Crypto-Ransomware: Your Crippling Information Technology Disaster
Crypto-ransomware has become an escalating cyberplague that poses an enterprise-level threat to businesses of every size that are poorly prepared for an attack. Ransomware families such as CrySIS, WannaCry, Bad Rabbit, NotPetya and MongoLock have been in the wild for years and continue to cause harm. Newer crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with as yet unnamed newcomers, not only encrypt critical online data but also go after the data protection mechanisms themselves: backups and shadow copies reachable from the compromised network are deleted or encrypted, and data synchronized to off-site disaster recovery sites can be rendered useless because replication faithfully copies the encrypted files. In a poorly designed data protection solution this can make restoration impossible and effectively knocks the datacenter back to zero.
Recovering applications and data after a crypto-ransomware intrusion becomes a race against time as the targeted business fights to stop lateral movement, eradicate the ransomware, and resume business-critical operations. Because ransomware needs time to spread and encrypt, attacks are frequently launched at night or on weekends, when a successful intrusion takes longer to discover. This compounds the difficulty of quickly assembling and organizing a qualified response team.
Progent provides an assortment of services for protecting The Woodlands organizations from ransomware attacks. These include staff training to help users recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation endpoint security products that use behavioral analysis and machine learning to detect and block zero-day attacks. Progent also offers the assistance of experienced ransomware recovery professionals with the skills and commitment to restore a breached network as rapidly as possible.
Progent's Crypto-Ransomware Recovery Support Services
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminals will hand over the keys needed to decrypt all of your files. Kaspersky estimated that 17% of ransomware victims never recovered their data after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at around $13,000 for smaller businesses. The alternative is to rebuild the critical elements of your IT environment. Without usable backups of essential data, this calls for a broad set of skills, first-rate project management, and the ability to work around the clock until the recovery is complete.
For two decades, Progent has provided professional IT services to businesses throughout the US and holds Microsoft Partner status with the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have earned top industry certifications in foundation technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity specialists hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of expertise allows Progent to quickly identify critical systems, salvage the usable components of your network after a crypto-ransomware attack, and rebuild them into a working environment.
Progent's ransomware team uses project management tools to orchestrate the complex recovery process. Progent understands the importance of working swiftly and in concert with a customer's management and IT staff to prioritize tasks and put critical services back online as soon as possible.
Business Case Study: A Successful Ransomware Intrusion Restoration
A business sought out Progent after their network was brought down by Ryuk ransomware. Ryuk was at first attributed by some analysts to North Korean state-sponsored actors because it shares code with the Hermes ransomware; later analysis attributes it to a Russian-speaking criminal group. Ryuk is used in targeted attacks against organizations with little or no tolerance for downtime and is among the most lucrative crypto-ransomware operations. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company in Chicago with around 500 employees. The Ryuk attack had frozen all essential business and manufacturing operations. Most of the client's backups were online, reachable from the network, when the attack began, and they were encrypted along with the production data. The client was preparing to pay the ransom (in excess of $200,000) and hope for the best, but in the end reached out to Progent.
"I can't thank you enough for the expertise Progent provided us throughout the most stressful period of (our) business's life. We would have had little choice but to pay the cyber criminals behind the attack if not for the confidence the Progent team afforded us. The fact that you were able to get our e-mail and production servers back in less than one week was beyond my wildest dreams. Each expert I got help from or e-mailed at Progent was urgently focused on getting my company operational and was working at all hours on our behalf."
Progent worked with the client to quickly identify and prioritize the services that had to be restored before company operations could resume:
- Active Directory
- Electronic messaging
To begin, Progent followed incident response best practices by containing the spread and cleaning up compromised systems. Progent then started bringing Active Directory back online, since it is the core of any enterprise environment built on Microsoft technology: Exchange e-mail will not operate without Active Directory, and the client's financial and MRP applications relied on SQL Server, which used Active Directory (Windows authentication) to control access to the data.
In less than two days, Progent restored Active Directory to its pre-attack state. Progent then began rebuilding servers and recovering data for critical applications. All Exchange Server data and attributes were usable, which greatly simplified the Exchange rebuild. Progent was also able to recover intact OST files (Outlook Offline Data Files) from user workstations to rebuild mailboxes. A recent offline backup of the client's accounting software made it possible to bring those applications back online. Although much work remained to recover completely from the Ryuk attack, critical systems were back in operation quickly:
"For the most part, the production operation did not miss a beat and we did not miss any customer orders."
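The restoration order described above (the directory first, then the services that authenticate against it) suggests a practical pre-flight check before Exchange or SQL Server is started. The following Windows PowerShell script is an added example, not code from Progent or from the case study. It assumes Windows PowerShell 5.1 (for the -ComputerName parameter of Get-Service), the RSAT ActiveDirectory module on the machine running it, and the hypothetical server names EXCH01, SQL01 and ERP01.

```powershell
# Added example: verify that restored Active Directory is healthy before bringing
# AD-dependent services (Exchange, SQL Server with Windows authentication) back online.
# Not part of Progent's case study. Server names below are hypothetical placeholders.
Import-Module ActiveDirectory

# Services every domain controller must be running for authentication to work.
$requiredDcServices = 'NTDS', 'Netlogon', 'DNS', 'Kdc'

function Test-RestoredDomainController {
    param([string]$DcHostName)
    $reachable = Test-Connection -ComputerName $DcHostName -Count 1 -Quiet
    $stopped = @()
    if ($reachable) {
        $stopped = @(Get-Service -ComputerName $DcHostName -Name $requiredDcServices -ErrorAction SilentlyContinue |
            Where-Object { $_.Status -ne 'Running' } |
            Select-Object -ExpandProperty Name)
    }
    [pscustomobject]@{
        DomainController = $DcHostName
        Reachable        = $reachable
        StoppedServices  = ($stopped -join ', ')
        Healthy          = ($reachable -and $stopped.Count -eq 0)
    }
}

# 1. Check every domain controller known to the restored directory.
$dcResults = Get-ADDomainController -Filter * |
    ForEach-Object { Test-RestoredDomainController -DcHostName $_.HostName }
$dcResults | Format-Table -AutoSize

# 2. Replication between DCs must be clean; repadmin reports failures per partner.
repadmin /replsummary

# 3. Each dependent server must still have a valid machine-account secure channel
#    and be able to locate a DC; a rebuilt server that lost its trust must be rejoined first.
$dependentServers = 'EXCH01', 'SQL01', 'ERP01'   # hypothetical names
$depResults = Invoke-Command -ComputerName $dependentServers -ScriptBlock {
    [pscustomobject]@{
        Server        = $env:COMPUTERNAME
        SecureChannel = Test-ComputerSecureChannel
        DcLocated     = ($null -ne (nltest /dsgetdc:$env:USERDNSDOMAIN 2>$null |
                                    Select-String -Pattern '^\s*DC:'))
    }
}
$depResults | Format-Table -AutoSize

# 4. Gate the next phase on the checks above rather than on a clock.
$dcProblems  = @($dcResults  | Where-Object { -not $_.Healthy })
$depProblems = @($depResults | Where-Object { -not ($_.SecureChannel -and $_.DcLocated) })
if ($dcProblems.Count -gt 0 -or $depProblems.Count -gt 0) {
    Write-Warning 'Directory or trust problems remain; do not start Exchange or SQL Server yet.'
} else {
    Write-Host 'Active Directory and trust checks passed; dependent services can be started.'
}
```

Run it from a clean administrative workstation after the domain controllers have been declared free of malware; a failed secure channel on a dependent server is the usual sign that the server was rebuilt and needs to be rejoined to the domain before its application services are started.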
Over the next couple of weeks, important milestones in the restoration project were reached through close cooperation between Progent and the customer:
- In-house web sites were returned to operation with no loss of data.
- The MailStore e-mail archive server, holding more than 4 million historical e-mails, was brought back up and made accessible to users.
- CRM, product ordering, invoicing, AP/AR and inventory functions were fully operational.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Nearly all user workstations were fully operational.
"Much of what was accomplished in the early hours is nearly entirely a fog for me, but my team will not soon forget the care each and every one of your team put in to help get our company back. I've been working with Progent for the past ten years, maybe more, and each time Progent has impressed me and delivered as promised. This event was a life saver."
A potential business disaster was averted through the efforts of dedicated professionals, a broad spectrum of IT skills, and close teamwork. In hindsight, the ransomware attack described here could have been prevented with current security tooling and recognized best practices, staff training, and properly followed procedures for data protection and software patching. The reality, however, is that ransomware operators, criminal and state-sponsored alike, are relentless and are not going away. If you are hit by a crypto-ransomware incident, you can be confident that Progent's roster of experts has a proven track record in ransomware defense, removal, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were helping), thank you for allowing me to get rested after we made it over the initial push. Everyone made an incredible effort, and if any of your guys are visiting the Chicago area, dinner is on me!"
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Consulting in The Woodlands
For ransomware recovery expertise in The Woodlands metro area, phone Progent at 800-462-8800 or see Contact Progent.