Crypto-Ransomware: Your Worst IT Nightmare
Crypto-ransomware has become an all-too-frequent cyberplague that represents an existential danger for organizations unprepared for an attack. Multiple generations of crypto-ransomware such as the CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been around for years and still cause havoc. More recent ransomware families such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Nephilim, plus a steady stream of as-yet-unnamed variants, not only encrypt online files but also compromise any system protections they can reach. Files synched to cloud environments can also be encrypted. In a vulnerable environment, this can render any restore operation impossible and effectively sets the network back to zero.
Bringing online services and data back following a ransomware intrusion becomes a sprint against time, as the victim tries to stop lateral movement, clear the ransomware and resume mission-critical operations. Because crypto-ransomware needs time to move laterally, attacks are frequently launched during weekends and nights, when intrusions tend to take longer to identify. This multiplies the difficulty of promptly assembling and organizing a qualified mitigation team.
Progent offers a variety of services for securing Tukwila organizations against ransomware attacks. Among these are user education to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of modern security solutions with machine learning capabilities to automatically detect and extinguish zero-day threats. Progent also provides the assistance of veteran ransomware recovery consultants with the skills and commitment to reconstruct a breached network as quickly as possible.
Progent's Crypto-Ransomware Restoration Help
After a ransomware event, paying the ransom in cryptocurrency gives no assurance that the criminal gang will respond with the keys needed to decrypt any or all of your data. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC (between $120,000 and $400,000). This is far higher than the average ransomware demand, which ZDNET determined to be around $13,000 for small businesses. The other path is to re-install the key components of your IT environment. Without access to full data backups, this requires a broad range of skills, well-coordinated project management, and the capacity to work 24x7 until the task is done.
For two decades, Progent has provided certified expert IT services for companies throughout the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold advanced industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have earned internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has expertise in accounting and ERP application software. This breadth of expertise gives Progent the ability to understand the systems that matter, organize the remaining pieces of your IT environment after a ransomware penetration, and assemble them back into an operational network.
Progent's security group uses state-of-the-art project management applications to orchestrate the complex restoration process. Progent knows the importance of working swiftly and together with a customer's management and IT resources to prioritize tasks and to bring key services back online as soon as humanly possible.
Business Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A customer sought out Progent after their company was taken over by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean government-sponsored hackers, suspected of using techniques leaked from the United States National Security Agency. Ryuk seeks out specific businesses with little tolerance for disruption and is one of the most profitable ransomware families. Notable targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business in the Chicago metro area with about 500 workers. The Ryuk intrusion had shut down all business operations and manufacturing processes. Most of the client's system backups had been online at the start of the intrusion and were destroyed. The client considered paying the ransom demand (in excess of $200K) and hoping for good luck, but ultimately engaged Progent.
"I can't speak enough in regards to the support Progent gave us throughout the most fearful period of (our) business's existence. We may have had to pay the Hackers if it wasn't for the confidence the Progent team gave us. That you could get our e-mail and key servers back sooner than one week was earth shattering. Every single consultant I interacted with or messaged at Progent was urgently focused on getting my company operational and was working all day and night to bail us out."
Progent worked together with the client to quickly identify and prioritize the mission-critical areas that had to be recovered in order to continue business operations:
- Windows Active Directory
- Microsoft Exchange Server
- MRP System
To start, Progent followed malware incident response best practices by halting lateral movement and cleaning up compromised systems. Progent then began rebuilding Microsoft Active Directory, the heart of enterprise systems built on Microsoft Windows technology. Microsoft Exchange Server email will not work without AD, and the client's MRP system relied on SQL Server, which requires Windows AD for access to the data.
In less than two days, Progent was able to recover Active Directory to its pre-intrusion state. Progent then began reinstallations and storage recovery on essential systems. All Exchange attributes and links in AD were intact, which accelerated the restoration of Exchange. Progent was also able to locate intact OST files (Outlook Offline Data Files) on user PCs and laptops in order to recover email data. A recent offline backup of the customer's accounting/MRP systems allowed these essential services to be restored and made available to users. Although significant work remained to recover fully from the Ryuk attack, critical systems were restored quickly:
"For the most part, the production line operation survived unscathed and we did not miss any customer orders."
Over the next month, key milestones in the restoration process were reached in close cooperation between Progent consultants and the client:
- Internal web applications were restored with no loss of data.
- The MailStore Server with over 4 million historical emails was brought online and available for users.
- CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory capabilities were fully restored.
- A new Palo Alto Networks 850 firewall was installed and configured.
- Ninety percent of the user desktops were operational.
"A lot of what transpired that first week is mostly a blur for me, but I will not forget the dedication each of you accomplished to help get our company back. I've trusted Progent for the past ten years, possibly more, and each time Progent has shined and delivered as promised. This time was a Herculean accomplishment."
A likely business disaster was averted with top-tier experts, a broad spectrum of knowledge, and tight teamwork. Although in retrospect the crypto-ransomware incident described here could have been stopped with advanced security technology and best practices, user training, and properly executed procedures for data protection and software patching, the reality is that state-sponsored hackers from Russia, China and elsewhere are relentless and are not going away. If you do get hit by a crypto-ransomware penetration, you can be confident that Progent's team of experts has a proven track record in ransomware defense, cleanup, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for allowing me to get rested after we got past the first week. All of you did an incredible effort, and if anyone that helped is visiting the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this customer story, click: Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB).