Crypto-Ransomware: Your Worst IT Nightmare
Ransomware has become an escalating cyberplague that presents an extinction-level danger for businesses unprepared for an attack. Ransomware families such as CryptoLocker, Fusob, Bad Rabbit, SamSam and MongoLock have been in the wild for many years and still inflict havoc. Modern crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Egregor, plus a steady stream of unnamed newcomers, not only encrypt critical online data but also reach and corrupt any system backups they can access. Files synced to the cloud can be encrypted as well. In a poorly designed environment this can make automated recovery hopeless and effectively resets the datacenter to zero.
Bringing applications and data back online after a crypto-ransomware event becomes a race against time as the targeted organization struggles to contain and clean up the ransomware and to resume business-critical operations. Because ransomware needs time to move laterally, attacks are often triggered on nights and weekends, when a successful intrusion typically takes longer to notice. This multiplies the difficulty of rapidly assembling and organizing a capable response team.
Progent offers a range of services for protecting Morgan Hill enterprises from ransomware attacks. These include staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and the setup and configuration of next-generation security appliances with machine learning capabilities that quickly identify and block zero-day threats. Progent can also provide veteran crypto-ransomware recovery consultants with the skills and perseverance to restore a compromised environment as urgently as possible.
Progent's Ransomware Restoration Services
After a ransomware penetration, paying the ransom in Bitcoin does not guarantee that the attackers will hand over the keys needed to decrypt any or all of your data. Kaspersky estimated that seventeen percent of crypto-ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000), far above the average crypto-ransomware demand, which ZDNET estimated at around $13,000 for smaller organizations. The other path is to rebuild the mission-critical elements of your IT environment from scratch. Without complete data backups, this requires a broad complement of skill sets, professional project management, and the ability to work around the clock until the recovery is complete.
For twenty years, Progent has provided professional IT services to businesses throughout the United States and has earned Microsoft Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold top industry certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity specialists hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial management and ERP software. This breadth of expertise allows Progent to efficiently identify critical systems, reorganize the surviving parts of your IT environment after a ransomware event, and reassemble them into a working system.
Progent's recovery group uses state-of-the-art project management applications to coordinate the complex restoration process. Progent understands the importance of acting quickly and in concert with a customer's management and IT staff to prioritize tasks and to get critical services back online as soon as humanly possible.
Case Study: A Successful Ransomware Intrusion Response
A small business sought out Progent after its network was taken over by Ryuk ransomware. Ryuk is thought to have been launched by North Korean government-sponsored cybercriminals, suspected of adopting techniques leaked from the U.S. NSA. Ryuk targets specific organizations with little or no tolerance for disruption and is one of the most profitable ransomware strains. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturer based in the Chicago metro area with around 500 employees. The Ryuk intrusion had frozen all business operations and manufacturing processes. Most of the client's system backups had been online at the start of the intrusion and were destroyed. The client was preparing to pay the ransom (exceeding $200K) and hope for the best, but ultimately decided to engage Progent.
"I can't thank you enough in regards to the help Progent gave us during the most stressful period of (our) company's survival. We most likely would have paid the cyber criminals behind the attack if not for the confidence the Progent experts afforded us. The fact that you could get our messaging and critical servers back online sooner than one week was earth shattering. Each expert I worked with or messaged at Progent was totally committed on getting us back on-line and was working 24/7 on our behalf."
Progent worked with the client to rapidly identify and prioritize the essential areas that had to be addressed to make it possible to continue business operations:
- Microsoft Active Directory
- Electronic Messaging
To begin, Progent followed AV/malware intrusion mitigation best practices by stopping the spread and cleaning up infected systems. Progent then started the task of bringing Active Directory back online, the core of enterprise networks built on Microsoft technology. Microsoft Exchange Server email will not function without Active Directory, and the client's accounting and MRP system ran on Microsoft SQL Server, which depends on Active Directory for authorization of access to the data.
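The restore sequence above (Active Directory first, then Exchange and SQL Server, then the applications that sit on SQL) is a dependency problem. The following added example, not Progent's or the client's code, turns a dependency map into ordered restoration tiers and flags every service that cannot come back because it, or something it depends on, has no surviving backup. The service names, their dependencies, and the set of surviving backups are constructed for illustration.

```python
"""Added example (not Progent's code): derive a dependency-ordered recovery
plan for core services, as the case study does for AD -> Exchange / SQL.
Service names and dependencies are constructed for illustration."""
from typing import Dict, Iterable, List, Set

# Constructed dependency map: service -> services that must be up first.
# Mirrors the page: Exchange and SQL Server need Active Directory; the
# accounting, MRP, CRM and web applications sit on SQL Server.
SERVICE_DEPENDENCIES: Dict[str, List[str]] = {
    "active_directory": [],
    "exchange": ["active_directory"],
    "sql_server": ["active_directory"],
    "accounting": ["sql_server"],
    "mrp": ["sql_server"],
    "crm": ["sql_server"],
    "web_apps": ["sql_server"],
    "mailstore_archive": ["active_directory"],
}


def restoration_tiers(deps: Dict[str, Iterable[str]]) -> List[List[str]]:
    """Group services into tiers: everything in tier N depends only on
    services in earlier tiers, so one tier can be rebuilt in parallel.
    A dependency cycle raises ValueError, which in a real plan means the
    dependency map itself is wrong and must be fixed before restoring."""
    graph: Dict[str, Set[str]] = {s: set(d) for s, d in deps.items()}
    # A dependency that was never listed as a service still needs a node.
    for needed in {d for ds in graph.values() for d in ds}:
        graph.setdefault(needed, set())
    remaining = dict(graph)
    tiers: List[List[str]] = []
    while remaining:
        ready = sorted(s for s, ds in remaining.items() if not ds)
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        tiers.append(ready)
        for s in ready:
            del remaining[s]
        for ds in remaining.values():
            ds.difference_update(ready)
    return tiers


def restoration_order(deps: Dict[str, Iterable[str]]) -> List[str]:
    """Flatten the tiers into a single sequence a recovery team can follow."""
    return [s for tier in restoration_tiers(deps) for s in tier]


def unrecoverable(deps: Dict[str, Iterable[str]],
                  has_surviving_backup: Set[str]) -> Set[str]:
    """Services that cannot be brought back: they lack a surviving backup or
    install source themselves, or depend (transitively) on one that does.
    This is the situation the case study describes when online backups were
    destroyed during the intrusion."""
    order = restoration_order(deps)
    graph = {s: set(deps.get(s, [])) for s in order}
    blocked: Set[str] = set()
    for s in order:  # topological order: dependencies are decided first
        if s not in has_surviving_backup or graph[s] & blocked:
            blocked.add(s)
    return blocked


if __name__ == "__main__":
    for n, tier in enumerate(restoration_tiers(SERVICE_DEPENDENCIES)):
        print(f"tier {n}: {', '.join(tier)}")
    # Constructed scenario: the SQL Server backup was online and destroyed.
    survivors = set(SERVICE_DEPENDENCIES) - {"sql_server"}
    print("blocked:", sorted(unrecoverable(SERVICE_DEPENDENCIES, survivors)))
```

The useful output for a recovery lead is the blocked set: losing one low-tier backup (SQL Server here) blocks every application above it, which is why offline or immutable copies of the lowest tiers matter most.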
Within 48 hours, Progent had restored Active Directory to its pre-intrusion state. Progent then reinstalled the needed applications and recovered data from hard drives. All Exchange Server schema and configuration information remained usable, which greatly simplified the Exchange restore. Progent also located unencrypted OST files (Microsoft Outlook Offline Data Files) on user PCs and used them to recover mail data. A reasonably recent offline backup of the client's manufacturing software made it possible to bring these required applications back online for users. Although much work remained to recover fully from the Ryuk damage, the most important services were restored rapidly:
"For the most part, the production operation survived unscathed and we delivered all customer deliverables."
Over the following month, the critical milestones of the restoration project were completed through close cooperation between Progent engineers and the client:
- In-house web applications were brought back up with no loss of information.
- The MailStore Microsoft Exchange Server with over 4 million historical messages was brought on-line and accessible to users.
- CRM/Product Ordering/Invoices/Accounts Payable/AR/Inventory capabilities were 100% restored.
- A new Palo Alto Networks 850 firewall was deployed.
- Most of the desktop computers were functioning as before the incident.
"So much of what went on that first week is mostly a blur for me, but my team will not soon forget the countless hours all of your team put in to help get our company back. I have trusted Progent for the past 10 years, maybe more, and each time Progent has come through and delivered. This event was a testament to your capabilities."
A likely business catastrophe was averted by results-oriented professionals, a wide spectrum of subject matter expertise, and tight collaboration. Forensics later showed that the ransomware attack described here could have been stopped by advanced cybersecurity solutions and NIST Cybersecurity Framework best practices, user and IT administrator training, and sound incident response procedures covering data backup and timely security patching. Even so, state-sponsored cybercriminals from China, North Korea and elsewhere are tireless and remain an ongoing threat. If you do fall victim to a ransomware incident, remember that Progent's team has a proven track record in ransomware blocking, removal, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were helping), thanks very much for allowing me to get some sleep after we made it past the initial push. Everyone did an amazing job, and if anyone that helped is around the Chicago area, dinner is the least I can do!"
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)