Crypto-Ransomware: Your Crippling Information Technology Disaster
Crypto-ransomware has become an escalating cyber plague that poses an existential danger to businesses of all sizes that are unprepared for an attack. Multiple generations of ransomware, including the CrySIS, Fusob, Locky, Syskey and MongoLock cryptoworms, have been around for years and still cause harm. More recent strains such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Nephilim, along with the as yet unnamed variants that appear daily, not only encrypt online files but also infect any system backups they can reach. Data synchronized to off-site disaster recovery sites can also be ransomed. In a vulnerable environment this can make recovery hopeless and effectively knocks the datacenter back to zero.
Restoring programs and data following a ransomware attack becomes a sprint against time as the victim fights to contain and clean up the crypto-ransomware and to resume enterprise-critical activity. Because ransomware needs time to spread, penetrations are frequently sprung on weekends, when successful attacks typically take longer to notice. This compounds the difficulty of quickly mobilizing and organizing a qualified mitigation team.
Progent provides a variety of help services for protecting Thousand Oaks businesses from crypto-ransomware penetrations. Among these are user training to recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security solutions with AI capabilities that intelligently identify and extinguish zero-day threats. Progent also offers the services of veteran crypto-ransomware recovery professionals with the skills and commitment to rebuild a breached network as rapidly as possible.
Progent's Ransomware Recovery Help
After a ransomware penetration, paying the ransom in cryptocurrency does not ensure that merciless criminals will provide the keys needed to decrypt all your files. Kaspersky Labs found that seventeen percent of ransomware victims never restored their data even after paying the ransom, compounding their losses. The ransom itself is also very costly. Ryuk ransoms often range from 15 to 40 BTC ($120,000 to $400,000). This is far higher than typical crypto-ransomware demands, which ZDNET estimated at around $13,000 for small organizations. The alternative is to piece the critical components of your IT environment back together. Without essential data backups available, this calls for a wide complement of skills, professional project management, and the ability to work continuously until the recovery project is done.
For decades, Progent has made available certified expert Information Technology services for businesses throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have attained high-level certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have earned internationally-renowned certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise in accounting and ERP application software. This breadth of experience gives Progent the capability to rapidly identify necessary systems and organize the surviving parts of your IT system after a crypto-ransomware attack and rebuild them into a functioning system.
Progent's ransomware group uses state-of-the-art project management systems to coordinate the sophisticated restoration process. Progent knows the urgency of acting swiftly and working together with a customer's management and IT team members to prioritize tasks and to get the most important systems back online as fast as possible.
Customer Case Study: A Successful Crypto-Ransomware Virus Restoration
A client contacted Progent after their organization was taken over by Ryuk ransomware. Ryuk is thought to have been developed by North Korean government-sponsored cybercriminals, suspected of adopting techniques leaked from America's NSA. Ryuk targets specific businesses with little tolerance for operational disruption and is one of the most lucrative ransomware variants. Headline targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing company located in the Chicago metro area with about 500 staff members. The Ryuk attack had disabled all company operations and manufacturing capabilities. Most of the client's backups had been online at the start of the intrusion and were encrypted. The client considered paying the ransom (in excess of $200,000) and hoping for the best, but ultimately reached out to Progent.
"I cannot say enough about the support Progent gave us during the most fearful period of (our) company's existence. We would have had little choice but to pay the hackers if not for the confidence the Progent group gave us. That you could get our messaging and important servers back online in less than seven days was beyond my wildest dreams. Every single consultant I got help from or texted at Progent was urgently focused on getting us operational and was working all day and night to bail us out."
Progent worked together with the customer to rapidly identify and prioritize the essential applications that needed to be restored in order to continue business operations:
- Active Directory (AD)
- Microsoft Exchange Email
- MRP System
To get going, Progent followed ransomware incident mitigation best practices by halting lateral movement and performing malware removal steps. Progent then began recovering Microsoft Active Directory, the key technology of enterprise networks built on Microsoft products. Microsoft Exchange Server email will not work without AD, and the client's accounting and MRP software ran on SQL Server, which depends on Windows AD for authenticated access to the databases.
Within two days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then assisted with reinstallations and storage recovery for essential applications. All Microsoft Exchange Server links and attributes in AD were intact, which facilitated the restore of Exchange. Progent was also able to locate local OST files (Outlook Off-Line Folder Files) on various workstations in order to recover mail data. A relatively recent off-line backup of the client's financial/MRP systems made it possible to bring these required services back online. Although significant work remained to recover completely from the Ryuk damage, core systems were restored quickly:
"For the most part, the production line operation was never shut down and we produced all customer shipments."
Over the next couple of weeks, key milestones in the recovery process were reached through tight collaboration between Progent engineers and the customer:
- In-house web sites were brought back up without losing any data.
- The MailStore Exchange Server containing more than four million archived emails was brought online and accessible to users.
- CRM/Product Ordering/Invoices/Accounts Payable (AP)/AR/Inventory Control modules were fully restored.
- A new Palo Alto Networks 850 firewall was installed.
- Nearly all of the desktop computers were functioning as before the incident.
"A huge amount of what happened in the early hours is mostly a fog for me, but we will not soon forget the countless hours all of the team put in to give us our company back. I have trusted Progent for the past 10 years, maybe more, and each time I needed help Progent has shined and delivered as promised. This event was the most impressive ever."
A probable enterprise-killing disaster was averted thanks to dedicated experts, a broad array of technical expertise, and tight teamwork. In hindsight, the ransomware attack detailed here could have been prevented with modern cyber security solutions, adherence to NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator education, and appropriate incident response procedures for data backup and patch management. The fact remains, however, that government-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and will keep attacking. If you do get hit by a ransomware penetration, remember that Progent's roster of experts has proven experience in ransomware blocking, remediation, and data recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for allowing me to get rested after we made it past the initial fire. All of you did an incredible job, and if any of you guys are visiting the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)