Crypto-Ransomware: Your Worst Information Technology Catastrophe
Crypto-ransomware has become an all-too-frequent cyber pandemic that represents an existential danger for businesses unprepared for an attack. Variants of crypto-ransomware such as the CryptoLocker, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been running rampant for years and still cause harm. Newer strains such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, plus additional as yet unnamed newcomers, not only encrypt online data but also reach most configured system restore points and backups. Data synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly designed environment, this can make automated restore operations hopeless and effectively knocks the network back to zero.
Recovering applications and data after a ransomware event becomes a race against the clock as the targeted business tries to contain and clean up the malware and to restore business-critical activity. Because crypto-ransomware needs time to spread, attacks are frequently launched on weekends and holidays, when a successful intrusion typically takes longer to notice. This compounds the difficulty of rapidly assembling and organizing a knowledgeable mitigation team.
Progent provides an assortment of services for protecting Norfolk businesses from crypto-ransomware events. These include team education so that staff can recognize and avoid falling victim to phishing attempts, and ProSight Active Security Monitoring, an endpoint detection and response service that uses SentinelOne's behavior-based cyberthreat protection to detect and contain zero-day malware attacks. Progent can also provide the assistance of seasoned ransomware recovery professionals with the skills and commitment to re-deploy a compromised system as rapidly as possible.
Progent's Ransomware Recovery Support Services
Following a crypto-ransomware attack, even paying the ransom in Bitcoin cryptocurrency provides no assurance that the attackers will deliver the keys needed to decrypt any of your data. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their files after sending off the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above typical ransomware demands, which ZDNET determined to be approximately $13,000 for small businesses. The other path is to piece back together the key components of your Information Technology environment. Without usable backups of essential data, this requires a wide range of skill sets, professional team management, and the capability to work continuously until the recovery project is completed.
For two decades, Progent has offered professional Information Technology services to businesses across the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have attained advanced certifications in key technologies from Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers hold internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. Progent also has expertise with financial management and ERP application software. This breadth of experience allows Progent to rapidly identify the necessary systems, salvage the surviving parts of your network environment after a crypto-ransomware event, and rebuild them into a functioning system.
Progent's recovery team uses state-of-the-art project management systems to coordinate the complex restoration process. Progent appreciates the urgency of working swiftly and in unison with a client's management and IT staff to prioritize tasks and to put essential services back on-line as fast as humanly possible.
Case Study: A Successful Ransomware Penetration Recovery
A client contacted Progent after their organization was taken over by Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state hackers, possibly using technology leaked from America's NSA. Ryuk goes after specific companies with little or no ability to sustain operational disruption and is among the most profitable examples of ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer located in Chicago with around 500 staff members. The Ryuk attack had frozen all company operations and manufacturing capabilities. Most of the client's backups had been directly accessible from the network at the time of the attack and were encrypted along with everything else. The client was evaluating paying the ransom demand (exceeding $200,000) and hoping for the best, but ultimately called Progent.
"I can't speak enough in regards to the care Progent provided us throughout the most stressful period of (our) business's life. We would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent experts provided us. That you could get our messaging and important applications back on-line in less than 1 week was something I thought impossible. Every single expert I got help from or messaged at Progent was absolutely committed to getting us operational and was working at all hours to bail us out."
Progent worked with the client to quickly assess and prioritize the essential applications that had to be addressed in order to restart business operations:
- Windows Active Directory
- Electronic Messaging
- MRP System
To start, Progent followed ransomware incident response best practices by halting the spread and disinfecting systems. Progent then began rebuilding Windows Active Directory, the foundational technology of enterprise systems built on Microsoft products. Microsoft Exchange Server email will not operate without AD, and the client's financials and MRP system ran on Microsoft SQL Server, which relied on Active Directory for authentication to the databases.
Within two days, Progent was able to restore Active Directory services to their pre-attack state. Progent then completed the rebuild and disk recovery of the essential servers. All Microsoft Exchange Server links and attributes were intact, which accelerated the restoration of Exchange. Progent was also able to collect local OST files (Microsoft Outlook Offline Folder Files) from user PCs and laptops in order to recover mail data. A relatively recent offline backup of the client's accounting/ERP software made it possible to bring these vital programs back on-line. Although much work remained to recover fully from the Ryuk damage, the most important services were returned to operation rapidly:
"For the most part, the assembly line operation showed little impact and we produced all customer deliverables."
Over the following month, important milestones in the recovery process were achieved through close collaboration between Progent engineers and the customer:
- Internal web sites were brought back up without losing any data.
- The MailStore Server containing more than 4 million historical messages was restored to operations and available for users.
- CRM/Orders/Invoicing/Accounts Payable/AR/Inventory modules were completely recovered.
- A new Palo Alto Networks 850 security appliance was deployed.
- Ninety percent of the user desktops and notebooks were operational.
"Much of what occurred in the initial days is nearly entirely a blur for me, but my team will not forget the urgency each and every one of you put in to give us our business back. I have trusted Progent for at least 10 years, maybe more, and every time Progent has shone and delivered as promised. This situation was a stunning achievement."
A potential business catastrophe was avoided through the efforts of results-oriented experts, a wide range of technical expertise, and tight teamwork. In hindsight, the crypto-ransomware incident described here would have been stopped by current security technology, NIST Cybersecurity Framework best practices, team education, and well thought out incident response procedures covering data backup and patch management. Nevertheless, state-sponsored cybercriminals from Russia, China and elsewhere are tireless and remain an ongoing threat. If you do get hit by crypto-ransomware, you can be confident that Progent's roster of professionals has substantial experience in ransomware blocking, removal, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), I'm grateful for making it so I could get some sleep after we got over the first week. Everyone made an impressive effort, and if any of your team is visiting the Chicago area, dinner is on me!"
Contact Progent for Ransomware System Restoration Expertise in Norfolk
For ransomware recovery services in the Norfolk area, call Progent at 800-462-8800 or visit the Contact Progent page.