Crypto-Ransomware: Your Feared Information Technology Catastrophe
Ransomware has become an all-too-frequent cyberplague that represents an extinction-level danger for organizations vulnerable to an attack. Multiple generations of ransomware such as CrySIS, Fusob, Bad Rabbit, Syskey and MongoLock have been in the wild for years and continue to cause damage. More recent families such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch and Nefilim, along with additional unnamed malware, not only encrypt on-line data but also seek out and destroy any reachable system restore points and backups. Data synced to cloud environments can also be ransomed, because the sync client faithfully copies the encrypted files over the originals. In a poorly designed data protection solution, this can make automated restoration hopeless and effectively sets the network back to zero.
Recovering services and data after a ransomware outage becomes a race against time as the victim fights to contain and eradicate the malware and to restore business-critical operations. Because attackers need time to move laterally and stage the payload, encryption is often triggered during nights and weekends, when the activity takes longer to notice. This compounds the difficulty of quickly mobilizing and coordinating a qualified response team.
Progent offers an assortment of support services for securing Charlotte businesses against crypto-ransomware attacks. Among these are employee training to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of the latest generation of security appliances that use AI techniques to quickly identify and contain zero-day threats. Progent can also provide veteran ransomware recovery consultants with the skills and perseverance to redeploy a compromised environment as quickly as possible.
Progent's Ransomware Recovery Services
After a ransomware event, paying the ransom in Bitcoin does not ensure that the attackers will provide working keys to decrypt any or all of your data. Kaspersky found that seventeen percent of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), significantly above the typical crypto-ransomware demand, which ZDNet put at about $13,000 for smaller organizations. The other path is to piece back together the critical elements of your IT environment. Without access to complete, uncompromised backups, this calls for a broad complement of skills, professional project management, and the ability to work continuously until the task is completed.
For twenty years, Progent has provided professional IT services for companies throughout the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who hold advanced industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have earned internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with accounting and ERP software solutions. This breadth of experience gives Progent the skills to identify the important systems, organize the surviving parts of your network following a ransomware penetration, and configure them into a functioning system.
Progent's security team uses best-of-breed project management applications to orchestrate the complicated restoration process. Progent appreciates the importance of working quickly and together with a customer's management and IT team members to prioritize tasks and get critical systems back on-line as fast as possible.
Customer Case Study: A Successful Ransomware Attack Restoration
A customer escalated to Progent after their network was penetrated by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because of code it shares with the earlier Hermes ransomware, but later analysis by security researchers attributes its operation to Russian-speaking criminal groups. Ryuk targets specific companies with limited tolerance for operational disruption and is among the most lucrative ransomware operations. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a manufacturing company located in the Chicago metro area with about 500 employees. The Ryuk event had paralyzed all business operations and manufacturing capabilities. The majority of the client's backups had been on-line at the start of the attack and were destroyed. The client was actively seeking loans to pay the ransom demand (exceeding two hundred thousand dollars) and hoping for the best, but in the end engaged Progent.
"I cannot tell you enough in regards to the support Progent provided us during the most critical period of (our) business's existence. We had little choice but to pay the hackers if not for the confidence the Progent team afforded us. The fact that you could get our e-mail system and key servers back quicker than 1 week was incredible. Each person I spoke to or messaged at Progent was hell bent on getting us back on-line and was working 24/7 to bail us out."
Progent worked with the customer to quickly get its arms around and prioritize the key elements that needed to be recovered in order to resume business functions:
- Windows Active Directory
- Electronic Mail
- Accounting and Manufacturing Software
To begin, Progent followed standard incident-response practice for malware outbreaks by isolating infected hosts and removing the active malware. Progent then began restoring Microsoft Active Directory, the foundation of enterprise networks built on Windows. Microsoft Exchange will not function without Active Directory, and the client's MRP software relied on Microsoft SQL Server, which depends on Active Directory for authentication and authorization to its databases.
Within two days, Progent restored Active Directory to its pre-attack state. Progent then completed setup and hard drive recovery on essential servers. All Exchange Server links and attributes in Active Directory were intact, which accelerated the restore of Exchange. Progent was also able to gather local OST files (Outlook offline data files) from staff PCs to recover mail messages. A reasonably recent off-line backup of the customer's accounting/MRP systems made it possible to bring these vital applications back on-line. Although a large amount of work remained to recover completely from the Ryuk damage, essential services were restored quickly:
"For the most part, the production manufacturing operation did not miss a beat and we did not miss any customer sales."
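The recovery order described above (Active Directory first, then Exchange and SQL Server) is only safe if the restored directory is actually healthy before dependent services are brought up. The following PowerShell script is an added example, not Progent's code or anything taken from the case study; it assumes a domain-joined Windows host with the RSAT ActiveDirectory module and an account that can read the Configuration partition, and the function name Test-AdRecovery is the editor's own.

```powershell
# Added example: post-restore sanity checks to run before bringing
# AD-dependent services (Exchange, SQL Server) back online.
# Assumes the ActiveDirectory RSAT module and read access to the
# Configuration naming context.
Import-Module ActiveDirectory

function Test-AdRecovery {
    $rootDse = Get-ADRootDSE
    $cfgNc   = $rootDse.configurationNamingContext

    # 1. Every domain controller must be reachable; a restored DC that is
    #    not replicating will silently diverge from the others.
    $dcs = Get-ADDomainController -Filter *
    foreach ($dc in $dcs) {
        $ok = Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet
        "{0,-30} reachable={1}" -f $dc.HostName, $ok
    }
    # repadmin ships with the AD DS tools; any non-zero failure count in
    # the summary means replication is broken and must be fixed first.
    repadmin /replsummary

    # 2. FSMO roles must be held by live DCs; restoring from an old backup
    #    can leave roles pointing at a DC that no longer exists.
    Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
    Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster

    # 3. Exchange keeps its topology in the Configuration partition; each
    #    server object must still exist or Exchange recovery will fail.
    Get-ADObject -SearchBase $cfgNc -LDAPFilter '(objectClass=msExchExchangeServer)' |
        Select-Object Name, DistinguishedName

    # 4. SQL Server integrated authentication relies on Kerberos SPNs on the
    #    service account; missing SPNs surface as NTLM fallback or login failures.
    Get-ADObject -LDAPFilter '(servicePrincipalName=MSSQLSvc/*)' -Properties servicePrincipalName |
        Select-Object Name, @{ n = 'SPNs'; e = { $_.servicePrincipalName -join ', ' } }

    # 5. Kerberos tolerates only five minutes of clock skew; a DC restored
    #    from a snapshot may be well outside that window.
    w32tm /query /status
}

Test-AdRecovery
```

Run it from an elevated prompt on a restored domain controller before starting Exchange or SQL Server services; every section should return the expected objects with no replication errors and the clock within skew before moving on to the next tier of the recovery.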
Over the next few weeks critical milestones in the recovery process were accomplished in close collaboration between Progent consultants and the customer:
- Self-hosted web sites were brought back up without losing any data.
- The MailStore Server containing more than four million historical emails was brought online and available for users.
- CRM/Product Ordering/Invoices/Accounts Payable/AR/Inventory Control modules were 100% functional.
- A new Palo Alto Networks PA-850 firewall was set up.
- 90% of the desktop computers were back into operation.
"A lot of what was accomplished those first few days is mostly a blur for me, but my team will not forget the care all of your team accomplished to give us our company back. I have entrusted Progent for at least 10 years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This time was a stunning achievement."
A likely business catastrophe was averted through dedicated professionals, a wide spectrum of subject matter expertise, and close collaboration. Although in hindsight the attack described here would have been blocked by current security tooling and recognized best practices (staff education, tested off-line backups, and timely security patching), the fact is that criminal and state-sponsored groups from Russia, China, North Korea and elsewhere are tireless and an ongoing threat. If you do fall victim to a ransomware incident, be confident that Progent's team of professionals has a proven track record in ransomware defense, mitigation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were contributing), thank you for letting me get rested after we made it through the initial fire. Everyone did an incredible job, and if anyone is in the Chicago area, a great meal is on me!"
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Consulting in Charlotte
For ransomware system recovery expertise in the Charlotte area, call Progent at 800-462-8800 or visit Contact Progent.