Crypto-Ransomware: Your Crippling Information Technology Nightmare
Ransomware has become an escalating cyber pandemic that poses an enterprise-level threat to organizations poorly prepared for an assault. Successive generations of ransomware such as the CryptoLocker, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been circulating for many years and still cause destruction. Newer variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Nephilim, plus many unnamed viruses, not only encrypt online files but also corrupt any backups they can reach. Data synchronized to the cloud can also be corrupted. In a poorly designed data protection solution, this can render automated restoration impossible and effectively knocks the entire system back to square one.
Restoring applications and data after a ransomware event becomes a sprint against time as the victim fights to contain the damage, clear the ransomware, and resume business-critical operations. Because crypto-ransomware takes time to move laterally, assaults are often sprung during weekends and nights, when a successful penetration is likely to go unnoticed longer. This compounds the difficulty of quickly assembling and orchestrating an experienced response team.
Progent provides a range of solutions for securing Madison enterprises against ransomware events. Among these are staff training to recognize and avoid phishing attempts, and ProSight Active Security Monitoring (ASM), an endpoint detection and response service that uses SentinelOne's behavior-based cyberthreat protection to detect and disable zero-day malware assaults. Progent also provides the services of expert crypto-ransomware recovery consultants with the talent and perseverance to re-deploy a breached network as quickly as possible.
Progent's Ransomware Recovery Support Services
After a crypto-ransomware penetration, paying the ransom in cryptocurrency does not ensure that the attackers will respond with the keys to decrypt all your files. Kaspersky Labs estimated that 17% of ransomware victims never recovered their files even after having paid the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is far above the average ransomware demand, which ZDNET determined to be approximately $13,000 for small organizations. The alternative is to set up the critical components of your Information Technology environment from scratch. Absent essential system backups, this calls for a wide range of skills, well-coordinated project management, and the ability to work continuously until the recovery project is finished.
For twenty years, Progent has provided professional IT services for companies across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have attained high-level certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise in financial systems and ERP software solutions. This breadth of experience gives Progent the skills to rapidly identify important systems, consolidate the surviving pieces of your network following a ransomware penetration, and assemble them into an operational system.
Progent's security group uses powerful project management tools to coordinate the complex restoration process. Progent appreciates the importance of acting rapidly, working together with a client's management and Information Technology staff to prioritize tasks and to get critical systems back online as soon as possible.
Case Study: A Successful Ransomware Incident Recovery
A client sought out Progent after their company was brought down by the Ryuk ransomware virus. Ryuk is believed to have been developed by North Korean government-sponsored cybercriminals, possibly adopting techniques leaked from the U.S. NSA. Ryuk targets specific organizations with little or no room for disruption and is among the most lucrative versions of ransomware. High-profile victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing business located in the Chicago metro area with around 500 employees. The Ryuk penetration had frozen all business operations and manufacturing processes. Most of the client's data backups had been online at the time of the intrusion and were eventually encrypted. The client was evaluating paying the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but ultimately decided to use Progent.
"I can't speak enough in regard to the support Progent provided us throughout the most stressful time of (our) business's existence. We most likely would have paid the cyber criminals behind the attack except for the confidence the Progent team gave us. The fact that you could get our e-mail and important applications back quicker than a week was amazing. Each expert I talked with or e-mailed at Progent was amazingly focused on getting us back online and was working 24 by 7 on our behalf."
Progent worked together with the customer to quickly assess and prioritize the mission-critical systems that had to be addressed to make it possible to resume departmental functions:
- Windows Active Directory
- Exchange Server
To start, Progent followed anti-virus/malware incident mitigation best practices by containing the spread and cleaning up compromised systems. Progent then started the work of recovering Windows Active Directory, the heart of enterprise environments built on Microsoft technology. Exchange messaging will not work without Windows AD, and the customer's MRP software used SQL Server, which depends on Active Directory to authorize access to its data.
Within two days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then completed setup and hard drive recovery of key systems. All Microsoft Exchange Server schema and configuration information was intact, which greatly helped the rebuild of Exchange. Progent was able to recover mail data from the local OST files (Microsoft Outlook Offline Folder Files) on staff PCs. A reasonably recent offline backup of the client's accounting/MRP systems made it possible to bring these vital applications back online. Although significant work remained to recover completely from the Ryuk virus, critical services were returned to operation rapidly:
"For the most part, the production manufacturing operation was never shut down and we made all customer deliverables."
Over the following month, key milestones in the restoration project were achieved in tight collaboration between Progent team members and the customer:
- Internal web sites were brought back up with no loss of information.
- The MailStore archive for Microsoft Exchange Server, holding more than four million archived emails, was brought back up and made accessible to users.
- CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivable (AR)/Inventory Control modules were 100 percent functional.
- A new Palo Alto Networks 850 security appliance was brought on-line.
- Most of the desktops and laptops were back in operation.
"So much of what was accomplished those first few days is mostly a fog for me, but we will not forget the care each of you took to give us our company back. I've utilized Progent for at least 10 years, possibly more, and each time I needed help Progent has shined and delivered as promised. This situation was a Herculean accomplishment."
A potentially business-killing catastrophe was averted through results-oriented experts, a broad range of IT skills, and close teamwork. Forensics showed that the ransomware penetration described here could have been stopped by modern security technology, security best practices, staff training, and well thought out incident response procedures for data backup and patch management. The fact remains, however, that government-sponsored cyber criminals from China, North Korea and elsewhere are tireless and an ongoing threat. If you do get hit by a ransomware virus, remember that Progent's roster of professionals has extensive experience in ransomware blocking, cleanup, and information systems disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), I'm grateful for letting me get some sleep after we made it over the initial fire. Everyone made an impressive effort, and if any of you guys are visiting the Chicago area, a great meal is on me!"
Download the Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this customer case study, see Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Restoration Consulting Services in Madison
For ransomware recovery services in the Madison area, call Progent at 800-462-8800 or see Contact Progent.