Crypto-Ransomware: Your Feared IT Nightmare
Crypto-ransomware has become an all-too-frequent cyber pandemic and poses an existential threat to businesses of all sizes that are poorly prepared for an attack. Ransomware families such as Dharma, WannaCry, Bad Rabbit, Syskey and the MongoLock cryptoworms have been in the wild for a long time and continue to cause harm. More recent ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, plus daily unnamed variants, not only encrypts on-line files but also attacks any reachable system restore points and backups. Data replicated to off-site disaster recovery sites can be corrupted as well. In a poorly architected data protection solution, this can render automatic restore operations useless and effectively sets the network back to square one.
Restoring services and data after a ransomware event becomes a sprint against the clock as the victim works to stop the spread, remove the malware and bring mission-critical activity back. Because crypto-ransomware needs time to propagate, attacks are frequently sprung on weekends and holidays, when intrusions often take longer to recognize. This multiplies the difficulty of quickly assembling and coordinating a knowledgeable response team.
Progent offers an assortment of support services for protecting Waltham enterprises from crypto-ransomware intrusions. These include staff training to recognize and avoid phishing scams, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which uses SentinelOne's AI-based threat defense to detect and contain zero-day malware attacks. Progent also provides the services of veteran ransomware recovery consultants with the skills and commitment to restore a breached environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Support Services
After a ransomware intrusion, paying the ransom in Bitcoin does not guarantee that the remote criminals will supply the keys to decrypt any or all of your files. Kaspersky Labs found that 17% of ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far above the typical crypto-ransomware demand, which ZDNET estimated at around $13,000 for small organizations. The other path is to rebuild the mission-critical parts of your Information Technology environment. Without full system backups, this calls for a wide range of skill sets, top-notch team management, and the ability to work 24x7 until the task is complete.
For decades, Progent has offered certified expert Information Technology services to businesses throughout the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who hold advanced certifications in key technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cyber security specialists have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial systems and ERP application software. This breadth of expertise lets Progent rapidly identify the necessary systems, reorganize the surviving components of your network after a ransomware attack and rebuild them into an operational system.
Progent's ransomware team uses powerful project management systems to orchestrate the complex restoration process. Progent understands the urgency of working rapidly and in concert with a client's management and Information Technology staff to prioritize tasks and get key systems back on-line as soon as humanly possible.
Client Story: A Successful Ransomware Attack Response
A business hired Progent after the company was taken over by the Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state-sponsored criminal gangs, possibly adopting technology leaked from the U.S. National Security Agency. Ryuk targets specific organizations with little or no tolerance for disruption and is among the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturer in the Chicago metro area with about 500 workers. The Ryuk intrusion had shut down all business operations and manufacturing processes. Most of the client's data backups had been on-line at the start of the intrusion and were encrypted. The client was preparing to pay the ransom (exceeding $200K) and hope for the best, but in the end brought in Progent.
"I cannot speak enough about the support Progent provided us throughout the most fearful period of (our) company's life. We had little choice but to pay the hackers behind this attack if it wasn't for the confidence the Progent experts gave us. That you were able to get our e-mail system and important applications back on-line quicker than one week was incredible. Every single person I talked with or e-mailed at Progent was laser focused on getting my company operational and was working breakneck pace on our behalf."
Progent worked together with the customer to quickly identify and prioritize the mission-critical systems that had to be addressed in order to restart departmental operations:
- Windows Active Directory
- Microsoft Exchange Email
- Accounting and Manufacturing Software
To start, Progent followed industry best practices for malware incident response by stopping lateral movement and removing active malware. Progent then began bringing Active Directory back online, since it is the core of enterprise systems built on Microsoft Windows Server technology. Exchange email will not operate without AD, and the customer's financial and MRP applications ran on SQL Server, which relies on Windows AD to authenticate and authorize access to the database.
In less than 48 hours, Progent rebuilt Windows Active Directory to its pre-incident state. Progent then began setup and storage recovery of the critical systems. All Microsoft Exchange Server data and configuration information were intact, which simplified the rebuild of Exchange. Progent also located intact OST files (Outlook Offline Data Files) on various PCs to recover email data. A reasonably recent offline backup of the business's manufacturing software made it possible to bring these essential applications back online. Although significant work remained to recover fully from the Ryuk damage, core services were returned to operation quickly:
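The recovery order described above (Active Directory first, because Exchange and the SQL Server-backed MRP and accounting applications cannot authenticate without it) and the point made earlier that backups reachable from the network during the attack were encrypted can both be turned into a repeatable planning step. The following Python is an added example and is not Progent's tooling or any script from the case study; the service names, dependency edges and backup inventory are constructed to mirror the story. It orders the restore by dependency (Kahn's topological sort), selects only backup copies that were offline at the time of the incident, and flags any service that has no trustworthy copy so the team knows it needs an alternate recovery path such as intact on-server data.

```python
"""Dependency-ordered restore planning after a ransomware incident.

Added example, not Progent's code. Inventory below is constructed.
"""
from collections import deque
from dataclasses import dataclass, field


class RestorePlanError(Exception):
    """Raised when the dependency graph cannot be ordered."""


@dataclass
class Service:
    name: str
    depends_on: list = field(default_factory=list)
    # (label, online_at_incident); copies that were reachable while the
    # malware ran must be assumed encrypted or tampered with.
    backup_sources: list = field(default_factory=list)


def usable_sources(service):
    """Only copies that were offline/isolated during the incident count."""
    return [label for label, online in service.backup_sources if not online]


def restore_order(services):
    """Kahn's algorithm: every dependency precedes the service that needs it.
    Ties are broken alphabetically so the plan is deterministic."""
    by_name = {s.name: s for s in services}
    indegree = {s.name: 0 for s in services}
    dependents = {s.name: [] for s in services}
    for s in services:
        for dep in s.depends_on:
            if dep not in by_name:
                raise RestorePlanError(f"{s.name} depends on unknown service {dep}")
            indegree[s.name] += 1
            dependents[dep].append(s.name)
    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    order = []
    while ready:
        current = ready.popleft()
        order.append(current)
        for child in sorted(dependents[current]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(services):
        raise RestorePlanError("dependency cycle; restore order is undefined")
    return order


def plan_is_feasible(services):
    """True if the graph can be ordered (no cycles, no unknown dependencies)."""
    try:
        restore_order(services)
        return True
    except RestorePlanError:
        return False


def build_plan(services):
    """Return (steps, blocked).

    steps   : [(service, chosen_offline_source)] in restore order
    blocked : services with no trustworthy backup; they need an alternate
              recovery path (e.g. intact data on the server itself)
    """
    by_name = {s.name: s for s in services}
    steps, blocked = [], []
    for name in restore_order(services):
        sources = usable_sources(by_name[name])
        if sources:
            steps.append((name, sources[0]))
        else:
            blocked.append(name)
    return steps, blocked


# Constructed inventory modelled on the case study: the SAN snapshot was
# on-line during the attack, so it is never selected as a restore source.
INVENTORY = [
    Service("Active Directory", [],
            [("nightly-san-snapshot", True), ("offline-system-state", False)]),
    Service("Exchange", ["Active Directory"],
            [("nightly-san-snapshot", True)]),
    Service("SQL Server", ["Active Directory"],
            [("nightly-san-snapshot", True), ("offline-tape", False)]),
    Service("MRP/Accounting", ["SQL Server"],
            [("offline-tape", False)]),
]

if __name__ == "__main__":
    steps, blocked = build_plan(INVENTORY)
    for n, (svc, src) in enumerate(steps, 1):
        print(f"{n}. restore {svc} from {src}")
    for svc in blocked:
        print(f"!  {svc}: no offline copy, needs alternate recovery path")
```

In this constructed inventory Exchange has only an on-line snapshot, so it is reported as blocked rather than silently restored from a copy the malware could reach; that matches the case study, where Exchange was rebuilt from intact server data rather than from backups.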
"For the most part, the production manufacturing operation never missed a beat and we produced all customer orders."
Over the next few weeks, key milestones in the restoration process were reached through close collaboration between Progent engineers and the customer:
- In-house web applications were brought back up with no loss of data.
- The MailStore Exchange Server with over four million historical emails was restored to operations and accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory capabilities were 100 percent functional.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Ninety percent of the desktop computers were back in use by staff.
"A huge amount of what went on in the early hours is mostly a haze for me, but our team will not soon forget the dedication each and every one of the team accomplished to help get our company back. I've been working with Progent for the past ten years, possibly more, and each time Progent has come through and delivered. This event was the most impressive ever."
A likely company-ending disaster was averted by results-oriented experts, a broad spectrum of technical expertise, and tight teamwork. In hindsight, the crypto-ransomware incident described here could have been detected and stopped with modern security systems, security best practices, user training, and properly executed procedures for data protection and software patching. The fact remains, however, that state-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and an ongoing threat. If you do fall victim to ransomware, be assured that Progent's team has substantial experience in crypto-ransomware defense, removal, and data recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thank you for letting me get some sleep after we made it over the first week. All of you did an amazing effort, and if anyone is in the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this customer story, click:
Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB)
Contact Progent for Ransomware Recovery Consulting Services in Waltham
For ransomware system recovery expertise in the Waltham metro area, phone Progent at 800-462-8800 or see Contact Progent.