Crypto-Ransomware : Your Worst Information Technology Nightmare
Ransomware has become an all-too-frequent cyber pandemic that presents an enterprise-level threat to any organization vulnerable to attack. Crypto-ransomware families like CrySIS, WannaCry, Bad Rabbit, SamSam and the MongoLock cryptoworms have been running rampant for years and continue to cause harm. Modern variants such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, along with other as-yet-unnamed malware, not only encrypt online data files but also infiltrate any reachable system backup. Data replicated to the cloud can be corrupted as well. In a poorly architected data protection solution, this can make automated recovery hopeless and effectively sets the datacenter back to square one.
Restoring online services and data after a ransomware intrusion becomes a race against the clock as the victim fights to contain and remove the malware and to bring business-critical operations back. Because crypto-ransomware takes time to move laterally, attacks are frequently sprung during nights and weekends, when successful penetrations typically take longer to notice. This compounds the difficulty of rapidly mobilizing and coordinating a knowledgeable response team.
Progent offers a variety of services for protecting Des Moines enterprises from ransomware penetrations. These include staff education on recognizing and avoiding phishing attempts, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR), which uses SentinelOne's AI-based threat defense to detect and disable zero-day modern malware attacks. Progent also provides experienced crypto-ransomware recovery consultants with the skill and commitment to rebuild a breached network as urgently as possible.
Progent's Crypto-Ransomware Recovery Help
Following a ransomware event, paying the ransom demand in Bitcoin does not guarantee that the criminals will provide the keys to decrypt any or all of your files. Kaspersky found that 17% of ransomware victims never recovered their data after sending the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is far higher than the typical crypto-ransomware demand, which ZDNET determined to be around $13,000 for small businesses. The other path is to rebuild the essential elements of your IT environment. Without complete system backups, this calls for a broad complement of IT skills, well-coordinated project management, and the ability to work 24x7 until the recovery project is complete.
For decades, Progent has provided expert Information Technology services to businesses throughout the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who hold top certifications in foundation technologies from Microsoft, Cisco and VMware and in popular distributions of Linux. Progent's security engineers have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise with financial management and ERP software solutions. This breadth of expertise gives Progent the capability to quickly identify critical systems, re-organize the remaining pieces of your network environment following a ransomware attack, and assemble them into a functioning system.
Progent's recovery group uses best-of-breed project management applications to coordinate the complex recovery process. Progent appreciates the urgency of acting rapidly and in unison with a client's management and IT staff to prioritize tasks and to put critical applications back online as soon as possible.
Business Case Study: A Successful Ransomware Attack Recovery
A business escalated to Progent after their organization was taken over by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean state hackers, possibly using technology leaked from the U.S. NSA. Ryuk targets specific businesses with little tolerance for operational disruption and is among the most lucrative strains of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturer based in the Chicago metro area with around 500 staff members. The Ryuk attack had paralyzed all company operations and manufacturing capabilities. The majority of the client's data backups had been online at the time of the attack and were destroyed. The client was actively seeking loans to pay the ransom (exceeding $200,000) and hoping for good luck, but ultimately called Progent.
"I can't say enough in regards to the expertise Progent gave us throughout the most fearful period of (our) business's existence. We may have had to pay the hackers behind this attack if it wasn't for the confidence the Progent group afforded us. That you were able to get our e-mail and key servers back into operation in less than one week was earth shattering. Each staff member I spoke to or e-mailed at Progent was totally committed to getting our company operational and was working at all hours to bail us out."
Progent worked with the client to quickly identify and prioritize the critical services that had to be addressed in order to resume company operations:
- Microsoft Active Directory
- Electronic Messaging
To start, Progent followed ransomware incident response best practices by isolating infected systems and removing the malware. Progent then began recovering Active Directory, the core technology of enterprise environments built on Microsoft Windows Server. Exchange email will not operate without AD, and the business's accounting and MRP system ran on Microsoft SQL Server, which relies on Active Directory for authenticated access to the database.
Within 2 days, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then moved ahead with setup and hard drive recovery on critical systems. All Exchange schema and attributes were intact, which accelerated the restore of Exchange. Progent was able to collect unencrypted OST files (Outlook Offline Data Files) from various desktop computers in order to recover mail data. A recent offline backup of the customer's financials/ERP software made it possible to bring these required applications back online. Although significant work remained to recover fully from the Ryuk attack, the most important systems were returned to operation quickly:
"For the most part, the assembly line operation ran fairly normal throughout and we did not miss any customer orders."
During the following month, important milestones in the recovery process were completed through close collaboration between Progent consultants and the client:
- Self-hosted web applications were brought back up without losing any information.
- The MailStore Exchange Server containing more than 4 million historical emails was brought online and made available to users.
- The CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivable/Inventory modules were completely restored.
- A new Palo Alto 850 security appliance was brought online.
- Ninety percent of the user PCs were back in operation.
"A lot of what was accomplished during the initial response is mostly a haze for me, but our team will not soon forget the care each of your team put in to help get our company back. I've entrusted Progent for the past 10 years, possibly more, and every time I needed help Progent has come through and delivered as promised. This event was a life saver."
A likely company-ending catastrophe was averted by results-oriented professionals, a wide array of knowledge, and tight teamwork. In hindsight, the intrusion described here would have been detected and stopped by up-to-date cyber security systems and ISO/IEC 27001 best practices, user education, and well-thought-out procedures for data backup and for keeping systems current with security patches; nonetheless, government-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and remain an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's team of professionals has proven experience in crypto-ransomware blocking, mitigation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), I'm grateful for making it so I could get rested after we got over the first week. Everyone did a fabulous effort, and if anyone is visiting the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Consulting in Des Moines
For ransomware cleanup services in the Des Moines metro area, call Progent at 800-462-8800 or visit Contact Progent.