Crypto-Ransomware : Your Feared Information Technology Nightmare
Ransomware has become a too-frequent cyber pandemic that represents an extinction-level threat for organizations vulnerable to an attack. Ransomware families like the CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for years and still cause havoc. Modern ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with daily unnamed variants, not only encrypts on-line data but also compromises most configured system protections, including online backups. Information replicated to cloud environments can also be corrupted. In a poorly architected system, this can render automatic recovery hopeless and basically knock the entire system back to square one.
Restoring applications and information following a ransomware attack becomes a race against time as the victim fights to contain the damage, clean up the virus, and resume mission-critical operations. Because ransomware takes time to move laterally, penetrations are frequently launched on weekends, when attacks may take longer to discover. This compounds the difficulty of rapidly marshalling and coordinating an experienced mitigation team.
Progent has an assortment of support services for securing Southfield organizations from ransomware events. These include staff training to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of modern security appliances with machine learning technology to intelligently detect and disable new cyber attacks. Progent also can provide the assistance of experienced ransomware recovery consultants with the talent and perseverance to restore a compromised system as quickly as possible.
Progent's Ransomware Recovery Help
After a crypto-ransomware penetration, paying the ransom in Bitcoin cryptocurrency does not guarantee that cyber criminals will provide the codes needed to decrypt any of your information. Kaspersky Labs determined that 17% of ransomware victims never restored their files even after having sent off the ransom, resulting in increased losses. The cost is also very high. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is greatly above the usual ransomware demands, which ZDNET estimated to be around $13,000 for small businesses. The fallback is to re-install the critical components of your Information Technology environment. Absent the availability of essential system backups, this requires a wide complement of skills, well-coordinated team management, and the willingness to work non-stop until the recovery project is over.
For twenty years, Progent has made available professional IT services for companies across the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have been awarded top certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have garnered internationally-renowned industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise with accounting and ERP applications. This breadth of expertise gives Progent the capability to knowledgeably identify critical systems, consolidate the surviving components of your network environment following a crypto-ransomware attack, and assemble them into an operational network.
Progent's security team has state-of-the-art project management tools to orchestrate the complex recovery process. Progent appreciates the importance of working swiftly and in unison with a customer's management and Information Technology team members to assign priority to tasks and to put essential services back on line as fast as possible.
Client Story: A Successful Crypto-Ransomware Attack Recovery
A small business hired Progent after their network system was penetrated by the Ryuk crypto-ransomware. Ryuk is believed to have been created by North Korean state cybercriminals, possibly using algorithms exposed from America's NSA organization. Ryuk targets specific organizations with limited room for disruption and is one of the most lucrative instances of crypto-ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business based in the Chicago metro area with around 500 employees. The Ryuk attack had frozen all company operations and manufacturing processes. Most of the client's system backups had been online at the beginning of the intrusion and were damaged. The client was evaluating paying the ransom (exceeding two hundred thousand dollars) and praying for good luck, but ultimately made the decision to use Progent.
"I can't say enough in regards to the help Progent gave us during the most stressful period of (our) business's life. We had little choice but to pay the cybercriminals except for the confidence the Progent team gave us. The fact that you were able to get our e-mail system and critical servers back into operation in less than one week was earth shattering. Each person I got help from or communicated with at Progent was urgently focused on getting us operational and was working at a breakneck pace to bail us out."
Progent worked with the customer to rapidly understand and assign priority to the essential applications that needed to be addressed to make it possible to restart departmental functions:
- Windows Active Directory
- Microsoft Exchange
- MRP System
To get going, Progent adhered to ransomware penetration mitigation best practices by isolating and removing active viruses. Progent then began the process of restoring Active Directory, the foundation of enterprise systems built upon Microsoft technology. Microsoft Exchange messaging will not work without Active Directory, and the customer's financials and MRP applications utilized SQL Server, which requires Active Directory for access to the database.
Within two days, Progent was able to rebuild Active Directory services to their pre-virus state. Progent then performed setup and hard drive recovery of the most important servers. All Exchange schema and attributes were intact, which greatly helped the rebuild of Exchange. Progent was able to collect local OST files (Microsoft Outlook Offline Folder Files) from staff workstations to recover mail data. A recent off-line backup of the client's financials/MRP systems made it possible to bring these required applications back on-line. Although significant work remained to recover completely from the Ryuk attack, critical services were restored quickly:
"For the most part, the production manufacturing operation was never shut down and we produced all customer deliverables."
Over the next month important milestones in the restoration project were completed in close collaboration between Progent consultants and the client:
- Self-hosted web sites were brought back up with no loss of data.
- The MailStore archive server for Microsoft Exchange, holding more than four million historical emails, was spun up and made accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/AR/Inventory Control capabilities were fully recovered.
- A new Palo Alto 850 firewall was installed and configured.
- Nearly all of the desktop computers were functioning as before the incident.
"So much of what occurred in the initial days is nearly entirely a fog for me, but I will not forget the urgency each and every one of the team put in to give us our business back. I've been working together with Progent for the past ten years, possibly more, and every time Progent has outperformed my expectations and delivered as promised. This event was the most impressive ever."
A likely enterprise-killing catastrophe was averted with top-tier experts, a wide array of IT skills, and close collaboration. In retrospect, the ransomware penetration detailed here should have been identified and stopped with current security technology and security best practices, team education, and appropriate incident response procedures for data backup and proper patching controls. The reality remains, however, that government-sponsored cyber criminals from Russia, China and elsewhere are relentless and are not going away. If you do fall victim to a ransomware penetration, feel confident that Progent's team of experts has proven experience in crypto-ransomware virus blocking, mitigation, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for allowing me to get some sleep after we made it through the initial fire. All of you did a fabulous job, and if any of your team is in the Chicago area, dinner is on me!"
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)