Crypto-Ransomware : Your Worst IT Nightmare
Ransomware has become an escalating cyber pandemic that represents an existential danger for businesses of all sizes vulnerable to an attack. Different iterations of crypto-ransomware such as the CryptoLocker, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for years and still wreak havoc. Newer variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, plus new as-yet-unnamed strains appearing daily, not only encrypt on-line critical data but also infiltrate every available system protection mechanism. Files synched to the cloud can also be encrypted. On a vulnerable system, this can render automatic restoration useless and effectively set the network back to square one.
Recovering programs and data after a ransomware intrusion becomes a race against time as the targeted organization struggles to stop the spread, clear the crypto-ransomware, and restore enterprise-critical activity. Because ransomware takes time to spread, attacks are usually sprung on weekends and holidays, when penetrations often take longer to uncover. This multiplies the difficulty of rapidly assembling and coordinating a qualified mitigation team.
Progent offers an assortment of solutions for protecting Naples organizations from ransomware attacks. These include team training to help staff identify and avoid phishing attempts, and ProSight Active Security Monitoring (ASM), an endpoint detection and response service that uses SentinelOne's AI-based threat defense to discover and quarantine zero-day modern malware attacks. Progent can also provide the assistance of veteran crypto-ransomware recovery professionals with the skills and perseverance to rebuild a breached network as urgently as possible.
Progent's Ransomware Restoration Services
After a ransomware attack, sending the ransom in cryptocurrency does not guarantee that the distant criminals will provide the keys needed to decrypt any of your data. Kaspersky ascertained that 17% of ransomware victims never restored their files even after having sent off the ransom, resulting in increased losses. Paying is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is greatly above the usual crypto-ransomware demand, which ZDNET estimated to be in the range of $13,000 for small organizations. The alternative is to re-install the mission-critical parts of your Information Technology environment. Without access to full information backups, this requires a wide range of IT skills, top-notch team management, and the ability to work continuously until the job is over.
For decades, Progent has offered expert IT services for companies across the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have been awarded top certifications in leading technologies from Microsoft, Cisco, and VMware, and in popular distributions of Linux. Progent's security engineers have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent in addition has experience in financial systems and ERP software solutions. This breadth of expertise gives Progent the skills to efficiently identify important systems, organize the surviving parts of your network after a ransomware event, and rebuild them into a functioning network.
Progent's recovery team deploys state-of-the-art project management tools to coordinate the complex recovery process. Progent understands the importance of working quickly and in concert with a customer's management and IT team members to prioritize tasks and to get the most important services back online as soon as humanly possible.
Customer Case Study: A Successful Ransomware Incident Restoration
A small business sought out Progent after their organization was brought down by the Ryuk ransomware virus. Ryuk is generally considered to have been deployed by North Korean state-sponsored hackers, possibly using approaches leaked from America's National Security Agency. Ryuk targets specific businesses with little room for operational disruption and is one of the most lucrative versions of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer headquartered in Chicago with about 500 staff members. The Ryuk attack had brought down all company operations and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were damaged. The client was pursuing financing to pay the ransom (exceeding $200,000) and hoping for the best, but in the end brought in Progent.
"I cannot thank you enough in regards to the help Progent gave us throughout the most fearful period of (our) company's existence. We may have had to pay the cyber criminals behind the attack except for the confidence the Progent team provided us. The fact that you could get our e-mail system and critical applications back on-line faster than seven days was incredible. Every single expert I interacted with or texted at Progent was hell bent on getting our company operational and was working all day and night to bail us out."
Progent worked with the client to quickly assess and prioritize the mission-critical areas that needed to be restored to make it possible to resume company operations:
- Active Directory (AD)
- Electronic Messaging
To begin, Progent adhered to malware incident response best practices by halting lateral movement and disinfecting systems. Progent then initiated the task of bringing Active Directory back online, the key technology of enterprise systems built on Microsoft products. Microsoft Exchange Server email will not work without Windows AD, and the customer's financials and MRP software relied on Microsoft SQL Server, which requires Windows AD for access to the databases.
In less than two days, Progent was able to rebuild Active Directory services to their pre-penetration state. Progent then carried out reinstallations and hard drive recovery of essential servers. All Exchange connections and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to collect local OST data files (Microsoft Outlook Offline Folder Files) from staff desktop computers in order to recover email messages. A recent off-line backup of the client's financials/ERP systems made it possible to bring these vital services back on-line. Although significant work remained to recover completely from the Ryuk virus, core services were restored rapidly:
"For the most part, the production operation did not miss a beat and we did not miss any customer deliverables."
During the following couple of weeks, critical milestones in the restoration project were achieved through tight collaboration between Progent engineers and the client:
- Self-hosted web applications were brought back up without losing any information.
- The MailStore Server with over four million historical emails was brought online and accessible to users.
- CRM/Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory Control functions were 100% restored.
- A new Palo Alto Networks 850 security appliance was deployed.
- Most of the desktops and laptops were back in use by staff.
"A huge amount of what was accomplished in the initial days is mostly a fog for me, but my team will not forget the commitment each of you put in to help get our business back. I have trusted Progent for the past ten years, possibly more, and every time Progent has come through and delivered. This time was a life saver."
A probable business extinction disaster was avoided by results-oriented professionals, a wide range of technical expertise, and tight collaboration. Although in retrospect the ransomware incident described here could have been blocked with advanced security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, and well-thought-out incident response procedures for data protection and software patching, the fact is that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a ransomware penetration, be confident that Progent's roster of professionals has substantial experience in crypto-ransomware virus blocking, mitigation, and file restoration.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), I'm grateful for allowing me to get rested after we got past the initial push. All of you did an amazing job, and if anyone that helped is around the Chicago area, dinner is on me!"
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this ransomware incident report, see Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware Recovery Consulting Services in Naples
For ransomware system recovery services in the Naples area, phone Progent at 800-462-8800 or go to Contact Progent.