Crypto-Ransomware: Your Crippling Information Technology Nightmare
Crypto-ransomware has become a modern cyber pandemic that poses an existential threat to organizations unprepared for an attack. Older families such as CryptoLocker, CryptoWall, Locky, NotPetya and MongoLock have been circulating for years and still cause damage. Current strains such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, Conti and Egregor, along with a daily stream of unnamed variants, not only encrypt live data files but also encrypt or delete any backups reachable from the compromised network. Files synchronized to cloud storage can be rendered useless as well, because the sync client faithfully replicates the encrypted copies. In a vulnerable environment this makes automated restore impossible and effectively knocks the entire organization back to square one.
Getting services and data back online after a crypto-ransomware event becomes a race against time as the targeted business fights to contain and eradicate the ransomware and to resume mission-critical activity. Because encrypting an entire network takes time, attackers frequently trigger the encryption at night or over a weekend, when it takes longer for anyone to notice. This multiplies the difficulty of promptly mobilizing and coordinating an experienced response team.
Progent offers an assortment of solutions for protecting Lower Manhattan businesses from ransomware attacks. These include staff training to recognize and avoid phishing scams, and ProSight Active Security Monitoring, an endpoint detection and response (EDR) service built on SentinelOne's AI-based threat defense to detect and contain zero-day malware. Progent also offers the services of expert ransomware recovery consultants with the skills and commitment to rebuild a compromised network as rapidly as possible.
Progent's Ransomware Restoration Help
After a ransomware attack, paying the ransom in Bitcoin provides no assurance that the criminals will hand over working keys to decrypt any of your data. Kaspersky found that 17% of crypto-ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical crypto-ransomware demand, which ZDNet put at around $13,000 for small organizations. The alternative is to rebuild the critical components of your IT environment from scratch. Without complete, uncompromised backups, this requires a broad set of skills, professional project management, and the ability to work around the clock until the job is done.
For decades, Progent has provided certified IT services to businesses across the U.S. and has earned Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers holding top certifications in key technologies from Microsoft, Cisco, VMware and the major Linux distributions. Progent's cyber security experts hold internationally recognized certifications including CISM, CISSP, CRISC and SANS GIAC (see Progent's certifications). Progent also has experience with financial management and ERP software. This breadth of experience gives Progent the skills to quickly identify the systems that matter, salvage the surviving parts of your network after a ransomware event, and reassemble them into a functioning whole.
Progent's security team uses modern project management tools to orchestrate the complex restoration process. Progent understands the urgency of acting quickly and in concert with a client's management and IT staff to prioritize tasks and get critical systems back online as fast as humanly possible.
Case Study: A Successful Ransomware Incident Response
A manufacturing business engaged Progent after its operations were brought down by Ryuk crypto-ransomware. Ryuk was initially attributed by some researchers to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; most later analysis attributes it to a Russian-speaking criminal group. Ryuk goes after specific companies with limited tolerance for disruption and is among the most profitable crypto-ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer based in Chicago with about 500 employees. The Ryuk intrusion had halted all business operations and manufacturing. Most of the client's backups had been reachable over the network when the intrusion began and were destroyed. The client considered paying the ransom (more than $200,000) and hoping for the best, but ultimately engaged Progent.
"I can't thank you enough for the help Progent gave us during the most fearful period of (our) business's existence. We might have had to pay the hackers except for the confidence the Progent team gave us. That you could get our e-mail and important servers back into operation in less than one week was beyond my wildest dreams. Every single staff member I interacted with or communicated with at Progent was absolutely committed to getting our system up and was working day and night on our behalf."
Progent worked with the customer to quickly identify and prioritize the mission-critical services that had to be restored before company functions could resume:
- Active Directory
- Exchange Server
- Accounting and Manufacturing Software
First, Progent followed ransomware incident response best practice by isolating and cleaning the compromised systems. Progent then began restoring Microsoft Active Directory, the heart of any enterprise network built on Microsoft Windows. Microsoft Exchange Server will not function without AD, and the customer's MRP software ran on SQL Server, which relied on Active Directory (Windows authentication) to authenticate access to the data.
Within two days, Progent had restored Active Directory to its pre-intrusion state. Progent then performed reinstallations and storage recovery on the required systems. All Exchange Server data and configuration information were usable, which facilitated the rebuild of Exchange. Progent also located intact OST files (Microsoft Outlook Offline Data Files) on staff PCs to recover mailbox contents. A reasonably recent offline backup of the customer's accounting/ERP systems made it possible to return these essential applications to service. Although significant work remained to recover fully from the Ryuk attack, essential services were restored quickly:
"For the most part, the production operation never missed a beat and we produced all customer sales."
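One step in the recovery above, finding OST files on staff PCs and telling intact ones from those the ransomware encrypted in place, is illustrated by the following added example. It is not Progent's tooling and not part of the original case study. It assumes the MS-PST header layout (the `!BDN` magic at offset 0 and the `SM` client magic at offset 8), an entropy cutoff of 7.0 bits per byte as the "looks encrypted" threshold, and a constructed sample directory tree (alice, bob, carol) standing in for mounted user profiles.

```python
"""Triage Outlook data files (.ost/.pst) on workstations after a ransomware event.

Added example; not Progent's tooling. Assumptions: an untouched OST/PST still
starts with the MS-PST header magic "!BDN" and carries the client magic "SM"
at offset 8, while a file encrypted in place has lost that header and its
leading bytes look random (Shannon entropy near 8 bits per byte).
"""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

PST_MAGIC = b"!BDN"       # dwMagic, offset 0 (MS-PST header)
CLIENT_MAGIC = b"SM"      # wMagicClient, offset 8
SAMPLE_BYTES = 4096       # how much of each file to read
ENTROPY_LIMIT = 7.0       # assumed cutoff (bits/byte) for "looks encrypted"
CANDIDATE_SUFFIXES = {".ost", ".pst"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: 0.0 for empty or constant input, 8.0 max."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def is_candidate(path: Path) -> bool:
    """Match .ost/.pst anywhere in the suffix chain: ransomware usually appends
    its own extension (mailbox.ost.locked), so the last suffix is not enough."""
    return bool({s.lower() for s in path.suffixes} & CANDIDATE_SUFFIXES)


def classify(path: Path) -> str:
    """'intact' if the MS-PST header is present, 'encrypted' if the leading
    bytes are high-entropy junk, otherwise 'unknown' (truncated, stub, etc.)."""
    with path.open("rb") as f:
        head = f.read(SAMPLE_BYTES)
    if head[:4] == PST_MAGIC and head[8:10] == CLIENT_MAGIC:
        return "intact"
    if shannon_entropy(head) >= ENTROPY_LIMIT:
        return "encrypted"
    return "unknown"


def triage(root: Path) -> dict[str, list[str]]:
    """Walk root (e.g. a mounted user-profile share) and bucket every candidate."""
    buckets: dict[str, list[str]] = {"intact": [], "encrypted": [], "unknown": []}
    for p in sorted(root.rglob("*")):
        if p.is_file() and is_candidate(p):
            buckets[classify(p)].append(p.relative_to(root).as_posix())
    return buckets


def make_sample_tree(root: Path) -> None:
    """Constructed sample data standing in for three staff PCs (not real files)."""
    header = PST_MAGIC + b"\x00\x00\x00\x00" + CLIENT_MAGIC
    intact = header + bytes(SAMPLE_BYTES - len(header))
    # Deterministic high-entropy bytes stand in for ciphertext so the run is
    # reproducible offline; real ransomware output looks the same to this check.
    ciphertext = b"".join(
        hashlib.sha256(i.to_bytes(4, "big")).digest()
        for i in range(SAMPLE_BYTES // 32)
    )
    files = {
        "alice/Outlook/alice@example.com.ost": intact,
        "bob/Outlook/bob@example.com.ost.locked": ciphertext,  # encrypted in place
        "carol/Documents/archive2019.pst": intact,
        "carol/Documents/archive2019.pst.tmp": bytes(64),      # stub, header gone
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo() -> dict[str, list[str]]:
    """Build the sample tree in a temp dir and triage it; returns the buckets."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "profiles"
        make_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket:9s} {paths}")
```

Files that land in the encrypted bucket are not worth copying off the PC; the header check is what distinguishes a salvageable file from one that merely kept its name. An OST is tied to the mailbox profile that created it, so turning an intact one back into usable mail generally means converting it to a PST or importing it once the mailbox exists again.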
Over the following month, key recovery milestones were reached in close cooperation between Progent and the customer:
- Self-hosted web sites were restored with no loss of data.
- The MailStore Server, holding over 4 million archived emails, was brought back up and made accessible to users.
- The CRM, customer orders, invoicing, accounts payable (AP), accounts receivable (AR) and inventory modules were fully restored.
- A new Palo Alto Networks PA-850 firewall was brought online.
- Nearly all user desktops were working as they had before the incident.
"A huge amount of what happened that first week is almost entirely a haze for me, but our team will not soon forget the dedication your whole team showed to give us our business back. I've been working with Progent for the past 10 years, possibly more, and every time I needed help Progent has come through and delivered. This situation was no exception, but maybe more Herculean."
A potentially business-ending catastrophe was averted through the efforts of dedicated experts, a wide spectrum of knowledge, and close collaboration. In retrospect, the attack described here would likely have been stopped by up-to-date security tooling and practices, user training, and well-designed procedures for offline backups and timely patching, but the fact remains that the criminal and state-sponsored groups operating from Russia, North Korea, China and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware attack, be confident that Progent's team has substantial experience in ransomware prevention, cleanup, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for allowing me to get some rest after we got past the first week. Everyone did an amazing job, and if any of your guys are in the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Expertise in Lower Manhattan
For ransomware recovery consulting in the Lower Manhattan metro area, phone Progent at 800-462-8800 or go to Contact Progent.