Crypto-Ransomware : Your Crippling IT Catastrophe
Ransomware has become a modern cyberplague that poses an existential threat to businesses of all sizes that are vulnerable to attack. Versions of ransomware such as the CryptoLocker, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been replicating for years and continue to inflict destruction. Newer strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nephilim, plus additional unnamed malware, not only encrypt online data files but also go after every system protection mechanism they can reach. Files replicated to off-site disaster recovery sites can be corrupted as well. In a poorly architected environment this can render any restoration useless and effectively sets the network back to square one.
Recovering applications and information after a crypto-ransomware event becomes a sprint against time as the victim tries its best to stop the spread, clean up the ransomware, and restore business-critical activity. Because ransomware takes time to spread, attacks are usually launched on weekends and at night, when a successful penetration often takes longer to detect. This multiplies the difficulty of rapidly marshalling and coordinating a capable response team.
Progent makes available a range of support services for securing Portland businesses from ransomware events. These include team training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of modern security gateways with artificial intelligence technology to automatically identify and quarantine new cyber threats. Progent also offers the assistance of veteran ransomware recovery engineers with the skills and commitment to re-deploy a compromised system as quickly as possible.
Progent's Crypto-Ransomware Restoration Support Services
After a ransomware penetration, paying the ransom in Bitcoin cryptocurrency does not guarantee that distant criminals will provide the keys to decrypt any or all of your information. Kaspersky Labs estimated that 17% of crypto-ransomware victims never restored their data after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the usual ransomware demand, which ZDNET determined to be approximately $13,000 for smaller businesses. The fallback is to set up the mission-critical elements of your Information Technology environment from scratch. Absent access to full data backups, this requires a wide range of skill sets, well-coordinated project management, and the capability to work continuously until the recovery project is finished.
For two decades, Progent has provided certified expert IT services for businesses throughout the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have earned high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have earned internationally-recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent also has expertise with financial management and ERP software solutions. This breadth of experience gives Progent the ability to quickly identify the systems that matter, salvage the remaining pieces of your Information Technology environment following a crypto-ransomware attack, and rebuild them into a functioning whole.
Progent's security team of experts deploys best-of-breed project management tools to coordinate the complicated recovery process. Progent knows the urgency of acting quickly and in unison with a customer's management and IT team members to assign priority to tasks and to put key services back on line as soon as possible.
Customer Case Study: A Successful Crypto-Ransomware Penetration Recovery
A customer sought out Progent after their company was taken over by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean state cybercriminals, suspected of using techniques leaked from America's National Security Agency. Ryuk seeks out specific businesses with limited tolerance for operational disruption and is one of the most profitable incarnations of ransomware. Major targets have included Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer based in the Chicago metro area with about 500 workers. The Ryuk penetration had disabled all essential operations and manufacturing processes. Most of the client's data backups had been directly accessible from the network at the beginning of the intrusion and were destroyed. The client was pursuing financing to pay the ransom demand (exceeding $200,000) and hoping for good luck, but in the end brought in Progent.
"I can't speak enough in regards to the help Progent gave us throughout the most stressful time of (our) business's existence. We most likely would have paid the hackers behind this attack except for the confidence the Progent experts provided us. The fact that you were able to get our messaging and key servers back on-line in less than 1 week was incredible. Each expert I spoke to or communicated with at Progent was amazingly focused on getting us working again and was working all day and night to bail us out."
Progent worked together with the customer to quickly assess and prioritize the critical services that needed to be restored in order to resume company functions:
To begin, Progent followed ransomware penetration mitigation best practices by halting the spread and cleaning the malware from affected systems. Progent then began the steps of rebuilding Active Directory, the heart of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not work without Active Directory, and the customer's accounting and MRP system relied on Microsoft SQL Server, which depends on Windows AD for authentication and authorization to the data.
- Windows Active Directory
Within 48 hours, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then charged ahead with reinstallations and storage recovery of needed applications. All Exchange Server schema and attributes were usable, which accelerated the restore of Exchange. Progent was also able to gather non-encrypted OST data files (Microsoft Outlook Offline Folder Files) from team workstations and laptops to recover mail data. A fairly recent offline backup of the company's manufacturing software, which the attackers could not reach, made it possible to return these vital services to users. Although significant work was left to recover fully from the Ryuk event, critical systems were returned to operation rapidly:
"For the most part, the production line operation never missed a beat and we made all customer sales."
Over the next month, critical milestones in the restoration project were completed through close collaboration between Progent engineers and the client:
- Internal web applications were restored without losing any data.
- The MailStore Microsoft Exchange Server containing more than four million historical emails was spun up and accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory Control capabilities were 100 percent restored.
- A new Palo Alto 850 firewall was installed and configured.
- 90% of the user desktops and notebooks were functioning as before the incident.
"Much of what was accomplished in the early hours is mostly a fog for me, but I will not forget the countless hours each and every one of you put in to give us our company back. I have been working with Progent for the past ten years, maybe more, and each time I needed help Progent has shined and delivered. This situation was a stunning achievement."
A likely company-ending disaster was averted through the efforts of hard-working professionals, a broad range of technical expertise, and tight teamwork. In retrospect, the ransomware attack described here would have been shut down by up-to-date security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, and appropriate incident response procedures for data backup and timely security patching. The fact remains, however, that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by ransomware, remember that Progent's roster of professionals has a proven track record in ransomware defense, removal, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thank you for making it so I could get rested after we made it over the most critical parts. Everyone did an incredible effort, and if anyone is around the Chicago area, a great meal is the least I can do!"
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Services in Portland
For ransomware cleanup consulting services in the Portland area, call Progent at 800-462-8800 or go to Contact Progent.