Crypto-Ransomware: Your Worst IT Nightmare
Crypto-ransomware has become a modern cyberplague that presents an enterprise-level threat to businesses of all sizes that are unprepared for an attack. Different versions of ransomware such as the Reveton, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for many years and still inflict harm. Newer strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit and Egregor, along with daily as-yet-unnamed newcomers, not only encrypt online data but also corrupt any system restore points and backups they can reach. Files synchronized to cloud environments can also be ransomed. With a poorly designed data protection solution, this can render automated restoration hopeless and effectively set the entire system back to square one.
Recovering applications and data after a ransomware outage becomes a sprint against time as the targeted business tries to contain the damage, eradicate the ransomware, and resume mission-critical operations. Because ransomware needs time to move laterally, attacks are usually launched on weekends and at night, when a successful intrusion tends to take longer to identify. This multiplies the difficulty of promptly marshalling and organizing a capable mitigation team.
Progent provides an assortment of services for protecting Mesa organizations from ransomware events. Among these are user education to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of next-generation security solutions with machine learning capabilities to intelligently identify and disable zero-day cyber attacks. Progent also provides the assistance of expert ransomware recovery professionals with the skills and perseverance to restore a compromised environment as quickly as possible.
Progent's Ransomware Recovery Help
Following a crypto-ransomware attack, paying the ransom demand in Bitcoin cryptocurrency provides no assurance that the attackers will respond with the keys needed to decrypt all your data. Kaspersky found that seventeen percent of crypto-ransomware victims never recovered their information even after paying the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the usual crypto-ransomware demand, which ZDNET estimated to be in the range of $13,000 for smaller organizations. The alternative is to rebuild the mission-critical elements of your IT environment. Without access to complete system backups, this calls for a wide complement of skill sets, top-notch project management, and the capability to work continuously until the task is complete.
For two decades, Progent has offered expert information technology services to businesses throughout the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold advanced certifications in key technologies from Microsoft, Cisco, and VMware, as well as in popular distributions of Linux. Progent's security specialists have earned internationally recognized certifications including CISA, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial systems and ERP applications. This breadth of expertise enables Progent to knowledgeably identify the systems that are required, recover the surviving components of your network after a crypto-ransomware event, and assemble them into a functioning system.
Progent's security team has top-notch project management tools to orchestrate the complex recovery process. Progent understands the urgency of acting swiftly and in concert with a client's management and IT team members to prioritize tasks and to get essential services back online as soon as humanly possible.
Customer Story: A Successful Crypto-Ransomware Virus Restoration
A client escalated to Progent after their network was attacked by Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by North Korean state cybercriminals, possibly adopting techniques leaked from the U.S. NSA. Ryuk targets specific companies with little tolerance for operational disruption and is one of the most lucrative instances of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturer located in the Chicago metro area with around 500 employees. The Ryuk event had disabled all essential business operations and manufacturing processes. Most of the client's backups had been online at the start of the attack and were encrypted. The client considered paying the ransom demand (in excess of two hundred thousand dollars) and hoping for good luck, but in the end brought in Progent.
"I cannot thank you enough for the help Progent gave us throughout the most fearful period of (our) business's existence. We would have paid the criminal gangs except for the confidence the Progent group afforded us. The fact that you could get our e-mail system and important applications back on-line in less than one week was amazing. Each consultant I talked with or communicated with at Progent was totally committed to getting us restored and was working all day and night on our behalf."
Progent worked together with the client to quickly understand and prioritize the essential applications that had to be addressed in order to restart business functions:
To get going, Progent followed malware incident mitigation best practices by stopping lateral movement and performing malware removal steps. Progent then began the process of bringing Windows Active Directory back online, the key technology of enterprise networks built on Microsoft Windows Server. Microsoft Exchange Server messaging will not work without Windows AD, and the business's financials and MRP software relied on SQL Server, which needs Active Directory services for access to the databases.
- Windows Active Directory
In less than 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then assisted with rebuilding the required servers and recovering their storage. All Microsoft Exchange Server data and configuration information were usable, which accelerated the restoration of Exchange. Progent was also able to locate local OST files (Outlook Offline Data Files) on staff PCs in order to recover mail data. A relatively recent offline backup of the business's financials/ERP software made it possible to bring these required applications back to users. Although significant work remained to recover fully from the Ryuk event, essential services were restored rapidly:
"For the most part, the manufacturing operation survived unscathed and we made all customer sales."
Over the following month critical milestones in the restoration project were achieved through close cooperation between Progent consultants and the client:
- In-house web applications were brought back up without losing any information.
- The MailStore archive for Microsoft Exchange Server, holding more than 4 million archived emails, was spun up and available to users.
- CRM/Product Ordering/Invoices/AP/AR/Inventory Control capabilities were fully operational.
- A new Palo Alto Networks 850 firewall was set up.
- Ninety percent of the user desktops and notebooks were functioning as before the incident.
"A huge amount of what went on in the initial days is mostly a haze for me, but I will not forget the care each of your team took to give us our business back. I have trusted Progent for at least 10 years, possibly more, and each time Progent has outperformed my expectations and delivered. This time was a Herculean accomplishment."
A potential business-ending disaster was averted through hard-working experts, a wide array of subject matter expertise, and close teamwork. In retrospect, the crypto-ransomware penetration described here would have been identified and disabled by advanced security systems and security best practices, user education, and properly executed procedures for data backup and for keeping systems current with security patches. The fact remains, however, that government-sponsored hackers from Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware incursion, be confident that Progent's roster of professionals has a proven track record in ransomware blocking, remediation, and file recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for making it so I could get rested after we made it through the initial push. All of you did a fabulous job, and if any of your team is around the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)