Crypto-Ransomware: Your Feared IT Disaster
Ransomware has become an escalating cyberplague that poses an extinction-level danger for businesses of any size that are vulnerable to an assault. Earlier families of crypto-ransomware such as the Reveton, Fusob, Locky, Syskey and MongoLock cryptoworms have been running rampant for years and still inflict damage. Modern strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, plus a daily stream of as yet unnamed newcomers, not only encrypt online data files but also encrypt any system backup they can reach. Data replicated to off-site disaster recovery sites can be corrupted as well. In a vulnerable environment this can make automated recovery hopeless and effectively reset the network to zero.
Recovering programs and data after a crypto-ransomware event becomes a sprint against the clock as the targeted organization fights to contain the damage, eradicate the crypto-ransomware, and restore enterprise-critical operations. Because ransomware takes time to spread, attacks are often launched on weekends and holidays, when a successful intrusion is likely to go unnoticed for longer. This compounds the difficulty of promptly mobilizing and organizing a capable response team.
Progent offers a variety of services for protecting Liverpool enterprises from crypto-ransomware events. These include staff education to help employees recognize and avoid phishing exploits, and ProSight Active Security Monitoring, an endpoint detection and response service that uses SentinelOne's AI-based cyberthreat protection to detect and disable zero-day malware assaults. Progent also provides the assistance of experienced ransomware recovery engineers with the track record and commitment to restore a compromised system as quickly as possible.
Progent's Ransomware Recovery Help
Following a crypto-ransomware event, paying the ransom demand in cryptocurrency provides no assurance that the cyber criminals will respond with the keys needed to decrypt all your information. Kaspersky Labs found that seventeen percent of crypto-ransomware victims never recovered their files after paying the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET determined to be around $13,000 for smaller businesses. The fallback is to piece back together the essential parts of your Information Technology environment. Without access to essential data backups, this calls for a broad complement of skills, top-notch project management, and the capability to work 24x7 until the task is complete.
For twenty years, Progent has provided expert IT services for companies across the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold top certifications in leading technologies from Microsoft, Cisco and VMware and in major distributions of Linux. Progent's cyber security experts have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience with financial systems and ERP software solutions. This breadth of expertise allows Progent to quickly identify the required systems, consolidate the surviving parts of your Information Technology environment after a crypto-ransomware penetration, and reassemble them into a functioning system.
Progent's security group uses powerful project management systems to orchestrate the complex restoration process. Progent appreciates the urgency of acting rapidly and works together with a customer's management and Information Technology staff to prioritize tasks and put critical applications back online as fast as possible.
Case Study: A Successful Crypto-Ransomware Penetration Restoration
A client escalated to Progent after their company was penetrated by the Ryuk ransomware. Ryuk is believed to have been created by North Korean state-sponsored criminal groups, suspected of using tools leaked from the US NSA. Ryuk targets organizations with little or no tolerance for disruption and is one of the most profitable ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturer located in Chicago with around 500 employees. The Ryuk attack had frozen all company operations and manufacturing processes. Most of the client's backups had been online at the time of the intrusion and were encrypted. The client considered paying the ransom demand (more than $200,000) and hoping for the best, but ultimately called Progent.
"I can't speak enough about the care Progent provided us during the most stressful period of (our) business's life. We would have had little choice but to pay the hackers behind this attack if not for the confidence the Progent team gave us. That you could get our e-mail and important servers back in less than five days was incredible. Every single staff member I worked with or communicated with at Progent was amazingly focused on getting our company operational and was working 24/7 to bail us out."
Progent worked hand in hand with the client to quickly assess and prioritize the key elements that had to be recovered in order to resume departmental operations:
- Active Directory
- Electronic Mail
To start, Progent followed ransomware incident response industry best practices by stopping lateral movement and clearing infected systems. Progent then began recovering Active Directory, the foundation of enterprise networks built on Microsoft technology. Microsoft Exchange messaging will not work without Active Directory, and the customer's financial and MRP applications relied on Microsoft SQL Server, which depends on Active Directory for authentication to the database.
In less than two days, Progent rebuilt Windows Active Directory to its pre-attack state. Progent then completed setup and storage recovery on essential servers. All Microsoft Exchange Server schema extensions and attributes were intact, which facilitated the rebuild of Exchange. Progent located intact OST files (Outlook offline folder files) on various desktop computers and laptops and used them to recover mailbox data. A reasonably recent offline backup of the customer's financials/ERP systems made it possible to bring these essential services back online. Although major work remained to recover completely from the Ryuk attack, essential services were restored rapidly:
"For the most part, the assembly line operation showed little impact and we delivered all customer sales."
Over the following month, key milestones in the restoration process were reached through close collaboration between Progent engineers and the customer:
- Self-hosted web applications were restored with no loss of information.
- The MailStore Exchange Server containing more than 4 million archived messages was brought online and accessible to users.
- CRM/Orders/Invoicing/AP/Accounts Receivable/Inventory capabilities were 100% recovered.
- A new Palo Alto Networks 850 firewall was brought online.
- Nearly all of the user desktops were operational.
"So much of what transpired during the initial response is nearly entirely a haze for me, but we will not forget the urgency each and every one of your team put in to help get our company back. I've utilized Progent for at least 10 years, maybe more, and every time I needed help Progent has come through and delivered. This situation was a testament to your capabilities."
A probable company-ending catastrophe was avoided thanks to results-oriented experts, a broad spectrum of IT skills, and close collaboration. Forensic analysis completed afterward showed that the ransomware attack described here could have been identified and blocked with modern security systems, NIST Cybersecurity Framework best practices, staff training, and properly executed procedures for data backup and patch management. Nevertheless, state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and remain an ongoing threat. If you do fall victim to a ransomware incursion, be assured that Progent's roster of professionals has extensive experience in crypto-ransomware defense, remediation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thank you for letting me get some sleep after we got over the initial fire. All of you did an impressive job, and if anyone that helped is around the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Restoration Consulting in Liverpool
For ransomware recovery consulting services in the Liverpool area, call Progent at 800-462-8800 or visit Contact Progent.