Crypto-Ransomware : Your Crippling Information Technology Nightmare
Crypto-ransomware has become a modern cyber-plague that poses an enterprise-level danger to any organization vulnerable to an attack. Older families such as CryptoLocker, CryptoWall, Bad Rabbit, SamSam and the MongoLock cryptoworm have been around for years and still inflict harm. Newer crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Nephilim, along with new, as-yet unnamed variants that appear daily, not only encrypt online data files but also go after every available system protection. Data synchronized to cloud environments can be corrupted as well. In a vulnerable system this can render any restoration useless and effectively set the entire environment back to square one.
Restoring programs and data after a ransomware intrusion becomes a race against the clock as the targeted business fights to stop lateral movement, eradicate the ransomware, and bring business-critical operations back. Because ransomware needs time to move laterally, intrusions are often launched at night, when they are likely to take longer to discover. This compounds the difficulty of promptly mobilizing and organizing a qualified response team.
Progent offers an assortment of services for protecting Birmingham businesses from crypto-ransomware attacks. These include user education to recognize and avoid phishing exploits, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which uses SentinelOne's AI-based threat defense to detect and disable zero-day modern malware attacks. Progent also provides experienced ransomware recovery consultants with the track record and perseverance to restore a compromised system as rapidly as possible.
Progent's Crypto-Ransomware Restoration Support Services
After a ransomware event, paying the ransom in Bitcoin does not guarantee that the remote criminals will provide the keys to decrypt all your files. Kaspersky Labs estimated that 17% of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also very costly. Ryuk ransoms often range from 15 to 40 BTC ($120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNET determined to be around $13,000 for smaller organizations. The alternative is to rebuild the vital elements of your IT environment. Without usable system backups, this calls for a broad complement of skills, top-notch project management, and the ability to work continuously until the job is done.
For twenty years, Progent has provided professional IT services to businesses throughout the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who hold high-level certifications in foundation technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity experts have earned internationally recognized certifications including CISA, CISSP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial systems and ERP application software. This breadth of expertise allows Progent to quickly identify critical systems after a ransomware intrusion, reassemble the surviving parts of your network, and bring them back into an operational state.
Progent's recovery team uses best-of-breed project management applications to coordinate the complex restoration process. Progent understands the importance of acting rapidly and in concert with a customer's management and IT staff to prioritize tasks and bring essential systems back online as soon as humanly possible.
Customer Story: A Successful Crypto-Ransomware Penetration Recovery
A business sought out Progent after its network was attacked by the Ryuk crypto-ransomware. Ryuk is generally believed to have been developed by North Korean state-sponsored cybercriminals, suspected of adopting technology leaked from the U.S. NSA. Ryuk targets specific companies that have little or no tolerance for disruption and is among the most lucrative ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturer based in Chicago with about 500 employees. The Ryuk intrusion had paralyzed all company operations and manufacturing processes. Most of the client's system backups had been online at the time of the attack and were damaged. The client was actively seeking loans to pay the ransom demand (in excess of $200K) and hoping for good luck, but ultimately reached out to Progent.
"I can't thank you enough for the expertise Progent provided us during the most fearful period of (our) business's life. We most likely would have paid the hackers behind this attack if not for the confidence the Progent team afforded us. The fact that you were able to get our messaging and important servers back quicker than a week was amazing. Every single person I interacted with or texted at Progent was urgently focused on getting our system up and was working non-stop to bail us out."
Progent worked with the customer to rapidly identify and prioritize the mission-critical applications that had to be addressed in order to keep departmental functions running:
- Active Directory
- Exchange Server
To begin, Progent followed anti-virus/anti-malware incident mitigation best practices by isolating and disinfecting systems. Progent then started the work of recovering Active Directory, the core technology of enterprise environments built on Microsoft Windows. Exchange messaging will not operate without Windows AD, and the client's financials and MRP system ran on Microsoft SQL Server, which depends on Active Directory for authentication and authorization to the data.
In less than 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then assisted with rebuilding and hard drive recovery of the most important servers. All Exchange Server ties and attributes were intact, which accelerated the rebuild of Exchange. Progent was able to locate local OST files (Outlook Offline Folder Files) on various PCs and laptops in order to recover email data. A reasonably recent offline backup of the client's financials/ERP software made it possible to bring these vital programs back online. Although significant work remained to recover fully from the Ryuk damage, essential services were restored quickly:
"For the most part, the manufacturing operation ran fairly normal throughout and we produced all customer orders."
During the following month, key milestones in the restoration project were reached through close collaboration between Progent engineers and the client:
- In-house web applications were restored without losing any data.
- The MailStore Server, holding more than four million archived messages, was brought back up and made accessible to users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivable (AR)/Inventory functions were 100 percent restored.
- A new Palo Alto Networks 850 security appliance was brought online.
- Ninety percent of the user PCs were back in operation.
"So much of what transpired during the initial response is nearly entirely a blur for me, but our team will not soon forget the countless hours all of you accomplished to help get our business back. I've been working with Progent for at least 10 years, maybe more, and every time Progent has impressed me and delivered. This event was a life saver."
A likely business disaster was averted by results-oriented experts, a broad range of technical expertise, and tight collaboration. Although a post-mortem shows that the ransomware incident described here would have been blocked by up-to-date security technology and recognized best practices, user education, and sound procedures for backup and patch management, the fact is that state-sponsored cyber criminals from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you are hit by a ransomware intrusion, you can be confident that Progent's team of experts has substantial experience in blocking, mitigating, and recovering files from crypto-ransomware attacks.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thanks very much for allowing me to get some sleep after we got through the initial push. Everyone did an incredible job, and if any of your team is visiting the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this case study, see Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Restoration Consulting Services in Birmingham
For ransomware recovery expertise in the Birmingham area, phone Progent at 800-462-8800 or go to Contact Progent.