Crypto-Ransomware: Your Worst Information Technology Catastrophe
Crypto-ransomware has become a too-frequent cyberplague that poses an extinction-level danger for businesses unprepared for an attack. Multiple generations of crypto-ransomware, including the CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms, have been circulating for a long time and still cause destruction. More recent ransomware families such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, as well as frequent unnamed newcomers, not only encrypt online files but also defeat many of the system protections that have been configured. Data synced to cloud environments can also be encrypted. With a poorly designed data protection solution, this can make any restoration impossible and effectively knocks the datacenter back to zero.
Recovering applications and data after a ransomware intrusion becomes a sprint against the clock as the victim fights to stop lateral movement, remove the ransomware, and restore mission-critical activity. Because ransomware takes time to spread, attacks are usually launched on weekends, when they tend to take longer to recognize. This multiplies the difficulty of quickly assembling and coordinating a knowledgeable response team.
Progent offers a variety of services for securing Cheyenne organizations against ransomware attacks. Among these are staff education to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of next-generation security gateways that use machine learning technology to detect and block zero-day cyber attacks. Progent also offers the services of expert crypto-ransomware recovery professionals with the track record and perseverance to reconstruct a breached system as quickly as possible.
Progent's Crypto-Ransomware Recovery Help
After a crypto-ransomware attack, even paying the ransom in Bitcoin provides no assurance that the criminals will respond with the keys needed to decrypt any of your data. Kaspersky estimated that 17% of ransomware victims never recovered their data even after sending off the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms commonly range from 15 to 40 BTC ($120,000 to $400,000). This is well above the usual ransomware demand, which ZDNET determined to be in the range of $13,000 for small businesses. The fallback is to rebuild from scratch the critical elements of your Information Technology environment. Without access to full data backups, this calls for a wide range of IT skills, well-coordinated team management, and the willingness to work non-stop until the recovery project is complete.
For twenty years, Progent has offered professional Information Technology services to companies throughout the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have earned advanced certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally recognized certifications including CISM, CISSP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has expertise with accounting and ERP application software. This breadth of expertise allows Progent to quickly understand the systems that must be recovered, salvage the remaining parts of your network environment following a crypto-ransomware penetration, and rebuild them into a functioning system.
Progent's recovery group deploys powerful project management tools to coordinate the sophisticated recovery process. Progent understands the importance of working rapidly and in unison with a client's management and Information Technology resources to prioritize tasks and to get key systems back online as soon as humanly possible.
Client Story: A Successful Ransomware Incident Recovery
A business contacted Progent after their company was brought down by the Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state cybercriminals, possibly adopting approaches leaked from the United States National Security Agency. Ryuk targets specific companies with little or no tolerance for disruption and is among the most lucrative examples of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in the Chicago metro area with about 500 employees. The Ryuk attack had shut down all company operations and manufacturing capabilities. Most of the client's data backups had been online at the time of the attack and were encrypted. The client was taking steps to pay the ransom demand (exceeding $200,000) and hoping for the best, but ultimately engaged Progent instead.
"I cannot speak enough about the support Progent gave us during the most stressful period of (our) company's survival. We most likely would have paid the cybercriminals if it wasn't for the confidence the Progent experts provided us. The fact that you were able to get our e-mail system and important applications back into operation in less than one week was beyond my wildest dreams. Every single expert I interacted with or communicated with at Progent was amazingly focused on getting us operational and was working all day and night on our behalf."
Progent worked hand in hand with the customer to rapidly identify and prioritize the key elements that needed to be addressed in order to restart company functions:
- Windows Active Directory
- Microsoft Exchange
To get going, Progent followed industry best practices for AV/malware incident mitigation by stopping lateral movement and removing active malware. Progent then began the task of rebuilding Windows Active Directory, the core of enterprise systems built on Microsoft technology. Microsoft Exchange messaging will not work without Windows AD, and the client's financials and MRP applications relied on Microsoft SQL Server, which requires Active Directory services to authenticate access to the data.
In less than 48 hours, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then assisted with reinstallation and storage recovery of essential applications. All Exchange Server data and configuration information were intact, which simplified the rebuild of Exchange. Progent was also able to collect intact OST files (Outlook Offline Folder Files) from user PCs in order to recover email messages. A reasonably recent offline backup of the client's financials/MRP systems made it possible to bring these essential applications back online for users. Although a lot of work remained to recover fully from the Ryuk attack, essential systems were recovered quickly:
"For the most part, the production line operation showed little impact and we delivered all customer sales."
Over the following few weeks, key milestones in the restoration process were reached through tight collaboration between Progent team members and the client:
- Internal web applications were returned to operation with no loss of information.
- The MailStore Microsoft Exchange Server with over 4 million historical emails was restored to operations and available for users.
- CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory capabilities were completely functional.
- A new Palo Alto Networks 850 security appliance was brought online.
- 90% of the desktops and laptops were fully operational.
"So much of what happened in the initial days is nearly entirely a haze for me, but we will not forget the commitment all of the team accomplished to give us our business back. I have been working with Progent for the past ten years, maybe more, and every time I needed help Progent has shined and delivered. This event was a life saver."
A potentially enterprise-killing disaster was averted by hard-working experts, a wide range of IT skills, and tight collaboration. In hindsight, the crypto-ransomware penetration described here could have been prevented with up-to-date security systems and recognized best practices: team training, properly executed data protection procedures, and keeping systems current with security patches. The reality remains, however, that state-sponsored cyber criminals from Russia, China and elsewhere are tireless and are not going away. If you do get hit by a crypto-ransomware attack, remember that Progent's roster of professionals has a proven track record in ransomware blocking, cleanup, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thanks very much for making it so I could get some sleep after we got past the initial fire. All of you did an amazing job, and if any of your guys is in the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)