Crypto-Ransomware : Your Worst Information Technology Disaster
Ransomware has become a modern cyber pandemic that poses an enterprise-level danger for any organization vulnerable to an attack. Different versions of ransomware such as Reveton, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for many years and continue to cause harm. More recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Egregor, as well as additional unnamed malware, not only encrypt online information but also compromise most of the system protection mechanisms they can reach. Information synched to off-site disaster recovery sites can also be ransomed. In a poorly designed environment, this can render any recovery useless and essentially sets the network back to zero.
Getting services and information back following a ransomware intrusion becomes a race against the clock as the victim struggles to stop the spread, remove the malware, and resume business-critical activity. Because crypto-ransomware needs time to move laterally, attacks are often sprung on weekends, when a successful attack may take longer to detect. This compounds the difficulty of quickly assembling and organizing a capable response team.
Progent offers a range of services for securing Charlotte enterprises from crypto-ransomware penetrations. Among these are user training to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security gateways with artificial intelligence technology to quickly detect and quarantine zero-day cyber threats. Progent also provides the assistance of expert ransomware recovery engineers with the talent and commitment to rebuild a compromised network as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
Following a ransomware penetration, paying the ransom demand in Bitcoin cryptocurrency does not ensure that the criminal gang will return the keys needed to decrypt any or all of your data. Kaspersky Labs determined that 17% of ransomware victims never recovered their files after having paid the ransom, resulting in increased losses. The ransom itself is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is far higher than the typical crypto-ransomware demand, which ZDNET determined to be approximately $13,000 for smaller organizations. The alternative is to rebuild the mission-critical parts of your IT environment. Without access to essential data backups, this calls for a wide range of skills, professional project management, and the ability to work non-stop until the task is over.
For decades, Progent has provided professional Information Technology services for companies throughout the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained high-level certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have garnered internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise in financial systems and ERP software solutions. This breadth of expertise gives Progent the capability to efficiently identify important systems, organize the surviving components of your network following a crypto-ransomware attack, and configure them into a functioning system.
Progent's ransomware team of experts deploys powerful project management systems to orchestrate the complicated restoration process. Progent understands the urgency of working quickly and in concert with a client's management and IT resources to prioritize tasks and to get the most important systems back on line as fast as possible.
Client Story: A Successful Crypto-Ransomware Attack Response
A client escalated to Progent after their company was attacked by Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state-sponsored cybercriminals, possibly using techniques leaked from the U.S. National Security Agency. Ryuk targets specific companies with little or no ability to sustain operational disruption and is among the most profitable examples of ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing company located in the Chicago metro area with about 500 workers. The Ryuk penetration had disabled all business operations and manufacturing capabilities. Most of the client's backups were online and directly accessible at the time of the intrusion and were damaged. The client was actively seeking loans to pay the ransom (in excess of $200,000) and hoping for the best, but ultimately called Progent.
"I cannot thank you enough in regards to the care Progent gave us throughout the most critical period of (our) company's life. We had little choice but to pay the cyber criminals except for the confidence the Progent group afforded us. The fact that you were able to get our e-mail system and critical applications back online in less than seven days was amazing. Every single consultant I spoke to or communicated with at Progent was laser focused on getting us working again and was working 24 by 7 on our behalf."
Progent worked with the customer to quickly determine and prioritize the most important applications that needed to be restored to make it possible to restart business functions:
- Active Directory
- Electronic Messaging
To get going, Progent adhered to ransomware penetration response best practices by halting the spread and removing active viruses. Progent then started the process of rebuilding Microsoft Active Directory, the foundation of enterprise environments built on Microsoft Windows technology. Microsoft Exchange Server email will not operate without AD, and the customer's financials and MRP software used Microsoft SQL, which requires Active Directory services for security authorization to the database.
In less than two days, Progent was able to recover Active Directory to its pre-intrusion state. Progent then helped perform setup and hard drive recovery of the needed servers. All Exchange data and attributes were usable, which greatly helped the restore of Exchange. Progent was able to assemble local OST data files (Outlook Email Off-Line Data Files) from team workstations and laptops to recover email messages. A fairly recent offline backup of the client's manufacturing software allowed these required applications to be brought back online. Although significant work still had to be done to recover completely from the Ryuk damage, the most important services were returned to operation quickly:
"For the most part, the production manufacturing operation showed little impact and we made all customer shipments."
During the following couple of weeks critical milestones in the restoration process were achieved through tight collaboration between Progent consultants and the customer:
- Self-hosted web applications were returned to operation without losing any data.
- The MailStore Exchange Server with over four million archived messages was restored to operations and accessible to users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory modules were 100 percent functional.
- A new Palo Alto Networks 850 firewall was deployed.
- Nearly all of the user desktops and notebooks were functioning as before the incident.
"A huge amount of what was accomplished in the initial days is nearly entirely a fog for me, but my management will not forget the countless hours each and every one of you accomplished to give us our business back. I have been working with Progent for the past ten years, possibly more, and every time I needed help Progent has come through and delivered. This situation was the most impressive ever."
A potential business-killing disaster was averted due to results-oriented professionals, a wide range of subject matter expertise, and close teamwork. Post-incident analysis showed that the crypto-ransomware penetration detailed here would have been stopped by modern security solutions and NIST Cybersecurity Framework best practices, team training, and well designed incident response procedures for data backup and software patching. The fact remains, however, that state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware incursion, remember that Progent's roster of experts has extensive experience in ransomware blocking, remediation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were helping), I'm grateful for making it so I could get rested after we made it through the most critical parts. Everyone did an impressive effort, and if anyone that helped is around the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)