Crypto-Ransomware: Your Crippling IT Nightmare
Ransomware has become an escalating cyber pandemic that poses an existential threat to businesses unprepared for an assault. Versions of crypto-ransomware like the Reveton, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been out in the wild for a long time and continue to inflict destruction. Newer variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, as well as other variants that have not yet been named, not only encrypt on-line information but also disable or destroy any system protection mechanisms they can reach, such as backups and shadow copies. Files synchronized to cloud environments can also be ransomed. In a poorly designed data protection solution, this can make automated restoration useless and effectively knocks the network back to square one.
Recovering programs and data after a ransomware intrusion becomes a sprint against time as the victim tries to stop the spread, clear the ransomware and resume business-critical operations. Because ransomware requires time to spread, attacks are often launched on weekends, when a successful penetration may take longer to discover. This multiplies the difficulty of promptly marshalling and coordinating a knowledgeable response team.
Progent offers a variety of services for securing Tukwila enterprises against ransomware penetrations. These include user training to help staff identify and avoid phishing exploits, and ProSight Active Security Monitoring, an endpoint detection and response service that uses SentinelOne's behavior-based cyberthreat defense to discover and extinguish zero-day malware assaults. Progent can in addition provide the assistance of experienced crypto-ransomware recovery engineers with the track record and perseverance to rebuild a breached network as quickly as possible.
Progent's Ransomware Recovery Services
After a ransomware penetration, even paying the ransom in cryptocurrency does not ensure that the attackers will respond with the keys needed to decrypt any or all of your data. Kaspersky estimated that seventeen percent of ransomware victims never restored their information even after having paid the ransom, compounding their losses. Paying is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly above typical crypto-ransomware demands, which ZDNET determined to be in the range of $13,000 for smaller organizations. The alternative is to rebuild the critical elements of your Information Technology environment. Without complete information backups available, this requires a wide range of IT skills, professional team management, and the willingness to work 24x7 until the task is finished.
For two decades, Progent has offered certified expert IT services to businesses throughout the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who hold advanced certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have earned internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience with accounting and ERP applications. This breadth of expertise gives Progent the capability to efficiently understand critical systems, organize the surviving components of your IT system following a ransomware attack, and rebuild them into a functioning environment.
Progent's ransomware team uses top-notch project management applications to orchestrate the complex recovery process. Progent knows the importance of acting swiftly and in concert with a customer's management and Information Technology staff to prioritize tasks and to get essential services back on line as fast as humanly possible.
Business Case Study: A Successful Ransomware Attack Recovery
A client engaged Progent after their organization was attacked by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state criminal gangs, possibly using strategies leaked from the U.S. National Security Agency. Ryuk seeks out specific organizations with little ability to sustain operational disruption and is among the most lucrative instances of crypto-ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturer in the Chicago metro area with around 500 employees. The Ryuk penetration had disabled all essential operations and manufacturing processes. Most of the client's backups had been online at the beginning of the attack and were eventually encrypted. The client was pursuing financing to pay the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.
"I cannot tell you enough in regard to the care Progent gave us throughout the most stressful period of (our) company's life. We would have had little choice but to pay the cybercriminals if it weren't for the confidence the Progent team gave us. That you could get our e-mail and key applications back into operation in less than five days was beyond my wildest dreams. Each consultant I got help from or e-mailed at Progent was amazingly focused on getting us working again and was working non-stop on our behalf."
Progent worked with the client to quickly identify and prioritize the most important services that needed to be recovered in order to restart company operations:
To begin, Progent followed ransomware incident response best practices by isolating infected systems and removing the active malware. Progent then began the task of recovering Windows Active Directory, the foundation of enterprise environments built on Microsoft Windows Server technology. Exchange email will not operate without AD, and the customer's MRP software relied on SQL Server, which depends on Windows AD for authentication to the data.
- Active Directory (AD)
Within two days, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then moved on to setup and hard drive recovery for the most important applications. All Exchange schema and attributes were usable, which greatly helped the rebuild of Exchange. Progent was also able to locate intact OST data files (Outlook Offline Folder Files) on user PCs in order to recover mail information. A recent offline backup of the customer's accounting/ERP software allowed these essential services to be brought back online. Although a lot of work remained to recover completely from the Ryuk attack, core services were returned to operation quickly:
"For the most part, the production line operation was never shut down and we produced all customer deliverables."
Over the next couple of weeks, important milestones in the recovery process were completed in close cooperation between Progent consultants and the customer:
- Self-hosted web sites were restored without losing any data.
- The MailStore Server archive, containing more than 4 million historical messages, was brought online and made available to users.
- CRM/Orders/Invoices/AP/AR/Inventory capabilities were completely restored.
- A new Palo Alto 850 security appliance was brought online.
- Ninety percent of the user desktops and notebooks were operational.
"A lot of what transpired in the initial days is mostly a blur for me, but my team will not forget the dedication each and every one of you accomplished to help get our company back. I have been working together with Progent for the past 10 years, possibly more, and each time Progent has impressed me and delivered. This event was a testament to your capabilities."
A potential business disaster was avoided thanks to top-tier professionals, a wide array of technical expertise, and tight collaboration. A post-incident analysis showed that the crypto-ransomware penetration described here would have been identified and prevented by modern cyber security systems and ISO/IEC 27001 best practices, team education, appropriate security procedures for information protection, and proper patching controls. The reality, however, is that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and remain an ongoing threat. If you do fall victim to ransomware, you can be confident that Progent's roster of experts has extensive experience in ransomware blocking, mitigation, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), I'm grateful for letting me get rested after we made it through the initial push. All of you made a fabulous effort, and if any of you guys are visiting the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Consulting Services in Tukwila
For ransomware system restoration expertise in the Tukwila metro area, call Progent at 800-462-8800 or visit Contact Progent.