Crypto-Ransomware : Your Worst Information Technology Nightmare
Ransomware has become a modern cyber pandemic that presents an enterprise-level danger to businesses of every size. Ransomware families such as Reveton, WannaCry, Bad Rabbit, Syskey and the MongoLock cryptoworms have been running rampant for years and continue to inflict damage. More recent variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Nephilim, along with many unnamed strains, not only encrypt online data but also encrypt every system backup they can reach. Data synchronized to off-site disaster recovery sites can be encrypted as well. In a poorly architected environment, this can make automated restore operations impossible and effectively knocks the datacenter back to zero.
Recovering applications and data after a ransomware intrusion becomes a race against time as the targeted organization fights to contain the damage, clear the ransomware, and resume business-critical activity. Because ransomware takes time to spread, attacks are often launched at night, when a successful intrusion is less likely to be noticed promptly. This compounds the difficulty of quickly mobilizing and coordinating a capable response team.
Progent offers a range of support services for protecting Barueri-Alphaville businesses from ransomware attacks. These include staff training to help employees recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security appliances with AI capabilities that automatically detect and disable zero-day threats. Progent also provides the services of expert ransomware recovery engineers with the skills and commitment to restore a breached environment as quickly as possible.
Progent's Ransomware Restoration Help
After a crypto-ransomware event, paying the ransom in Bitcoin does not guarantee that the criminal gang will respond with the keys needed to decrypt all your data. Kaspersky Labs found that 17% of crypto-ransomware victims never recovered their files after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far above the average crypto-ransomware demand, which ZDNET estimated at around $13,000 for small businesses. The alternative is to rebuild the essential elements of your Information Technology environment from scratch. Without access to usable data backups, this calls for a broad range of IT skills, first-rate project management, and the ability to work around the clock until the job is finished.
For twenty years, Progent has provided certified expert IT services to businesses across the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold high-level industry certifications in leading technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity experts have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience with financial management and ERP applications. This breadth of expertise gives Progent the capability to efficiently identify critical systems, salvage the surviving components of your IT environment following a ransomware penetration, and reassemble them into a working system.
Progent's ransomware recovery team uses state-of-the-art project management tools to coordinate the complex restoration process. Progent understands the urgency of acting quickly and in unison with a client's management and Information Technology staff to prioritize tasks and bring key services back online as fast as humanly possible.
Case Study: A Successful Crypto-Ransomware Penetration Response
A small business contacted Progent after its network was brought down by the Ryuk ransomware. Ryuk is believed to have been created by North Korean state cybercriminals, possibly using techniques leaked from America's NSA. Ryuk targets specific businesses with little tolerance for operational disruption and is among the most lucrative ransomware families. Publicly reported victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company in the Chicago metro area with about 500 employees. The Ryuk penetration had halted all company operations and manufacturing processes. The majority of the client's data backups had been online at the time of the intrusion and were destroyed. The client considered paying the ransom (over two hundred thousand dollars) and hoping for the best, but in the end decided to engage Progent.
"I can't say enough in regards to the care Progent provided us during the most stressful time of (our) business's existence. We may have had to pay the cyber criminals if not for the confidence the Progent experts provided us. The fact that you could get our e-mail and production applications back online in under five days was incredible. Every single person I talked with or communicated with at Progent was absolutely committed to getting my company operational and was working non-stop on our behalf."
Progent worked with the client to quickly identify and prioritize the essential areas that had to be restored before departmental functions could restart:
- Active Directory (AD)
- Electronic Messaging
To start, Progent followed malware incident response best practices by halting lateral movement and disinfecting systems. Progent then began recovering Microsoft Active Directory, the core of enterprise systems built on Microsoft Windows technology. Microsoft Exchange Server email will not function without AD, and the client's MRP software ran on Microsoft SQL Server, which depends on Windows AD to authorize access to its databases.
In less than 2 days, Progent recovered Active Directory services to their pre-intrusion state. Progent then performed setup and hard drive recovery on critical applications. All Exchange data and configuration information were usable, which simplified the rebuild of Exchange. Progent was also able to gather unencrypted OST files (Outlook Offline Data Files) from staff desktop computers to recover mail data. A recent offline backup of the client's financials/MRP systems made it possible to bring these vital applications back online. Although major work remained to recover fully from the Ryuk attack, critical services were restored quickly:
"For the most part, the production operation ran fairly normal throughout and we made all customer shipments."
Over the next couple of weeks, key milestones in the recovery project were reached through close collaboration between Progent consultants and the client:
- Internal web sites were brought back up without losing any information.
- The MailStore Microsoft Exchange Server archive with over 4 million archived emails was brought online and made accessible to users.
- CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivable/Inventory Control functions were completely restored.
- A new Palo Alto 850 firewall was installed and configured.
- Nearly all of the user desktops and notebooks were back in use by staff.
"Much of what happened that first week is mostly a fog for me, but my management will not forget the urgency each and every one of you accomplished to give us our business back. I have trusted Progent for at least 10 years, possibly more, and each time Progent has impressed me and delivered as promised. This situation was no exception but maybe more Herculean."
A probable company-ending disaster was averted thanks to hard-working professionals, a wide spectrum of expertise, and close teamwork. In hindsight, the ransomware attack described here would have been stopped by modern cybersecurity solutions and recognized best practices: user training, well-thought-out security procedures for data protection, and keeping systems current with security patches. The fact remains, however, that state-sponsored hackers from Russia, China and elsewhere are tireless and will keep attacking. If you do fall victim to a ransomware attack, you can be confident that Progent's roster of experts has a proven track record in crypto-ransomware defense, cleanup, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were helping), thank you for letting me get some sleep after we got past the initial push. Everyone made an incredible effort, and if any of you guys are around the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer case study, see:
Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB)
Contact Progent for Ransomware Cleanup Expertise in Barueri-Alphaville
For ransomware cleanup expertise in the Barueri-Alphaville metro area, call Progent at 800-462-8800 or go to Contact Progent.