Crypto-Ransomware: Your Worst IT Nightmare
Crypto-ransomware has become a modern cyber pandemic that poses an enterprise-level threat to businesses unprepared for an attack. Older families such as Dharma, Fusob, Bad Rabbit, Syskey and MongoLock have been circulating for a long time and still cause havoc. Newer families such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Egregor, along with a steady stream of as yet unnamed malware, not only encrypt online files but also seek out and encrypt every system backup they can reach. Files replicated to cloud environments can be ransomed as well. In a poorly designed environment this renders automatic restore operations useless and effectively knocks the datacenter back to square one.
Restoring applications and data after a ransomware attack becomes a race against the clock as the victim fights to contain and remove the ransomware and to resume enterprise-critical operations. Because ransomware takes time to spread, attacks are frequently sprung on weekends, when a successful penetration tends to take longer to uncover. This multiplies the difficulty of promptly assembling and coordinating a qualified mitigation team.
Progent offers a variety of services for protecting Omaha businesses from ransomware attacks. These include team member training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of next-generation security solutions that use machine learning to quickly detect and suppress zero-day threats. Progent also provides the assistance of veteran ransomware recovery professionals with the skill and perseverance to restore a compromised environment as rapidly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware penetration, paying the ransom in cryptocurrency provides no assurance that the criminal gang will hand over the keys to decrypt all your data. Kaspersky Labs estimated that 17% of ransomware victims never recovered their files even after paying the ransom, compounding their losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is well above the usual crypto-ransomware demand, which ZDNET estimated at approximately $13,000 for small organizations. The alternative is to piece the critical parts of your IT environment back together. Without full system backups, this calls for a broad complement of IT skills, professional project management, and the willingness to work around the clock until the recovery project is complete.
For twenty years, Progent has provided expert IT services to businesses throughout the United States and has achieved Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals holding top certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security engineers have earned internationally recognized certifications including CISM, CISSP, CRISC, and SANS GIAC (refer to Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of experience gives Progent the skills to rapidly identify critical systems, consolidate the remaining components of your IT environment after a ransomware event, and rebuild them into a functioning network.
Progent's ransomware recovery team uses state-of-the-art project management tools to coordinate the complex restoration process. Progent understands the importance of acting swiftly and in unison with a client's management and IT staff to prioritize tasks and bring critical systems back online as fast as humanly possible.
Case Study: A Successful Ransomware Penetration Restoration
A customer contacted Progent after their network was penetrated by the Ryuk ransomware. Ryuk is generally believed to have been created by North Korean state-sponsored hackers, possibly adopting algorithms leaked from the United States NSA. Ryuk targets specific companies with little tolerance for operational disruption and is among the most lucrative ransomware families. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company located in Chicago with about 500 employees. The Ryuk intrusion had paralyzed all company operations and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were encrypted. The client was actively seeking loans to pay the ransom demand (exceeding $200K) and hoping for the best, but ultimately engaged Progent.
"I can't speak enough in regards to the care Progent provided us during the most stressful time of (our) company's existence. We would have paid the criminal gangs if not for the confidence the Progent team provided us. That you could get our e-mail and essential servers back on-line faster than five days was amazing. Every single consultant I got help from or e-mailed at Progent was totally committed to getting us working again and was working 24 by 7 to bail us out."
Progent worked with the client to rapidly identify and prioritize the key services that had to be restored before departmental operations could resume:
- Microsoft Active Directory
- Microsoft Exchange Email
- MRP System
To start, Progent followed ransomware incident response best practices by stopping the spread and disinfecting systems. Progent then began rebuilding Active Directory, the foundation of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange email will not work without Windows AD, and the customer's financials and MRP system ran on Microsoft SQL Server, which relies on Active Directory for authentication and authorization to the data.
Within 48 hours, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then helped rebuild and recover storage for the most important servers. All Microsoft Exchange Server schema and configuration information was intact, which simplified the Exchange rebuild. Progent was also able to locate unencrypted OST files (Outlook offline folder files) on staff workstations and use them to recover mail messages. A recent offline backup of the client's accounting/ERP systems enabled those vital services to be brought back online. Although significant work remained to recover fully from the Ryuk attack, essential services were returned to operation rapidly:
"For the most part, the production manufacturing operation never missed a beat and we produced all customer orders."
Over the next few weeks, important milestones in the recovery process were reached in close collaboration between Progent team members and the client:
- Internal web sites were returned to operation with no loss of data.
- The MailStore Server archive, holding more than four million historical messages, was restored to operation and made accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory capabilities were completely functional.
- A new Palo Alto 850 firewall was installed and configured.
- Most of the user PCs were operational.
"A huge amount of what transpired in the initial days is nearly entirely a fog for me, but my team will not forget the countless hours each of the team accomplished to give us our company back. I have been working together with Progent for the past ten years, possibly more, and every time Progent has outperformed my expectations and delivered as promised. This time was the most impressive ever."
A potentially business-killing catastrophe was averted thanks to hard-working professionals, a wide range of technical expertise, and close teamwork. In hindsight, the crypto-ransomware attack described here would have been blocked by up-to-date cyber security technology and recognized best practices: team training, well designed procedures for data backup, and timely application of software patches. Even so, state-sponsored cyber criminals from China, North Korea and elsewhere are relentless and will keep trying. If you are hit by a ransomware incursion, you can be confident that Progent's roster of experts has extensive experience in ransomware blocking, cleanup, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were helping), thank you for letting me get rested after we made it over the most critical parts. Everyone did a fabulous effort, and if any of your team is around the Chicago area, dinner is my treat!"
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)