Crypto-Ransomware : Your Feared IT Catastrophe
Ransomware has become an all-too-frequent cyberplague that presents an enterprise-level danger for organizations unprepared for an assault. Crypto-ransomware families such as CryptoLocker, Fusob, Locky, Syskey and MongoLock, along with cryptoworms, have been replicating for years and still inflict harm. More recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, as well as unnamed newcomers, not only encrypt online data but also attack whatever system protection they can reach. Data replicated to off-site disaster recovery sites can also be ransomed. With a vulnerable data protection solution, this can render automated recovery hopeless and effectively knocks the network back to zero.
Getting applications and information back after a crypto-ransomware intrusion becomes a race against time as the victim struggles to stop the spread, eradicate the ransomware, and resume business-critical operations. Because ransomware needs time to spread, attacks are usually sprung at night, when they may take longer to detect. This multiplies the difficulty of promptly marshalling and orchestrating an experienced response team.
Progent offers an assortment of services for securing Liverpool enterprises against ransomware penetrations. These include staff training to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security appliances with AI capabilities to intelligently detect and extinguish zero-day cyber attacks. Progent also offers the assistance of seasoned ransomware recovery consultants with the skills and commitment to restore a compromised system as quickly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware event, paying the ransom in Bitcoin does not ensure that merciless criminals will return the keys needed to decrypt your information. Kaspersky Labs estimated that 17% of crypto-ransomware victims never restored their files after paying the ransom, resulting in increased losses. The ransom itself is also expensive: Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000), significantly higher than the usual ransomware demand, which ZDNet estimated at around $13,000 for small organizations. The alternative is to piece back together the essential elements of your IT environment. Without access to full data backups, this requires a wide complement of skills, professional project management, and the willingness to work non-stop until the job is finished.
For twenty years, Progent has offered certified expert IT services for businesses across the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have earned advanced certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC (refer to Progent's certifications). Progent also has experience in financial management and ERP software solutions. This breadth of experience gives Progent the capability to quickly identify necessary systems, consolidate the remaining pieces of your IT environment following a crypto-ransomware attack, and assemble them into an operational system.
Progent's security team uses top-notch project management applications to coordinate the complex recovery process. Progent appreciates the urgency of working swiftly and in concert with a customer's management and IT team members to assign priority to tasks and to get essential applications back on-line as fast as humanly possible.
Business Case Study: A Successful Crypto-Ransomware Incident Response
A business sought out Progent after their network was taken over by Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state-sponsored hackers, suspected of using approaches leaked from America's NSA. Ryuk seeks specific organizations with little or no tolerance for disruption and is among the most profitable incarnations of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturer located in Chicago with around 500 workers. The Ryuk attack had paralyzed all essential operations and manufacturing capabilities. Most of the client's data backups had been on-line at the start of the intrusion and were damaged. The client was preparing to pay the ransom (more than $200,000) and hoping for the best, but in the end reached out to Progent.
"I cannot thank you enough for the support Progent gave us throughout the most fearful period of (our) business's life. We most likely would have paid the criminal gangs if it wasn't for the confidence the Progent group gave us. That you could get our e-mail and essential applications back in less than 1 week was earth shattering. Each expert I interacted with or texted at Progent was totally committed to getting us restored and was working all day and night on our behalf."
Progent worked hand in hand with the client to quickly understand and prioritize the mission-critical services that needed to be restored in order to restart departmental functions:
- Microsoft Active Directory
- MRP System
To begin, Progent followed anti-virus/malware incident response best practices by halting lateral movement and disinfecting systems. Progent then began the task of recovering Microsoft Active Directory, the foundation of enterprise systems built on Microsoft technology. Microsoft Exchange messaging will not work without Active Directory, and the business's accounting and MRP software used Microsoft SQL Server, which requires Active Directory services for authentication to the databases.
Within 48 hours, Progent was able to rebuild Active Directory to its pre-attack state. Progent then helped rebuild critical systems and recover their hard drives. All Microsoft Exchange Server data and attributes were usable, which accelerated the rebuild of Exchange. Progent was able to locate intact OST files (Microsoft Outlook Offline Folder Files) on user workstations to recover email. A recent off-line backup of the client's financials/ERP software made it possible to return these required services to users. Although major work remained to recover fully from the Ryuk damage, core systems were returned to operation quickly:
"For the most part, the production line operation was never shut down and we produced all customer sales."
During the next month, key milestones in the recovery project were reached through close cooperation between Progent consultants and the customer:
- Internal web sites were returned to operation with no loss of information.
- The MailStore archive for Microsoft Exchange Server, holding more than four million archived messages, was brought on-line and made available to users.
- CRM/Orders/Invoices/AP/Accounts Receivables/Inventory functions were completely operational.
- A new Palo Alto 850 firewall was installed.
- 90% of the user desktops and notebooks were back in operation.
"A lot of what transpired that first week is mostly a haze for me, but we will not soon forget the care each and every one of you accomplished to help get our business back. I have been working together with Progent for the past ten years, possibly more, and each time I needed help Progent has come through and delivered. This situation was no exception but maybe more Herculean."
A probable enterprise-killing catastrophe was averted through the efforts of results-oriented professionals, a broad spectrum of subject matter expertise, and tight collaboration. In hindsight, the ransomware attack described here should have been identified and disabled by current cyber security solutions, NIST Cybersecurity Framework best practices, user training, and appropriate incident response procedures for data backup and patching controls; the reality remains, however, that government-sponsored hackers from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's team of professionals has substantial experience in ransomware blocking, remediation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were involved), I'm grateful for making it so I could get rested after we got through the most critical parts. All of you did a fabulous effort, and if any of you guys are in the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click: Progent's Ryuk Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Restoration Expertise in Liverpool
For ransomware system recovery consulting in the Liverpool metro area, phone Progent at 800-462-8800 or go to Contact Progent.