Crypto-Ransomware : Your Worst Information Technology Catastrophe
Ransomware has become an escalating cyber pandemic that represents an extinction-level threat for organizations vulnerable to an assault. Earlier iterations of ransomware such as Reveton, Fusob, Locky, Syskey and MongoLock cryptoworms have been running rampant for a long time and still inflict destruction. More recent ransomware families such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, plus frequent unnamed variants, not only encrypt on-line data but also compromise every configured system protection they can reach. Files replicated to off-site disaster recovery sites can also be rendered useless. In a poorly designed system, this can make any restore operation impossible and effectively sets the entire environment back to zero.
Bringing applications and information back on line following a ransomware outage becomes a race against the clock as the victim tries to stop lateral movement, clear the ransomware, and resume business-critical operations. Because crypto-ransomware needs time to replicate, attacks are frequently launched during weekends and nights, when they often take longer to recognize. This compounds the difficulty of rapidly assembling and organizing a qualified response team.
Progent offers a variety of support services for securing Manaus enterprises from crypto-ransomware attacks. Among these are user education to help staff recognize and avoid phishing scams, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which uses SentinelOne's AI-based threat protection to discover and quarantine zero-day malware attacks. Progent in addition offers the services of experienced ransomware recovery professionals with the track record and commitment to re-deploy a compromised network as urgently as possible.
Progent's Ransomware Restoration Help
Following a ransomware attack, paying the ransom in Bitcoin cryptocurrency does not provide any assurance that the attackers will return the keys to decrypt any of your files. Kaspersky estimated that seventeen percent of ransomware victims never restored their information even after having paid the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the average ransomware demand, which ZDNET estimated to be approximately $13,000 for small organizations. The fallback is to set up the vital parts of your Information Technology environment from scratch. Without full data backups available, this calls for a broad complement of IT skills, well-coordinated project management, and the willingness to work continuously until the recovery project is finished.
For two decades, Progent has made available certified expert Information Technology services for companies throughout the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have attained advanced certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have earned internationally recognized certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has experience in accounting and ERP software solutions. This breadth of experience gives Progent the capability to quickly identify critical systems, organize the remaining pieces of your IT environment following a crypto-ransomware attack, and configure them into an operational network.
Progent's recovery team of experts uses state-of-the-art project management systems to coordinate the complicated recovery process. Progent appreciates the importance of acting quickly and in unison with a customer's management and Information Technology resources to prioritize tasks and to put essential systems back on line as soon as humanly possible.
Customer Case Study: A Successful Ransomware Penetration Response
A customer hired Progent after their company was brought down by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean government-sponsored hackers, suspected of using techniques leaked from the U.S. NSA. Ryuk targets specific businesses with little room for operational disruption and is among the most lucrative ransomware families. Headline targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing company based in the Chicago metro area with around 500 employees. The Ryuk intrusion had paralyzed all company operations and manufacturing capabilities. Most of the client's backups had been on-line at the time of the attack and were destroyed. The client was pursuing financing to pay the ransom demand (exceeding $200,000) and hoping for good luck, but ultimately made the decision to use Progent.
"I cannot say enough in regards to the help Progent gave us during the most stressful time of (our) business's existence. We may have had to pay the cyber criminals if it wasn't for the confidence the Progent group provided us. That you were able to get our messaging and important servers back online in less than five days was something I thought impossible. Every single staff member I talked with or messaged at Progent was hell-bent on getting our system up and was working at breakneck pace on our behalf."
Progent worked together with the customer to quickly understand and prioritize the most important services that needed to be restored in order to resume company functions:
- Active Directory (AD)
- Microsoft Exchange Email
- Accounting and Manufacturing Software
To start, Progent followed industry best practices for malware incident response by containing the spread and performing malware removal steps. Progent then began restoring Microsoft Active Directory, the core of enterprise networks built on Microsoft Windows technology. Exchange messaging will not work without AD, and the customer's financial and MRP applications ran on SQL Server, which relies on Windows AD to authenticate access to the data.
In less than 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then charged ahead with rebuilding the most important servers and recovering their hard drives. All Microsoft Exchange Server schema and configuration information was usable, which facilitated the restore of Exchange. Progent was able to find intact OST files (Outlook Offline Data Files) on staff workstations and used them to recover mail data. A recent off-line backup of the business's accounting/ERP software allowed these required applications to be restored and made available to users. Although a large amount of work remained to recover completely from the Ryuk damage, critical services were returned to operation quickly:
"For the most part, the manufacturing operation did not miss a beat and we delivered all customer shipments."
Throughout the next month, important milestones in the recovery process were accomplished in tight cooperation between Progent team members and the client:
- Self-hosted web applications were restored with no loss of data.
- The MailStore Server, containing more than 4 million historical emails, was restored to operation and made accessible to users.
- CRM/Orders/Invoices/Accounts Payable/Accounts Receivable/Inventory capabilities were 100 percent operational.
- A new Palo Alto Networks 850 security appliance was set up and configured.
- 90% of the user desktops and notebooks were back in use by staff.
"A huge amount of what went on in the initial days is mostly a haze for me, but my team will not soon forget the dedication the whole team showed to give us our company back. I have utilized Progent for the past 10 years, maybe more, and each time Progent has outperformed my expectations and delivered as promised. This situation was the most impressive ever."
A potential business-ending disaster was avoided through the efforts of dedicated experts, a wide spectrum of technical expertise, and tight teamwork. Post-incident forensics showed that the ransomware attack detailed here could have been prevented with current cyber security technology and recognized best practices: user and IT administrator training, properly executed incident response procedures, reliable off-line data backups, and proper patching controls. Nevertheless, the fact remains that government-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by crypto-ransomware, remember that Progent's team of experts has extensive experience in ransomware defense, removal, and information systems recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thanks very much for allowing me to get rested after we made it through the most critical parts. All of you made an incredible effort, and if anyone is in the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Services in Manaus
For ransomware cleanup consulting in the Manaus area, call Progent at 800-462-8800 or visit Contact Progent.