Crypto-Ransomware: Your Worst IT Nightmare
Crypto-ransomware has become a modern cyber pandemic that presents an enterprise-level threat to businesses unprepared for an attack. Versions of crypto-ransomware such as CryptoLocker, CryptoWall, Locky, SamSam and the MongoLock cryptoworms have been replicating for years and continue to inflict havoc. Modern variants such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, along with additional as yet unnamed strains, not only encrypt online data but also encrypt every system backup that is reachable from the compromised network. Files replicated to the cloud can also be encrypted. In a poorly architected environment this can make any restore operation impossible and effectively knocks the network back to square one.
Restoring programs and information after a ransomware intrusion becomes a race against time as the targeted business tries its best to stop the spread, eradicate the ransomware, and resume mission-critical activity. Because ransomware takes time to move laterally, attacks are often sprung on weekends and holidays, when they may take longer to discover. This compounds the difficulty of rapidly marshalling and orchestrating a qualified mitigation team.
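The two paragraphs above describe what the encryption phase looks like from the defender's side: one account rewrites or renames a large number of files in a short burst, the new names carry an extension nobody has seen on the share before, and the burst is timed for a weekend or the small hours. The script below is an added example, not Progent's code, showing how those three signals can be scored over file-server audit lines. The log format, the account names, the `.encrypted_example` extension and every threshold are constructed for illustration; a real deployment would feed it the file-audit events your own file server or EDR already emits.

```python
"""Added example (not part of the original article or Progent's tooling):
a burst detector for ransomware-style file activity, run over constructed
file-server audit lines.

Each line has the constructed form
    <ISO-8601 timestamp> <account> <operation> <old_path> -> <new_path>
Signals scored per account:
  * burst: more than BURST_THRESHOLD WRITE/RENAME events in WINDOW_SECONDS;
  * extension churn: the new names carry extensions not in KNOWN_EXTENSIONS;
  * off-hours: the burst falls on a weekend or outside business hours,
    which the article notes is when attacks are often sprung.
All thresholds are assumptions chosen for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW_SECONDS = 60          # assumption: sliding window length
BURST_THRESHOLD = 50         # assumption: events per window that count as a burst
BUSINESS_HOURS = range(7, 19)  # assumption: 07:00-18:59 local time, Mon-Fri
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "bak", "vbk", "txt"}  # assumption


@dataclass
class Alert:
    account: str
    start: datetime          # timestamp of the event that crossed the threshold
    events: int              # events in the window at that moment
    new_extensions: set      # extensions in the window not in KNOWN_EXTENSIONS
    off_hours: bool          # weekend or outside BUSINESS_HOURS


def parse_line(line):
    """Split one constructed audit line into its fields."""
    ts, account, op, rest = line.split(" ", 3)
    old, new = rest.split(" -> ")
    return datetime.fromisoformat(ts), account, op, old, new


def extension(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_off_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def detect(lines):
    """Return one Alert per account whose activity crosses BURST_THRESHOLD."""
    windows = defaultdict(deque)   # account -> deque of (timestamp, new extension)
    alerts = {}
    for line in lines:
        ts, account, op, _old, new = parse_line(line)
        if op not in ("WRITE", "RENAME"):
            continue
        q = windows[account]
        q.append((ts, extension(new)))
        # Drop events that have slid out of the window.
        while q and ts - q[0][0] > timedelta(seconds=WINDOW_SECONDS):
            q.popleft()
        if len(q) >= BURST_THRESHOLD and account not in alerts:
            unknown = {e for _, e in q if e and e not in KNOWN_EXTENSIONS}
            alerts[account] = Alert(account, ts, len(q), unknown, is_off_hours(ts))
    return list(alerts.values())


def make_sample_log():
    """Constructed audit lines, not real data: 'jsmith' edits five spreadsheets
    on a Tuesday morning; 'svc_backup' renames 80 backup files to an unfamiliar
    extension within about half a minute at 02:13 on a Saturday."""
    lines = []
    t = datetime(2024, 3, 5, 10, 0, 0)   # Tuesday
    for i in range(5):
        stamp = (t + timedelta(seconds=i * 10)).isoformat()
        lines.append(f"{stamp} jsmith WRITE /share/finance/q1_{i}.xlsx -> /share/finance/q1_{i}.xlsx")
    t = datetime(2024, 3, 9, 2, 13, 0)   # Saturday
    for i in range(80):
        stamp = (t + timedelta(milliseconds=i * 400)).isoformat()
        lines.append(f"{stamp} svc_backup RENAME /share/backups/db_{i}.bak"
                     f" -> /share/backups/db_{i}.bak.encrypted_example")
    return lines


if __name__ == "__main__":
    for a in detect(make_sample_log()):
        print(f"{a.account}: {a.events} events from {a.start}, "
              f"new extensions={sorted(a.new_extensions)}, off_hours={a.off_hours}")
```

The alert fires on the burst alone; the unfamiliar extension and off-hours flag are carried as enrichment so an analyst can rank it. Note that the noisy account here is a backup service account working against the backup share, which is exactly the case the article warns about: if the backup repository is writable from the network, the same burst that encrypts production data encrypts the backups too.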
Progent offers a variety of help services for securing Southfield enterprises from ransomware events. These include staff training to recognize and avoid phishing scams, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which uses SentinelOne's AI-based cyberthreat protection to discover and quarantine zero-day malware attacks. Progent in addition provides the services of experienced crypto-ransomware recovery consultants with the talent and commitment to rebuild a compromised network as soon as possible.
Progent's Crypto-Ransomware Restoration Services
After a ransomware attack, paying the ransom in Bitcoin cryptocurrency does not guarantee that criminal gangs will return the keys to decrypt any of your files. Kaspersky Labs ascertained that seventeen percent of ransomware victims never recovered their information after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the usual ransomware demands, which ZDNET estimated to be approximately $13,000 for small organizations. The fallback is to re-install the critical components of your Information Technology environment. Without full data backups available, this requires a wide range of IT skills, top-notch project management, and the ability to work continuously until the task is done.
For twenty years, Progent has offered expert IT services for businesses across the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained advanced industry certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally renowned industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of experience allows Progent to efficiently determine which systems are necessary, re-organize the surviving parts of your IT environment after a ransomware penetration, and rebuild them into a functioning system.
Progent's ransomware team of experts utilizes powerful project management applications to coordinate the complex recovery process. Progent appreciates the importance of acting rapidly and together with a client's management and IT team members to prioritize tasks and to put the most important services back online as fast as humanly possible.
Customer Story: A Successful Crypto-Ransomware Incident Response
A customer engaged Progent after their organization was penetrated by Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state-sponsored cybercriminals, suspected of using algorithms leaked from America's NSA. Ryuk targets specific companies with little or no ability to sustain disruption and is among the most lucrative instances of ransomware malware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in the Chicago metro area with about 500 staff members. The Ryuk penetration had disabled all essential operations and manufacturing capabilities. Most of the client's backups had been online at the beginning of the intrusion and were encrypted. The client was pursuing financing to pay the ransom demand (more than $200,000) and hoping for good luck, but ultimately engaged Progent.
"I can't tell you enough about the expertise Progent provided us throughout the most stressful time of (our) company's existence. We most likely would have paid the cyber criminals if it wasn't for the confidence the Progent team afforded us. That you could get our e-mail system and key applications back on-line in less than a week was incredible. Each expert I got help from or texted at Progent was urgently focused on getting us back online and was working at a breakneck pace to bail us out."
Progent worked hand in hand with the client to rapidly identify and prioritize the mission-critical elements that had to be restored in order to restart departmental operations:
- Windows Active Directory
- Exchange Server
To start, Progent followed malware incident response best practices by halting lateral movement and removing active malware. Progent then started the work of rebuilding Windows Active Directory, the core of enterprise networks built on Microsoft Windows technology. Microsoft Exchange Server email will not operate without AD, and the business's accounting and MRP system used Microsoft SQL Server, which relies on Active Directory to authenticate and authorize access to its databases.
In less than 2 days, Progent was able to restore Windows Active Directory to its pre-penetration state. Progent then helped perform setup and storage recovery of key systems. All Exchange Server data and attributes were usable, which greatly helped the restoration of Exchange. Progent was able to assemble intact OST files (Microsoft Outlook Offline Data Files) from staff desktop computers to recover mail data. A fairly recent offline backup of the client's manufacturing software allowed these required programs to be brought back online for users. Although a large amount of work still had to be done to recover fully from the Ryuk event, core services were recovered rapidly:
"For the most part, the manufacturing operation never missed a beat and we produced all customer shipments."
Over the following month important milestones in the recovery project were accomplished in tight cooperation between Progent team members and the client:
- Internal web sites were restored with no loss of data.
- The MailStore Server with over four million historical messages was brought on-line and accessible to users.
- CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory modules were 100 percent operational.
- A new Palo Alto Networks 850 security appliance was installed.
- Ninety percent of the user desktops and notebooks were operational.
"Much of what transpired during the initial response is nearly entirely a blur for me, but my team will not forget the dedication each of you accomplished to help get our business back. I've entrusted Progent for the past 10 years, maybe more, and every time Progent has outperformed my expectations and delivered. This time was a testament to your capabilities."
A probable company-ending catastrophe was avoided by results-oriented experts, a broad array of knowledge, and tight teamwork. Although in hindsight the crypto-ransomware attack described here would have been blocked by current security technology and recognized best practices, team training, and well thought out security procedures for data backup and proper patching controls, the reality remains that state-sponsored hackers from China, North Korea and elsewhere are tireless and will continue. If you do get hit by a crypto-ransomware incursion, be confident that Progent's team of experts has extensive experience in ransomware blocking, mitigation, and data disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for allowing me to get rested after we made it over the most critical parts. Everyone did an impressive effort, and if anyone that helped is visiting the Chicago area, a great meal is the least I can do!"
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this customer story, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Consulting Services in Southfield
For ransomware recovery consulting in the Southfield metro area, call Progent at 800-462-8800 or go to Contact Progent.