Crypto-Ransomware : Your Crippling IT Disaster
Ransomware has become a modern cyber pandemic that poses an existential threat to businesses poorly prepared for an assault. Different versions of crypto-ransomware such as the CrySIS, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been in the wild for a long time and continue to inflict destruction. Modern strains of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Nephilim, along with more unnamed newcomers, not only encrypt online data but also corrupt many configured system restore points and backups. Files replicated to off-site disaster recovery sites can also be encrypted. With a vulnerable data protection solution, this can make automated restoration hopeless and effectively knocks the entire system back to zero.
Getting applications and data back online following a ransomware attack becomes a sprint against the clock as the targeted business struggles to stop lateral movement, clean up the ransomware, and resume enterprise-critical operations. Since ransomware takes time to spread, penetrations are often sprung on weekends, when successful attacks tend to take longer to recognize. This compounds the difficulty of quickly mobilizing and coordinating an experienced response team.
Progent provides a range of services for securing Edison businesses from crypto-ransomware events. Among these are user training to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with installation of next-generation security solutions with machine learning technology to quickly identify and quarantine zero-day cyber threats. Progent also can provide the assistance of seasoned ransomware recovery professionals with the talent and perseverance to rebuild a breached environment as quickly as possible.
Progent's Crypto-Ransomware Restoration Services
Following a crypto-ransomware event, even paying the ransom in cryptocurrency does not guarantee that distant criminals will provide the codes needed to decrypt any or all of your information. Kaspersky Labs estimated that 17% of ransomware victims never restored their information even after having sent off the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET estimated to be approximately $13,000 for small businesses. The alternative is to piece back together the vital parts of your Information Technology environment. Without access to complete information backups, this calls for a broad range of skill sets, professional project management, and the ability to work non-stop until the job is completed.
For decades, Progent has made available certified expert IT services for companies across the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have earned top industry certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have garnered internationally-recognized industry certifications including CISA, CISSP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of expertise provides Progent the capability to rapidly understand necessary systems and consolidate the remaining pieces of your IT system after a ransomware penetration and rebuild them into an operational network.
Progent's security team has state-of-the-art project management systems to coordinate the complex restoration process. Progent knows the importance of working quickly and in concert with a client's management and Information Technology staff to assign priority to tasks and to put essential systems back online as fast as possible.
Business Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A business engaged Progent after their network was attacked by Ryuk crypto-ransomware. Ryuk is thought to have been deployed by North Korean state cybercriminals, suspected of adopting techniques leaked from the United States NSA. Ryuk targets specific organizations with little tolerance for disruption and is among the most profitable examples of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in Chicago with around 500 staff members. The Ryuk attack had disabled all business operations and manufacturing processes. The majority of the client's backups had been online at the start of the intrusion and were destroyed. The client was actively seeking loans to pay the ransom (in excess of $200K) and hoping for good luck, but ultimately called Progent.
"I can't tell you enough in regards to the care Progent gave us during the most fearful time of (our) business's survival. We had little choice but to pay the criminal gangs if not for the confidence the Progent team gave us. That you were able to get our e-mail and essential servers back in less than a week was amazing. Each staff member I spoke to or e-mailed at Progent was hell bent on getting us restored and was working all day and night on our behalf."
Progent worked hand in hand with the customer to rapidly understand and prioritize the key applications that had to be addressed so that departmental operations could continue:
- Active Directory
- Microsoft Exchange
- MRP System
To begin, Progent followed industry best practices for malware incident response by halting the spread and cleaning up infected systems. Progent then started the process of recovering Microsoft Active Directory (AD), the heart of enterprise systems built on Microsoft Windows technology. Microsoft Exchange email will not operate without Active Directory, and the business's accounting and MRP system used Microsoft SQL Server, which relies on Active Directory for authentication and authorization to the data.
In less than 48 hours, Progent was able to rebuild Windows Active Directory to its pre-infection state. Progent then began the setup and hard drive recovery of mission-critical servers. All Exchange connectors and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was able to gather local OST data files (Microsoft Outlook Offline Folder Files) from staff desktop computers and laptops to recover mail messages. A fairly recent offline backup of the business's financials/MRP software made it possible to bring these essential applications back to users. Although a large amount of work remained to recover completely from the Ryuk event, essential services were restored rapidly:
"For the most part, the production operation was never shut down and we made all customer orders."
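The OST gathering step described above can be scripted so the recovery team gets an inventory before anyone starts converting cached mailboxes. The following PowerShell is an added illustration written for this page; it is not Progent's tooling or a record of what was run for this customer. It assumes (hypothetically) admin rights and a reachable C$ share on each workstation, a writable recovery share at \\RECOVERY01\ost-recovery, and constructed sample host names WS-001 and WS-002. Copying each OST to the share and recording its SHA-256 and last-write time also shows which caches were touched during the incident window and may themselves be encrypted.

```powershell
# Added example, not Progent's code. Collects Outlook OST cache files from a
# list of workstations into a recovery share and writes a CSV manifest.
# Hypothetical assumptions: admin access to each host's C$ share and a
# writable recovery share; host names below are constructed samples.
param(
    [string[]]$Computers   = @('WS-001', 'WS-002'),       # constructed sample hosts
    [string]$Destination   = '\\RECOVERY01\ost-recovery'  # hypothetical share
)

$manifest = Join-Path $Destination 'manifest.csv'

$rows = foreach ($pc in $Computers) {
    $usersRoot = "\\$pc\C$\Users"
    if (-not (Test-Path $usersRoot)) {
        Write-Warning "$pc unreachable; skipping"
        continue
    }

    foreach ($profile in Get-ChildItem -Path $usersRoot -Directory) {
        # Outlook keeps the offline cache under each user's local AppData.
        $ostDir = Join-Path $profile.FullName 'AppData\Local\Microsoft\Outlook'
        if (-not (Test-Path $ostDir)) { continue }

        foreach ($ost in Get-ChildItem -Path $ostDir -Filter '*.ost' -File) {
            $target = Join-Path $Destination ('{0}_{1}_{2}' -f $pc, $profile.Name, $ost.Name)
            $status = 'copied'
            $hash   = ''
            try {
                Copy-Item -Path $ost.FullName -Destination $target -ErrorAction Stop
                $hash = (Get-FileHash -Path $target -Algorithm SHA256).Hash
            } catch {
                # A file locked by a running Outlook, or a share error, should not
                # abort the whole sweep; record it so the team can follow up.
                $status = "failed: $($_.Exception.Message)"
            }

            [pscustomobject]@{
                Computer   = $pc
                User       = $profile.Name
                SourcePath = $ost.FullName
                SizeMB     = [math]::Round($ost.Length / 1MB, 1)
                LastWrite  = $ost.LastWriteTime   # caches modified inside the incident window deserve scrutiny
                SHA256     = $hash
                Copy       = $target
                Status     = $status
            }
        }
    }
}

$rows | Export-Csv -Path $manifest -NoTypeInformation
$rows | Sort-Object LastWrite -Descending | Format-Table Computer, User, SizeMB, LastWrite, Status
```

Run it from a clean recovery workstation with the list of hosts, for example `.\Collect-Ost.ps1 -Computers (Get-Content .\hosts.txt)`, before reimaging endpoints; the manifest then doubles as the checklist of mailboxes that can be rebuilt locally versus those that need another source.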
Over the following few weeks, critical milestones in the recovery project were reached through tight collaboration between Progent engineers and the customer:
- In-house web applications were returned to operation without losing any data.
- The MailStore Server holding more than 4 million archived emails was brought online and made available to users.
- CRM/Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory capabilities were completely recovered.
- A new Palo Alto Networks 850 firewall was installed.
- 90% of the user workstations were back in use by staff.
"Much of what transpired that first week is nearly entirely a blur for me, but my management will not soon forget the countless hours each of your team put in to help get our company back. I've been working with Progent for the past 10 years, possibly more, and each time I needed help Progent has impressed me and delivered. This event was a life saver."
A probable business-ending disaster was averted through the efforts of top-tier professionals, a broad range of knowledge, and close teamwork. In hindsight, the crypto-ransomware penetration detailed here should have been identified and prevented with current cyber security technology and recognized best practices: user education, appropriate incident response procedures, protected data backups, and proper patching controls. The fact remains that government-sponsored cyber criminals from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware incursion, you can be confident that Progent's team of professionals has a proven track record in ransomware blocking, mitigation, and information systems disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), I'm grateful for letting me get rested after we got through the initial fire. All of you did an incredible job, and if any of your guys is in the Chicago area, dinner is the least I can do!"
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)