Crypto-Ransomware: Your Crippling Information Technology Disaster
Crypto-ransomware has become an all-too-frequent cyber plague and an enterprise-level danger for organizations that are unprepared for an attack. Variants such as Dharma, WannaCry, Bad Rabbit, NotPetya and MongoLock have been spreading for years and continue to wreak havoc. Modern families such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Egregor, along with still-unnamed malware, not only encrypt online critical data but also seek out and destroy the system restore points, shadow copies and backups they can reach. Files synchronized to cloud storage can be rendered useless as well, because the encrypted versions replicate over the good copies. In a poorly architected data protection solution this defeats automated recovery and effectively knocks the entire environment back to zero.
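The backup-destruction step described above is one of the few points where ransomware betrays itself before encryption starts: families such as Ryuk delete shadow copies and disable Windows recovery with a short, recognizable set of commands (vssadmin, wmic, bcdedit, wbadmin). The following Python script is an added example, not Progent's tooling or anything from the original page. It scans process-creation log lines in a constructed key=value format (not any real product's log format) for those commands and flags any host where several distinct techniques appear, which is the pre-encryption pattern rather than a lone administrator command. The pattern labels and the sample log lines are invented for the example.

```python
"""
Detect the backup and recovery tampering that ransomware such as Ryuk performs
before encryption, over Windows process-creation events.

Added example. The log format below is constructed for this example; in a real
deployment the same patterns would be applied to the CommandLine field of
Sysmon Event ID 1 or Security Event ID 4688 (with command-line auditing on).
"""
import re
from collections import defaultdict

# Command-line patterns for recovery tampering, matched case-insensitively.
# Labels are hypothetical names chosen for this example.
BACKUP_TAMPER_PATTERNS = [
    ("vssadmin shadow deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin shadow storage shrink",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic shadow deletion",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit recovery disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit boot failures ignored",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("wbadmin catalog deletion",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b", re.I)),
]

# Constructed log line format: <timestamp> host=<host> user=<user> cmdline="<command line>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmdline="(?P<cmd>.*)"$'
)

# Constructed sample events: a Ryuk-style pre-encryption burst on FILESRV01,
# one isolated wmic deletion on DC01, and benign administrative activity.
SAMPLE_LOG = [
    r'2021-03-13T02:14:07Z host=FILESRV01 user=CORP\svc_deploy cmdline="vssadmin.exe Delete Shadows /All /Quiet"',
    r'2021-03-13T02:14:08Z host=FILESRV01 user=CORP\svc_deploy cmdline="vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"',
    r'2021-03-13T02:14:09Z host=FILESRV01 user=CORP\svc_deploy cmdline="bcdedit /set {default} recoveryenabled No"',
    r'2021-03-13T02:14:09Z host=FILESRV01 user=CORP\svc_deploy cmdline="bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    r'2021-03-13T02:14:11Z host=FILESRV01 user=CORP\svc_deploy cmdline="wbadmin DELETE CATALOG -quiet"',
    r'2021-03-13T02:15:40Z host=DC01 user=CORP\svc_deploy cmdline="wmic shadowcopy delete"',
    r'2021-03-13T09:30:01Z host=WKS-042 user=CORP\jdoe cmdline="vssadmin.exe list shadows"',
    r'2021-03-13T09:31:15Z host=FILESRV01 user=CORP\backupadmin cmdline="wbadmin start backup -backupTarget:E: -include:C: -quiet"',
    r'2021-03-13T09:40:00Z host=WKS-017 user=CORP\asmith cmdline="notepad.exe C:\Users\asmith\notes.txt"',
]


def classify_command(cmdline):
    """Return the tamper labels a command line matches (empty list if benign)."""
    return [label for label, rx in BACKUP_TAMPER_PATTERNS if rx.search(cmdline)]


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not fit the format."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines):
    """Return one alert dict per event whose command line matches a tamper pattern."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        labels = classify_command(ev["cmd"])
        if labels:
            alerts.append({**ev, "labels": labels})
    return alerts


def hosts_by_distinct_technique(alerts, min_distinct=2):
    """
    Hosts on which at least `min_distinct` different tamper techniques were seen.
    A single 'vssadmin delete shadows' may be a careless admin; several different
    recovery-disabling commands on one host within minutes is the ransomware
    pre-encryption pattern and should page the on-call responder.
    """
    seen = defaultdict(set)
    for a in alerts:
        seen[a["host"]].update(a["labels"])
    return sorted(h for h, labels in seen.items() if len(labels) >= min_distinct)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]} {a["host"]} {a["user"]}: {", ".join(a["labels"])}')
    print("high-confidence hosts:", hosts_by_distinct_technique(found))
```

Run directly, the script lists six matching events and reports FILESRV01 as the only host with a multi-technique burst; DC01's single wmic deletion is recorded but left below the paging threshold. Any match, even a lone one, is also the moment to verify that offline or immutable backups are still intact, since the whole point of these commands is to remove the victim's alternatives to paying.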
Restoring services and data after a crypto-ransomware intrusion becomes a race against the clock as the targeted business struggles to contain and clean up the infection while resuming business-critical operations. Because crypto-ransomware needs time to spread, the encryption stage is often triggered on weekends and at night, when it can go unnoticed for longer. This compounds the difficulty of quickly assembling and coordinating an experienced response team.
Progent provides an assortment of services for protecting Birmingham businesses from ransomware attacks. These include staff training to help employees recognize and avoid phishing lures, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and the deployment and configuration of current-generation security appliances with machine-learning capabilities to rapidly detect and quarantine new threats. Progent can also provide experienced ransomware recovery engineers with the skills and commitment to rebuild a compromised network as quickly as possible.
Progent's Crypto-Ransomware Recovery Support Services
After a crypto-ransomware attack, even paying the ransom in Bitcoin does not guarantee that the remote criminals will hand over the keys to decrypt any or all of your files. Kaspersky Lab found that seventeen percent of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms commonly range from fifteen to forty BTC (about $120,000 to $400,000 at the exchange rates of the time), far above the average ransomware demand, which ZDNet put at approximately $13,000 for small businesses. The alternative is to rebuild the key elements of your IT environment. Without usable backups of essential data, this requires a broad range of IT skills, first-rate project management, and the ability to work around the clock until the recovery is complete.
For twenty years, Progent has provided certified expert IT services to businesses across the United States and has earned Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's pool of subject matter experts (SMEs) includes engineers who hold top industry certifications in key technologies including Microsoft, Cisco, VMware, and the popular Linux distributions. Progent's security specialists hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with financial systems and ERP software. This breadth of experience allows Progent to rapidly understand critical systems, reorganize the surviving components of your network following a ransomware event, and reassemble them into an operational environment.
Progent's ransomware team uses best-of-breed project management tools to orchestrate the complex recovery process. Progent understands the urgency of acting quickly and works alongside the client's management and IT staff to prioritize tasks and bring critical services back online as soon as possible.
Case Study: A Successful Ransomware Attack Restoration
A client contacted Progent after its network was brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, although later analysis links it to Russian-speaking criminal groups; there has also been speculation that its operators used techniques leaked from the United States National Security Agency. Ryuk targets specific organizations with little ability to tolerate disruption and is among the most profitable ransomware families. High-profile victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing company headquartered in the Chicago metro area with about 500 employees. The Ryuk attack had frozen all essential business and manufacturing processes. Most of the client's backups had been online at the start of the attack and were encrypted along with everything else. The client was actively seeking loans to pay the ransom (in excess of $200,000) and hoping for the best, but in the end brought in Progent.
"I can't say enough about the support Progent gave us throughout the most stressful period of (our) business's survival. We most likely would have paid the hackers if it wasn't for the confidence the Progent experts gave us. That you were able to get our e-mail and key applications back into operation in less than five days was incredible. Every single person I interacted with or messaged at Progent was urgently focused on getting our company operational and was working 24/7 to bail us out."
Progent worked hand in hand with the client to rapidly identify and prioritize the key systems that had to be recovered in order to resume departmental functions:
- Active Directory
- Microsoft Exchange Server
To start, Progent followed ransomware incident response best practices by halting lateral movement and cleaning infected systems. Progent then began restoring Microsoft Active Directory, the core technology of enterprise environments built on Windows Server. Microsoft Exchange will not work without Active Directory, and the business's accounting and MRP software relied on Microsoft SQL Server, which in this environment depended on Active Directory for authentication to the data.
In less than two days, Progent rebuilt Active Directory to its pre-attack state. Progent then carried out setup and disk recovery on the required systems. All Microsoft Exchange Server data and configuration were intact, which accelerated the Exchange restore. Progent was also able to gather intact Outlook Offline Data Files (OST) from user PCs to recover mailbox contents. A reasonably recent offline backup of the business's accounting/MRP systems made it possible to bring these vital applications back into service. Although a great deal of work remained to recover fully from the Ryuk attack, critical services were returned to operation rapidly:
"For the most part, the production manufacturing operation did not miss a beat and we delivered all customer orders."
Over the following couple of weeks, important milestones in the recovery were reached through close cooperation between Progent engineers and the client:
- Internal web applications were returned to operation with no loss of information.
- The MailStore archive server for Microsoft Exchange, holding more than 4 million archived messages, was restored and made accessible to users.
- CRM, customer orders, invoicing, accounts payable, accounts receivable (AR) and inventory functions were 100 percent operational.
- A new Palo Alto Networks PA-850 next-generation firewall was deployed.
- Ninety percent of user workstations were back in service.
"A huge amount of what transpired during the initial response is mostly a haze for me, but I will not forget the dedication all of you put in to help get our business back. I have trusted Progent for the past ten years, possibly more, and each time Progent has impressed me and delivered. This event was a life saver."
A potentially business-ending disaster was averted through the efforts of top-tier professionals, a wide spectrum of IT skills, and tight teamwork. Although in hindsight the incident described here could have been detected and stopped by modern security technology and best practices, staff education, and sound procedures for backups and software patching, the reality is that state-sponsored and criminal attackers from Russia, China and elsewhere are relentless and an ongoing threat. If you are hit by a ransomware incident, remember that Progent's team has proven experience in ransomware defense, mitigation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for allowing me to get some sleep after we got through the most critical parts. All of you made an incredible effort, and if anyone is in the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer story, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)