Crypto-Ransomware : Your Crippling IT Disaster
Ransomware has become a too-frequent cyberplague that represents an extinction-level threat for organizations poorly prepared for an assault. Multiple generations of ransomware such as CrySIS, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for many years and continue to inflict havoc. Modern strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Egregor, along with as-yet-unnamed malware that appears daily, not only encrypt on-line critical data but also infect any accessible system restores and backups. Data synchronized to the cloud can also be encrypted. In a poorly designed data protection solution, this can render automated recovery impossible and basically sets the network back to zero.
Restoring programs and data following a crypto-ransomware intrusion becomes a sprint against the clock as the victim struggles to stop the spread and remove the ransomware and to resume business-critical operations. Since ransomware requires time to spread, attacks are usually sprung during weekends and nights, when successful penetrations in many cases take more time to uncover. This multiplies the difficulty of quickly mobilizing and organizing an experienced response team.
Progent provides an assortment of services for securing Dallas businesses from crypto-ransomware events. Among these are staff training to become familiar with and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of the latest generation security appliances with AI technology to intelligently detect and disable zero-day threats. Progent in addition provides the assistance of veteran ransomware recovery professionals with the skills and perseverance to restore a compromised system as quickly as possible.
Progent's Crypto-Ransomware Recovery Support Services
Subsequent to a crypto-ransomware event, even paying the ransom demands in Bitcoin cryptocurrency does not ensure that cyber criminals will respond with the codes to decrypt any of your files. Kaspersky Labs determined that seventeen percent of crypto-ransomware victims never restored their files even after having sent off the ransom, resulting in additional losses. The ransom itself is also costly. Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000). This is greatly above the usual ransomware demands, which ZDNET estimated to be approximately $13,000 for smaller businesses. The other path is to piece back together the vital components of your IT environment. Absent access to complete system backups, this requires a wide complement of IT skills, top-notch team management, and the capability to work non-stop until the task is complete.
For decades, Progent has offered expert Information Technology services for businesses throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have earned high-level industry certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have garnered internationally-renowned certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise with financial systems and ERP application software. This breadth of experience provides Progent the ability to efficiently determine necessary systems and organize the surviving pieces of your Information Technology system after a crypto-ransomware attack and configure them into a functioning network.
Progent's security team of experts has state-of-the-art project management tools to orchestrate the complicated recovery process. Progent knows the urgency of acting swiftly and together with a customer's management and Information Technology team members to assign priority to tasks and to put the most important systems back on-line as soon as possible.
Business Case Study: A Successful Ransomware Virus Restoration
A client engaged Progent after their organization was attacked by the Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state cybercriminals, possibly adopting strategies exposed from America's NSA organization. Ryuk goes after specific organizations with limited room for operational disruption and is among the most profitable instances of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company based in the Chicago metro area and has around 500 workers. The Ryuk intrusion had paralyzed all business operations and manufacturing processes. Most of the client's information backups had been on-line at the beginning of the intrusion and were encrypted. The client was taking steps to pay the ransom demand (exceeding $200,000) and hoping for good luck, but in the end called Progent.
"I cannot speak enough in regards to the support Progent provided us during the most fearful time of (our) business's life. We had little choice but to pay the cybercriminals except for the confidence the Progent team gave us. That you could get our e-mail and key servers back online sooner than a week was amazing. Each expert I spoke to or e-mailed at Progent was totally committed to getting us working again and was working 24 by 7 on our behalf."
Progent worked hand in hand with the client to quickly determine and prioritize the critical elements that had to be recovered in order to restart departmental functions:
- Active Directory
- MRP System
To begin, Progent followed industry best practices for antivirus/malware incident response by halting the spread and cleaning systems of viruses. Progent then initiated the work of restoring Active Directory, the key technology of enterprise systems built upon Microsoft Windows technology. Microsoft Exchange messaging will not function without AD, and the customer's financials and MRP software leveraged Microsoft SQL Server, which needs Active Directory services for access to the database.
In less than 2 days, Progent was able to restore Active Directory to its pre-intrusion state. Progent then completed reinstallations and storage recovery on the most important servers. All Exchange Server schema and attributes were intact, which accelerated the restore of Exchange. Progent was able to locate intact OST files (Outlook Off-Line Data Files) on staff PCs to recover email data. A relatively recent offline backup of the client's accounting/ERP software enabled them to bring these essential services back online. Although significant work was left to recover completely from the Ryuk damage, the most important systems were recovered rapidly:
"For the most part, the production manufacturing operation did not miss a beat and we did not miss any customer sales."
Throughout the next couple of weeks key milestones in the recovery project were made through tight collaboration between Progent engineers and the customer:
- Internal web applications were returned to operation without losing any data.
- The MailStore archive for Microsoft Exchange Server, containing more than four million historical messages, was brought online and made available to users.
- CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory Control modules were 100 percent operational.
- A new Palo Alto Networks 850 firewall was deployed.
- Nearly all of the user workstations were back in use by staff.
"A lot of what happened in the early hours is nearly entirely a fog for me, but I will not forget the care each of the team accomplished to give us our company back. I have been working together with Progent for the past 10 years, maybe more, and every time Progent has outperformed my expectations and delivered. This time was a stunning achievement."
A possible enterprise-killing disaster was averted with hard-working professionals, a wide array of IT skills, and tight teamwork. Forensics showed afterwards that the crypto-ransomware penetration detailed here could have been identified and stopped with advanced cyber security technology and security best practices, team training, and properly executed security procedures for information backup and applying software patches; nevertheless, the fact is that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a crypto-ransomware penetration, remember that Progent's roster of experts has proven experience in ransomware virus defense, remediation, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were helping), thank you for allowing me to get some sleep after we made it over the initial fire. Everyone did an impressive effort, and if anyone that helped is visiting the Chicago area, dinner is the least I can do!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To review or download a PDF version of this case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)