Crypto-Ransomware : Your Worst IT Nightmare
Ransomware has become an all-too-frequent cyber pandemic that poses an existential danger to businesses unprepared for an attack. Earlier versions of crypto-ransomware such as Reveton, Fusob, Bad Rabbit, SamSam and the MongoLock cryptoworms have been in the wild for a long time and still cause harm. Newer variants like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Nephilim, along with a steady stream of as yet unnamed malware, not only encrypt online data but also infect any reachable system restore points and backups. Data synchronized to cloud environments can be encrypted as well. In a poorly architected environment this renders automatic restore operations hopeless and effectively knocks the datacenter back to zero.
Restoring applications and data after a ransomware outage becomes a race against the clock as the targeted organization works to contain the damage, clear the crypto-ransomware and resume mission-critical activity. Because ransomware needs time to spread, intrusions are frequently launched on weekends and at night, when they typically take longer to discover. This compounds the difficulty of quickly assembling and coordinating a knowledgeable response team.
Progent provides a range of services for protecting Jersey City businesses from crypto-ransomware attacks. These include user education to help staff recognize and avoid phishing scams, and ProSight Active Security Monitoring for endpoint detection and response, which uses SentinelOne's behavior-based threat protection to detect and quarantine zero-day malware attacks. Progent also offers the services of experienced ransomware recovery engineers with the skill and commitment to redeploy a compromised network as quickly as possible.
Progent's Crypto-Ransomware Restoration Help
After a crypto-ransomware intrusion, paying the ransom in cryptocurrency does not guarantee that the criminals will provide the keys to decrypt any or all of your data. Kaspersky found that seventeen percent of ransomware victims never recovered their data after paying the ransom, compounding their losses. The ransom itself is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000), far above the average ransomware demand, which ZDNET estimated at around $13,000 for smaller businesses. The alternative is to piece back together the mission-critical elements of your IT environment. Without access to usable system backups, this calls for a wide complement of skill sets, well-coordinated team management, and the willingness to work 24x7 until the job is done.
For decades, Progent has offered certified expert IT services to companies throughout the US and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who hold advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have earned internationally recognized industry certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience with financial management and ERP applications. This breadth of expertise gives Progent the skills to knowledgeably identify the important systems, organize the surviving pieces of your network after a ransomware attack, and assemble them into a functioning environment.
Progent's ransomware team uses best-of-breed project management tools to orchestrate the complicated recovery process. Progent appreciates the importance of working quickly and in concert with a client's management and IT staff to prioritize tasks and get key applications back online as soon as humanly possible.
Case Study: A Successful Ransomware Intrusion Response
A small business sought out Progent after their company was crippled by Ryuk ransomware. Ryuk is thought to have been created by North Korean state cybercriminals, possibly adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific companies with little or no tolerance for disruption and is among the most lucrative strains of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in the Chicago metro area with about 500 employees. The Ryuk intrusion had frozen all essential business and manufacturing processes. Most of the client's system backups had been online at the start of the attack and were eventually encrypted. The client was arranging financing to pay the ransom (more than $200,000) and hoping for the best, but ultimately brought in Progent.
"I can't speak enough in regards to the support Progent provided us during the most fearful time of (our) business's survival. We most likely would have paid the criminal gangs if it wasn't for the confidence the Progent team gave us. The fact that you could get our e-mail and essential applications back online in less than one week was earth shattering. Each expert I worked with or communicated with at Progent was absolutely committed to getting our company operational and was working non-stop on our behalf."
Progent worked with the client to quickly identify and prioritize the essential components that had to be addressed before company operations could restart:
- Microsoft Active Directory
- Exchange Server
To begin, Progent followed ransomware incident response best practices by halting lateral movement and disinfecting systems. Progent then began the task of bringing Microsoft Active Directory back online, the heart of enterprise networks built on Microsoft technology. Microsoft Exchange messaging will not work without Active Directory, and the customer's financial and MRP applications ran on Microsoft SQL Server, which relies on Active Directory to authenticate users to the database.
Within two days, Progent had rebuilt Active Directory to its pre-attack state. Progent then completed reinstallations and hard drive recovery of key servers. All Exchange links and attributes in Active Directory were intact, which simplified the restore of Exchange. Progent was also able to locate local OST files (Outlook Offline Data Files) on staff workstations to recover email data. A recent offline backup of the customer's accounting/MRP software made it possible to bring these essential applications back to users. Although significant work remained to recover completely from the Ryuk attack, core services were returned to operation rapidly:
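The OST recovery step above depends on knowing which workstation mailbox caches are still readable. The following PowerShell inventory is an added example, not Progent's tooling: it lists Outlook OST/PST files under the default profile locations (an assumption; adjust the roots for your environment) and flags files whose first four bytes no longer carry the Outlook data file signature, so recovery effort can go to the copies that survived.

```powershell
# Added example (not Progent's tooling): inventory Outlook OST/PST files on a
# workstation and flag those whose header no longer matches the Outlook data
# file format, as a quick triage of which mailbox caches survived encryption.
# Assumes Outlook's default profile locations; adjust $Roots for the environment.
$Roots = @(
    'C:\Users\*\AppData\Local\Microsoft\Outlook',   # default OST location
    'C:\Users\*\Documents\Outlook Files'             # default PST location
)
# Every PST/OST file starts with the 4-byte magic value "!BDN" (0x21 0x42 0x44 0x4E).
$Magic = [byte[]](0x21, 0x42, 0x44, 0x4E)

function Test-OutlookDataFileHeader {
    param([Parameter(Mandatory)][string]$Path)
    $buf = New-Object byte[] 4
    # Open with shared read/write so a running Outlook holding the file does not block us.
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $read = $fs.Read($buf, 0, 4)
    } finally {
        $fs.Dispose()
    }
    if ($read -lt 4) { return $false }
    for ($i = 0; $i -lt 4; $i++) {
        if ($buf[$i] -ne $Magic[$i]) { return $false }
    }
    return $true
}

$report = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Include *.ost, *.pst -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Computer     = $env:COMPUTERNAME
                Path         = $_.FullName
                SizeMB       = [math]::Round($_.Length / 1MB, 1)
                LastWrite    = $_.LastWriteTime
                HeaderIntact = Test-OutlookDataFileHeader -Path $_.FullName
            }
        }
}

# Intact files first, largest first, then a CSV so results from many workstations can be merged.
$report | Sort-Object HeaderIntact, SizeMB -Descending | Format-Table -AutoSize
$report | Export-Csv -Path "$env:TEMP\ost-inventory-$env:COMPUTERNAME.csv" -NoTypeInformation
```

The header check only detects files whose leading bytes were overwritten; an encryptor that leaves the first sector untouched would still need a full open in Outlook or a mailbox repair tool to confirm the file is usable.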
"For the most part, the production manufacturing operation showed little impact and we produced all customer orders."
Over the following month, key milestones in the recovery project were completed in close cooperation between Progent team members and the client:
- Self-hosted web applications were restored with no loss of information.
- The MailStore archive server for Exchange, holding more than 4 million archived messages, was brought back online and made accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable/AR/Inventory functions were 100% restored.
- A new Palo Alto 850 firewall was installed and configured.
- Nearly all of the desktops and laptops were back in operation.
"Much of what happened in the early hours is mostly a fog for me, but I will not forget the care all of the team put in to help get our business back. I have utilized Progent for the past ten years, possibly more, and each time I needed help Progent has come through and delivered. This situation was no exception but maybe more Herculean."
A potential business-ending catastrophe was averted thanks to hard-working professionals, a wide array of technical expertise, and tight collaboration. In hindsight, the ransomware intrusion described here should have been stopped by current security technology, ISO/IEC 27001 best practices, staff training, well thought out incident response procedures for data protection, and proper patching controls. The reality remains, however, that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and will keep attacking. If you are hit by a crypto-ransomware incident, you can be confident that Progent's team of experts has a proven track record in ransomware blocking, remediation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were contributing), I'm grateful for making it so I could get rested after we got past the most critical parts. All of you did an incredible effort, and if anyone is visiting the Chicago area, a great meal is my treat!"
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Services in Jersey City
For ransomware cleanup consulting services in the Jersey City metro area, phone Progent at 800-462-8800 or visit Contact Progent.