Crypto-Ransomware: Your Worst Information Technology Nightmare
Crypto-ransomware has become an all-too-frequent cyberplague that poses an extinction-level threat for organizations vulnerable to an attack. Versions of crypto-ransomware such as CryptoLocker, WannaCry, Bad Rabbit, NotPetya and the MongoLock cryptoworms have been around for many years and continue to cause harm. Newer strains such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Egregor, plus more unnamed newcomers, not only encrypt online data but also attack most accessible system protection mechanisms. Data replicated to off-site disaster recovery sites can also be encrypted. In a poorly designed environment, this can make automated restoration hopeless and effectively knock the entire system back to square one.
Getting programs and information back online after a ransomware outage becomes a race against time as the victim struggles to stop lateral movement, clean up the ransomware, and resume mission-critical operations. Because ransomware needs time to spread, attacks are frequently launched on weekends, when successful intrusions often take longer to notice. This compounds the difficulty of promptly marshalling and coordinating a knowledgeable response team.
Progent offers a variety of services for securing Sandy Springs enterprises against ransomware penetrations. These include team member education to help staff identify and avoid phishing exploits, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which utilizes SentinelOne's AI-based cyberthreat protection to identify and extinguish zero-day malware attacks. Progent can also provide the assistance of veteran crypto-ransomware recovery consultants with the talent and perseverance to reconstruct a compromised network as quickly as possible.
Progent's Ransomware Recovery Services
After a crypto-ransomware event, paying the ransom in Bitcoin cryptocurrency does not ensure that merciless criminals will provide the keys needed to decrypt any or all of your data. Kaspersky estimated that seventeen percent of ransomware victims never recovered their information even after having sent off the ransom, resulting in increased losses. The gamble is also very expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the average crypto-ransomware demand, which ZDNET determined to be in the range of $13,000 for small organizations. The other path is to piece the critical parts of your IT environment back together. Without access to full system backups, this calls for a broad complement of skills, well-coordinated project management, and the capability to work 24x7 until the job is complete.
For decades, Progent has offered certified expert IT services for companies across the U.S. and has earned Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have attained top industry certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience with financial systems and ERP application software. This breadth of experience gives Progent the capability to knowledgeably assess important systems, organize the remaining components of your network after a crypto-ransomware event, and assemble them into a functioning system.
Progent's ransomware team utilizes state-of-the-art project management applications to orchestrate the complex recovery process. Progent appreciates the urgency of working rapidly and in unison with a client's management and Information Technology staff to prioritize tasks and get key systems back online as fast as humanly possible.
Business Case Study: A Successful Crypto-Ransomware Penetration Recovery
A small business turned to Progent after its network was taken over by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean government-sponsored cybercriminals, possibly adopting techniques leaked from America's National Security Agency. Ryuk targets specific businesses with limited ability to sustain disruption and is one of the most lucrative instances of ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business located in Chicago with around 500 workers. The Ryuk event had shut down all business operations and manufacturing processes. The majority of the client's backups had been online at the time of the intrusion and were damaged. The client was preparing to pay the ransom (in excess of $200,000) and hope for the best, but ultimately engaged Progent.
"I cannot speak enough about the help Progent provided us throughout the most critical period of (our) business's existence. We had little choice but to pay the hackers behind this attack except for the confidence the Progent group afforded us. The fact that you could get our e-mail system and key servers back in less than seven days was amazing. Every single expert I got help from or texted at Progent was laser focused on getting us back online and was working 24/7 on our behalf."
Progent worked together with the customer to rapidly understand and prioritize the most important areas that needed to be restored in order to resume departmental functions:
To begin, Progent followed industry best practices for malware incident mitigation by halting the spread and cleaning up compromised systems. Progent then began the process of bringing Microsoft Active Directory back online, the heart of enterprise systems built upon Microsoft technology. Microsoft Exchange messaging will not work without AD, and the client's accounting and MRP software relied on Microsoft SQL Server, which in turn depends on Windows AD to authenticate access to the data.
- Microsoft Active Directory
In less than two days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then began rebuilding critical servers and recovering their hard drives. All Exchange Server data and configuration information were intact, which facilitated the rebuild of Exchange. Progent was able to collect intact OST files (Outlook Offline Data Files) from staff desktop computers and laptops to recover mailbox data. A recent offline backup of the customer's accounting systems made it possible to bring these essential services back online. Although significant work remained to recover fully from the Ryuk attack, critical systems were restored rapidly:
"For the most part, the production manufacturing operation showed little impact and we did not miss any customer sales."
During the next few weeks, critical milestones in the restoration project were completed in close collaboration between Progent engineers and the customer:
- In-house web applications were restored with no loss of information.
- The MailStore Server with over four million archived messages was brought online and accessible to users.
- CRM/Orders/Invoices/AP/Accounts Receivables/Inventory Control modules were fully functional.
- A new Palo Alto 850 firewall was deployed.
- Most of the desktops and laptops were fully operational.
"Much of what went on those first few days is mostly a haze for me, but my team will not forget the countless hours each and every one of you accomplished to help get our company back. I've been working together with Progent for at least 10 years, maybe more, and every time Progent has shined and delivered as promised. This event was the most impressive ever."
A potentially company-ending disaster was avoided through hard-working experts, a wide spectrum of technical expertise, and tight collaboration. Although in retrospect the crypto-ransomware incident detailed here could have been blocked with up-to-date cybersecurity systems and best practices, staff education, and well-designed incident response procedures for data backup and keeping systems current with security patches, the fact remains that government-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware incident, you can be confident that Progent's team of experts has a proven track record in ransomware blocking, mitigation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thanks very much for letting me get some sleep after we made it through the first week. Everyone did a fabulous effort, and if anyone that helped is visiting the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Services in Sandy Springs
For ransomware system recovery consulting services in the Sandy Springs metro area, call Progent at 800-462-8800 or see Contact Progent.