Crypto-Ransomware: Your Crippling IT Nightmare
Crypto-ransomware has become a modern cyber pandemic and represents an extinction-level threat for businesses unprepared for an attack. Multiple generations of ransomware such as Reveton, CryptoWall, Bad Rabbit, SamSam and the MongoLock cryptoworm have been replicating for many years and still cause destruction. Newer crypto-ransomware families like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Egregor, plus additional unnamed variants, not only encrypt online files but also attack any backup and protection mechanisms they can reach. Information synchronized to off-site disaster recovery sites can also be encrypted. In a vulnerable environment this can make automated restore operations hopeless and effectively sets the network back to zero.
Restoring applications and information after a ransomware intrusion becomes a sprint against the clock as the targeted organization fights to contain and clean up the ransomware and to resume business-critical activity. Because ransomware takes time to move laterally, attacks are often launched on weekends and holidays, when successful intrusions typically take longer to uncover. This compounds the difficulty of rapidly assembling and organizing a knowledgeable mitigation team.
Progent provides a range of services for securing Lower Manhattan enterprises against crypto-ransomware attacks. These include user education to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of next-generation security appliances with artificial intelligence capabilities that automatically detect and block new threats. Progent also provides experienced crypto-ransomware recovery professionals with the skills and perseverance to rebuild a compromised environment as rapidly as possible.
Progent's Ransomware Recovery Services
After a ransomware attack, even paying the ransom demand in Bitcoin does not guarantee that the criminals will return the keys needed to decrypt any or all of your information. Kaspersky determined that seventeen percent of ransomware victims never recovered their information after paying the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000). This is significantly above the typical ransomware demand, which ZDNET determined to be approximately $13,000 for smaller organizations. The alternative is to piece back together the key elements of your IT environment. Without usable system backups, this requires a wide complement of skills, well-coordinated project management, and the ability to work 24x7 until the task is done.
For decades, Progent has offered professional IT services for businesses across the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have been awarded top industry certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have earned internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise in accounting and ERP applications. This breadth of expertise gives Progent the capability to quickly identify the necessary systems, organize the surviving parts of your network following a ransomware attack, and rebuild them into a functioning network.
Progent's recovery team uses best-of-breed project management tools to coordinate the complex restoration process. Progent appreciates the importance of acting quickly and in unison with a customer's management and IT staff to prioritize tasks and to put the most important systems back online as fast as possible.
Customer Case Study: A Successful Ransomware Penetration Recovery
A client hired Progent after their network was crippled by the Ryuk ransomware virus. Ryuk is generally considered to have been created by North Korean state-sponsored hackers, suspected of using algorithms leaked from the United States National Security Agency. Ryuk targets specific organizations with limited tolerance for operational disruption and is among the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing company based in the Chicago metro area with around 500 employees. The Ryuk attack had frozen all company operations and manufacturing capabilities. The majority of the client's backups had been online at the beginning of the attack and were encrypted. The client was preparing to pay the ransom demand (more than $200K) and hoping for the best, but in the end brought in Progent.
"I can't thank you enough about the support Progent gave us throughout the most fearful time of (our) company's existence. We would have paid the cyber criminals if not for the confidence the Progent team provided us. The fact that you could get our messaging and key servers back online in less than one week was amazing. Each staff member I worked with or communicated with at Progent was hell bent on getting us back online and was working 24 by 7 on our behalf."
Progent worked with the client to rapidly assess and prioritize the essential areas that had to be addressed in order to resume company operations:
- Windows Active Directory
- Microsoft Exchange
- MRP System
To begin, Progent followed malware incident response best practices by stopping lateral movement and disinfecting systems. Progent then began the work of rebuilding Active Directory, the foundational technology of enterprise environments built on Microsoft products. Microsoft Exchange Server messaging will not function without Windows AD, and the client's MRP system relied on Microsoft SQL Server, which in turn depends on Windows AD to authenticate access to its data.
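The recovery order above follows the dependency chain between services: nothing that authenticates against Active Directory can come back before AD does, and the MRP system cannot come back before the SQL Server it reads from. The following Python script is an added illustration, not Progent's tooling or anything from the case study. It turns a dependency map into ordered recovery waves and refuses to produce a plan when the map contains a cycle or references a service that is not in the inventory. The service names and their dependencies are a constructed sample modelled on the order described in the text, not the client's real hosts.

```python
"""Dependency-ordered recovery planner (added example, hypothetical data).

Given a map of service -> services it depends on, compute the "waves" in
which services can be restored: everything in wave N depends only on
services restored in waves 0..N-1. A restore plan that ignores this order
wastes time on systems that cannot start until their dependencies exist.
"""

# Constructed sample inventory. Edges point at prerequisites. The only
# dependencies encoded are the ones the case study itself describes:
# Exchange and SQL Server need Active Directory; the MRP system needs SQL.
RECOVERY_DEPENDENCIES = {
    "active_directory": [],
    "exchange": ["active_directory"],
    "sql_server": ["active_directory"],
    "mrp": ["sql_server"],
    "websites": [],  # self-hosted sites: assumed to have no AD dependency
}


def plan_recovery_waves(deps):
    """Return a list of waves (each a sorted list of service names).

    Raises ValueError if a dependency names an unknown service or if the
    graph contains a cycle, because neither case yields a restorable plan.
    """
    # Validate the inventory up front so a typo does not silently drop a
    # service from the plan.
    for service, prerequisites in deps.items():
        for prereq in prerequisites:
            if prereq not in deps:
                raise ValueError(f"{service!r} depends on unknown service {prereq!r}")

    remaining = {service: set(prereqs) for service, prereqs in deps.items()}
    restored = set()
    waves = []
    while remaining:
        # A service is ready once every prerequisite has been restored.
        ready = sorted(s for s, prereqs in remaining.items() if prereqs <= restored)
        if not ready:
            # Nothing can progress: the leftover services depend on each other.
            stuck = ", ".join(sorted(remaining))
            raise ValueError(f"circular dependency among: {stuck}")
        waves.append(ready)
        for service in ready:
            restored.add(service)
            del remaining[service]
    return waves


def restore_order(deps):
    """Flatten the waves into one sequential restore list."""
    return [service for wave in plan_recovery_waves(deps) for service in wave]


if __name__ == "__main__":
    for index, wave in enumerate(plan_recovery_waves(RECOVERY_DEPENDENCIES)):
        print(f"wave {index}: {', '.join(wave)}")
```

Services within the same wave have no ordering constraint between them, so they are candidates for parallel work by separate engineers, which is how a recovery team shortens the critical path once AD is back.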
In less than 2 days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then carried out configuration and storage recovery on mission-critical applications. All Microsoft Exchange Server links and configuration information were usable, which accelerated the restore of Exchange. Progent was also able to locate intact OST files (Outlook Offline Data Files) on user desktop computers in order to recover mail data. A relatively recent offline backup of the client's manufacturing software made it possible to bring these vital services back online for users. Although a lot of work still had to be done to recover fully from the Ryuk damage, core systems were returned to operation quickly:
"For the most part, the production manufacturing operation was never shut down and we produced all customer orders."
During the following month, critical milestones in the restoration process were accomplished through tight collaboration between Progent engineers and the customer:
- Self-hosted web sites were returned to operation with no loss of data.
- The MailStore server for Exchange, containing more than 4 million archived emails, was spun up and made available to users.
- CRM, product ordering, invoicing, accounts payable, accounts receivable and inventory functions were completely recovered.
- A new Palo Alto 850 security appliance was brought online.
- Most of the user PCs were back in operation.
"A lot of what went on in the early hours is nearly entirely a fog for me, but we will not forget the countless hours each and every one of your team accomplished to give us our business back. I have entrusted Progent for at least 10 years, maybe more, and each time I needed help Progent has come through and delivered as promised. This situation was the most impressive ever."
A possible company-ending catastrophe was avoided through dedicated experts, a broad array of knowledge, and tight teamwork. In hindsight, the crypto-ransomware attack described here could have been prevented with advanced security technology, NIST Cybersecurity Framework best practices, user education, properly executed incident response procedures for information protection, and systems kept up to date with security patches. The reality, however, is that state-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and remain an ongoing threat. If you do get hit by a ransomware attack, you can be confident that Progent's team of experts has extensive experience in ransomware defense, mitigation, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were contributing), thanks very much for making it so I could get some sleep after we got past the initial push. Everyone did an amazing effort, and if anyone that helped is in the Chicago area, a great meal is the least I can do!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)