Crypto-Ransomware : Your Crippling Information Technology Nightmare
Crypto-ransomware has become an all-too-frequent cyberplague that poses an existential threat to organizations poorly prepared for an attack. Earlier ransomware families such as the CryptoLocker, WannaCry, Locky, Syskey and MongoLock cryptoworms have been replicating for a long time and continue to cause havoc. Newer variants like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Nephilim, along with many unnamed strains, not only encrypt critical online data but also seek out and corrupt every accessible system restore point and backup. Data synced to cloud environments can be ransomed as well. In a vulnerable environment this can make automated restore operations impossible and effectively sets the network back to zero.
Getting applications and data back online after a ransomware intrusion becomes a race against time as the targeted organization tries to stop the spread, clear the malware, and restore business-critical activity. Because ransomware takes time to spread, attacks are usually launched on weekends and holidays, when a successful intrusion often takes longer to notice. This compounds the difficulty of rapidly assembling and coordinating a capable mitigation team.
Progent offers an assortment of services for protecting Schaumburg organizations from ransomware events. These include staff education to recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and the deployment of modern security gateways with artificial intelligence capabilities that can rapidly detect and quarantine zero-day threats. Progent also provides the assistance of seasoned ransomware recovery engineers with the skills and commitment to restore a breached environment as rapidly as possible.
Progent's Ransomware Restoration Services
After a crypto-ransomware attack, paying the ransom in Bitcoin does not guarantee that the criminals will respond with the keys needed to decrypt all of your information. Kaspersky Labs found that seventeen percent of ransomware victims never recovered their files even after paying the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET estimated at around $13,000 for small businesses. The other path is to rebuild the critical elements of your IT environment. Without access to usable system backups, this requires a broad range of skill sets, professional project management, and the capability to work non-stop until the task is done.
For decades, Progent has offered professional Information Technology services to businesses across the U.S. and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold high-level certifications in leading technologies from Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have earned internationally recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise with financial systems and ERP software solutions. This breadth of expertise allows Progent to quickly identify critical systems, salvage the surviving pieces of your IT environment after a ransomware event, and rebuild them into a functioning system.
Progent's security team uses top-notch project management applications to coordinate the complex restoration process. Progent knows the urgency of working quickly and in unison with a customer's management and IT staff to prioritize tasks and put essential applications back online as fast as humanly possible.
Case Study: A Successful Ransomware Incident Restoration
A small business sought out Progent after their organization was brought down by the Ryuk ransomware virus. Ryuk is thought to have been deployed by North Korean state-sponsored hackers, possibly using technology leaked from America's National Security Agency. Ryuk targets specific organizations with limited ability to sustain operational disruption and is one of the most lucrative examples of crypto-ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer based in Chicago with around 500 workers. The Ryuk intrusion had paralyzed all essential operations and manufacturing processes. Most of the client's backups had been online at the start of the attack and were damaged. The client was actively seeking loans to pay the ransom (more than $200K) and hoping for good luck, but ultimately called Progent.
"I can't speak enough about the help Progent gave us during the most stressful time of (our) business's survival. We had little choice but to pay the Hackers except for the confidence the Progent group gave us. That you could get our messaging and key servers back into operation quicker than one week was something I thought impossible. Each person I talked with or e-mailed at Progent was urgently focused on getting us back online and was working at breakneck pace to bail us out."
Progent worked hand in hand with the client to rapidly identify and prioritize the mission-critical systems that had to be recovered before company functions could resume:
- Active Directory
- Exchange Server
- Accounting and Manufacturing Software
To begin, Progent followed antivirus/malware incident mitigation best practices by stopping lateral movement and cleaning up infected systems. Progent then started the task of recovering Microsoft Active Directory (AD), the foundation of enterprise networks built on Microsoft Windows Server technology. Exchange messaging will not function without AD, and the business's financial and MRP systems ran on Microsoft SQL Server, which depends on Windows AD for authenticated access to the databases.
Within 48 hours, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then helped perform reinstallations and hard drive recovery of essential applications. All Exchange Server data and configuration information were intact, which greatly sped up the rebuild of Exchange. Progent was able to gather local OST files (Microsoft Outlook Offline Data Files) from various workstations in order to recover email content. A recent offline backup of the customer's accounting/ERP software made it possible to return these essential applications to users. Although a great deal of work remained to recover fully from the Ryuk virus, the most important services were restored rapidly:
"For the most part, the assembly line operation never missed a beat and we produced all customer sales."
Throughout the following month, critical milestones in the recovery project were reached through close collaboration between Progent consultants and the client:
- Self-hosted web applications were restored without losing any data.
- The MailStore Microsoft Exchange Server with over four million historical emails was brought on-line and available for users.
- CRM/Customer Orders/Invoices/AP/AR/Inventory Control modules were 100% operational.
- A new Palo Alto Networks 850 firewall was installed and configured.
- Ninety percent of the desktops and laptops were functioning as before the incident.
"So much of what occurred in the early hours is mostly a blur for me, but my team will not forget the commitment each and every one of you accomplished to give us our business back. I've been working with Progent for the past ten years, maybe more, and every time I needed help Progent has shined and delivered as promised. This event was the most impressive ever."
A probable company-ending catastrophe was averted by hard-working professionals, a wide array of IT skills, and tight teamwork. In retrospect, the ransomware attack described here would have been identified and contained with modern security technology, security best practices, staff training, appropriate incident response procedures for information protection, and proper patch management. Even so, government-sponsored hackers from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you are hit by ransomware, remember that Progent's team of experts has extensive experience in ransomware blocking, mitigation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for letting me get rested after we made it over the initial push. Everyone did an amazing effort, and if any of your guys is visiting the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)