Crypto-Ransomware: Your Crippling Information Technology Nightmare
Ransomware has become a modern cyberplague that poses an enterprise-level danger to organizations unprepared for an attack. Versions of ransomware such as the Reveton, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been circulating for years and continue to cause harm. Newer variants such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, as well as other as yet unnamed malware, not only encrypt online data files but also corrupt any reachable system restore points and backups. Files replicated to off-site disaster recovery sites can also be rendered useless. In a poorly designed environment, this can make automated restoration impossible and effectively knocks the entire system back to zero.
Getting applications and information back online after a ransomware event becomes a race against the clock as the victim struggles to stop lateral movement, clean up the ransomware, and restore business-critical activity. Since ransomware needs time to spread, attacks are often launched at night and on weekends, when they may take longer to be noticed. This compounds the difficulty of promptly mobilizing and coordinating a capable mitigation team.
Progent offers a variety of services for protecting Tukwila organizations from ransomware intrusions. These include staff training to recognize and avoid phishing attacks, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security gateways with artificial intelligence capabilities that automatically identify and quarantine zero-day threats. Progent also provides experienced ransomware recovery engineers with the skill and commitment to rebuild a breached environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
After a crypto-ransomware attack, even paying the ransom in Bitcoin does not guarantee that the criminal gang will hand over the keys needed to decrypt all of your information. Kaspersky Labs determined that seventeen percent of crypto-ransomware victims never recovered their data after paying the ransom, resulting in additional losses. The ransom itself is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the average crypto-ransomware demand, which ZDNET found to be around $13,000 for smaller organizations. The other path is to piece the mission-critical parts of your IT environment back together. Without access to complete backups, this requires a broad set of skills, well-coordinated project management, and the capacity to work non-stop until the recovery project is finished.
For twenty years, Progent has provided professional Information Technology services to businesses throughout the United States and has achieved Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who hold high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have earned internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications.) Progent also has experience with financial systems and ERP software. This breadth of expertise allows Progent to quickly identify critical systems, reorganize the surviving parts of your network following a ransomware attack, and assemble them into a functioning environment.
Progent's security team uses best-of-breed project management systems to coordinate the complicated recovery process. Progent understands the urgency of acting quickly and in concert with a client's management and Information Technology staff to prioritize tasks and get key systems back online as fast as possible.
Customer Case Study: A Successful Ransomware Virus Restoration
A customer engaged Progent after their network was attacked by the Ryuk ransomware. Ryuk is believed to have been created by North Korean government-sponsored cybercriminals, suspected of using technology leaked from the United States National Security Agency. Ryuk targets specific companies with little tolerance for operational disruption and is one of the most profitable incarnations of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing company headquartered in Chicago with around 500 employees. The Ryuk intrusion had frozen all essential business operations and manufacturing processes. Most of the client's backups had been online at the time of the attack and were eventually encrypted. The client was preparing to pay the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.
"I can't thank you enough about the expertise Progent gave us throughout the most stressful time of (our) company's life. We may have had to pay the hackers behind this attack except for the confidence the Progent team afforded us. The fact that you could get our e-mail and production applications back on-line sooner than 1 week was beyond my wildest dreams. Every single expert I talked with or messaged at Progent was urgently focused on getting my company operational and was working 24/7 on our behalf."
Progent worked with the customer to rapidly identify and prioritize the most important applications that had to be recovered before departmental operations could resume:
- Active Directory (AD)
- Microsoft Exchange Server
- MRP System
To begin, Progent followed ransomware incident mitigation best practices by halting the spread and cleaning malware from the affected systems. Progent then began restoring Microsoft Active Directory, the foundation of enterprise networks built on Microsoft technology. Exchange email will not work without AD, and the business's financial and MRP applications used Microsoft SQL Server, which relies on Windows AD to control access to its data.
In less than two days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then reinstalled key systems and recovered their storage. All Microsoft Exchange Server connectors and configuration data were intact, which greatly simplified the rebuild of Exchange. Progent was able to locate unencrypted OST files (Outlook Offline Data Files) on various desktop computers and used them to recover mail data. A fairly recent offline backup of the business's manufacturing systems made it possible to bring these essential programs back online. Although much work remained to recover fully from the Ryuk damage, the most important systems were restored quickly:
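The mail recovery step above relied on finding workstation OST files that the ransomware had not reached. The following script is an added example written for this page, not a Progent tool: it walks a directory tree, finds Outlook OST/PST files (including ones whose names carry an extra appended extension), and classifies each by whether it still begins with the Outlook personal-folder signature `!BDN`. An intact signature marks a candidate for mailbox recovery; an overwritten header means the file has almost certainly been encrypted. The sample directory tree it builds is constructed for the demonstration.

```python
"""Triage Outlook OST/PST files on a workstation after a ransomware event.

Added example, not part of the original case study. It checks the first
four bytes of each candidate file against the Outlook personal-folder
signature "!BDN" (hex 21 42 44 4E) that every OST and PST file starts with.
"""
import os
import tempfile
from pathlib import Path

OUTLOOK_MAGIC = b"!BDN"


def classify_mail_store(path: str) -> str:
    """Return 'intact', 'likely-encrypted', 'truncated' or 'unreadable' for one file."""
    try:
        with open(path, "rb") as f:
            header = f.read(len(OUTLOOK_MAGIC))
    except OSError:
        return "unreadable"
    if len(header) < len(OUTLOOK_MAGIC):
        return "truncated"
    # Ransomware that encrypts a file overwrites its header, so the magic disappears.
    return "intact" if header == OUTLOOK_MAGIC else "likely-encrypted"


def scan_for_mail_stores(root) -> dict:
    """Walk `root` and group every OST/PST file it finds by its classification."""
    results = {"intact": [], "likely-encrypted": [], "truncated": [], "unreadable": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            lower = name.lower()
            # Match ".ost"/".pst" anywhere in the name, not only as the final
            # extension, so a renamed file such as "archive.pst.locked" is still found.
            if ".ost" in lower or ".pst" in lower:
                full = os.path.join(dirpath, name)
                results[classify_mail_store(full)].append(full)
    return results


def build_sample_tree(base) -> Path:
    """Constructed sample data: one intact OST, one with an overwritten header, one unrelated file."""
    base = Path(base)
    (base / "user1").mkdir(parents=True, exist_ok=True)
    (base / "user2").mkdir(parents=True, exist_ok=True)
    (base / "user1" / "mailbox.ost").write_bytes(OUTLOOK_MAGIC + b"\x00" * 60)
    # Deterministic non-magic bytes stand in for an encrypted header.
    (base / "user2" / "archive.pst.locked").write_bytes(bytes(range(64)))
    (base / "user2" / "notes.txt").write_bytes(b"unrelated file")
    return base


def demo() -> dict:
    """Build the sample tree in a temp dir, scan it, and return base names per class."""
    with tempfile.TemporaryDirectory() as tmp:
        results = scan_for_mail_stores(build_sample_tree(tmp))
        return {k: sorted(os.path.basename(p) for p in v) for k, v in results.items()}


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category:17s} {names}")
```

On a real workstation the scan root would be the user profile directory (for example the Outlook data folder under each profile); the header check is cheap enough to run across every profile on every machine, and the `intact` list is the set of files worth copying to a clean system for mailbox reconstruction.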
"For the most part, the production manufacturing operation survived unscathed and we produced all customer shipments."
Over the next month critical milestones in the recovery process were completed through tight cooperation between Progent team members and the customer:
- Internal web sites were restored with no loss of data.
- The MailStore Server containing more than 4 million historical messages was restored to operations and available for users.
- CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivable (AR)/Inventory modules were fully functional.
- A new Palo Alto 850 firewall was brought online.
- Ninety percent of the user PCs were operational.
"So much of what went on during the initial response is nearly entirely a haze for me, but my team will not soon forget the countless hours all of the team put in to help get our company back. I have trusted Progent for the past 10 years, possibly more, and every time Progent has outperformed my expectations and delivered as promised. This time was a Herculean accomplishment."
A possible business catastrophe was averted thanks to hard-working professionals, a broad array of expertise, and close collaboration. Although, in hindsight, the ransomware attack described here should have been prevented by modern security technology, NIST Cybersecurity Framework best practices, user and IT administrator education, and well-designed procedures for data backup and software patching, the fact remains that state-sponsored hackers from Russia, North Korea and elsewhere are tireless and will keep attacking. If you are hit by a ransomware intrusion, you can be confident that Progent's team of experts has a proven track record in ransomware blocking, removal, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thanks very much for making it so I could get rested after we got past the initial push. Everyone did an impressive effort, and if anyone is around the Chicago area, dinner is my treat!"
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Expertise in Tukwila
For ransomware cleanup consulting in the Tukwila area, call Progent at 800-462-8800 or see Contact Progent.