Crypto-Ransomware : Your Feared IT Catastrophe
Crypto-ransomware has become a modern cyber pandemic that presents an enterprise-level danger to any organization vulnerable to an attack. Ransomware families such as CryptoLocker, WannaCry, Locky, NotPetya and the MongoLock cryptoworms have been in the wild for many years and still cause havoc. More recent variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Egregor, along with a steady stream of as yet unnamed newcomers, not only encrypt on-line files but also reach any configured system backups, and files synchronized to the cloud can be encrypted as well. In a poorly designed data protection solution this renders automated recovery useless and effectively sets the entire environment back to square one.
Getting back programs and information after a crypto-ransomware event becomes a race against time as the victim struggles to stop lateral movement and remove the ransomware and to resume enterprise-critical operations. Since ransomware needs time to replicate, attacks are frequently launched at night, when successful attacks are likely to take more time to recognize. This multiplies the difficulty of rapidly mobilizing and organizing a capable response team.
Progent offers a range of solutions for protecting Miami Beach enterprises from ransomware attacks. These include team member training to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of the latest generation security solutions with artificial intelligence capabilities to automatically discover and extinguish zero-day threats. Progent also offers the services of experienced ransomware recovery professionals with the talent and perseverance to reconstruct a compromised environment as urgently as possible.
Progent's Crypto-Ransomware Restoration Services
After a crypto-ransomware event, even paying the ransom in cryptocurrency provides no assurance that the cyber criminals will return the keys needed to decipher any of your information. Kaspersky Labs ascertained that seventeen percent of ransomware victims never recovered their data after paying the ransom, compounding their losses. The ransom itself is also very costly: Ryuk ransoms often range from 15-40 BTC (between $120,000 and $400,000), far above the typical ransomware demand, which ZDNET estimated to be around $13,000 for small businesses. The alternative is to piece the essential parts of your IT environment back together. Without complete data backups, this calls for a wide complement of skills, top-notch team management, and the ability to work 24x7 until the recovery project is completed.
For decades, Progent has provided professional Information Technology services for businesses throughout the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have been awarded top certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have garnered internationally-recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise in financial management and ERP application software. This breadth of expertise gives Progent the ability to rapidly identify critical systems and consolidate the remaining parts of your Information Technology system following a ransomware event and assemble them into a functioning network.
Progent's recovery team of experts uses best-of-breed project management systems to orchestrate the sophisticated recovery process. Progent understands the urgency of working rapidly and together with a customer's management and Information Technology team members to prioritize tasks and to put the most important systems back on line as fast as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Attack Restoration
A small business sought out Progent after its network was brought down by Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state criminal gangs, suspected of using technology exposed from the United States National Security Agency. Ryuk seeks out organizations with little or no room for operational disruption and is one of the most lucrative versions of ransomware. Major targets have included Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturer based in the Chicago metro area with around 500 workers. The Ryuk event had shut down all business operations and manufacturing processes. The majority of the client's data protection had been online at the start of the intrusion and was encrypted. The client considered paying the ransom demand (more than two hundred thousand dollars) and hoping for the best, but in the end engaged Progent.
"I can't speak enough in regards to the expertise Progent provided us throughout the most fearful time of (our) company's life. We may have had to pay the cyber criminals except for the confidence the Progent experts afforded us. The fact that you were able to get our messaging and essential servers back into operation in less than a week was amazing. Every single consultant I worked with or e-mailed at Progent was absolutely committed on getting us restored and was working 24 by 7 to bail us out."
Progent worked hand in hand with the client to rapidly understand and assign priority to the key applications that had to be addressed to make it possible to restart business operations:
- Active Directory (AD)
- Exchange Server
To start, Progent adhered to AV/malware incident-mitigation best practices by isolating affected systems and performing malware removal steps. Progent then started the process of recovering Microsoft Active Directory, the foundation of enterprise systems built on Microsoft technology. Exchange messaging will not operate without AD, and the client's accounting and MRP software used Microsoft SQL Server, which depends on Windows AD for authentication and authorization to the database.
Within two days, Progent was able to restore Active Directory to its pre-intrusion state. Progent then helped perform rebuilding and storage recovery of the most important systems. All Exchange Server schema and attributes were intact, which accelerated the restore of Exchange. Progent was also able to locate local OST files (Outlook Offline Data Files) on various workstations in order to recover email messages. A recent offline backup of the business's financials/ERP software made it possible to bring these vital services back online. Although a large amount of work remained to recover completely from the Ryuk event, core services were returned to operation rapidly:
"For the most part, the manufacturing operation ran fairly normal throughout and we did not miss any customer shipments."
Throughout the following month critical milestones in the restoration process were accomplished through tight collaboration between Progent engineers and the client:
- In-house web applications were brought back up with no loss of data.
- The MailStore Exchange Server with over 4 million archived emails was brought on-line and accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory Control modules were 100 percent operational.
- A new Palo Alto Networks 850 firewall was brought on-line.
- Most of the user PCs were operational.
"So much of what went on during the initial response is nearly entirely a fog for me, but our team will not forget the countless hours all of you accomplished to give us our company back. I have been working with Progent for the past 10 years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered. This time was no exception but maybe more Herculean."
A possible company-ending disaster was averted by dedicated experts, a broad spectrum of IT skills, and close collaboration. Although in hindsight the ransomware attack described here could have been identified and stopped with modern cyber security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team education, and well thought out procedures for backups and keeping systems current with security patches, the fact remains that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and will continue. If you do get hit by a crypto-ransomware incident, remember that Progent's roster of experts has proven experience in ransomware defense, cleanup, and file disaster recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), I'm grateful for allowing me to get some sleep after we made it past the first week. All of you did an impressive effort, and if anyone that helped is visiting the Chicago area, a great meal is the least I can do!"
Download the Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)