Crypto-Ransomware : Your Feared Information Technology Disaster
Crypto-ransomware has become an escalating cyberplague that represents an existential threat to organizations unprepared for an attack. Multiple generations of crypto-ransomware such as CrySIS, WannaCry, Bad Rabbit, SamSam and MongoLock have been around for years and still cause havoc. Newer families such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nefilim, along with a steady stream of unnamed newcomers, not only encrypt online files but also seek out and encrypt any backups they can reach. Data synchronized to off-site disaster recovery sites can be encrypted as well. With a poorly architected data protection solution, this can render restore operations useless and effectively knock the datacenter back to zero.
Recovering applications and data after a ransomware attack becomes a race against time as the targeted organization tries to stop the spread, eradicate the ransomware, and restore business-critical activity. Because encrypting an entire network takes time, attacks are frequently launched at night and on weekends, when they typically take longer to notice. This compounds the difficulty of rapidly mobilizing and organizing a knowledgeable response team.
Progent offers a range of services for protecting Thousand Oaks businesses against ransomware. These include user education to help staff recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security solutions with machine learning capabilities to rapidly detect and disable zero-day threats. Progent can also provide veteran ransomware recovery consultants with the skills and commitment to restore a compromised environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
Even paying the ransom in Bitcoin does not guarantee that the criminals will hand over the keys needed to decrypt your data. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their files after sending off the ransom, compounding their losses. Paying is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the average crypto-ransomware demand, which ZDNet estimated at approximately $13,000 for smaller businesses. The alternative is to rebuild the essential parts of your IT environment from scratch. Without usable backups, this calls for a wide complement of IT skills, well-coordinated project management, and the willingness to work around the clock until the recovery project is finished.
For two decades, Progent has provided professional IT services to companies across the US and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who hold high-level industry certifications in leading technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security specialists hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial management and ERP software. This breadth of expertise allows Progent to efficiently identify critical systems and reassemble the surviving parts of your IT environment into a functioning network after a ransomware attack.
Progent's recovery team uses established project management tools to coordinate the complicated restoration process. Progent appreciates the importance of acting quickly and working together with the customer's management and IT staff to prioritize tasks and bring the most important applications back online as fast as possible.
Customer Story: A Successful Ransomware Attack Restoration
A customer sought out Progent after their organization was brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because of code it shares with the Hermes ransomware; subsequent research instead links it to a Russian-speaking criminal group, and its operators are suspected of adopting techniques leaked from the U.S. NSA. Ryuk targets specific organizations with little or no tolerance for operational disruption and is one of the most lucrative ransomware families. Headline targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer in the Chicago metro area with about 500 staff members. The Ryuk intrusion had halted all business operations and manufacturing processes. Most of the client's backups had been online at the time of the attack and were encrypted. The client was actively seeking loans to pay the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent instead.
"I can't speak enough in regards to the expertise Progent gave us throughout the most stressful time of (our) business's life. We would have paid the criminal gangs if not for the confidence the Progent group gave us. That you could get our e-mail system and critical applications back faster than a week was incredible. Each consultant I worked with or e-mailed at Progent was amazingly focused on getting our company operational and was working day and night to bail us out."
Progent worked with the client to quickly identify and prioritize the key areas that had to be recovered before business operations could resume:
- Active Directory
- Electronic Messaging
- Accounting and Manufacturing Software
To start, Progent followed incident response best practices by containing lateral movement and cleaning the infected systems. Progent then began restoring Active Directory, the core of any enterprise network built on Microsoft Windows. Exchange cannot run without Active Directory, and the customer's financial and MRP applications depended on Microsoft SQL Server, which relied on Active Directory for authentication and authorization to the database.
Within two days, Progent restored Active Directory to its pre-attack state, then began reinstallations and storage recovery on the most important systems. The Exchange Server schema and attributes in Active Directory were intact, which simplified the rebuild of Exchange. Progent also located unencrypted OST files (Outlook offline data files) on a number of PCs and used them to recover mail data. A fairly recent offline backup of the client's accounting software made it possible to bring those vital services back online. Although considerable work remained to recover fully from Ryuk, critical services were restored quickly:
"For the most part, the manufacturing operation showed little impact and we produced all customer sales."
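The mail recovery step above, locating workstation OST caches that escaped encryption, can be scripted. The following Python example is added here and is not Progent's tooling or part of the original write-up. It walks a directory tree (for instance a share onto which the PCs' Outlook profiles have been copied), picks out files whose name contains an .ost or .pst component (so a cache that the ransomware renamed with an extra extension is still found), and checks the first four bytes against the "!BDN" signature that every Outlook data file begins with. Files that keep the signature are recovery candidates; files that lost it are assumed overwritten and only logged. The sample tree the demo builds is constructed for the demonstration and is not client data.

```python
"""Triage Outlook data files (OST/PST) after a ransomware incident.

Added example; not part of the original case study. Files whose first four
bytes are the PST/OST signature "!BDN" are bucketed as 'intact' (candidates
for mail recovery); any other .ost/.pst file is bucketed as 'damaged'.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Signature at offset 0 of every Outlook PST/OST file (ANSI and Unicode formats).
OUTLOOK_MAGIC = b"!BDN"

# Matches "mail.ost", "archive.pst", and "mail.ost.<anything>" (a renamed
# encrypted copy), but not "most.txt" or "report.pstx".
OUTLOOK_NAME = re.compile(r"\.(ost|pst)(\.|$)", re.IGNORECASE)


def is_intact_outlook_file(path: Path) -> bool:
    """True if the file still starts with the PST/OST signature."""
    try:
        with path.open("rb") as fh:
            return fh.read(len(OUTLOOK_MAGIC)) == OUTLOOK_MAGIC
    except OSError:
        # Unreadable (locked, permission denied): treat as not recoverable here.
        return False


def triage_outlook_files(root: Path) -> Dict[str, List[Path]]:
    """Walk `root` and bucket every Outlook data file as 'intact' or 'damaged'."""
    buckets: Dict[str, List[Path]] = {"intact": [], "damaged": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not OUTLOOK_NAME.search(name):
                continue
            path = Path(dirpath) / name
            key = "intact" if is_intact_outlook_file(path) else "damaged"
            buckets[key].append(path)
    return buckets


def build_sample_tree(root: Path) -> None:
    """Constructed sample data (not real client files): one intact OST,
    one OST whose header was overwritten and which was renamed with an
    extra extension, and two unrelated files that must be ignored."""
    (root / "pc01").mkdir(parents=True)
    (root / "pc01" / "outlook.ost").write_bytes(OUTLOOK_MAGIC + b"\x17\x00" + b"\x00" * 60)
    (root / "pc02").mkdir(parents=True)
    (root / "pc02" / "outlook.ost.encrypted").write_bytes(b"\x8f\x13\xa0\x77" + b"\x00" * 60)
    (root / "pc02" / "notes.txt").write_bytes(b"not a mailbox")
    (root / "pc02" / "most.txt").write_bytes(b"name contains 'ost' but is not an OST")


def demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temp directory and return file names per bucket."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        buckets = triage_outlook_files(root)
        return {key: sorted(p.name for p in paths) for key, paths in buckets.items()}


if __name__ == "__main__":
    for key, names in demo().items():
        print(f"{key}: {names}")
```

Point the script at the collected profile copies rather than at live workstations where possible: an OST that Outlook still has open cannot be read, and a machine that has not yet been cleaned should not be mounted from the recovery host at all. A signature match only shows that the file header survived; the recovered OST still has to be opened in Outlook or exported with a dedicated tool, and mail newer than the last sync is not in it.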
During the following month critical milestones in the restoration process were completed in close collaboration between Progent consultants and the customer:
- Self-hosted web sites were restored without losing any information.
- The MailStore Server archive, holding more than four million emails, was brought back online and made accessible to users.
- CRM/Customer Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory capabilities were fully operational.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Nearly all desktops and laptops were back in use by staff.
"Much of what occurred in the early hours is mostly a blur for me, but we will not forget the commitment all of you accomplished to help get our business back. I've utilized Progent for at least 10 years, possibly more, and every time Progent has shined and delivered. This time was a Herculean accomplishment."
A probable company-ending catastrophe was avoided thanks to dedicated professionals, a wide range of technical expertise, and close collaboration. In hindsight, the ransomware intrusion described here could have been blocked with current security tooling and recognized best practices: user and IT administrator training, properly executed data protection procedures, and systems kept up to date with security patches. The reality remains that criminal and state-sponsored groups from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you are hit by a ransomware incident, remember that Progent's roster of experts has proven experience in blocking, removing, and recovering from ransomware.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), I'm grateful for making it so I could get some sleep after we made it over the initial push. All of you did an impressive job, and if any of your guys is visiting the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)