Crypto-Ransomware : Your Worst IT Disaster
Crypto-ransomware has become an escalating plague that poses an existential danger to any organization vulnerable to an attack. Ransomware families such as Reveton, WannaCry, Locky, SamSam and MongoLock have been in the wild for years and continue to cause damage. Newer crypto-ransomware such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, Snatch and Nefilim, along with other less publicized strains, not only encrypt online data but also encrypt any backups reachable from the compromised network. Data synchronized to the cloud can be ransomed as well, because the sync client faithfully pushes the encrypted versions upstream. In a poorly architected environment this makes automated restore impossible and effectively knocks the datacenter back to square one.
Restoring services and data after a ransomware intrusion becomes a race against time as the targeted organization struggles to contain the spread, eradicate the ransomware and bring business-critical operations back. Because encrypting an entire estate takes time and the intruders want as long a head start as possible, attacks are commonly launched at night or over weekends, when a successful penetration takes longer to notice. This compounds the difficulty of rapidly assembling and coordinating an experienced response team.
Progent provides a range of support services for protecting Fort Lauderdale enterprises from ransomware events. Among these are staff education to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of next-generation security gateways with AI capabilities to automatically identify and extinguish new cyber threats. Progent in addition can provide the services of seasoned ransomware recovery professionals with the skills and commitment to rebuild a breached environment as rapidly as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware event, even paying the ransom in Bitcoin does not guarantee that the criminals will hand over the keys to decrypt any of your files. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their files even after paying, compounding their losses. The gamble is also very costly. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet estimated at around $13,000 for smaller organizations. The alternative is to rebuild the critical elements of your IT environment from scratch. Without access to intact backups, this calls for a broad complement of skill sets, well-coordinated project management, and the willingness to work non-stop until the task is complete.
For two decades, Progent has provided expert IT services for companies throughout the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have earned advanced certifications in foundation technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity consultants hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise with financial management and ERP application software. This breadth of expertise gives Progent the skills to rapidly identify the necessary systems, reorganize the surviving pieces of your network environment after a ransomware event, and assemble them into an operational system.
Progent's security group uses best-of-breed project management systems to orchestrate the complex restoration process. Progent understands the importance of working swiftly and in concert with a customer's management and IT resources to prioritize tasks and get critical services back online as soon as possible.
Customer Case Study: A Successful Ransomware Incident Response
A customer escalated to Progent after their organization was attacked by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored hackers because it shares code with the earlier Hermes ransomware, and reporting at the time speculated that techniques leaked from the U.S. National Security Agency were involved; later analysis tied Ryuk to a Russian-speaking criminal group. Ryuk targets specific companies with little tolerance for downtime and is one of the most lucrative ransomware families. Prominent victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer headquartered in Chicago with around 500 employees. The Ryuk attack had shut down all essential business and manufacturing processes. Most of the client's backups had been online and reachable from the compromised network when the attack began, and were encrypted along with the production data. The client was arranging financing to pay the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately called Progent.
"I cannot tell you enough in regards to the help Progent gave us throughout the most critical period of (our) company's existence. We may have had to pay the criminal gangs if it wasn't for the confidence the Progent group afforded us. The fact that you were able to get our e-mail and production applications back into operation quicker than five days was something I thought impossible. Each expert I worked with or e-mailed at Progent was hell bent on getting us working again and was working at all hours to bail us out."
Progent worked hand in hand with the client to quickly assess and prioritize the key applications that had to be restored in order to restart business operations:
- Microsoft Active Directory
- Electronic messaging (Microsoft Exchange Server)
- MRP system
To begin, Progent followed ransomware incident response best practice by containing the spread and cleaning up infected systems. Progent then started the work of recovering Active Directory, the heart of an enterprise built on Microsoft Windows Server. Microsoft Exchange Server messaging will not operate without AD, and the business's financial and MRP systems ran on Microsoft SQL Server, which relied on Active Directory for authentication to the data.
In less than two days, Progent restored Active Directory to its pre-attack state. Progent then rebuilt the mission-critical servers and recovered their disks. All Microsoft Exchange Server data and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to collect Outlook offline data files (.ost) from user desktops and laptops to recover mailbox contents. A relatively recent offline backup of the customer's accounting/ERP software made it possible to bring these vital applications back online. Although major work remained to recover fully from the Ryuk attack, the most important services were restored quickly:
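The .ost harvesting step above is worth showing concretely. The PowerShell script below is an added example written for this page; it is not Progent's tooling and was not part of the case study. It assumes a hypothetical environment: a clean administrative workstation with local-admin rights on the affected PCs, reachable C$ admin shares, a constructed host list (WS-001, WS-002) and a collection share \\RECOVERY01\ost-collect on an isolated, rebuilt recovery host. All of those names are placeholders.

```powershell
# Added example, not Progent's own tooling. Inventories Outlook offline data files
# (.ost) on reachable workstations, checks that each one still carries the PST/OST
# file magic "!BDN" (so it was not encrypted or truncated), copies the usable ones
# to a collection share on a clean host, and writes a manifest of who/where/how recent.
# Assumptions (hypothetical): run from a clean admin workstation with local-admin
# rights on the targets, the C$ admin share is reachable, and \\RECOVERY01\ost-collect
# already exists on a rebuilt, isolated recovery host.
param(
    [string[]]$Computers   = @('WS-001', 'WS-002'),       # constructed sample host list
    [string]  $Destination = '\\RECOVERY01\ost-collect'   # assumed collection share
)

# Default location of the cached mailbox for every Outlook profile on a machine.
$OstGlob = 'Users\*\AppData\Local\Microsoft\Outlook\*.ost'

function Test-OstHeader {
    # PST/OST files begin with the 4-byte magic "!BDN" (dwMagic 0x4E444221).
    # Ransomware overwrites the file body, so a missing magic means the copy is useless.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try {
            $buf  = New-Object byte[] 4
            $read = $fs.Read($buf, 0, 4)
            return ($read -eq 4 -and [System.Text.Encoding]::ASCII.GetString($buf) -eq '!BDN')
        } finally { $fs.Dispose() }
    } catch {
        Write-Warning "Cannot read ${Path}: $($_.Exception.Message)"
        return $false
    }
}

function Invoke-OstCollection {
    param([string[]]$Hosts, [string]$Dest)
    foreach ($h in $Hosts) {
        if (-not (Test-Connection -ComputerName $h -Count 1 -Quiet)) {
            Write-Warning "$h is unreachable, skipping"
            continue
        }
        $files = Get-ChildItem -Path "\\$h\C`$\$OstGlob" -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            # \\host\C$\Users\<user>\... -> the user name is element 5 after splitting on '\'
            $user   = ($f.FullName -split '\\')[5]
            $intact = Test-OstHeader -Path $f.FullName
            $target = $null
            $hash   = $null
            if ($intact) {
                $dir = Join-Path $Dest (Join-Path $h $user)
                New-Item -ItemType Directory -Path $dir -Force | Out-Null
                $target = Join-Path $dir $f.Name
                Copy-Item -Path $f.FullName -Destination $target -Force
                $hash = (Get-FileHash -Path $target -Algorithm SHA256).Hash
            }
            [pscustomobject]@{
                Computer      = $h
                User          = $user
                Source        = $f.FullName
                SizeMB        = [math]::Round($f.Length / 1MB, 1)
                LastWriteTime = $f.LastWriteTime   # most recent sync = freshest mailbox copy
                HeaderIntact  = $intact
                CopiedTo      = $target
                Sha256        = $hash
            }
        }
    }
}

# Collect, record the manifest for chain of custody, and show the team what is usable.
Invoke-OstCollection -Hosts $Computers -Dest $Destination |
    Tee-Object -Variable manifest |
    Export-Csv -Path (Join-Path $Destination 'manifest.csv') -NoTypeInformation

$manifest | Sort-Object HeaderIntact, LastWriteTime -Descending |
    Format-Table Computer, User, SizeMB, LastWriteTime, HeaderIntact -AutoSize
```

Two practical caveats. First, only pull files from machines that have already been isolated and cleaned; copying from a host that is still running the ransomware risks carrying it onto the recovery share. Second, recovering mail from an .ost is not as simple as reattaching it to the rebuilt Exchange server: the file is bound to the mailbox and profile that created it, so in practice the contents are exported or converted to .pst and imported into the rebuilt mailbox. The header check and LastWriteTime column tell the response team which copies are worth that effort and how much recent mail each one holds.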
"For the most part, the production operation was never shut down and we made all customer sales."
During the next couple of weeks critical milestones in the recovery project were completed in tight cooperation between Progent team members and the client:
- Internal web applications were returned to operation with no loss of data.
- The MailStore Server containing more than 4 million archived messages was brought online and accessible to users.
- CRM/Orders/Invoices/AP/AR/Inventory capabilities were completely functional.
- A new Palo Alto Networks PA-850 firewall was deployed.
- 90% of the user PCs were operational.
"A huge amount of what was accomplished in the early hours is mostly a fog for me, but my team will not forget the countless hours each of you put in to help get our business back. I've entrusted Progent for at least 10 years, maybe more, and each time I needed help Progent has come through and delivered as promised. This time was a life saver."
A potential business-killing disaster was averted through the efforts of hard-working professionals, a broad range of knowledge, and close collaboration. In hindsight, the ransomware incident described here could have been prevented with current security technology and best practices, user and IT administrator education, well-designed incident response procedures, backups isolated from the production network, and proper patching controls. The reality, however, is that state-sponsored and criminal attackers from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware incursion, remember that Progent's team of professionals has substantial experience in ransomware defense, remediation, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were contributing), I'm grateful for letting me get rested after we got over the first week. All of you did an impressive job, and if any of your team is visiting the Chicago area, dinner is the least I can do!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)