Crypto-Ransomware : Your Feared IT Catastrophe
Ransomware has become a modern cyber pandemic that poses an extinction-level threat to organizations poorly prepared for an attack. Older ransomware families such as Dharma, CryptoWall, Locky, SamSam and MongoLock have been circulating for years and still cause damage. Modern variants such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, along with a steady stream of unnamed newcomers, not only encrypt online files but also attack any configured system protection mechanisms. Files synchronized to off-site disaster recovery sites can be corrupted as well. In a poorly architected environment this can make automated recovery hopeless and effectively knocks the datacenter back to zero.
Bringing applications and data back online after a ransomware event becomes a race against time as the victim fights to stop lateral movement, eradicate the malware, and resume mission-critical operations. Because ransomware needs time to spread, attacks are frequently launched on weekends and holidays, when intrusions are likely to take longer to notice. This multiplies the difficulty of rapidly assembling and coordinating a knowledgeable response team.
Progent offers a range of services for protecting Colorado Springs organizations from crypto-ransomware attacks. These include staff training to help employees recognize and avoid phishing scams, and ProSight Active Security Monitoring (ASM), an endpoint detection and response service that uses SentinelOne's AI-based threat protection to identify and quarantine zero-day malware attacks. Progent also offers the services of veteran ransomware recovery consultants with the skills and perseverance to restore a breached network as quickly as possible.
Progent's Crypto-Ransomware Restoration Help
Following a crypto-ransomware intrusion, paying the ransom in cryptocurrency does not guarantee that the criminals will hand over the keys needed to decrypt any or all of your data. Kaspersky determined that 17% of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than typical crypto-ransomware demands, which ZDNET determined to be approximately $13,000 for smaller businesses. The alternative is to piece back together the key elements of your IT environment. Without access to complete data backups, this calls for a broad range of IT skills, well-coordinated project management, and the capacity to work non-stop until the recovery project is complete.
For two decades, Progent has provided expert IT services to businesses across the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who hold advanced certifications in leading technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity consultants have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise with financial management and ERP software. This breadth of experience gives Progent the capability to rapidly identify critical systems after a ransomware intrusion, reorganize the surviving pieces of your network, and assemble them into an operational environment.
Progent's ransomware experts use professional project management tools to orchestrate the complex recovery process. Progent understands the importance of working swiftly and in unison with a client's management and IT staff to prioritize tasks and bring essential services back online as fast as humanly possible.
Case Study: A Successful Crypto-Ransomware Intrusion Response
A client sought out Progent after their network was taken over by Ryuk ransomware. Ryuk is thought to have been created by North Korean state-sponsored hackers, possibly using technology leaked from America's NSA. Ryuk targets specific businesses that have little or no tolerance for operational disruption and is one of the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business headquartered in Chicago with around 500 employees. The Ryuk incident had shut down all essential business and manufacturing operations. Most of the client's system backups had been online at the start of the intrusion and were encrypted. The client considered paying the ransom (exceeding two hundred thousand dollars) and hoping for the best, but ultimately reached out to Progent.
"I can't tell you enough about the expertise Progent gave us during the most fearful period of (our) company's existence. We had little choice but to pay the cybercriminals except for the confidence the Progent group gave us. That you could get our messaging and important applications back in less than five days was amazing. Each expert I worked with or e-mailed at Progent was hell bent on getting us operational and was working non-stop on our behalf."
Progent worked with the customer to rapidly identify and prioritize the critical elements that had to be addressed before business functions could restart:
- Windows Active Directory
- Electronic Messaging
- Accounting and Manufacturing Software
To begin, Progent followed anti-malware incident response best practices by stopping lateral movement and removing active malware. Progent then began the work of bringing Microsoft Active Directory back online, since AD is the heart of enterprise environments built on Microsoft Windows technology. Microsoft Exchange messaging will not work without AD, and the customer's accounting and MRP system ran on Microsoft SQL Server, which depended on Active Directory for authentication to the data.
Within 48 hours, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then helped with reinstallation and storage recovery of essential systems. All Exchange schema and attributes were intact, which accelerated the Exchange restore. Progent was able to gather unencrypted OST files (Outlook Offline Data Files) from various desktop and laptop computers to recover mail messages. A fairly recent offline backup of the business's accounting/MRP system made it possible to bring these vital services back to users. Although a large amount of work remained to recover fully from the Ryuk incident, the most important services were returned to operation rapidly:
"For the most part, the production manufacturing operation did not miss a beat and we did not miss any customer orders."
Over the following couple of weeks, critical milestones in the recovery process were reached through close cooperation between Progent engineers and the client:
- In-house web applications were brought back up with no loss of data.
- The MailStore archive server for Exchange, holding more than four million archived messages, was brought online and made available to users.
- The CRM, Customer Orders, Invoicing, Accounts Payable, Accounts Receivable, and Inventory modules were fully functional.
- A new Palo Alto Networks 850 firewall was installed and configured.
- 90% of the user desktops were back in operation.
"So much of what occurred during the initial response is mostly a fog for me, but my management will not forget the commitment each and every one of the team put in to help get our company back. I have utilized Progent for the past 10 years, maybe more, and each time Progent has come through and delivered. This situation was a Herculean accomplishment."
A probable business-ending catastrophe was averted through the efforts of results-oriented experts, a wide array of knowledge, and tight teamwork. In retrospect, the ransomware incident described here would likely have been detected and blocked by modern security solutions and NIST Cybersecurity Framework best practices, by user and IT administrator training, and by well-thought-out incident response procedures covering data backup and patch management. The fact remains, however, that state-sponsored hackers from China, North Korea and elsewhere are relentless and will keep attacking. If you are hit by a ransomware incident, remember that Progent's roster of experts has extensive experience in ransomware blocking, removal, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were involved), I'm grateful for allowing me to get some rest after we made it past the first week. All of you put in an incredible effort, and if anyone that helped is visiting the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this customer case study, click: Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet (PDF - 282 KB).
Contact Progent for Ransomware System Restoration Services in Colorado Springs
For ransomware system recovery consulting in the Colorado Springs metro area, phone Progent at 800-462-8800 or visit Contact Progent.