Crypto-Ransomware : Your Crippling Information Technology Disaster
Crypto-ransomware has become an all-too-frequent cyber pandemic that represents an existential danger for businesses of all sizes that are poorly prepared for an attack. Families such as CrySIS, Fusob, Locky, Syskey and MongoLock have been running rampant for a long time and still cause destruction. Newer strains like Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, plus many unnamed variants, not only encrypt online data but also seek out and destroy any reachable system restore points and backups. Data replicated to cloud environments can be corrupted as well. In a poorly designed environment this can render restore operations useless and effectively knock the entire system back to square one.
Getting applications and data back after a ransomware event becomes a sprint against the clock as the victim fights to stop lateral movement, eradicate the ransomware, and restore mission-critical activity. Because crypto-ransomware needs time to spread, attacks are usually sprung on weekends, when they tend to go unnoticed for longer. This compounds the difficulty of promptly marshalling and coordinating a knowledgeable response team.
Progent offers an assortment of services for protecting Augusta-Richmond County businesses from ransomware attacks. Among these are staff training to help users recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security products that use artificial intelligence to quickly identify and contain zero-day attacks. Progent also provides seasoned ransomware recovery engineers with the skills and perseverance to rebuild a compromised network as urgently as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware event, paying the ransom in Bitcoin does not guarantee that the attackers will hand over the keys needed to decrypt any or all of your data. Kaspersky Labs determined that 17% of crypto-ransomware victims never restored their data after having paid the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the average ransomware demand, which ZDNET determined to be in the range of $13,000 for smaller businesses. The fallback is to set up the key parts of your IT environment from scratch. Without full data backups, this calls for a wide complement of skills, top-notch project management, and the willingness to work non-stop until the job is finished.
For twenty years, Progent has provided certified expert IT services for businesses throughout the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have earned advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists hold internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial management and ERP applications. This breadth of expertise gives Progent the capability to efficiently identify the systems that must come back first, salvage the surviving pieces of your network following a crypto-ransomware attack, and rebuild them into a functioning environment.
Progent's recovery team uses top-notch project management practices to coordinate the complex restoration process. Progent knows the importance of working quickly and in concert with a client's management and IT staff to prioritize tasks and get essential systems back online as soon as humanly possible.
Customer Story: A Successful Ransomware Virus Response
A small business escalated to Progent after their company was brought down by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean government-sponsored cybercriminals, suspected of adopting techniques leaked from America's NSA. Ryuk targets specific companies with little tolerance for disruption and is one of the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in Chicago with around 500 employees. The Ryuk attack had shut down all company operations and manufacturing capabilities. The majority of the client's backups had been online at the start of the attack and were destroyed. The client was considering paying the ransom demand (in excess of $200,000) and hoping for good luck, but ultimately reached out to Progent.
"I can't thank you enough in regards to the care Progent provided us during the most stressful time of (our) company's life. We may have had to pay the cyber criminals behind the attack except for the confidence the Progent team afforded us. That you could get our messaging and critical servers back online in less than a week was something I thought impossible. Each expert I worked with or e-mailed at Progent was urgently focused on getting our company operational and was working all day and night on our behalf."
Progent worked together with the customer to quickly identify and prioritize the most important areas that needed to be restored in order to restart business operations:
- Active Directory (AD)
- Electronic Messaging
To get going, Progent followed incident response best practices by isolating and cleaning up compromised systems. Progent then began bringing Microsoft Active Directory back online, the heart of enterprise networks built on Microsoft Windows Server. Exchange messaging will not operate without Active Directory, and the customer's MRP applications ran on Microsoft SQL Server, which depends on AD for authentication and authorization to the data.
In less than 2 days, Progent was able to recover Active Directory services to their pre-intrusion state. Progent then initiated reinstallations and hard drive recovery on mission-critical systems. All Exchange Server schema and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to collect intact OST files (Microsoft Outlook Offline Data Files) from staff workstations and laptops in order to recover email messages. A relatively recent offline backup of the client's manufacturing systems made it possible to bring these essential applications back online for users. Although significant work remained to recover fully from the Ryuk attack, the most important services were recovered quickly:
"For the most part, the production line operation survived unscathed and we delivered all customer sales."
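The recovery sequence above (isolate, then Active Directory, then Exchange and SQL Server, then the MRP application that depends on SQL Server, with offline backups preferred over online ones that the ransomware reached) is a dependency-ordered restore. The following is an added example, not Progent's tooling or code from the case study, that turns such an inventory into a runbook: a topological sort over service dependencies, with a business-priority tie-break and a cycle check, plus a lookup of how each service can be recovered given the state of its backup. The service names, dependencies and backup states in `SAMPLE` are constructed to resemble the case study and are assumptions, not data from the page.

```python
"""Dependency-ordered restore planner for ransomware recovery (added example)."""
from collections import defaultdict
from dataclasses import dataclass


class DependencyCycle(ValueError):
    """Raised when the service inventory cannot be restored in any order."""


@dataclass(frozen=True)
class Service:
    name: str
    depends_on: tuple = ()
    # Backup state: "offline" (survived), "online" (reachable by the
    # ransomware, assumed encrypted) or "none".
    backup: str = "none"
    # Business priority: 1 = restore first among services that are ready.
    priority: int = 5


def plan_restore(services):
    """Return service names in an order that restores dependencies first.

    Kahn's algorithm; among services whose dependencies are all restored,
    the lowest priority number (then name) goes first.
    """
    by_name = {s.name: s for s in services}
    indegree = {s.name: 0 for s in services}
    dependents = defaultdict(list)
    for s in services:
        for dep in s.depends_on:
            if dep not in by_name:
                raise ValueError(f"{s.name} depends on unknown service {dep!r}")
            indegree[s.name] += 1
            dependents[dep].append(s.name)

    def rank(name):
        return (by_name[name].priority, name)

    ready = sorted((n for n, d in indegree.items() if d == 0), key=rank)
    order = []
    while ready:
        name = ready.pop(0)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
        ready.sort(key=rank)
    if len(order) != len(services):
        stuck = sorted(n for n, d in indegree.items() if d > 0)
        raise DependencyCycle(f"dependency cycle among {stuck}")
    return order


def has_cycle(services):
    """True when the inventory contains a circular dependency."""
    try:
        plan_restore(services)
    except DependencyCycle:
        return True
    return False


def recovery_method(service):
    """Describe how a service can be brought back given its backup state."""
    if service.backup == "offline":
        return "restore from offline backup"
    if service.backup == "online":
        return "rebuild from scratch (online backup encrypted)"
    return "rebuild from scratch (no backup)"


def build_runbook(services):
    """List of (service, recovery method) in restore order."""
    by_name = {s.name: s for s in services}
    return [(n, recovery_method(by_name[n])) for n in plan_restore(services)]


# Constructed inventory modelled loosely on the case study (assumption).
SAMPLE = [
    Service("Active Directory", (), "online", 1),
    Service("Exchange Server", ("Active Directory",), "online", 2),
    Service("SQL Server", ("Active Directory",), "offline", 2),
    Service("MRP application", ("SQL Server",), "offline", 1),
    Service("Internal web sites", ("Active Directory",), "offline", 3),
    Service("Workstations", ("Active Directory",), "none", 4),
]

if __name__ == "__main__":
    for step, (name, method) in enumerate(build_runbook(SAMPLE), 1):
        print(f"{step}. {name}: {method}")
```

The priority field only breaks ties among services whose dependencies are already restored; it never lets a high-priority application jump ahead of the directory or database it needs, which is exactly the constraint that put Active Directory first in the story above.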
Over the following month, important milestones in the recovery project were reached through tight collaboration between Progent team members and the client:
- Internal web sites were restored without losing any information.
- The MailStore Server containing more than 4 million archived emails was brought online and accessible to users.
- CRM/Orders/Invoicing/Accounts Payable/Accounts Receivable (AR)/Inventory modules were completely restored.
- A new Palo Alto Networks 850 firewall was brought online.
- 90% of the desktops and laptops were operational.
"A lot of what occurred in the early hours is mostly a blur for me, but I will not forget the commitment each and every one of you put in to help get our company back. I've utilized Progent for the past 10 years, possibly more, and each time Progent has shined and delivered. This event was a testament to your capabilities."
A potential business catastrophe was averted through hard-working experts, a broad range of IT skills, and tight collaboration. Forensics showed that the crypto-ransomware attack described here could have been detected and stopped with modern cyber security technology and best practices: user education, well thought out incident response procedures for data protection, and keeping systems current with security patches. The reality, however, is that state-sponsored cybercriminals from China, North Korea and elsewhere are tireless and will keep trying. If you do fall victim to a ransomware attack, you can be confident that Progent's roster of experts has extensive experience in ransomware blocking, removal, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), I'm grateful for letting me get rested after we made it through the first week. Everyone did a fabulous effort, and if anyone is in the Chicago area, dinner is my treat!"
Download the Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)