Crypto-Ransomware: Your Feared Information Technology Nightmare
Crypto-ransomware has become an escalating cyber pandemic that represents an existential threat for any business vulnerable to an attack. Multiple generations of ransomware such as CryptoLocker, Fusob, Locky, SamSam and the MongoLock cryptoworm have been around for a long time and continue to cause destruction. More recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Egregor, along with unnamed newcomers appearing daily, not only encrypt online data but also infiltrate most reachable system backups. Data replicated to off-site disaster recovery sites can also be rendered useless. In a vulnerable environment, this can make any recovery impossible and effectively sets the entire system back to zero.
Restoring services and data following a crypto-ransomware attack becomes a race against the clock as the targeted business struggles to stop the spread, clean up the malware, and restore mission-critical operations. Since crypto-ransomware needs time to replicate, attacks are usually launched at night, when they are likely to take longer to notice. This compounds the difficulty of rapidly mobilizing and organizing a qualified response team.
Progent offers a range of services for protecting Birmingham businesses from ransomware attacks. These include staff training to help identify and avoid phishing attempts, and ProSight Active Security Monitoring, an endpoint detection and response service that uses SentinelOne's AI-based cyberthreat protection to detect and disable zero-day and other modern malware attacks. Progent also provides the assistance of expert ransomware recovery engineers with the skills and commitment to restore a breached network as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
Following a ransomware attack, even paying the ransom demand in cryptocurrency does not ensure that the criminals will provide the keys to decrypt any of your data. Kaspersky determined that 17% of ransomware victims never recovered their information after having paid the ransom, resulting in increased losses. Ransoms are also expensive. Ryuk ransoms often range from 15 to 40 BTC (between $120,000 and $400,000). This is well above the usual ransomware demand, which ZDNET estimated to be approximately $13,000 for smaller businesses. The alternative is to piece back together the mission-critical elements of your IT environment. Without access to essential system backups, this requires a broad range of skills, top-notch team management, and the willingness to work continuously until the task is completed.
For decades, Progent has provided professional IT services for businesses throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have attained high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have earned internationally recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP application software. This breadth of experience gives Progent the skills to quickly identify which systems are essential, salvage the surviving parts of your network following a crypto-ransomware event, and configure them into a functioning network.
Progent's security team uses powerful project management applications to coordinate the complex recovery process. Progent appreciates the importance of working rapidly and in concert with a customer's management and IT staff to prioritize tasks and to put the most important services back online as soon as possible.
Business Case Study: A Successful Crypto-Ransomware Incident Recovery
A client contacted Progent after their company was brought down by Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean government-sponsored cybercriminals, suspected of using technology leaked from the United States NSA. Ryuk targets specific organizations that have little tolerance for disruption and is one of the most profitable incarnations of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturer based in the Chicago metro area with about 500 staff members. The Ryuk intrusion had brought down all company operations and manufacturing processes. Most of the client's data backups had been directly accessible from the network at the time of the attack and were damaged. The client was actively seeking loans to pay the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.
"I cannot thank you enough for the care Progent gave us during the most critical time of (our) company's life. We would have paid the criminal gangs if it wasn't for the confidence the Progent experts gave us. That you could get our e-mail and production applications back on-line in less than a week was amazing. Every single expert I spoke to or messaged at Progent was absolutely committed to getting us restored and was working at a breakneck pace to bail us out."
Progent worked hand in hand with the customer to rapidly assess and prioritize the critical elements that had to be restored in order to continue business operations:
- Active Directory (AD)
- Electronic Mail
- Accounting and Manufacturing Software
To start, Progent followed anti-malware incident mitigation best practices by halting the spread and disinfecting systems. Progent then began recovering Active Directory, the core of enterprise systems built on Microsoft technology. Microsoft Exchange messaging will not operate without AD, and the client's financial and MRP applications ran on SQL Server, which relied on Windows AD for authentication to the database.
In less than 48 hours, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then helped rebuild and recover storage for key applications. All Microsoft Exchange Server data and configuration information were usable, which greatly simplified the restoration of Exchange. Progent was able to find local OST data files (Outlook Offline Folder files) on staff PCs and laptops in order to recover email information. A recent offline backup of the client's manufacturing systems made it possible to bring these essential applications back online. Although a large amount of work remained to recover fully from the Ryuk attack, the most important systems were returned to operation quickly:
"For the most part, the assembly line operation ran fairly normally throughout and we produced all customer orders."
Over the following month, critical milestones in the restoration process were reached in close cooperation between Progent team members and the client:
- Self-hosted web sites were restored with no loss of data.
- The MailStore Exchange Server with over 4 million historical emails was spun up and available for users.
- CRM/Customer Orders/Invoices/AP/AR/Inventory Control capabilities were completely operational.
- A new Palo Alto 850 firewall was deployed.
- 90% of the user desktops were functioning as before the incident.
"A lot of what went on that first week is mostly a haze for me, but I will not soon forget the commitment each member of the team showed to give us our company back. I have trusted Progent for at least 10 years, maybe more, and every time I needed help Progent has shined and delivered as promised. This event was the most impressive ever."
A likely enterprise-killing disaster was avoided through the efforts of top-tier professionals, a wide range of IT skills, and close collaboration. In hindsight, the crypto-ransomware attack described here could have been stopped by current security systems and recognized best practices: user and IT administrator training, properly executed incident response procedures, protected backups, and keeping systems current with security patches. Even so, state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and will continue. If you do fall victim to a crypto-ransomware attack, you can be confident that Progent's roster of experts has a proven track record in ransomware blocking, remediation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thanks very much for making it so I could get some sleep after we got over the most critical parts. Everyone made an amazing effort, and if any of your guys are around the Chicago area, a great meal is on me!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer story, see Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Recovery Consulting in Birmingham
For ransomware recovery consulting services in the Birmingham area, call Progent at 800-462-8800 or see Contact Progent.