Ransomware: Your Feared IT Nightmare
Crypto-ransomware has become an all-too-frequent cyber pandemic that poses an existential danger to businesses of all sizes that are poorly prepared for an attack. Ransomware families such as the Reveton, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been around for years and still cause damage. Newer crypto-ransomware strains like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Egregor, along with as-yet-unnamed newcomers appearing daily, not only encrypt critical online data but also compromise every configured system protection they can reach. Data synchronized to cloud environments can be corrupted as well. In a poorly architected data protection solution, this can render automatic recovery useless and effectively knock the entire system back to zero.
Recovering programs and information after a crypto-ransomware outage becomes a race against time as the targeted business struggles to stop lateral movement, eradicate the malware and restore business-critical operations. Because ransomware needs time to spread, intrusions are frequently triggered on weekends, when successful attacks tend to take longer to discover. This compounds the difficulty of quickly assembling and coordinating a knowledgeable mitigation team.
Progent offers a range of services for protecting Downers Grove enterprises from ransomware attacks. These include team training to recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of the latest generation of security solutions that use artificial intelligence to detect and suppress new threats. Progent can also provide the services of expert ransomware recovery consultants with the skill and perseverance to rebuild a compromised system as quickly as possible.
Progent's Crypto-Ransomware Recovery Help
Following a crypto-ransomware attack, paying the ransom in Bitcoin provides no assurance that the criminals will hand over the keys to decrypt any or all of your files. Kaspersky Labs found that seventeen percent of ransomware victims never recovered their files even after paying the ransom, resulting in further losses. The risk is also expensive: Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the usual crypto-ransomware demand, which ZDNET determined to be approximately $13,000 for small businesses. The fallback is to rebuild the critical parts of your IT environment from scratch. Without usable backups of essential data, this requires a broad range of skills, well-coordinated project management, and the ability to work 24x7 until the job is done.
For decades, Progent has provided professional IT services to businesses throughout the United States and has earned Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who hold top industry certifications in leading technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's cyber security consultants hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications.) Progent also has experience with accounting and ERP software. This breadth of expertise allows Progent to rapidly identify critical systems, salvage the surviving parts of your network environment after a crypto-ransomware attack, and rebuild them into an operational network.
Progent's ransomware team uses powerful project management tools to coordinate the complex restoration process. Progent understands the importance of acting rapidly and in concert with a client's management and IT staff to prioritize tasks and get essential systems back online as fast as possible.
Customer Case Study: A Successful Crypto-Ransomware Penetration Response
A customer escalated to Progent after their network was brought down by the Ryuk crypto-ransomware. Ryuk is generally believed to have been created by North Korean state-sponsored cybercriminals, who are suspected of adopting techniques leaked from the U.S. NSA. Ryuk targets specific businesses with little or no tolerance for operational disruption and is among the most lucrative ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in Chicago with about 500 staff members. The Ryuk attack had frozen all company operations and manufacturing capabilities. Most of the client's backups had been online at the start of the intrusion and were destroyed. The client was preparing to pay the ransom demand (in excess of $200K) and hoping for the best, but in the end engaged Progent.
"I cannot say enough about the expertise Progent provided us throughout the most fearful time of (our) business's life. We would have had little choice but to pay the criminal gangs if not for the confidence the Progent experts afforded us. The fact that you were able to get our messaging and key applications back on-line in less than five days was earth shattering. Each expert I interacted with or messaged at Progent was laser focused on getting us back online and was working 24/7 on our behalf."
Progent worked with the customer to quickly identify and prioritize the key areas that had to be restored before departmental operations could resume:
- Active Directory
- Microsoft Exchange
To start, Progent followed industry best practices for malware incident response by containing the spread and cleaning up compromised systems. Progent then began recovering Microsoft Active Directory, the heart of enterprise environments built on Microsoft Windows Server. Microsoft Exchange messaging will not work without AD, and the business's MRP applications used Microsoft SQL Server, which depends on Active Directory for authenticated access to the database.
In less than 2 days, Progent rebuilt Active Directory to its pre-intrusion state. Progent then began rebuilding key applications and recovering their storage. All Exchange data and configuration information were intact, which greatly simplified the Exchange rebuild. Progent was also able to locate unencrypted OST files (Microsoft Outlook Off-Line Folder Files) on various PCs and laptops and use them to recover mail messages. A recent off-line backup of the customer's accounting/ERP systems made it possible to bring these essential applications back online for users. Although a great deal of work remained to recover fully from the Ryuk damage, core systems were returned to operation rapidly:
"For the most part, the production manufacturing operation showed little impact and we produced all customer shipments."
Over the following couple of weeks, critical milestones in the restoration process were reached through close collaboration between Progent team members and the client:
- Internal web applications were returned to operation without losing any data.
- The MailStore Server containing more than 4 million historical emails was restored to operations and available for users.
- CRM/Orders/Invoices/AP/AR/Inventory Control capabilities were 100 percent functional.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Most of the user PCs were fully operational.
"So much of what was accomplished those first few days is nearly entirely a blur for me, but I will not soon forget the care each and every one of you put in to help get our company back. I've been working with Progent for the past 10 years, maybe more, and every time I needed help Progent has come through and delivered. This time was no exception but maybe more Herculean."
A potentially business-ending disaster was averted through top-tier experts, a broad range of IT skills, and close teamwork. In hindsight, the ransomware attack described here would likely have been detected and blocked by advanced security technology, NIST Cybersecurity Framework best practices, user education, and properly executed procedures for backups and security patching. The fact remains, however, that state-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and are not going away. If you are hit by ransomware, you can be confident that Progent's roster of experts has proven experience in ransomware blocking, mitigation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thanks very much for making it so I could get some sleep after we got over the initial push. All of you did an incredible effort, and if any of your team is around the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)