Crypto-Ransomware : Your Worst Information Technology Nightmare
Ransomware has become a modern cyber pandemic that represents an enterprise-level threat for businesses of all sizes unprepared for an assault. Versions of ransomware such as the Dharma, Fusob, Locky, Syskey and MongoLock cryptoworms have been running rampant for a long time and continue to cause harm. Newer variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Egregor, along with daily unnamed malware, not only encrypt on-line files but also infect many of the system backups they can reach. Information synchronized to off-site disaster recovery sites can be encrypted as well. In a poorly architected environment, this can make automatic restoration hopeless and effectively set the datacenter back to square one.
Getting applications and data back after a ransomware event becomes a race against the clock as the targeted organization struggles to contain the damage, clean up the crypto-ransomware and resume enterprise-critical operations. Because ransomware takes time to spread, attacks are usually launched at night, when they tend to take longer to notice. This compounds the difficulty of rapidly mobilizing and coordinating an experienced mitigation team.
Progent makes available a variety of solutions for protecting Yonkers organizations from ransomware attacks. Among these are staff training to recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of the latest generation of security appliances with AI capabilities to rapidly identify and quarantine zero-day threats. Progent can also provide the assistance of veteran crypto-ransomware recovery professionals with the skills and commitment to reconstruct a breached network as quickly as possible.
Progent's Crypto-Ransomware Restoration Support Services
Paying the ransom demand in cryptocurrency soon after a ransomware penetration does not guarantee that the criminal gang will respond with the keys needed to decrypt all your information. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their data after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far above the usual ransomware demands, which ZDNET determined to be in the range of $13,000 for small organizations. The alternative is to piece back together the vital components of your IT environment. Without full system backups, this requires a broad complement of IT skills, top-notch project management, and the willingness to work non-stop until the task is over.
For two decades, Progent has offered expert Information Technology services for companies across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have earned high-level certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with financial systems and ERP applications. This breadth of experience allows Progent to efficiently identify critical systems after a ransomware penetration, integrate the remaining pieces of your Information Technology environment, and assemble them into an operational system.
Progent's security team deploys top-notch project management systems to coordinate the complicated restoration process. Progent knows the importance of acting rapidly and in unison with a client's management and IT staff to prioritize tasks and to put essential systems back on line as soon as possible.
Client Story: A Successful Ransomware Intrusion Restoration
A business sought out Progent after their network was brought down by Ryuk crypto-ransomware. Ryuk is believed to have been deployed by North Korean state cybercriminals, possibly adopting techniques leaked from the United States National Security Agency. Ryuk goes after specific businesses with little room for operational disruption and is one of the most profitable iterations of ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing company based in the Chicago metro area with around 500 workers. The Ryuk intrusion had frozen all essential operations and manufacturing processes. Most of the client's backups had been on-line at the time of the intrusion and were destroyed. The client considered paying the ransom demand (more than $200,000) and hoping for the best, but in the end engaged Progent.
"I can't speak enough about the care Progent provided us during the most stressful time of (our) company's survival. We would have paid the cyber criminals except for the confidence the Progent team provided us. The fact that you could get our messaging and essential servers back into operation sooner than seven days was incredible. Each staff member I talked with or messaged at Progent was absolutely committed on getting us operational and was working breakneck pace to bail us out."
Progent worked with the customer to quickly assess and prioritize the critical applications that needed to be addressed in order to continue business functions:
- Windows Active Directory
- Microsoft Exchange
To get going, Progent followed industry best practices for malware incident response by halting the spread and performing virus removal steps. Progent then initiated the steps of bringing Active Directory back online, the core of enterprise systems built on Microsoft Windows technology. Microsoft Exchange email will not work without AD, and the business's financial and MRP applications relied on Microsoft SQL Server, which requires Windows AD for authentication to the data.
Within 2 days, Progent was able to recover Active Directory services to their pre-virus state. Progent then assisted with reinstallation and storage recovery of critical servers. All Exchange ties and attributes in AD were usable, which greatly helped the rebuild of Exchange. Progent was also able to collect local OST files (Outlook Offline Data Files) from team PCs to recover email data. A recent offline backup of the business's manufacturing systems made it possible to bring these required applications back online for users. Although major work still had to be done to recover completely from the Ryuk virus, critical services were returned to operation quickly:
"For the most part, the production operation survived unscathed and we did not miss any customer shipments."
Over the next few weeks key milestones in the restoration process were completed through close collaboration between Progent team members and the client:
- Internal web sites were returned to operation without losing any data.
- The MailStore archive server for Microsoft Exchange, holding more than 4 million historical emails, was brought on-line and made available to users.
- CRM, Orders, Invoices, AP/AR and Inventory Control functions were fully operational.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Nearly all of the user workstations were operational.
"A huge amount of what was accomplished during the initial response is nearly entirely a blur for me, but we will not soon forget the dedication each of the team accomplished to give us our company back. I've been working together with Progent for at least 10 years, possibly more, and every time Progent has shined and delivered as promised. This time was no exception but maybe more Herculean."
A possible business-extinction disaster was avoided through the efforts of dedicated professionals, a wide spectrum of IT skills, and tight collaboration. In post mortem, the crypto-ransomware attack detailed here would have been blocked by up-to-date security systems and best practices, team training, well-designed procedures for information backup, and proper patching controls. The reality remains, however, that government-sponsored cyber criminals from China, North Korea and elsewhere are tireless and are an ongoing threat. If you do fall victim to a ransomware attack, you can be confident that Progent's roster of professionals has proven experience in ransomware blocking, removal, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), I'm grateful for letting me get some sleep after we made it past the initial fire. Everyone did an incredible job, and if anyone that helped is visiting the Chicago area, a great meal is my treat!"
Download the Ransomware Removal Case Study Datasheet
A PDF version of this ransomware incident report is available for review or download: Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).