Crypto-Ransomware : Your Worst Information Technology Disaster
Ransomware has become an escalating cyber pandemic that poses an existential danger for businesses vulnerable to an assault. Versions of ransomware such as Dharma, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for many years and continue to inflict harm. More recent strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Egregor, as well as frequent as yet unnamed newcomers, not only encrypt online critical data but also defeat many configured system protections. Files replicated to off-site disaster recovery sites can also be corrupted. In a vulnerable system, this can render any restoration useless and basically knocks the datacenter back to square one.
Getting programs and data back on-line following a ransomware outage becomes a sprint against time as the victim tries its best to contain and eradicate the virus and to resume mission-critical operations. Because crypto-ransomware requires time to replicate, attacks are usually launched during weekends and nights, when successful penetrations in many cases take longer to detect. This compounds the difficulty of promptly assembling and orchestrating a qualified mitigation team.
Progent has a variety of support services for protecting Des Moines organizations from ransomware penetrations. Among these are team member training to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of the latest generation security appliances with AI capabilities to automatically detect and disable zero-day cyber attacks. Progent in addition offers the services of expert crypto-ransomware recovery engineers with the skills and perseverance to rebuild a compromised system as quickly as possible.
Progent's Ransomware Restoration Services
After a ransomware penetration, paying the ransom demand in Bitcoin cryptocurrency does not ensure that cyber hackers will provide the needed codes to unencrypt all your information. Kaspersky ascertained that 17% of ransomware victims never restored their information after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above the usual ransomware demands, which ZDNET estimated to be around $13,000 for small businesses. The fallback is to piece back together the critical elements of your IT environment. Absent access to essential data backups, this calls for a broad complement of IT skills, professional project management, and the capability to work 24x7 until the recovery project is completed.
For twenty years, Progent has offered certified expert Information Technology services for companies across the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have attained advanced certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have earned internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience in financial management and ERP application software. This breadth of experience gives Progent the skills to rapidly identify critical systems and integrate the remaining pieces of your Information Technology system following a crypto-ransomware attack and configure them into a functioning network.
Progent's ransomware team of experts deploys state-of-the-art project management systems to coordinate the complicated restoration process. Progent appreciates the importance of working swiftly and together with a customer's management and Information Technology staff to assign priority to tasks and to get key services back on line as soon as possible.
Client Story: A Successful Ransomware Incident Response
A client hired Progent after their network system was penetrated by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean government-sponsored cybercriminals, possibly using algorithms leaked from the United States NSA. Ryuk targets specific businesses with little or no ability to sustain disruption and is among the most profitable examples of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing business located in the Chicago metro area with about 500 workers. The Ryuk penetration had frozen all business operations and manufacturing processes. The majority of the client's information backups had been directly accessible at the beginning of the intrusion and were destroyed. The client considered paying the ransom demand (in excess of two hundred thousand dollars) and hoping for good luck, but in the end reached out to Progent.
"I cannot tell you enough about the care Progent provided us throughout the most fearful period of (our) business's life. We may have had to pay the cyber criminals behind the attack if not for the confidence the Progent experts provided us. The fact that you could get our messaging and essential servers back on-line quicker than one week was something I thought impossible. Each staff member I spoke to or texted at Progent was amazingly focused on getting our company operational and was working at a breakneck pace on our behalf."
Progent worked together with the customer to quickly assess and prioritize the key elements that had to be recovered to make it possible to resume company operations:
- Active Directory (AD)
- Exchange Server
- Accounting and Manufacturing Software
To get going, Progent followed ransomware event mitigation industry best practices by halting lateral movement and cleaning up infected systems. Progent then began the task of rebuilding Microsoft AD, the core of enterprise networks built on Microsoft technology. Exchange messaging will not work without AD, and the client's MRP system ran on Microsoft SQL Server, which relies on Active Directory for authentication and authorization of access to the data.
Within two days, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then charged ahead with setup and storage recovery on essential servers. All Microsoft Exchange Server data and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to collect intact OST data files (Outlook Offline Folder Files) on user desktop computers to recover mail data. A relatively recent offline backup of the business's manufacturing systems made it possible to bring these essential applications back on-line. Although a large amount of work still had to be done to recover totally from the Ryuk attack, core systems were recovered rapidly:
"For the most part, the manufacturing operation did not miss a beat and we delivered all customer sales."
During the following couple of weeks, important milestones in the restoration project were reached through tight cooperation between Progent team members and the customer:
- Internal web sites were returned to operation with no loss of information.
- The MailStore Server containing more than four million archived messages was restored to operation and made available to users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory modules were completely functional.
- A new Palo Alto Networks 850 firewall was set up.
- Most of the user PCs were operational.
"A lot of what went on that first week is mostly a haze for me, but our team will not soon forget the commitment all of your team accomplished to help get our business back. I have trusted Progent for the past ten years, maybe more, and every time I needed help Progent has shined and delivered as promised. This event was a testament to your capabilities."
A likely enterprise-killing catastrophe was averted thanks to results-oriented experts, a broad array of knowledge, and tight collaboration. In hindsight, the ransomware attack described here could have been identified and prevented with current security technology and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, and well thought out incident response procedures for data backup and applying software patches. The fact remains, however, that government-sponsored cyber criminals from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware incursion, remember that Progent's roster of professionals has substantial experience in crypto-ransomware virus defense, mitigation, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thanks very much for letting me get some sleep after we got through the initial fire. All of you made a fabulous effort, and if anyone is around the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)