Crypto-Ransomware : Your Crippling Information Technology Nightmare
Crypto-ransomware has become a modern cyberplague that poses an extinction-level danger to organizations poorly prepared for an attack. Versions of ransomware such as the CryptoLocker, Fusob, Locky, NotPetya and MongoLock cryptoworms have been circulating for years and continue to inflict harm. More recent variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nephilim, plus a steady stream of as yet unnamed malware, not only encrypt online files but also infect every accessible system restore point and backup. Data synchronized to the cloud can also be ransomed. In a poorly designed data protection solution, this can render automatic restore operations useless and essentially knocks the entire system back to zero.
Recovering applications and data following a ransomware attack becomes a sprint against the clock as the targeted business tries to contain and eradicate the ransomware and to restore business-critical operations. Since ransomware needs time to spread, attacks are usually launched on weekends and holidays, when they are likely to take longer to detect. This compounds the difficulty of promptly mobilizing and orchestrating a knowledgeable response team.
Progent makes available a variety of solutions for protecting Salt Lake City businesses from crypto-ransomware attacks. Among these are staff training to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of modern security gateways with artificial intelligence technology to automatically detect and extinguish day-zero cyber attacks. Progent also offers the services of seasoned ransomware recovery professionals with the talent and perseverance to re-deploy a breached network as urgently as possible.
Progent's Crypto-Ransomware Restoration Help
Following a ransomware event, paying the ransom demand in Bitcoin does not guarantee that the criminals will return the keys needed to decrypt any or all of your data. Kaspersky found that seventeen percent of ransomware victims never recovered their data even after paying the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far higher than the average ransomware demand, which ZDNET determined to be approximately $13,000 for small organizations. The other path is to piece back together the mission-critical parts of your Information Technology environment. Without access to full system backups, this requires a wide range of IT skills, well-coordinated team management, and the ability to work non-stop until the job is finished.
For decades, Progent has provided expert Information Technology services for companies throughout the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have earned high-level industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have earned internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience in accounting and ERP applications. This breadth of experience gives Progent the capability to efficiently identify important systems and organize the remaining parts of your network system following a ransomware penetration and rebuild them into a functioning network.
Progent's security team uses top-notch project management systems to coordinate the complicated recovery process. Progent understands the importance of working rapidly and in concert with a client's management and IT staff to prioritize tasks and to get the most important applications back online as soon as humanly possible.
Client Story: A Successful Ransomware Intrusion Recovery
A business sought out Progent after it was attacked by Ryuk ransomware. Ryuk is thought to have been launched by North Korean government-sponsored hackers, possibly using techniques leaked from the U.S. National Security Agency. Ryuk targets specific companies with little tolerance for disruption and is among the most profitable versions of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business located in Chicago with about 500 staff members. The Ryuk event had brought down all business operations and manufacturing processes. The majority of the client's backup copies had been online at the time of the intrusion and were encrypted. The client was actively seeking loans to pay the ransom demand (in excess of $200,000) and hoping for good luck, but ultimately decided to use Progent.
"I can't speak enough in regards to the expertise Progent provided us throughout the most stressful period of (our) business's survival. We most likely would have paid the cybercriminals if not for the confidence the Progent team provided us. The fact that you could get our messaging and key applications back into operation in less than one week was something I thought impossible. Every single staff member I spoke to or messaged at Progent was laser focused on getting us back on-line and was working non-stop on our behalf."
Progent worked with the client to rapidly identify and prioritize the most important elements that had to be restored to make it possible to continue departmental operations:
- Active Directory
- Electronic Mail
- MRP System
To start, Progent followed ransomware incident response best practices by isolating infected systems and cleaning them of malware. Progent then began rebuilding Windows Active Directory, the core technology of enterprise networks built on Microsoft Windows. Microsoft Exchange Server messaging will not operate without AD, and the customer's financials and MRP software used SQL Server, which depends on Windows AD for authentication to the data.
In less than 48 hours, Progent was able to recover Active Directory to its pre-attack state. Progent then rebuilt critical systems and recovered their storage. All Exchange schema and configuration information was usable, which facilitated the rebuild of Exchange. Progent was also able to find intact OST files (Microsoft Outlook Offline Data Files) on various PCs and use them to recover email messages. A recent offline backup of the client's financials/MRP systems made it possible to bring these required applications back online for users. Although significant work remained to recover fully from the Ryuk event, the most important systems were restored rapidly:
"For the most part, the production operation survived unscathed and we produced all customer sales."
Throughout the next month important milestones in the recovery process were made in close collaboration between Progent consultants and the customer:
- Internal web sites were brought back up without losing any information.
- The MailStore archive for Microsoft Exchange Server, holding over 4 million archived messages, was brought online and made available to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control functions were fully recovered.
- A new Palo Alto Networks 850 firewall was deployed.
- 90% of the user desktops were fully operational.
"A huge amount of what was accomplished that first week is nearly entirely a blur for me, but my management will not forget the care each and every one of the team put in to help get our company back. I have trusted Progent for the past ten years, possibly more, and every time Progent has shined and delivered. This event was a stunning achievement."
A likely enterprise-killing disaster was averted through the efforts of dedicated professionals, a broad range of subject matter expertise, and close teamwork. In hindsight, the ransomware attack described here could have been detected and prevented with up-to-date cybersecurity systems and NIST Cybersecurity Framework best practices, staff training, well thought out data protection procedures, and systems kept current with security patches. The fact remains, however, that government-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by ransomware, you can be confident that Progent's roster of experts has proven experience in ransomware defense, mitigation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), I'm grateful for allowing me to get some sleep after we got through the most critical parts. Everyone did an amazing job, and if any of your guys are around the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer case study, see Progent's Ryuk Incident Recovery Case Study Datasheet (PDF - 282 KB).