Crypto-Ransomware: Your Feared IT Nightmare
Ransomware has become a modern cyber plague that poses an enterprise-level threat to businesses of every size that are poorly prepared for an attack. Ransomware families such as Dharma, Fusob, Locky, Syskey and MongoLock have been circulating for years and still inflict havoc. Newer variants like Ryuk, Maze, Sodinokibi (REvil), Netwalker, Conti and Nefilim, along with many less-publicized strains, not only encrypt online data but also delete or encrypt the Volume Shadow Copies, system restore points and backups they can reach. Data synchronized to cloud storage can be corrupted as well, since the encrypted files are synced in place of the originals. In a poorly architected environment this can make automated restoration hopeless and effectively sets the network back to square one.
Getting programs and data back online after a ransomware outage becomes a race against time as the victim struggles to contain and eradicate the malware while restoring business-critical operations. Because attackers need time to move laterally and stage the payload, the encryption phase is frequently triggered at night or over a weekend, when a successful penetration typically goes unnoticed longer. This multiplies the difficulty of promptly mobilizing and coordinating a qualified response team.
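As an added illustration (not Progent's code and not part of the original case study), the following Python example scans constructed process-creation records for the commands ransomware typically runs to destroy shadow copies and backup catalogs before encrypting, and flags whether each hit occurred outside business hours, since that is when the encryption phase is usually triggered. The pipe-separated record format, the host and user names, the business-hours window and the sample events are all constructed assumptions; in practice the fields map onto Sysmon Event ID 1 or Windows Security Event 4688, and the pattern list is a starting point rather than an exhaustive catalog.

```python
"""Detect backup-destruction commands in process-creation logs.

Added example, not Progent's code. The record format (ISO timestamp, host,
user, image, command line; pipe-separated) and the sample events are
constructed for illustration. Map them to your own Sysmon Event ID 1 or
Windows Security 4688 fields as needed.
"""
import re
from datetime import datetime, time

# Command lines ransomware commonly runs to remove local recovery points
# before encrypting. Label -> case-insensitive pattern over the command line.
BACKUP_DESTRUCTION_PATTERNS = {
    "vss_delete": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "vss_resize_storage": re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin_catalog_delete": re.compile(
        r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
}

# Assumed business hours; anything outside them, or on a weekend, is "off hours".
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)


def parse_record(line):
    """Split one constructed log line into its fields."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "user": user,
        "image": image,
        "cmdline": cmdline,
    }


def is_off_hours(ts):
    """True on weekends or outside BUSINESS_START..BUSINESS_END."""
    if ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def classify(record):
    """Return the label of every destruction pattern the command line matches."""
    return [label for label, pat in BACKUP_DESTRUCTION_PATTERNS.items()
            if pat.search(record["cmdline"])]


def scan(lines):
    """Return one alert per record that matches at least one pattern."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        labels = classify(rec)
        if not labels:
            continue
        alerts.append({
            "ts": rec["ts"].isoformat(),
            "host": rec["host"],
            "user": rec["user"],
            "labels": labels,
            "off_hours": is_off_hours(rec["ts"]),
        })
    return alerts


def summarize_by_host(alerts):
    """Count alerts per host. Several distinct hits on one host within a
    short window is the typical signature of a payload preparing to encrypt."""
    counts = {}
    for a in alerts:
        counts[a["host"]] = counts.get(a["host"], 0) + 1
    return counts


# Constructed sample events: a Saturday 02:17 burst on a file server plus two
# benign daytime records. Not taken from any real incident.
SAMPLE_EVENTS = [
    "2020-03-14T02:17:44|FILESRV01|CORP\\svc_backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet",
    "2020-03-14T02:17:45|FILESRV01|CORP\\svc_backup|C:\\Windows\\System32\\wbadmin.exe|wbadmin delete catalog -quiet",
    "2020-03-14T02:17:46|FILESRV01|CORP\\svc_backup|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled No",
    "2020-03-13T10:05:12|WKS-044|CORP\\jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",
    "2020-03-13T14:30:00|APP02|CORP\\admin|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\temp\\notes.txt",
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print(summarize_by_host(found))
```

Listing shadow copies is legitimate administration and is deliberately not matched; deleting them, shrinking their storage, or disabling Windows recovery is what warrants an alert. Three distinct hits on one host within two seconds, outside business hours, should be treated as an encryption attempt in progress rather than as three separate tickets.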
Progent provides a range of support services for protecting Fort Lauderdale organizations against crypto-ransomware attacks. These include user education to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of current-generation security gateways that use machine learning to detect and quarantine new threats. Progent can also provide veteran crypto-ransomware recovery engineers with the skill and perseverance to restore a breached system as quickly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware event, paying the ransom in Bitcoin provides no assurance that the criminals will deliver working decryption keys for any or all of your files. Kaspersky found that 17% of ransomware victims never recovered their files after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the typical ransomware demand, which ZDNet estimated at approximately $13,000 for smaller organizations. The alternative is to rebuild the critical elements of your IT environment. Without complete, intact backups, this calls for a wide range of skills, first-rate project management, and the willingness to work around the clock until the job is done.
For decades, Progent has provided certified expert IT services to companies across the United States and holds Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers with advanced certifications in foundation technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's security consultants hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC and SANS GIAC (see Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of experience gives Progent the ability to identify the critical systems, salvage the surviving pieces of your IT environment after a ransomware attack, and assemble them into a functioning whole.
Progent's recovery group uses professional project management tools to coordinate the complex recovery process. Progent understands the urgency of acting rapidly and in unison with a customer's management and IT staff to prioritize tasks and put critical applications back online as fast as possible.
Client Case Study: A Successful Crypto-Ransomware Intrusion Restoration
A small business sought out Progent after it was penetrated by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the Hermes ransomware; later analysis has instead tied it to Russian-speaking criminal groups. Ryuk targets specific organizations with little tolerance for disruption and is among the most lucrative ransomware operations. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing company headquartered in Chicago with around 500 staff members. The Ryuk incident had frozen all business operations and manufacturing capability. Most of the client's backups had been online at the start of the intrusion and were eventually encrypted. The client considered paying the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately decided to engage Progent.
"I can't say enough about the support Progent provided us throughout the most critical time of (our) business's survival. We would have had little choice but to pay the cybercriminals if it wasn't for the confidence the Progent group gave us. The fact that you were able to get our messaging and critical applications back online in under five days was something I thought impossible. Every single expert I got help from or e-mailed at Progent was absolutely committed to getting our system up and was working at a breakneck pace on our behalf."
Progent worked with the customer to rapidly identify and prioritize the essential services that had to be restored to resume business operations:
- Microsoft Active Directory
- Microsoft Exchange Email
- Accounting and Manufacturing Software
To begin, Progent followed industry-standard incident response practices for a malware outbreak: containing the spread, isolating infected systems and cleaning them. Progent then started restoring Active Directory, the foundation of enterprise networks built on Windows Server. Exchange will not function without Active Directory, and the client's accounting and MRP software relied on SQL Server, which in turn depended on Active Directory for authentication to the databases.
In less than 48 hours, Progent rebuilt Active Directory to its pre-attack state. Progent then performed reinstallations and storage recovery on the required systems. All Exchange Server attributes and links in Active Directory were intact, which greatly simplified the Exchange rebuild. Progent also located unencrypted OST files (Outlook Offline Data Files) on staff workstations and laptops and used them to recover mailbox data. A recent offline backup of the accounting/MRP systems made it possible to bring these vital applications back online for users. Although much work remained to recover fully from the Ryuk damage, core services were restored quickly:
"For the most part, the production operation was never shut down and we did not miss any customer orders."
During the following weeks, key milestones in the restoration project were reached through close collaboration between Progent engineers and the customer:
- Self-hosted web sites were brought back up with no loss of data.
- The MailStore Server archive, containing more than 4 million historical emails, was brought online and made accessible to users.
- CRM, customer orders, invoicing, accounts payable, accounts receivable (AR) and inventory functions were fully operational.
- A new Palo Alto 850 firewall was brought on-line.
- Most of the desktops and laptops were back into operation.
"A lot of what transpired in the initial days is mostly a blur for me, but my team will not forget the dedication all of the team accomplished to give us our company back. I've trusted Progent for at least 10 years, possibly more, and every time Progent has impressed me and delivered. This situation was a stunning achievement."
A likely business disaster was averted by results-oriented professionals, a wide array of subject matter expertise, and close collaboration. In retrospect, the ransomware attack described here should have been detected and stopped by current security technology, ISO/IEC 27001-aligned practices, user education, and well-designed procedures for incident response, data protection and patching. The reality, however, is that state-sponsored and criminal attackers from Russia, North Korea and elsewhere are tireless and will keep trying. If you are hit by ransomware, remember that Progent's team has proven experience in ransomware defense, remediation, and data recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), I'm grateful for allowing me to get some sleep after we got past the first week. All of you did an impressive job, and if any of your guys are around the Chicago area, a great meal is my treat!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this case study, click: Progent's Ryuk Recovery Case Study Datasheet (PDF, 282 KB).