Crypto-Ransomware: Your Feared Information Technology Disaster
Ransomware has become an all-too-frequent cyberplague that poses an existential danger to businesses of every size that are poorly prepared for an attack. Successive generations of ransomware such as Reveton, CryptoWall, Locky, SamSam and MongoLock have been circulating for many years and continue to wreak havoc. Modern strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nefilim, along with a steady stream of as-yet-unnamed newcomers, not only encrypt online data but also go after any backups and data protection systems they can reach. Files synced to the cloud can be ransomed as well. Where the data protection solution is itself vulnerable, this can make any restore operation hopeless and effectively sets the entire environment back to square one.
Getting services and data back online after a ransomware outage is a race against the clock as the targeted organization fights to contain and remove the malware and to restore business-critical activity. Because ransomware takes time to spread, attacks are frequently launched on weekends and at night, when they typically take longer to detect. This compounds the difficulty of quickly assembling and organizing a knowledgeable response team.
Progent offers a range of solutions for protecting Dayton businesses from ransomware attacks. These include staff education to help recognize and avoid phishing scams, and ProSight Active Security Monitoring (ASM), an endpoint detection and response (EDR) service that uses SentinelOne's behavior-based threat protection to identify and contain zero-day malware attacks. Progent also offers the services of veteran ransomware recovery professionals with the skills and commitment to restore a compromised network as quickly as possible.
Progent's Ransomware Recovery Support Services
Following a crypto-ransomware penetration, paying the ransom in Bitcoin provides no assurance that the attackers will respond with the keys needed to decrypt all your data. Kaspersky determined that 17% of ransomware victims never restored their files even after paying the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET determined to be in the range of $13,000 for smaller businesses. The other path is to rebuild the key parts of your Information Technology environment. Without complete system backups, this requires a wide complement of skill sets, well-coordinated project management, and the ability to work continuously until the job is done.
For twenty years, Progent has provided expert Information Technology services to businesses across the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who hold top industry certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security consultants hold internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience with financial management and ERP software solutions. This breadth of experience gives Progent the capability to quickly identify the important systems, organize the surviving parts of your Information Technology environment after a crypto-ransomware event, and configure them into a functioning network.
Progent's security team uses state-of-the-art project management systems to orchestrate the complex recovery process. Progent understands the urgency of working quickly, and together with the customer's management and IT staff, to prioritize tasks and get essential services back online as soon as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Incident Recovery
A small business hired Progent after its network was taken over by Ryuk crypto-ransomware. Ryuk is generally considered to have been launched by North Korean state-sponsored cybercriminals, suspected of using algorithms leaked from the United States NSA. Ryuk targets specific companies with little or no tolerance for operational disruption and is among the most lucrative ransomware variants. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in Chicago with around 500 staff members. The Ryuk intrusion had paralyzed all company operations and manufacturing processes. Most of the client's backups had been online at the start of the attack and were encrypted. The client was taking steps to pay the ransom (exceeding two hundred thousand dollars) and hoping for good luck, but ultimately called Progent.
"I cannot thank you enough for the care Progent gave us throughout the most critical time of (our) business's existence. We may have had to pay the cybercriminals except for the confidence the Progent experts afforded us. The fact that you could get our e-mail and important servers back on-line in less than a week was earth shattering. Each expert I talked with or communicated with at Progent was absolutely committed to getting us back on-line and was working 24 by 7 to bail us out."
Progent worked with the customer to quickly identify and prioritize the essential applications that had to be recovered before company operations could resume:
- Windows Active Directory
- Accounting and Manufacturing Software
To begin, Progent followed antivirus/malware incident response best practices by halting lateral movement and cleaning infected systems. Progent then began restoring Windows Active Directory, the foundation of enterprise environments built on Microsoft Windows technology. Microsoft Exchange Server email will not function without Windows AD, and the business's accounting and MRP software relied on Microsoft SQL Server, which requires Active Directory for access to the databases.
Within 48 hours, Progent was able to rebuild Active Directory to its pre-penetration state. Progent then performed reinstallations and hard drive recovery on key systems. All Exchange schema and configuration information was intact, which facilitated the rebuild of Exchange. Progent was also able to collect intact OST files (Microsoft Outlook Offline Data Files) from various workstations in order to recover email data. A recent offline backup of the client's manufacturing systems made it possible to bring these essential programs back online for users. Although much work remained to recover fully from the Ryuk event, critical systems were restored rapidly:
"For the most part, the production line operation showed little impact and we produced all customer shipments."
Over the following weeks, critical milestones in the restoration project were completed through close collaboration between Progent engineers and the customer:
- Self-hosted web sites were restored without losing any data.
- The MailStore Exchange Server containing more than 4 million historical messages was brought on-line and available for users.
- CRM/Customer Orders/Invoices/AP/Accounts Receivable/Inventory modules were fully operational.
- A new Palo Alto 850 firewall was installed.
- Ninety percent of the user desktops and notebooks were fully operational.
"Much of what was accomplished that first week is nearly entirely a blur for me, but my management will not forget the dedication each and every one of the team put in to help get our company back. I've entrusted Progent for the past 10 years, possibly more, and every time Progent has shined and delivered. This event was a Herculean accomplishment."
A potential business catastrophe was averted by hard-working professionals, a broad spectrum of knowledge, and tight collaboration. In retrospect, the crypto-ransomware attack described here should have been stopped by up-to-date security technology and best practices, staff education, and appropriate procedures for data protection and security patching. The reality, however, is that government-sponsored cybercriminals from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do get hit by a crypto-ransomware penetration, rest assured that Progent's roster of professionals has substantial experience in ransomware defense, cleanup, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were contributing), I'm grateful for allowing me to get some sleep after we made it past the first week. All of you did an amazing job, and if any of you guys is visiting the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this customer story, see Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Recovery Consulting Services in Dayton
For ransomware cleanup services in the Dayton metro area, call Progent at 800-462-8800 or see Contact Progent.