Crypto-Ransomware : Your Worst IT Catastrophe
Ransomware has become an escalating cyberplague that presents an extinction-level threat to businesses of all sizes that are poorly prepared for an attack. Earlier families of crypto-ransomware such as the CrySIS, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been spreading for a long time and still inflict damage. Newer variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Egregor, plus additional unnamed newcomers, not only encrypt online data but also encrypt any system backups they can reach. Information replicated to off-site disaster recovery sites can be encrypted as well. In a vulnerable environment, this can make automated recovery hopeless and effectively sets the network back to square one.
Getting applications and information back online after a ransomware event becomes a race against the clock as the targeted organization fights to stop lateral movement, eradicate the ransomware, and restore business-critical operations. Because crypto-ransomware needs time to spread, attacks are usually launched at night, when they typically take longer to detect. This adds to the difficulty of quickly assembling and organizing a capable mitigation team.
Progent offers an assortment of services for protecting San Mateo businesses from ransomware attacks. Among these are team training to help staff recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security appliances with AI technology to quickly detect and stop new cyber threats. Progent can also provide the services of expert ransomware recovery consultants with the track record and commitment to restore a compromised environment as rapidly as possible.
Progent's Crypto-Ransomware Restoration Support Services
After a crypto-ransomware attack, even paying the ransom demand in Bitcoin does not ensure that the criminal gang will hand over the keys to decrypt all your files. Kaspersky Labs determined that 17% of ransomware victims never recovered their files even after sending the ransom, compounding their losses. The cost is also high. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the typical crypto-ransomware demand, which ZDNET determined to be around $13,000 for small businesses. The other path is to rebuild the essential parts of your IT environment from scratch. Without usable system backups, this calls for a wide range of skills, professional project management, and the ability to work continuously until the recovery project is complete.
For twenty years, Progent has offered certified expert Information Technology services to businesses across the US and has achieved Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who hold high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists hold internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise in accounting and ERP application software. This breadth of experience gives Progent the ability to knowledgeably identify critical systems, re-organize the surviving components of your IT environment after a crypto-ransomware event, and rebuild them into an operational network.
Progent's security team uses state-of-the-art project management applications to orchestrate the complex recovery process. Progent understands the urgency of working rapidly, together with a client's management and Information Technology staff, to prioritize tasks and get key applications back online as soon as humanly possible.
Business Case Study: A Successful Ransomware Attack Recovery
A customer contacted Progent after their network was attacked by the Ryuk ransomware virus. Ryuk is believed to have been created by North Korean state-sponsored hackers, possibly using techniques leaked from the United States NSA. Ryuk targets specific organizations with little or no tolerance for disruption and is one of the most lucrative incarnations of ransomware. High-profile victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturer based in the Chicago metro area with around 500 workers. The Ryuk attack had disabled all company operations and manufacturing capabilities. The majority of the client's data backups had been online at the start of the attack and were destroyed. The client was considering paying the ransom demand (exceeding $200K) and hoping for the best, but ultimately reached out to Progent.
"I cannot tell you enough about the care Progent gave us during the most critical time of (our) business's survival. We would have paid the Hackers except for the confidence the Progent team gave us. The fact that you could get our e-mail system and key applications back into operation sooner than 1 week was something I thought impossible. Each expert I worked with or communicated with at Progent was urgently focused on getting us working again and was working 24 by 7 on our behalf."
Progent worked with the client to quickly assess and prioritize the key services that needed to be addressed to make it possible to continue business functions:
- Active Directory (AD)
- Exchange Server
- Accounting and Manufacturing Software
To get going, Progent adhered to ransomware incident response industry best practices by stopping lateral movement and performing virus removal steps. Progent then initiated the work of bringing Microsoft AD back online, the core of enterprise networks built upon Microsoft technology. Exchange email will not work without Active Directory, and the customer's accounting and MRP system used Microsoft SQL Server, which requires Windows AD for authentication to the database.
Within two days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then rebuilt essential systems and recovered their storage. All Exchange Server schema and attributes were intact, which greatly helped the rebuild of Exchange. Progent was also able to find local OST data files (Outlook Email Offline Data Files) on user workstations and laptops to recover email data. A recent offline backup of the client's accounting/MRP systems made it possible to bring these vital services back to users. Although significant work still had to be done to recover fully from the Ryuk event, the most important services were returned to operation quickly:
"For the most part, the manufacturing operation never missed a beat and we did not miss any customer orders."
Over the next couple of weeks, critical milestones in the recovery project were accomplished in close collaboration between Progent consultants and the client:
- Self-hosted web sites were restored with no loss of data.
- The MailStore Microsoft Exchange Server with over 4 million historical emails was spun up and available for users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control functions were fully functional.
- A new Palo Alto 850 security appliance was set up and programmed.
- Ninety percent of the user PCs were fully operational.
"A huge amount of what occurred those first few days is mostly a haze for me, but I will not forget the commitment each of you accomplished to help get our business back. I've utilized Progent for the past 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered. This time was a life saver."
A possible business extinction disaster was avoided through dedicated experts, a broad array of subject matter expertise, and close teamwork. Although the post-mortem showed that the ransomware penetration described here would have been detected and prevented with advanced security systems and security best practices, user and IT administrator education, and appropriate procedures for data protection and software patching, the fact remains that state-sponsored cybercriminals from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you are hit by a crypto-ransomware attack, you can be confident that Progent's roster of experts has proven experience in ransomware blocking, remediation, and file recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for making it so I could get rested after we got past the initial fire. Everyone did a fabulous effort, and if any of you guys are around the Chicago area, dinner is the least I can do!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer story, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)