Crypto-Ransomware : Your Worst IT Nightmare
Ransomware has become an escalating cyberplague that poses an enterprise-level danger for any organization vulnerable to an assault. Ransomware families such as the CrySIS, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been in the wild for a long time and continue to cause havoc. More recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, along with frequent unnamed variants, not only encrypt on-line files but also attack most configured data protection mechanisms. Data synchronized to cloud environments can be corrupted as well. Where the data protection solution is itself vulnerable, this can render automated restore operations useless and effectively set the datacenter back to zero.
Getting applications and data back on-line following a crypto-ransomware outage becomes a sprint against the clock as the victim struggles to stop lateral movement, remove the ransomware, and resume enterprise-critical activity. Because ransomware takes time to move laterally, intrusions are typically launched on nights and weekends, when a successful attack can go undetected longer. This multiplies the difficulty of quickly mobilizing and organizing a knowledgeable mitigation team.
Progent makes available a variety of services for securing Salt Lake City organizations against ransomware intrusions. Among these are staff education to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of the latest generation of security gateways with artificial intelligence capabilities to rapidly discover and quarantine new threats. Progent also offers the assistance of seasoned crypto-ransomware recovery professionals with the skills and perseverance to rebuild a compromised system as quickly as possible.
Progent's Ransomware Restoration Help
Following a ransomware event, even paying the ransom in Bitcoin cryptocurrency provides no assurance that the criminal gangs will hand over the keys to decrypt any of your information. Kaspersky found that 17% of ransomware victims never recovered their data even after sending off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the usual ransomware demand, which ZDNET estimated to be in the range of $13,000 for smaller businesses. The other path is to piece back together the essential parts of your IT environment. Without full data backups available, this requires a broad complement of IT skills, top-notch project management, and the willingness to work non-stop until the job is complete.
For two decades, Progent has made available certified expert IT services for businesses across the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who hold advanced certifications in leading technologies from Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications.) Progent also has expertise in financial systems and ERP applications. This breadth of experience gives Progent the skills to efficiently identify the necessary systems, re-organize the surviving pieces of your IT environment after a ransomware event, and rebuild them into an operational system.
Progent's security team uses powerful project management tools to orchestrate the complicated recovery process. Progent appreciates the urgency of acting rapidly and in concert with a customer's management and IT staff to prioritize tasks and get essential systems back on line as soon as humanly possible.
Client Case Study: A Successful Ransomware Intrusion Response
A small business contacted Progent after their organization was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state criminal gangs, possibly using technology exposed from the United States National Security Agency. Ryuk targets specific companies with little or no ability to sustain disruption and is among the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturer in the Chicago metro area with around 500 staff members. The Ryuk attack had brought down all business operations and manufacturing processes. The majority of the client's data backups had been directly accessible at the start of the intrusion and were encrypted. The client was considering paying the ransom (exceeding $200,000) and hoping for the best, but in the end brought in Progent.
"I can't say enough about the help Progent provided us during the most critical time of (our) company's existence. We had little choice but to pay the cyber criminals if it wasn't for the confidence the Progent group afforded us. That you were able to get our messaging and production servers back online faster than 1 week was amazing. Every single expert I talked with or messaged at Progent was laser focused on getting us restored and was working 24 by 7 on our behalf."
Progent worked hand in hand with the client to quickly identify and prioritize the critical applications that had to be restored so that company operations could continue:
- Active Directory
- Microsoft Exchange Email
- MRP System
To begin, Progent followed industry best practices for malware incident mitigation by halting the spread and cleaning systems of the virus. Progent then started the process of bringing Windows Active Directory back online, the core of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange email will not operate without AD, and the business's MRP applications used Microsoft SQL Server, which relies on Windows AD to authenticate access to the data.
In less than 48 hours, Progent was able to rebuild Active Directory services to their pre-virus state. Progent then completed setup and hard drive recovery of mission-critical systems. All Microsoft Exchange Server schema and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was also able to collect intact OST data files (Outlook Offline Folder Files) from team PCs and laptops to recover mail information. A reasonably recent off-line backup of the business's accounting/ERP systems made it possible to bring these essential applications back on-line. Although a large amount of work remained to recover fully from the Ryuk event, critical services were restored quickly:
"For the most part, the assembly line operation ran fairly normal throughout and we did not miss any customer shipments."
During the following month, critical milestones in the restoration project were completed through tight collaboration between Progent engineers and the customer:
- Internal web applications were returned to operation without losing any information.
- The MailStore Server with over four million historical messages was brought online and accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory Control modules were 100% functional.
- A new Palo Alto 850 firewall was deployed.
- Ninety percent of the user desktops were back in use by staff.
"A lot of what occurred that first week is nearly entirely a blur for me, but I will not forget the commitment each of you accomplished to give us our business back. I have been working together with Progent for at least 10 years, maybe more, and every time Progent has come through and delivered. This time was the most impressive ever."
A possible company-ending catastrophe was avoided through the efforts of dedicated professionals, a broad spectrum of knowledge, and tight collaboration. Although in retrospect the ransomware intrusion described here could have been identified and prevented with advanced security systems and security best practices, team education, and properly executed procedures for backup and software patching, the fact is that government-sponsored cybercriminals from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware incursion, you can be confident that Progent's roster of experts has extensive experience in ransomware blocking, remediation, and data restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for letting me get some sleep after we got over the first week. Everyone did an impressive job, and if anyone that helped is in the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer story, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)