Crypto-Ransomware : Your Worst IT Disaster
Crypto-Ransomware has become an escalating cyberplague that represents an existential threat for organizations vulnerable to an assault. Different versions of crypto-ransomware like the Reveton, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been circulating for a long time and continue to inflict damage. More recent versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Egregor, along with additional as yet unnamed viruses, not only encrypt on-line files but also infect any configured system backup. Information synchronized to the cloud can also be ransomed. In a poorly designed system, this can make automatic recovery impossible and effectively knocks the network back to square one.
Recovering services and information after a crypto-ransomware event becomes a sprint against time as the victim tries its best to contain and remove the ransomware and to restore enterprise-critical operations. Because crypto-ransomware takes time to spread, attacks are often launched at night, when they typically take longer to detect. This multiplies the difficulty of promptly mobilizing and coordinating a knowledgeable mitigation team.
Progent offers a range of help services for securing Oklahoma City enterprises from ransomware attacks. These include staff training to recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of next-generation security gateways with artificial intelligence capabilities to quickly detect and extinguish new threats. Progent also offers the assistance of seasoned crypto-ransomware recovery professionals with the skills and perseverance to restore a compromised environment as urgently as possible.
Progent's Crypto-Ransomware Restoration Services
Following a ransomware attack, paying the ransom demand in Bitcoin cryptocurrency does not provide any assurance that merciless criminals will respond with the codes needed to decrypt any of your files. Kaspersky Labs determined that 17% of ransomware victims never restored their information even after having paid the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is far higher than the average crypto-ransomware demand, which ZDNET estimated to be approximately $13,000 for smaller organizations. The alternative is to piece back together the mission-critical elements of your Information Technology environment. Absent complete data backups, this requires a wide complement of skills, top-notch team management, and the capability to work 24x7 until the recovery project is over.
For twenty years, Progent has provided certified expert Information Technology services for businesses across the United States and has earned Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have earned high-level industry certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have garnered internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial systems and ERP application software. This breadth of expertise gives Progent the capability to quickly identify critical systems, consolidate the remaining components of your Information Technology system after a ransomware attack, and configure them into a functioning system.
Progent's recovery team of experts uses best-of-breed project management systems to orchestrate the sophisticated recovery process. Progent appreciates the urgency of working quickly and in unison with a client's management and IT staff to prioritize tasks and to get essential systems back on-line as soon as possible.
Client Case Study: A Successful Ransomware Virus Response
A customer engaged Progent after their network was penetrated by the Ryuk ransomware virus. Ryuk is believed to have been developed by North Korean state-sponsored criminal gangs, possibly adopting technology leaked from America's National Security Agency. Ryuk attacks specific businesses with limited ability to sustain disruption and is one of the most profitable examples of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company based in the Chicago metro area with about 500 staff members. The Ryuk intrusion had brought down all business operations and manufacturing processes. Most of the client's backups had been directly accessible on-line at the time of the attack and were encrypted along with the production data. The client was preparing to pay the ransom (exceeding $200,000) and hope for the best, but ultimately made the decision to use Progent.
"I cannot thank you enough in regards to the expertise Progent provided us during the most stressful time of (our) business's life. We had little choice but to pay the criminal gangs if not for the confidence the Progent group afforded us. The fact that you could get our e-mail and critical servers back online quicker than a week was amazing. Every single expert I got help from or communicated with at Progent was laser focused on getting my company operational and was working day and night on our behalf."
Progent worked with the client to rapidly assess and prioritize the most important services that had to be restored in order to restart company operations:
- Microsoft Active Directory
- Microsoft Exchange
- Accounting and Manufacturing Software
To start, Progent followed ransomware incident mitigation best practices by halting the spread and removing active viruses. Progent then began the work of rebuilding Microsoft AD, the key technology of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange messaging will not function without Windows AD, and the client's MRP software used SQL Server, which depends on Active Directory services for access to the information.
In less than 2 days, Progent was able to rebuild Active Directory to its pre-penetration state. Progent then helped perform rebuilding and hard drive recovery on mission-critical systems. All Exchange Server data and configuration information were intact, which greatly helped the restoration of Exchange. Progent was also able to find intact OST files (Outlook Email Offline Data Files) on staff workstations and laptops in order to recover mail messages. A recent offline backup of the customer's manufacturing software made it possible to restore these required applications and make them available to users again. Although major work was left to recover totally from the Ryuk event, essential services were recovered quickly:
"For the most part, the production operation ran fairly normal throughout and we produced all customer deliverables."
During the next few weeks key milestones in the recovery project were achieved in close collaboration between Progent team members and the customer:
- Self-hosted web applications were returned to operation with no loss of information.
- The MailStore archive for Microsoft Exchange Server, holding more than four million historical messages, was restored to operation and made accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory Control functions were completely restored.
- A new Palo Alto 850 firewall was installed and configured.
- Most of the desktops and laptops were back in operation.
"So much of what happened in the early hours is mostly a haze for me, but my management will not forget the care each and every one of the team accomplished to give us our business back. I've been working together with Progent for the past 10 years, maybe more, and each time Progent has impressed me and delivered as promised. This situation was the most impressive ever."
A possible business disaster was dodged by results-oriented professionals, a wide spectrum of knowledge, and close collaboration. Although post-incident analysis showed that the ransomware attack detailed here could have been stopped by modern security solutions and best practices, staff education, properly executed incident response procedures for data backup, and proper patch management, the fact is that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do get hit by a ransomware penetration, remember that Progent's roster of experts has a proven track record in crypto-ransomware virus blocking, cleanup, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were helping), thanks very much for allowing me to get rested after we made it over the most critical parts. All of you did an amazing job, and if anyone that helped is around the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Services in Oklahoma City
For ransomware system recovery expertise in the Oklahoma City metro area, phone Progent at 800-462-8800 or see Contact Progent.