Crypto-Ransomware: Your Crippling Information Technology Disaster
Crypto-ransomware has become an all-too-frequent cyber plague that poses an enterprise-level threat to any business unprepared for an attack. Ransomware families such as CryptoLocker, CryptoWall, Bad Rabbit and MongoLock, along with lock-out scams that abuse the Windows Syskey utility, have been running rampant for years and still inflict havoc. Modern strains such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, Snatch and Egregor, along with a steady stream of as yet unnamed newcomers, do not merely encrypt online data: before encrypting, they typically delete Volume Shadow Copies, disable Windows recovery options and encrypt or wipe every backup reachable from a compromised account. Files that a sync client replicates to the cloud are replicated in their encrypted form, so cloud copies can be lost as well. In a poorly designed environment this can render every recovery path useless and effectively knocks the datacenter back to zero.
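Because shadow-copy and backup destruction almost always precedes mass encryption, it is one of the highest-value events to alert on. The detector below is an added example written for this page, not Progent's own tooling: it scans process-creation records (constructed here to resemble Windows Security event 4688 / Sysmon event 1 fields, not real telemetry) for the commands Ryuk and its peers issue before encrypting, and scores each host by how many distinct tampering techniques were observed. The field names, rule list and sample records are assumptions for illustration.

```python
import re

# Constructed sample of process-creation records (modelled loosely on the
# fields of Windows Security event 4688 / Sysmon event 1; not real telemetry).
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc-backup",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "user": "CORP\\svc-backup",
     "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "WS112", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS112", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "DC01", "user": "CORP\\admin",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},      # benign: listing, not deleting
    {"host": "WS113", "user": "CORP\\asmith",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "OUTLOOK.EXE"},
]

# Command-line patterns ransomware uses to remove or disable local recovery.
# Each rule is (technique name, compiled regex over the command line).
RULES = [
    ("shadow copy deletion via vssadmin",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow storage resize (evicts snapshots)",
     re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("shadow copy deletion via WMI",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("Windows backup catalog deletion",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("boot recovery disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+.*recoveryenabled\s+no", re.I)),
    ("automatic repair disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+.*bootstatuspolicy\s+ignoreallfailures", re.I)),
]


def detect_backup_tampering(events):
    """Return (host, user, technique, cmdline) for every event matching a rule.

    The first matching rule wins, so one event yields at most one hit.
    """
    hits = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append((ev["host"], ev["user"], name, ev["cmdline"]))
                break
    return hits


def hosts_by_severity(hits):
    """Map host -> number of distinct tampering techniques seen on it.

    Two or more distinct techniques on one host within a short window is a
    strong pre-encryption indicator and should page the on-call responder.
    """
    per_host = {}
    for host, _user, name, _cmd in hits:
        per_host.setdefault(host, set()).add(name)
    return {host: len(names) for host, names in per_host.items()}


if __name__ == "__main__":
    found = detect_backup_tampering(SAMPLE_EVENTS)
    for host, user, name, cmd in found:
        print(f"[{host}] {user}: {name}  <- {cmd}")
    print("hosts by severity:", hosts_by_severity(found))
```

In production the same rules would run over a SIEM query of 4688/Sysmon data rather than an in-memory list; the point is that the commands themselves are the signal, regardless of which ransomware family issues them, and that a single "vssadmin list shadows" from an administrator must not fire.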
Restoring services and data after a crypto-ransomware event becomes a race against the clock as the targeted organization tries to stop the spread, eradicate the ransomware and resume mission-critical operations. Because ransomware needs time to spread, attackers frequently trigger encryption at night or over a weekend, when detection typically takes longer. This multiplies the difficulty of promptly mobilizing and coordinating a qualified response team.
Progent provides a range of services for protecting Fresno organizations from ransomware intrusions. These include user education to recognize and avoid phishing attacks, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of the latest generation of security appliances that use artificial intelligence to rapidly detect and block zero-day threats. Progent also provides veteran ransomware recovery engineers with the skills and perseverance to rebuild a compromised environment as rapidly as possible.
Progent's Ransomware Restoration Services
After a crypto-ransomware attack, even paying the ransom in cryptocurrency gives no assurance that the remote criminals will respond with the keys needed to decrypt any or all of your data. Kaspersky Lab found that 17 percent of ransomware victims never recovered their data even after paying, compounding their losses. Paying is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the average ransomware demand, which ZDNet estimated at around $13,000 for smaller organizations. The alternative is to piece the key parts of your IT environment back together. Without complete, uncompromised backups, this calls for a wide range of IT skills, first-rate project management, and the willingness to work around the clock until the recovery is complete.
For two decades, Progent has delivered expert IT services to businesses across the United States and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals with advanced industry certifications in foundation technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's cyber security consultants hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC and GIAC (refer to Progent's certifications). Progent also has expertise with financial management and ERP software. This breadth of expertise lets Progent quickly identify critical systems, consolidate the remaining pieces of your IT environment after a ransomware intrusion and assemble them into an operational system.
Progent's security team uses best-of-breed project management systems to coordinate the complex restoration process. Progent understands the importance of working quickly and in concert with a customer's management and IT staff to prioritize tasks and get key applications back online as soon as possible.
Client Case Study: A Successful Ransomware Virus Restoration
A client called on Progent after its network was brought down by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it is derived from the Hermes ransomware family, but later analysis tied its operation to a Russian-speaking criminal group. Ryuk targets specific businesses with little tolerance for downtime and is among the most profitable crypto-ransomware operations. Widely publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-site manufacturer headquartered in the Chicago metro area with about 500 employees. The Ryuk intrusion had shut down all business and manufacturing operations. Most of the client's backups had been online when the attack started and were destroyed. The client was preparing to pay the ransom (more than $200,000) and hope for the best, but ultimately engaged Progent instead.
"I can't tell you enough about the support Progent provided us throughout the most fearful period of (our) business's survival. We may have had to pay the hackers behind this attack if it wasn't for the confidence the Progent experts gave us. The fact that you were able to get our e-mail system and key servers back quicker than a week was beyond my wildest dreams. Each expert I talked with or e-mailed at Progent was hell bent on getting my company operational and was working all day and night on our behalf."
Progent worked hand in hand with the customer to rapidly assess and prioritize the mission-critical applications that had to be restored in order to restart company operations:
- Microsoft Active Directory
- Microsoft Exchange
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for malware incident response by containing lateral movement and cleaning infected systems. Progent then started recovering Microsoft Active Directory, the core of enterprise networks built on Windows Server. Microsoft Exchange cannot run without Active Directory, and the company's financial and MRP applications ran on Microsoft SQL Server, which relied on Active Directory to authenticate access to the data.
Within two days, Progent had rebuilt Active Directory to its pre-attack state. Progent then pressed ahead with the setup and storage recovery of critical applications. Exchange Server's Active Directory objects and attributes were intact, which accelerated the Exchange restore. Progent was also able to collect intact OST files (Microsoft Outlook Offline Folder Files) from various workstations in order to recover mailbox data. A recent offline backup of the company's accounting/ERP software allowed these essential applications to be brought back online for users. Although substantial work remained to recover fully from the Ryuk incident, core services were restored quickly:
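Deciding which OST/PST files on the workstations are still usable is a triage step a responder can automate rather than opening each file by hand. The script below is an added example written for this page, not Progent's tooling: it classifies candidate Outlook data files by whether the PST/OST header magic ("!BDN", per the MS-PST specification) is still present and, if not, whether the leading bytes look like ciphertext. The sample file contents and names, the 4096-byte sampling window and the 7.5 bits/byte entropy threshold are constructed assumptions for illustration.

```python
import math
import hashlib
from pathlib import Path

# dwMagic at the start of every PST/OST file header (MS-PST specification).
PST_MAGIC = b"!BDN"
HEADER_SAMPLE = 4096   # bytes read from the front of each file (assumed window)
HIGH_ENTROPY = 7.5     # bits/byte; ciphertext approaches 8.0, a real OST header is far lower


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_mailbox_file(head: bytes) -> str:
    """Classify a candidate Outlook data file from its leading bytes.

    'intact'    - PST/OST magic present; worth collecting for mailbox recovery
    'encrypted' - magic gone and contents look like ciphertext (ransomware output)
    'unknown'   - magic gone but low entropy (truncated, zeroed, or not an OST at all)
    """
    if head[:4] == PST_MAGIC:
        return "intact"
    if shannon_entropy(head[:HEADER_SAMPLE]) >= HIGH_ENTROPY:
        return "encrypted"
    return "unknown"


def triage(files):
    """files: iterable of (name, leading_bytes). Returns {name: classification}."""
    return {name: classify_mailbox_file(head) for name, head in files}


def triage_directory(root):
    """Walk a mounted workstation image and classify every OST/PST found,
    including files ransomware renamed (e.g. the '.RYK' suffix Ryuk appends,
    which leaves the original '.ost' inside the name)."""
    results = {}
    for p in Path(root).rglob("*"):
        lowered = p.name.lower()
        if p.is_file() and (".ost" in lowered or ".pst" in lowered):
            with open(p, "rb") as fh:
                results[str(p)] = classify_mailbox_file(fh.read(HEADER_SAMPLE))
    return results


def _pseudo_random(n, seed=b"constructed-sample"):
    """Deterministic stand-in for ciphertext (SHA-256 hash chain), so the demo
    needs no real malware and gives the same bytes on every run."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: not real mailbox files.
SAMPLE_FILES = [
    ("jdoe@corp.local.ost", PST_MAGIC + b"\x00" * 1000 + b"mailbox" * 300),  # intact
    ("asmith@corp.local.ost.RYK", _pseudo_random(HEADER_SAMPLE)),           # encrypted
    ("old.pst", b"\x00" * HEADER_SAMPLE),                                    # zeroed/unknown
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FILES).items():
        print(f"{verdict:9s} {name}")
```

Only files classified as intact are worth collecting. An OST is a cached replica tied to the original mailbox and profile, so importing it into a rebuilt Exchange environment generally means converting it to a PST with a dedicated tool first. High-entropy files with the magic stripped should be preserved as evidence but not counted on for recovery.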
"For the most part, the assembly line operation was never shut down and we delivered all customer deliverables."
Over the following weeks, important milestones in the recovery were completed in close cooperation between Progent consultants and the customer:
- Internal web sites were brought back up without losing any information.
- The MailStore Server archive of more than four million historical messages was brought back up and made accessible to users.
- The CRM, orders, invoicing, accounts payable (AP), accounts receivable (AR) and inventory modules were fully operational.
- A new Palo Alto Networks PA-850 firewall was deployed.
- 90% of the desktops and laptops were functioning as they had before the incident.
"A lot of what transpired in the initial days is mostly a haze for me, but my management will not soon forget the care all of you accomplished to give us our company back. I have entrusted Progent for at least 10 years, possibly more, and each time Progent has come through and delivered as promised. This time was a stunning achievement."
A likely business-ending catastrophe was averted thanks to top-tier experts, a broad array of technical skills and tight collaboration. In hindsight, the attack described here could have been stopped by modern security systems and best practices, staff training, properly executed incident response procedures, offline backups and timely security patching; but state-sponsored and criminal cyber gangs from Russia, China and elsewhere are relentless and will keep trying. If you do fall victim to a crypto-ransomware incident, be confident that Progent's roster of professionals has a proven track record in ransomware blocking, remediation and file recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), I'm grateful for making it so I could get some sleep after we got through the first week. Everyone did an amazing effort, and if anyone is visiting the Chicago area, dinner is the least I can do!"
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)