Recovery
A customer sought out Progent after their company was brought down by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state-sponsored hackers, suspected of using algorithms leaked from the U.S. NSA. Ryuk targets specific organizations with little or no ability to sustain operational disruption and is among the most lucrative strains of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing business located in the Chicago metro area with about 500 workers. The Ryuk intrusion had brought down all business operations and manufacturing capabilities. Most of the client's data backups had been online at the beginning of the intrusion and were damaged. The client was actively seeking loans to pay the ransom demand (more than $200K) and hoping for good luck, but in the end engaged Progent.
"I cannot say enough about the help Progent gave us during the most stressful time of (our) business's existence. We may have had to pay the Hackers if it wasn't for the confidence the Progent experts afforded us. That you could get our e-mail system and important applications back online quicker than one week was earth shattering. Each consultant I got help from or e-mailed at Progent was laser focused on getting my company operational and was working 24/7 on our behalf."
Progent worked with the client to quickly assess and assign priority to the critical areas that had to be addressed to make it possible to continue departmental functions:
- Active Directory
- Electronic Mail
- MRP System
To start, Progent followed incident response best practices by halting lateral movement and performing malware removal steps. Progent then initiated the work of recovering Active Directory, the key technology of enterprise systems built on Microsoft technology. Microsoft Exchange email will not function without AD, and the client's accounting and MRP applications used SQL Server, which relied on Active Directory for authentication to the data.
In less than two days, Progent was able to recover Active Directory to its pre-attack state. Progent then charged ahead with reinstallations and storage recovery of mission-critical servers. All Microsoft Exchange Server links and attributes were usable, which facilitated the restore of Exchange. Progent was also able to gather non-encrypted OST files (Outlook Offline Data Files) from staff workstations to recover mail data. A recent offline backup of the customer's accounting software made it possible to bring these required applications back online. Although significant work was left to recover completely from the Ryuk attack, core systems were recovered rapidly:
"For the most part, the assembly line operation never missed a beat and we made all customer orders."
Throughout the following month critical milestones in the restoration process were completed in close cooperation between Progent engineers and the customer:
- In-house web sites were returned to operation without losing any data.
- The MailStore Server archive, holding more than four million historical messages, was brought online and made accessible to users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivable/Inventory modules were completely operational.
- A new Palo Alto 850 security appliance was installed and configured.
- Ninety percent of the user desktops were functioning as before the incident.
"Much of what happened in the initial days is mostly a haze for me, but my team will not forget the urgency each and every one of you put in to give us our company back. I've trusted Progent for at least 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered. This time was a testament to your capabilities."
A possible business catastrophe was averted by top-tier experts, a broad spectrum of knowledge, and close collaboration. Although in hindsight the crypto-ransomware intrusion described here would have been identified and blocked with up-to-date security technology and recognized best practices, user education, and properly executed procedures for backup and applying software patches, the reality remains that state-sponsored and criminal cyber gangs from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware incursion, remember that Progent's team of experts has extensive experience in ransomware defense, remediation, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), I'm grateful for letting me get some sleep after we made it through the initial push. All of you made a fabulous effort, and if any of you guys are around the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)