Crypto-Ransomware: Your Feared IT Nightmare
Ransomware has become an escalating cyber plague that poses an enterprise-level threat to any business vulnerable to attack. Multiple generations of ransomware such as CrySIS, WannaCry, Locky, Syskey and MongoLock have been circulating for years and continue to inflict harm. More recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, plus others not yet named, not only encrypt online data but also encrypt or delete any backups they can reach over the network. Data synchronized to off-site disaster recovery sites can be ransomed as well. In a poorly architected environment this makes automated restore operations useless and effectively sets the entire system back to zero; only backups that are offline or otherwise unreachable from the compromised network survive.
Getting applications and data back online after a ransomware intrusion becomes a race against time as the victim struggles to contain the damage, eradicate the malware and restore business-critical activity. Because encrypting a large environment and spreading through it takes time, attacks are usually launched at night or on weekends, when they often take longer to be noticed. This adds to the difficulty of promptly mobilizing and organizing a qualified response team.
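The paragraph above notes that attacks are timed for nights and weekends because encryption takes time and is noticed late. The following is an added example, not code from Progent or from this page: a small detector that reads file-server rename audit events, flags any account that renames many files to one new extension within a short window, and marks whether the burst fell outside business hours. The audit line format, the account names, the paths and the log contents are all constructed for the example; the `.RYK` extension is the one Ryuk appends to encrypted files.

```python
"""Added example: toy detector for ransomware-style mass file renames in a
file-server audit log, with an off-hours flag. Log format is constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional


class Rename(NamedTuple):
    ts: datetime
    user: str
    old: str
    new: str


def parse_line(line: str) -> Optional[Rename]:
    """Parse one constructed audit line: '<ISO ts> <user> RENAME <old> -> <new>'.
    Returns None for anything that is not a RENAME event."""
    parts = line.strip().split(" ", 3)
    if len(parts) != 4 or parts[2] != "RENAME":
        return None
    old, _, new = parts[3].partition(" -> ")
    return Rename(datetime.fromisoformat(parts[0]), parts[1], old, new)


def ext(path: str) -> str:
    """Lower-cased extension of the last path component ('' if none)."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def is_off_hours(ts: datetime, business_hours=(7, 19)) -> bool:
    """Weekend, or a weekday outside the assumed 07:00-19:00 window."""
    return ts.weekday() >= 5 or not (business_hours[0] <= ts.hour < business_hours[1])


def detect_mass_rename(lines, window=timedelta(minutes=5), min_files=20) -> List[dict]:
    """One alert per account whose renames inside any sliding `window` change
    at least `min_files` files to the same new extension. Ordinary renames
    that keep the extension (draft.docx -> final.docx) are ignored."""
    by_user = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_user[ev.user].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end, ev in enumerate(evs):
            while ev.ts - evs[start].ts > window:   # slide the window forward
                start += 1
            changed = [e for e in evs[start:end + 1] if ext(e.old) != ext(e.new)]
            if not changed:
                continue
            new_ext, count = Counter(ext(e.new) for e in changed).most_common(1)[0]
            if count >= min_files:
                alerts.append({"user": user, "ext": new_ext, "files": count,
                               "first": evs[start].ts, "last": ev.ts,
                               "off_hours": is_off_hours(ev.ts)})
                break   # one alert per account is enough to page someone
    return alerts


def constructed_log() -> List[str]:
    """Constructed audit log: 25 files renamed to .RYK by one account early on
    a Saturday, plus a few ordinary Monday-morning renames by another user."""
    lines = []
    t0 = datetime(2020, 3, 14, 2, 10, 0)   # Saturday 02:10 (constructed)
    docs = ["Q1.xlsx", "orders.csv", "bom.docx", "drawing.dwg", "notes.txt"]
    for i in range(25):
        old = f"\\\\fs01\\finance\\{i}_{docs[i % len(docs)]}"
        lines.append(f"{(t0 + timedelta(seconds=2 * i)).isoformat()} svc_share RENAME {old} -> {old}.RYK")
    t1 = datetime(2020, 3, 16, 10, 5, 0)   # Monday 10:05 (constructed)
    for i in range(3):
        lines.append(f"{(t1 + timedelta(minutes=i)).isoformat()} jdoe RENAME "
                     f"\\\\fs01\\eng\\draft{i}.docx -> \\\\fs01\\eng\\final{i}.docx")
    return lines


if __name__ == "__main__":
    for alert in detect_mass_rename(constructed_log()):
        print(alert)
```

The threshold and window are deliberately low so the constructed burst trips them; on a real file server they should be tuned against a baseline of normal rename volume, and the off-hours flag is there to raise priority, not to suppress daytime alerts.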
Progent offers a variety of services for protecting Sandy Springs organizations from ransomware attacks. These include user training to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of next-generation security gateways that use machine learning to detect and block zero-day threats. Progent can also provide experienced ransomware recovery engineers with the track record and commitment to rebuild a breached system as quickly as possible.
Progent's Ransomware Restoration Services
After a ransomware event, paying the ransom in Bitcoin does not guarantee that the criminals will respond with the keys needed to decrypt any or all of your data. Kaspersky found that 17% of crypto-ransomware victims never recovered their data even after paying, compounding their losses. Paying is also expensive: Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the typical ransomware demand, which ZDNet estimated at around $13,000 for smaller businesses. The alternative is to rebuild the essential parts of your IT environment. Without usable backups, this requires a broad range of IT skills, strong project management, and the ability to work around the clock until the job is done.
For decades, Progent has provided certified expert IT services to companies across the United States and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who hold top certifications in foundation technologies including Microsoft, Cisco, VMware and the major Linux distributions. Progent's security engineers hold internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC and SANS GIAC (see Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of expertise gives Progent the ability to quickly identify critical systems, consolidate the surviving pieces of your IT environment after a ransomware attack, and rebuild them into a working whole.
Progent's security team uses proven project management tools to orchestrate the complex restoration process. Progent understands the urgency of acting quickly and in concert with a client's management and IT staff to prioritize tasks and get critical services back online as soon as humanly possible.
Customer Story: A Successful Ransomware Incident Response
A client hired Progent after its network was compromised by Ryuk crypto-ransomware. Early reporting attributed Ryuk to North Korean state-sponsored hackers, because it shares code with the earlier Hermes ransomware, and suspected its operators of adopting techniques leaked from the U.S. NSA; later analysis generally attributes Ryuk to a Russian-speaking criminal group. Ryuk targets organizations that cannot tolerate operational downtime and is one of the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-site manufacturing company headquartered in the Chicago metro area with around 500 employees. The Ryuk event had brought down all essential business and manufacturing processes. Most of the client's backups had been reachable from the network at the start of the intrusion and were encrypted along with everything else. The client was actively seeking loans to pay the ransom (more than $200K) and hoping for the best, but in the end decided to engage Progent.
"I can't say enough in regards to the care Progent gave us throughout the most fearful period of (our) company's existence. We may have had to pay the cybercriminals except for the confidence the Progent team gave us. That you could get our e-mail system and critical servers back sooner than five days was something I thought impossible. Every single expert I interacted with or communicated with at Progent was laser focused on getting us restored and was working 24/7 to bail us out."
Progent worked with the client to rapidly identify and prioritize the essential systems that had to be recovered so that departmental functions could continue:
- Active Directory (AD)
- Exchange Server
- Accounting and Manufacturing Software
Progent first followed ransomware incident response best practices by containing the infection, blocking lateral movement and cleaning the malware from affected systems. Progent then began restoring Microsoft Active Directory, the foundation of any environment built on Windows Server. Exchange will not run without Active Directory, and the client's accounting and MRP applications ran on Microsoft SQL Server, which relies on AD to authenticate users and authorize access to the databases.
In less than two days, Progent restored Active Directory to its pre-attack state and then moved on to rebuilding servers and recovering data for the key applications. Because the Exchange Server schema and configuration live in Active Directory, they were intact, which simplified the Exchange restore. Progent was also able to collect intact Outlook offline data (.OST) files from user desktops and laptops to recover mailbox contents. A fairly recent offline backup of the company's financial/ERP software made it possible to bring those applications back online. Although substantial work remained to recover fully from the Ryuk damage, critical services were restored rapidly:
"For the most part, the assembly line operation survived unscathed and we delivered all customer deliverables."
During the following weeks, further milestones in the restoration were reached through close cooperation between Progent consultants and the client:
- Self-hosted web sites were returned to operation with no loss of data.
- The MailStore email archive, holding more than four million archived Exchange messages, was restored to operation and made accessible to users.
- CRM, orders, invoicing, accounts payable, accounts receivable and inventory functions were fully recovered.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Ninety percent of desktops and laptops were back in operation.
"Much of what was accomplished in the early hours is mostly a blur for me, but we will not forget the commitment all of the team put in to give us our business back. I have utilized Progent for at least 10 years, possibly more, and each time I needed help Progent has come through and delivered as promised. This time was the most impressive ever."
A probable business disaster was avoided through the efforts of dedicated professionals, a wide range of expertise, and tight collaboration. Post-incident forensics showed that the attack described here would have been blocked by current security tools and recognized best practices: staff training, a tested backup and incident response plan, and keeping systems current with security patches. Even so, state-sponsored and criminal cyber gangs from Russia, China and elsewhere are relentless and are not going away. If you are hit by a ransomware attack, you can rely on Progent's team, which has a proven track record in ransomware defense, remediation and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were contributing), thanks very much for letting me get rested after we got over the initial push. Everyone did a fabulous job, and if anyone is in the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)