Crypto-Ransomware : Your Crippling Information Technology Disaster
Crypto-ransomware has become a modern cyberplague that poses an enterprise-level danger for any organization vulnerable to an attack. Earlier iterations of ransomware such as CryptoLocker, Fusob, Locky, Syskey and the MongoLock cryptoworm have been around for many years and continue to cause havoc. Modern variants such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, plus a steady stream of as yet unnamed malware, not only encrypt online files but also corrupt any reachable system restore points and backups. Files replicated to the cloud can also be ransomed. In a vulnerable environment this renders automatic restore operations useless and effectively sets the datacenter back to square one.
Restoring services and data after a crypto-ransomware event becomes a race against time as the targeted organization fights to stop the spread, clear the malware, and resume mission-critical operations. Because ransomware needs time to spread, attacks are often launched on weekends and at night, when a successful penetration may take longer to discover. This compounds the difficulty of quickly marshalling and orchestrating an experienced response team.
Progent provides a variety of help services for protecting Waltham enterprises from ransomware events. Among these are team training to become familiar with and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of the latest generation security gateways with machine learning capabilities to intelligently detect and suppress day-zero cyber attacks. Progent also offers the services of experienced ransomware recovery consultants with the track record and perseverance to reconstruct a breached network as soon as possible.
Progent's Ransomware Restoration Help
After a crypto-ransomware attack, paying the ransom demand in cryptocurrency does not ensure that the distant criminals will provide the keys to decrypt any or all of your files. Kaspersky estimated that 17% of ransomware victims never recovered their files even after sending off the ransom, resulting in additional losses. The ransom itself is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the usual crypto-ransomware demand, which ZDNET estimated at approximately $13,000 for small organizations. The other path is to piece back together the vital components of your Information Technology environment. Without essential data backups, this requires a wide complement of skill sets, top notch project management, and the willingness to work 24x7 until the task is done.
For two decades, Progent has made available expert IT services for businesses across the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have earned advanced certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have earned internationally-recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise in financial management and ERP software solutions. This breadth of expertise gives Progent the ability to efficiently understand important systems and integrate the surviving pieces of your IT environment after a ransomware penetration and assemble them into an operational network.
Progent's security group utilizes powerful project management applications to orchestrate the complex restoration process. Progent understands the importance of working swiftly and in unison with a client's management and IT resources to prioritize tasks and to get the most important services back on line as fast as possible.
Client Story: A Successful Crypto-Ransomware Attack Response
A customer engaged Progent after their network was attacked by the Ryuk crypto-ransomware. Ryuk is believed to have been created by North Korean government-sponsored criminal gangs, suspected of using technology leaked from the United States NSA. Ryuk seeks out companies with little or no tolerance for disruption and is one of the most profitable incarnations of crypto-ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company located in Chicago with around 500 workers. The Ryuk intrusion had shut down all company operations and manufacturing capabilities. Most of the client's data backups had been directly accessible at the start of the attack and were eventually encrypted. The client was pursuing financing to pay the ransom (in excess of $200K) and hoping for the best, but in the end reached out to Progent.
"I cannot thank you enough in regards to the support Progent provided us throughout the most fearful period of (our) business's life. We may have had to pay the cyber criminals if not for the confidence the Progent team provided us. That you were able to get our e-mail system and essential applications back in quicker than 1 week was amazing. Each expert I spoke to or texted at Progent was amazingly focused on getting my company operational and was working day and night on our behalf."
Progent worked hand in hand with the client to quickly get its arms around and prioritize the critical services that had to be restored to make it possible to restart company functions:
- Active Directory (AD)
- Electronic Mail
- MRP System
To get going, Progent followed antivirus/malware incident response industry best practices by stopping the spread and disinfecting systems. Progent then started the process of rebuilding Active Directory, the key technology of enterprise systems built on Microsoft Windows. Exchange messaging will not function without Windows AD, and the client's accounting and MRP applications used Microsoft SQL Server, which depends on Active Directory services for access to the databases.
In less than 2 days, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then performed setup and hard drive recovery on critical servers. All Exchange Server schema and configuration information was intact, which greatly helped the rebuild of Exchange. Progent was able to collect non-encrypted OST files (Outlook Offline Folder Files) from various workstations to recover mail data. A recent off-line backup of the client's accounting/MRP systems made it possible to bring these vital applications back online. Although a lot of work remained to recover completely from the Ryuk attack, critical systems were recovered rapidly:
"For the most part, the assembly line operation ran fairly normal throughout and we made all customer orders."
During the following month key milestones in the restoration project were accomplished through close collaboration between Progent consultants and the customer:
- Self-hosted web applications were restored without losing any information.
- The MailStore Microsoft Exchange Server containing more than four million historical emails was restored to operations and available for users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory functions were 100% restored.
- A new Palo Alto 850 firewall was installed and configured.
- 90% of the user PCs were back into operation.
"A huge amount of what happened during the initial response is mostly a blur for me, but we will not forget the countless hours each of you put in to give us our company back. I've trusted Progent for the past 10 years, possibly more, and each time Progent has outperformed my expectations and delivered as promised. This time was a life saver."
A potential enterprise-killing catastrophe was dodged with dedicated experts, a broad spectrum of IT skills, and close teamwork. Although in hindsight the ransomware incident detailed here could have been blocked with current cyber security technology, NIST Cybersecurity Framework best practices, staff education, and well thought out security procedures for backup and patching controls, the reality is that government-sponsored cyber criminals from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by ransomware, be confident that Progent's team of professionals has extensive experience in crypto-ransomware blocking, remediation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were involved), I'm grateful for making it so I could get rested after we made it through the first week. All of you put in a fabulous effort, and if any of you guys are in the Chicago area, a great meal is the least I can do!"
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)