Crypto-Ransomware : Your Worst Information Technology Disaster
Ransomware has become a modern cyberplague that poses an extinction-level threat to organizations vulnerable to an attack. Ransomware families such as the CrySIS, Fusob, Locky, SamSam and MongoLock cryptoworms have been replicating for years and still cause damage. More recent variants such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, as well as frequent unnamed newcomers, not only encrypt on-line information but also reach most accessible system restore points and backups. Information synched to cloud environments can also be encrypted. In a poorly architected environment, this can make automatic restoration impossible and effectively knocks the datacenter back to zero.
Retrieving programs and data after a crypto-ransomware intrusion becomes a race against time as the targeted organization fights to contain and clean up the ransomware and to resume enterprise-critical operations. Because ransomware takes time to spread, attacks are frequently launched at night, when penetrations may take longer to identify. This multiplies the difficulty of quickly marshalling and coordinating a knowledgeable response team.
Progent offers a range of support services for securing Cincinnati enterprises against ransomware penetrations. These include team training to help staff recognize and not fall victim to phishing attempts, and ProSight Active Security Monitoring, an endpoint detection and response service that uses SentinelOne's behavior-based cyberthreat protection to discover and suppress zero-day malware attacks. Progent also provides the services of experienced ransomware recovery professionals with the track record and perseverance to reconstruct a breached network as rapidly as possible.
Progent's Ransomware Restoration Help
After a crypto-ransomware attack, sending the ransom in cryptocurrency does not guarantee that distant criminals will return the codes needed to decrypt any of your files. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their information after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNET estimated to be approximately $13,000 for smaller businesses. The fallback is to rebuild the essential parts of your IT environment from scratch. Without full system backups available, this requires a broad complement of skills, well-coordinated project management, and the ability to work continuously until the recovery project is done.
For two decades, Progent has provided professional IT services for companies across the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have been awarded top industry certifications in leading technologies from Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has experience with accounting and ERP applications. This breadth of experience gives Progent the capability to rapidly identify the systems that are essential, salvage the remaining pieces of your IT environment after a ransomware penetration, and rebuild them into an operational network.
Progent's recovery team uses best-of-breed project management tools to orchestrate the complicated recovery process. Progent appreciates the urgency of working quickly and in unison with a client's management and IT resources to prioritize tasks and get the most important systems back on-line as fast as humanly possible.
Business Case Study: A Successful Crypto-Ransomware Penetration Recovery
A business hired Progent after their organization was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean government-sponsored criminal gangs, suspected of adopting algorithms leaked from the United States National Security Agency. Ryuk targets specific companies with limited ability to sustain operational disruption and is one of the most profitable iterations of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company located in the Chicago metro area with around 500 employees. The Ryuk event had paralyzed all business operations and manufacturing processes. Most of the client's data backups had been directly accessible at the time of the attack and were eventually encrypted. The client was taking steps to pay the ransom (exceeding two hundred thousand dollars) and hoping for the best, but ultimately called Progent.
"I can't say enough in regards to the care Progent gave us during the most critical time of (our) business's existence. We would have had little choice but to pay the cybercriminals if it weren't for the confidence the Progent group gave us. That you were able to get our messaging and critical servers back into operation in less than 1 week was incredible. Every single person I spoke to or texted at Progent was urgently focused on getting us operational and was working 24/7 on our behalf."
Progent worked with the client to rapidly understand and prioritize the essential areas that had to be recovered in order to resume business operations:
- Active Directory (AD)
- Microsoft Exchange Email
- Accounting and Manufacturing Software
To start, Progent followed ransomware incident response best practices by isolating and cleaning infected systems. Progent then began the work of bringing Active Directory back online, the key technology of enterprise environments built on Microsoft Windows. Microsoft Exchange email will not function without AD, and the client's accounting and MRP applications relied on Microsoft SQL Server, which requires Active Directory services for access to the databases.
In less than two days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then charged ahead with reinstallations and hard drive recovery of critical systems. All Exchange data and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was able to gather local OST files (Microsoft Outlook Offline Data Files) from user workstations and laptops to recover mail data. A relatively recent offline backup of the client's financials/ERP software enabled Progent to restore these vital applications and return them to service. Although a large amount of work remained to recover fully from the Ryuk event, critical services were returned to operation rapidly:
"For the most part, the manufacturing operation was never shut down and we delivered all customer sales."
Throughout the next couple of weeks, key milestones in the restoration project were accomplished through tight collaboration between Progent engineers and the customer:
- Internal web sites were returned to operation without losing any data.
- The MailStore Exchange Server containing more than 4 million archived messages was spun up and available for users.
- CRM/Customer Orders/Invoicing/AP/AR/Inventory modules were fully functional.
- A new Palo Alto 850 security appliance was installed and configured.
- Ninety percent of the user desktops and notebooks were back in operation.
"So much of what happened in the initial days is mostly a blur for me, but my team will not soon forget the countless hours each and every one of the team put in to help get our business back. I've been working together with Progent for the past 10 years, possibly more, and each time Progent has outperformed my expectations and delivered. This time was a testament to your capabilities."
A probable business disaster was avoided thanks to top-tier experts, a broad array of subject matter expertise, and close collaboration. Although the forensic review concluded that the ransomware incident described here could have been blocked with advanced cyber security solutions, NIST Cybersecurity Framework best practices, user training, and properly executed incident response procedures for data backup and for keeping systems up to date with security patches, the fact remains that government-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware attack, you can be confident that Progent's team of professionals has substantial experience in ransomware blocking, removal, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), I'm grateful for making it so I could get some sleep after we made it past the initial push. Everyone did an incredible job, and if any of your guys are in the Chicago area, a great meal is my treat!"
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Consulting Services in Cincinnati
For ransomware system recovery consulting services in the Cincinnati area, call Progent at 800-462-8800 or go to Contact Progent.