Crypto-Ransomware : Your Crippling IT Catastrophe
Crypto-ransomware has become an all-too-frequent cyber plague that poses an existential danger to businesses vulnerable to an attack. Multiple generations of ransomware such as the CryptoLocker, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been in the wild for a long time and still cause destruction. Modern strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, plus frequent unnamed newcomers, not only encrypt critical online data but also infect any accessible system backups. Files synchronized to off-site disaster recovery sites can also be encrypted. In a poorly designed environment, this can render automatic restoration useless and essentially sets the datacenter back to square one.
Getting online services and information back after a ransomware event becomes a race against time as the victim fights to stop the spread, clear the ransomware, and resume business-critical activity. Because crypto-ransomware requires time to spread, attacks are often launched during nights and weekends, when successful intrusions tend to take longer to recognize. This compounds the difficulty of quickly marshalling and coordinating a knowledgeable mitigation team.
Progent makes available an assortment of support services for protecting Los Angeles enterprises from ransomware attacks. Among these are staff education to become familiar with and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of next-generation security solutions with artificial intelligence capabilities to rapidly discover and quarantine new cyber threats. Progent also offers the assistance of expert ransomware recovery professionals with the skills and perseverance to re-deploy a compromised network as rapidly as possible.
Progent's Ransomware Recovery Services
Following a crypto-ransomware attack, even paying the ransom in Bitcoin cryptocurrency does not guarantee that the remote criminals will provide the codes needed to decrypt any or all of your files. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their information after sending off the ransom, resulting in increased losses. Paying is also costly in itself. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far higher than the average ransomware demand, which ZDNET estimated to be in the range of $13,000 for small businesses. The alternative is to re-install the mission-critical components of your Information Technology environment. Without access to complete information backups, this calls for a broad range of skill sets, professional team management, and the ability to work 24x7 until the recovery project is finished.
For twenty years, Progent has offered expert Information Technology services for businesses across the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have earned high-level industry certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have earned internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise in accounting and ERP applications. This breadth of expertise gives Progent the capability to quickly identify the necessary systems, integrate the surviving components of your IT environment following a crypto-ransomware event, and assemble them into a functioning system.
Progent's security group has powerful project management tools to coordinate the sophisticated recovery process. Progent knows the urgency of acting quickly and in unison with a client's management and IT staff to prioritize tasks and to put the most important systems back on line as fast as possible.
Case Study: A Successful Ransomware Attack Recovery
A small business contacted Progent after their network was taken over by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean government-sponsored cybercriminals, possibly adopting technology leaked from the United States National Security Agency. Ryuk targets specific companies with little or no tolerance for operational disruption and is one of the most lucrative iterations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in Chicago with around 500 staff members. The Ryuk event had frozen all company operations and manufacturing processes. The majority of the client's information backups had been online at the time of the intrusion and were eventually encrypted. The client was preparing to pay the ransom demand (more than two hundred thousand dollars) and hope for the best, but ultimately turned to Progent.
"I cannot speak enough in regards to the expertise Progent gave us during the most stressful period of (our) business's survival. We would have paid the criminal gangs except for the confidence the Progent team provided us. The fact that you could get our e-mail system and key applications back in less than one week was amazing. Each consultant I interacted with or e-mailed at Progent was hell bent on getting us back online and was working 24 by 7 to bail us out."
Progent worked with the client to rapidly understand and prioritize the most important services that had to be recovered in order to continue business operations:
- Microsoft Active Directory
- Electronic Messaging
To begin, Progent adhered to industry best practices for AV/malware incident response by stopping the spread and cleaning systems of malware. Progent then started the process of bringing Microsoft Active Directory back online, the core of enterprise networks built on Microsoft technology. Microsoft Exchange messaging will not function without Windows AD, and the business's accounting and MRP software used Microsoft SQL Server, which relies on Active Directory for authentication and authorization of access to the data.
Within 2 days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then completed setup and hard drive recovery of essential applications. All Exchange ties and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to locate non-encrypted OST data files (Outlook Off-Line Folder Files) on team PCs to recover mail information. A relatively recent off-line backup of the business's financials/MRP systems made it possible to bring these essential programs back online. Although a lot of work remained to recover fully from the Ryuk event, the most important services were recovered rapidly:
"For the most part, the assembly line operation did not miss a beat and we produced all customer deliverables."
During the next month important milestones in the restoration process were completed in close collaboration between Progent team members and the customer:
- Self-hosted web applications were restored without losing any information.
- The MailStore archive for Microsoft Exchange Server, holding more than four million historical emails, was brought online and made accessible to users.
- CRM/Orders/Invoices/Accounts Payable (AP)/AR/Inventory Control modules were 100 percent functional.
- A new Palo Alto 850 firewall was brought on-line.
- Most user workstations were back in use by staff.
"A huge amount of what happened in the early hours is nearly entirely a fog for me, but I will not soon forget the countless hours each of your team put in to help get our company back. I have been working together with Progent for the past ten years, maybe more, and every time Progent has come through and delivered as promised. This event was a Herculean accomplishment."
A probable business-extinction catastrophe was averted thanks to results-oriented experts, a wide spectrum of knowledge, and close teamwork. Although in retrospect the ransomware intrusion described here should have been prevented with modern cyber security systems and ISO/IEC 27001 best practices, user training, and well-designed security procedures for data backup and proper patching controls, the fact remains that state-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and are not going away. If you do get hit by a crypto-ransomware incident, remember that Progent's roster of professionals has a proven track record in ransomware defense, removal, and file recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thanks very much for allowing me to get some sleep after we got through the initial push. Everyone made an amazing effort, and if any of your guys are visiting the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)