Crypto-Ransomware: Your Worst Information Technology Nightmare
Ransomware has become an escalating cyberplague that poses an extinction-level threat for businesses of all sizes that are unprepared for an attack. Multiple generations of ransomware such as Reveton, Fusob, Locky, SamSam and MongoLock cryptoworms have been around for many years and continue to cause harm. Newer strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, plus additional unnamed newcomers, not only encrypt online data but also infect any system backups they can reach. Files synchronized to the cloud can also be encrypted. In a vulnerable system, this can make automated restoration useless and effectively sets the network back to zero.
Bringing services and information back online following a crypto-ransomware intrusion becomes a race against time as the victim fights to stop lateral movement, clean up the crypto-ransomware, and resume enterprise-critical operations. Since ransomware requires time to spread, attacks are usually launched on weekends and holidays, when penetrations are likely to take more time to identify. This multiplies the difficulty of rapidly marshalling and organizing an experienced mitigation team.
Progent makes available a range of services for protecting Waltham businesses from ransomware penetrations. Among these are team education to help staff recognize and avoid phishing scams, and ProSight Active Security Monitoring (ASM) for endpoint detection and response, which utilizes SentinelOne's behavior-based threat defense to identify and quarantine zero-day modern malware assaults. Progent also provides the services of experienced crypto-ransomware recovery engineers with the talent and perseverance to rebuild a breached network as quickly as possible.
Progent's Ransomware Restoration Services
Following a crypto-ransomware attack, paying the ransom demand in Bitcoin cryptocurrency does not ensure that the cyber criminals will respond with the keys needed to decipher any of your files. Kaspersky determined that 17% of ransomware victims never restored their information even after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the usual ransomware demand, which ZDNET estimated to be approximately $13,000 for smaller organizations. The fallback is to piece back together the vital elements of your IT environment. Without complete information backups available, this calls for a broad range of IT skills, professional project management, and the willingness to work continuously until the recovery project is completed.
For decades, Progent has provided certified expert Information Technology services for businesses across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have earned advanced industry certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have garnered internationally renowned industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent in addition has expertise in accounting and ERP software solutions. This breadth of experience gives Progent the skills to efficiently understand critical systems, consolidate the remaining parts of your network after a ransomware event, and rebuild them into a functioning system.
Progent's security team uses powerful project management systems to orchestrate the complicated restoration process. Progent understands the importance of working quickly and in unison with a client's management and Information Technology team members to assign priority to tasks and to put essential systems back online as fast as possible.
Case Study: A Successful Crypto-Ransomware Attack Restoration
A small business engaged Progent after their network was brought down by the Ryuk ransomware. Ryuk is believed to have been launched by North Korean state-sponsored criminal gangs, suspected of using technology leaked from America's NSA. Ryuk goes after specific organizations with little or no ability to sustain disruption and is among the most profitable examples of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing business based in the Chicago metro area with about 500 staff members. The Ryuk penetration had frozen all essential operations and manufacturing processes. The majority of the client's data backups had been directly accessible from the network at the start of the attack and were damaged. The client was actively seeking loans to pay the ransom demand (in excess of two hundred thousand dollars) and hoping for good luck, but ultimately turned to Progent.
"I cannot tell you enough in regards to the help Progent provided us throughout the most critical period of (our) company's survival. We had little choice but to pay the cybercriminals except for the confidence the Progent group gave us. That you were able to get our e-mail system and production servers back on-line in less than a week was something I thought impossible. Each consultant I worked with or texted at Progent was amazingly focused on getting my company operational and was working 24/7 on our behalf."
Progent worked hand in hand with the customer to quickly understand and assign priority to the most important applications that needed to be addressed in order to restart company operations:
- Active Directory
- Electronic Messaging
- MRP System
To begin, Progent followed ransomware incident response best practices by halting the spread and performing malware removal steps. Progent then initiated the steps of bringing Windows Active Directory back online, the foundation of enterprise systems built on Microsoft Windows technology. Microsoft Exchange email will not work without Windows AD, and the customer's financials and MRP software relied on SQL Server, which requires Windows AD for authentication and authorization of access to the data.
In less than two days, Progent was able to restore Active Directory services to their pre-penetration state. Progent then initiated the rebuilding and hard drive recovery of the most important systems. All Microsoft Exchange Server schema and configuration information were intact, which greatly helped the restoration of Exchange. Progent was also able to find local OST data files (Outlook Offline Folder Files) on team workstations to recover mail information. A recent offline backup of the business's accounting software allowed these vital applications to be brought back online. Although a lot of work remained to recover completely from the Ryuk attack, the most important services were restored quickly:
"For the most part, the manufacturing operation did not miss a beat and we produced all customer sales."
Over the following month, critical milestones in the restoration project were achieved through tight collaboration between Progent engineers and the client:
- Internal web applications were returned to operation without losing any data.
- The MailStore Microsoft Exchange Server containing more than four million archived emails was brought online and accessible to users.
- CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivable (AR)/Inventory Control capabilities were 100% restored.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Ninety percent of the user desktops and notebooks were functioning as before the incident.
"A huge amount of what happened those first few days is mostly a blur for me, but my management will not forget the commitment each and every one of your team put in to help get our business back. I have trusted Progent for at least 10 years, possibly more, and every time I needed help Progent has impressed me and delivered. This time was a Herculean accomplishment."
A possible business extinction disaster was dodged with top-tier professionals, a wide array of knowledge, and tight collaboration. In post mortem, the crypto-ransomware penetration detailed here should have been identified and prevented with modern cyber security technology and best practices, user and IT administrator education, properly executed backup procedures, and keeping systems up to date with security patches. The fact remains, however, that state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a crypto-ransomware incident, remember that Progent's roster of experts has a proven track record in ransomware blocking, cleanup, and information systems restoration.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), I'm grateful for allowing me to get some sleep after we made it past the most critical parts. All of you did an amazing effort, and if anyone that helped is around the Chicago area, a great meal is on me!"
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Consulting Services in Waltham
For ransomware recovery consulting in the Waltham metro area, call Progent at 800-462-8800 or see Contact Progent.