Crypto-Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become an escalating cyberplague that represents an existential danger for organizations poorly prepared for an attack. Older ransomware families such as Reveton, WannaCry, Locky, Syskey and the MongoLock cryptoworms have been circulating for many years and still cause harm. Modern strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Nephilim, along with newer malware that has yet to be named, not only encrypt online files but also defeat most of the system protections that are typically in place. Files synchronized to the cloud can also be encrypted. In a poorly architected environment, this can make automated restore operations impossible and effectively sets the entire IT system back to square one.
Retrieving services and data after a ransomware outage becomes a race against the clock as the victim tries its best to contain the damage and remove the crypto-ransomware and to restore mission-critical operations. Because ransomware takes time to replicate, attacks are frequently launched on weekends and holidays, when successful attacks typically take more time to discover. This compounds the difficulty of rapidly assembling and organizing an experienced mitigation team.
Progent makes available an assortment of solutions for protecting Oklahoma City organizations from ransomware attacks. Among these are team member education to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of the latest generation of security solutions that use AI technology to intelligently discover and extinguish zero-day cyber attacks. Progent in addition offers the services of experienced ransomware recovery professionals with the track record and commitment to re-deploy a breached network as rapidly as possible.
Progent's Ransomware Restoration Services
After a crypto-ransomware penetration, paying the ransom in Bitcoin does not guarantee that the attackers will respond with the keys needed to decrypt any of your information. Kaspersky Labs ascertained that 17% of ransomware victims never restored their files after having paid the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is far higher than the usual ransomware demand, which ZDNET determined to be around $13,000 for smaller businesses. The alternative is to re-install the essential components of your IT environment. Without access to essential information backups, this calls for a broad range of IT skills, professional team management, and the willingness to work continuously until the recovery project is done.
For twenty years, Progent has made available certified expert IT services for companies throughout the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have attained advanced industry certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have earned internationally-recognized certifications including CISA, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience in accounting and ERP application software. This breadth of experience provides Progent the skills to efficiently understand important systems and organize the surviving pieces of your IT system following a ransomware event and assemble them into a functioning network.
Progent's ransomware team utilizes state-of-the-art project management tools to coordinate the complicated recovery process. Progent appreciates the importance of acting quickly and together with a client's management and IT staff to assign priority to tasks and to get essential applications back on line as fast as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Attack Response
A small business engaged Progent after their network was crashed by the Ryuk ransomware virus. Ryuk is generally considered to have been created by North Korean government-sponsored criminal gangs, possibly adopting techniques leaked from the U.S. NSA. Ryuk targets specific companies with limited tolerance for disruption and is one of the most profitable examples of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer headquartered in the Chicago metro area with around 500 staff members. The Ryuk attack had shut down all company operations and manufacturing processes. The majority of the client's information backups had been directly accessible from the network at the start of the intrusion and were damaged. The client was evaluating paying the ransom demand (more than two hundred thousand dollars) and hoping for the best, but ultimately made the decision to use Progent.
"I can't tell you enough in regards to the support Progent provided us during the most fearful period of (our) business's survival. We would have paid the hackers behind this attack if not for the confidence the Progent team gave us. That you could get our e-mail system and important servers back on-line in less than a week was incredible. Every single staff member I got help from or communicated with at Progent was hell-bent on getting our company operational and was working at all hours to bail us out."
Progent worked together with the client to rapidly get a handle on the situation and assign priority to the key elements that had to be recovered in order to continue company functions:
- Active Directory
- Electronic Messaging
To start, Progent adhered to ransomware incident response industry best practices by isolating the affected systems and performing malware removal steps. Progent then began the work of restoring Microsoft Active Directory, the core of enterprise networks built on Microsoft technology. Exchange email will not operate without AD, and the client's MRP applications leveraged Microsoft SQL Server, which requires Active Directory to authenticate and authorize access to the database.
In less than 48 hours, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then initiated setup and hard drive recovery of essential applications. All Exchange schema and attributes were usable, which accelerated the rebuild of Exchange. Progent was able to locate intact OST files (Outlook Offline Data Files) on various desktop computers to recover mail data. A reasonably recent offline backup of the business's accounting/MRP software made it possible to bring these essential applications back online. Although a lot of work remained to recover totally from the Ryuk virus, core services were recovered rapidly:
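Locating "intact" OST files, as the recovery above relied on, is a triage step a responder can script: a ransomware-encrypted Outlook data file no longer starts with the PST/OST file signature, whatever its name, while a healthy one does. The following Python script is an added example written for this page, not Progent's tooling or anything from the case study. It walks a mounted workstation volume, classifies every .ost/.pst file by header signature and byte entropy, and lists the usable candidates first. The header constants ("!BDN" at offset 0, "SM" at offset 8, the version word at offset 10) come from Microsoft's public MS-PST specification; the directory layout and the files it scans are constructed sample data.

```python
"""Triage Outlook data files (.ost/.pst) on a workstation image to find ones that
still carry a valid header and are therefore candidates for mail recovery.

Added example for this page; not part of the original case study. The magic
values follow the public MS-PST specification. All sample files are constructed.
"""
import math
import os
import random
import struct
import tempfile
from pathlib import Path

PST_MAGIC = b"!BDN"          # dwMagic at offset 0
PST_CLIENT_MAGIC = b"SM"     # wMagicClient at offset 8
PST_VERSION_OFFSET = 10      # wVer: 14/15 ANSI, 23 Unicode, 36 Unicode with 4K pages (OST)
KNOWN_VERSIONS = {14: "ANSI", 15: "ANSI", 23: "Unicode", 36: "Unicode-4K"}
DATA_EXTENSIONS = {".ost", ".pst"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/compressed data, far lower for a real OST header."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_outlook_data(path: Path) -> bool:
    """True for alice.ost as well as bob.ost.locked (attacker extension bolted on)."""
    return any(s.lower() in DATA_EXTENSIONS for s in path.suffixes)


def classify_outlook_file(path: Path) -> dict:
    """Verdict for one file: 'intact' (valid header) or 'damaged' (named like Outlook data, header gone)."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    result = {"path": str(path), "size": path.stat().st_size,
              "entropy": round(shannon_entropy(head), 2), "version": None}
    # Encryption replaces the first bytes along with the rest, so the signature
    # check is a cheap and reliable first filter before any mailbox-repair tool is run.
    if head[:4] == PST_MAGIC and head[8:10] == PST_CLIENT_MAGIC:
        ver = struct.unpack_from("<H", head, PST_VERSION_OFFSET)[0]
        result["version"] = KNOWN_VERSIONS.get(ver, f"unknown({ver})")
        result["verdict"] = "intact"
    else:
        result["verdict"] = "damaged"
    return result


def triage_tree(root: Path) -> list[dict]:
    """Walk a mounted volume and classify every file that looks like Outlook data.
    Intact files come first, largest first, so the richest mailbox copies are examined first."""
    findings = [classify_outlook_file(Path(d) / name)
                for d, _, names in os.walk(root)
                for name in names if looks_like_outlook_data(Path(d) / name)]
    findings.sort(key=lambda f: (f["verdict"] != "intact", -f["size"]))
    return findings


def build_sample_volume(root: Path) -> None:
    """Constructed sample volume: one healthy OST, one encrypted file renamed with a
    bolted-on extension, one encrypted in place under its original name, one unrelated file."""
    rng = random.Random(7)  # fixed seed so the sample is reproducible
    outlook = "AppData/Local/Microsoft/Outlook"
    for user in ("alice", "bob", "carol"):
        (root / "Users" / user / outlook).mkdir(parents=True)
    header = PST_MAGIC + b"\x00" * 4 + PST_CLIENT_MAGIC + struct.pack("<H", 36)
    (root / "Users/alice" / outlook / "alice@example.ost").write_bytes(header + b"\x00" * (4096 - len(header)))
    (root / "Users/bob" / outlook / "bob.ost.locked").write_bytes(rng.randbytes(4096))
    (root / "Users/carol" / outlook / "carol.ost").write_bytes(rng.randbytes(8192))
    (root / "Users/alice" / "notes.txt").write_text("not an Outlook data file\n")


def run_demo() -> list[dict]:
    """Build the sample volume in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_volume(root)
        return triage_tree(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['verdict']:8} entropy={f['entropy']:4} size={f['size']:6} version={f['version']} {f['path']}")
```

Run it against a read-only mount of each workstation image rather than the live machine; the verdict only says the header survived, so a file reported as intact still needs to be opened with Outlook or a repair tool on a clean host before its contents are trusted.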
"For the most part, the production manufacturing operation did not miss a beat and we produced all customer shipments."
During the next month critical milestones in the recovery project were accomplished through close collaboration between Progent engineers and the client:
- Self-hosted web sites were returned to operation with no loss of information.
- The MailStore email archive for Microsoft Exchange Server, holding more than four million archived emails, was restored to operation and accessible to users.
- CRM/Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory Control capabilities were 100 percent operational.
- A new Palo Alto Networks 850 firewall was brought online.
- Nearly all of the user workstations were fully operational.
"A huge amount of what happened in the early hours is nearly entirely a blur for me, but we will not soon forget the countless hours each and every one of your team accomplished to give us our company back. I have been working together with Progent for at least 10 years, possibly more, and every time Progent has impressed me and delivered as promised. This situation was a testament to your capabilities."
A likely business-ending catastrophe was averted by top-tier professionals, a wide range of IT skills, and tight collaboration. In hindsight, the ransomware incident detailed here would have been blocked by up-to-date security solutions, adherence to NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user training, and well thought out procedures for information backup and patch management. The fact remains, however, that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware attack, feel confident that Progent's roster of experts has a proven track record in crypto-ransomware blocking, remediation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thanks very much for letting me get some sleep after we made it over the most critical parts. All of you did an amazing effort, and if anyone that helped is visiting the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)