Crypto-Ransomware: Your Crippling IT Catastrophe
Crypto-ransomware has become a modern cyberplague that represents an enterprise-level danger for businesses of all sizes that are poorly prepared for an assault. Ransomware families like the Dharma, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for many years and continue to cause harm. Modern strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, as well as frequent as-yet-unnamed variants, not only encrypt online data but also infiltrate any accessible system protection mechanisms. Files replicated to the cloud can also be rendered useless. In a poorly designed data protection solution, an attack can render automatic recovery useless and essentially set the entire system back to zero.
Restoring services and data following a ransomware intrusion becomes a sprint against the clock as the targeted organization fights to contain the damage, remove the ransomware, and resume business-critical operations. Because ransomware needs time to move laterally, assaults are frequently launched on weekends, when in many cases they take longer to recognize. This compounds the difficulty of quickly assembling and orchestrating a knowledgeable mitigation team.
Progent offers an assortment of support services for securing Fort Lauderdale organizations from ransomware penetrations. Among these are staff education to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of the latest generation of security gateways with artificial intelligence capabilities to rapidly discover and suppress zero-day threats. Progent in addition provides the assistance of seasoned crypto-ransomware recovery professionals with the track record and commitment to rebuild a breached system as quickly as possible.
Progent's Crypto-Ransomware Restoration Support Services
After a crypto-ransomware event, paying the ransom demand in cryptocurrency does not provide any assurance that merciless criminals will provide the keys to decipher any or all of your information. Kaspersky ascertained that 17% of ransomware victims never restored their data after having paid the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the usual ransomware demands, which ZDNET determined to be around $13,000 for small businesses. The alternative is to re-install the key parts of your Information Technology environment. Absent the availability of essential information backups, this calls for a broad complement of skill sets, well-coordinated team management, and the ability to work non-stop until the job is complete.
For two decades, Progent has offered certified expert Information Technology services for companies throughout the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have attained advanced industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have garnered internationally renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise in financial management and ERP application software. This breadth of expertise affords Progent the capability to knowledgeably ascertain the necessary systems, integrate the surviving pieces of your computer network environment after a ransomware attack, and assemble them into a functioning system.
Progent's ransomware team of experts uses best-of-breed project management tools to orchestrate the complicated recovery process. Progent understands the urgency of working rapidly and together with a client's management and Information Technology staff to prioritize tasks and to put essential services back on-line as soon as humanly possible.
Customer Story: A Successful Ransomware Incident Restoration
A client hired Progent after their company was attacked by the Ryuk crypto-ransomware. Ryuk is thought to have been launched by North Korean state hackers, suspected of adopting algorithms leaked from America's NSA. Ryuk targets specific companies with limited ability to sustain disruption and is one of the most profitable instances of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in Chicago with around 500 staff members. The Ryuk penetration had paralyzed all business operations and manufacturing capabilities. The majority of the client's system backups had been online at the time of the attack and were eventually encrypted. The client was preparing to pay the ransom demand (more than $200,000) and hoping for the best, but in the end reached out to Progent.
"I can't tell you enough in regards to the support Progent gave us throughout the most stressful period of (our) company's survival. We most likely would have paid the criminal gangs except for the confidence the Progent group gave us. That you could get our e-mail system and important servers back into operation faster than 1 week was beyond my wildest dreams. Every single expert I spoke to or texted at Progent was urgently focused on getting us restored and was working at breakneck pace to bail us out."
Progent worked together with the client to quickly assess and prioritize the essential services that had to be restored in order to continue company functions:
- Active Directory
- Microsoft Exchange Server
- MRP System
To get going, Progent followed ransomware event mitigation industry best practices by stopping lateral movement and cleaning up compromised systems. Progent then started the process of rebuilding Microsoft Active Directory (AD), the core of enterprise systems built upon Microsoft technology. Microsoft Exchange Server messaging will not work without Active Directory, and the client's MRP system used Microsoft SQL Server, which depends on Active Directory to authorize access to its data.
Within 48 hours, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then completed setup and storage recovery on key servers. All Exchange Server data and configuration information were intact, which facilitated the restore of Exchange. Progent was able to locate intact OST files (Microsoft Outlook Off-Line Data Files) on user PCs in order to recover mail messages. A reasonably recent off-line backup of the customer's accounting systems allowed these vital services to be restored and made available to users again. Although significant work still had to be done to recover completely from the Ryuk damage, essential systems were returned to operation rapidly:
"For the most part, the production line operation survived unscathed and we made all customer deliverables."
Over the next month key milestones in the recovery project were completed in close cooperation between Progent engineers and the client:
- Internal web sites were returned to operation with no loss of data.
- The MailStore Exchange Server with over four million archived messages was spun up and available for users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/AR/Inventory modules were 100% restored.
- A new Palo Alto 850 firewall was installed and configured.
- 90% of the desktops and laptops were operational.
"So much of what was accomplished that first week is mostly a blur for me, but we will not soon forget the urgency each of your team put in to give us our company back. I have utilized Progent for the past 10 years, possibly more, and every time Progent has impressed me and delivered. This time was a testament to your capabilities."
A possible company-ending disaster was averted due to dedicated professionals, a wide array of technical expertise, and tight teamwork. Although in retrospect the ransomware penetration described here should have been prevented with modern security technology and ISO/IEC 27001 best practices, team training, and well-thought-out security procedures for data backup and applying software patches, the reality is that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware attack, you can be confident that Progent's roster of professionals has proven experience in crypto-ransomware blocking, mitigation, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were contributing), thanks very much for making it so I could get some sleep after we made it through the initial fire. All of you did an amazing effort, and if anyone that helped is around the Chicago area, a great meal is on me!"
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Consulting in Fort Lauderdale
For ransomware cleanup consulting in the Fort Lauderdale area, call Progent at 800-462-8800 or go to Contact Progent.