Crypto-Ransomware : Your Crippling Information Technology Catastrophe
Ransomware has become an all-too-frequent cyber pandemic that represents an existential threat for organizations vulnerable to an assault. Multiple generations of ransomware such as the CrySIS, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for many years and still cause harm. Modern variants such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, along with other less publicized strains, not only encrypt online files but also encrypt any system backups they can reach. Files synchronized to off-site disaster recovery sites can be encrypted as well. When the backup solution itself is exposed in this way, automated recovery can become hopeless, effectively setting the datacenter back to square one.
Restoring applications and data after a ransomware outage becomes a race against the clock as the victim works to stop the spread, eradicate the ransomware, and restore business-critical activity. Because ransomware needs time to spread, attacks are frequently launched on weekends and holidays, when they tend to take longer to detect. This multiplies the difficulty of quickly marshalling and orchestrating a capable response team.
Progent offers an assortment of services for protecting Omaha organizations from crypto-ransomware attacks. These include staff education to help employees recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and the setup and configuration of modern security solutions that use AI technology to detect and quarantine zero-day attacks. Progent can also provide expert crypto-ransomware recovery consultants with the skills and commitment to rebuild a compromised environment as quickly as possible.
Progent's Crypto-Ransomware Restoration Help
After a crypto-ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminals will return the keys needed to decrypt any or all of your files. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their files even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the typical ransomware demand, which ZDNET determined to be approximately $13,000 for smaller businesses. The alternative is to rebuild the vital components of your IT environment. Without full data backups, this calls for a broad range of skill sets, professional project management, and the willingness to work non-stop until the job is complete.
For twenty years, Progent has provided professional IT services to businesses across the United States and has earned Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who hold advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security experts hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise with accounting and ERP software. This breadth of expertise gives Progent the ability to quickly identify important systems after a ransomware event, salvage the remaining pieces of your IT environment, and reassemble them into a working system.
Progent's ransomware team uses robust project management tools to orchestrate the complex restoration process. Progent understands the urgency of acting quickly and works together with the client's management and IT staff to prioritize tasks and bring key services back online as soon as humanly possible.
Customer Story: A Successful Ransomware Penetration Response
A business sought out Progent after its network was penetrated by the Ryuk crypto-ransomware. Ryuk is generally considered to have been developed by North Korean government-sponsored criminal gangs, possibly using technology leaked from America's National Security Agency. Ryuk targets specific organizations with limited tolerance for operational disruption and is one of the most profitable ransomware families. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in the Chicago metro area with around 500 employees. The Ryuk event had brought down all company operations and manufacturing capabilities. Most of the client's data backups had been online at the time of the intrusion and were damaged. The client was arranging financing to pay the ransom (exceeding two hundred thousand dollars) and hoping for good luck, but in the end brought in Progent.
"I cannot tell you enough in regards to the support Progent provided us throughout the most fearful period of (our) company's survival. We had little choice but to pay the cybercriminals if not for the confidence the Progent experts gave us. That you were able to get our e-mail and production applications back on-line in less than 1 week was earth shattering. Each staff member I worked with or communicated with at Progent was urgently focused on getting us back on-line and was working day and night on our behalf."
Progent worked hand in hand with the customer to quickly identify and prioritize the key systems that had to be addressed in order to resume company operations:
- Active Directory (AD)
- Electronic Mail
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for malware incident response by isolating the affected systems and cleaning them of the virus. Progent then started rebuilding Active Directory, the core of enterprise environments built on Microsoft technology. Exchange messaging will not operate without AD, and the client's MRP system ran on Microsoft SQL Server, which relies on Windows AD to authorize access to its data.
Within 48 hours, Progent had restored Windows Active Directory to its pre-attack state. Progent then carried out reinstallations and disk recovery for mission-critical applications. All Microsoft Exchange Server schema and configuration information was intact, which accelerated the rebuild of Exchange. Progent was also able to collect intact OST files (Outlook offline folder files) from user PCs in order to recover mail data. A recent offline backup of the client's accounting/MRP systems made it possible to bring these essential applications back to users. Although a great deal of work remained to recover fully from the Ryuk attack, the most important services were returned to operation rapidly:
"For the most part, the production operation did not miss a beat and we did not miss any customer sales."
Over the following month, key milestones in the restoration project were reached in close collaboration between Progent consultants and the client:
- Internal web sites were restored without losing any information.
- The MailStore server archiving Exchange mail, holding more than 4 million historical emails, was brought online and made available to users.
- CRM/Orders/Invoices/Accounts Payable/AR/Inventory Control modules were fully restored.
- A new Palo Alto 850 firewall was deployed.
- Most of the user workstations were fully operational.
"A lot of what occurred in the early hours is mostly a fog for me, but my team will not forget the countless hours each of the team put in to give us our business back. I have entrusted Progent for the past ten years, maybe more, and each time I needed help Progent has impressed me and delivered. This event was a life saver."
A likely business-ending disaster was averted thanks to top-tier experts, a wide array of subject matter expertise, and close teamwork. Forensics showed that the ransomware incident described here could have been detected and stopped with current security solutions and best practices, staff training, and well thought out procedures for backup and patch management. Nevertheless, state-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware attack, be assured that Progent's team of experts has a proven track record in ransomware defense, mitigation, and data disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), I'm grateful for letting me get rested after we got over the most critical parts. All of you did an incredible effort, and if anyone that helped is visiting the Chicago area, a great meal is the least I can do!"
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this ransomware incident report, see Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware Cleanup Expertise in Omaha
For ransomware recovery expertise in the Omaha area, call Progent at 800-462-8800 or go to Contact Progent.