Crypto-Ransomware : Your Feared IT Disaster
Ransomware has become a modern cyber pandemic that presents an existential threat to organizations vulnerable to an assault. Different iterations of ransomware like the CryptoLocker, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been out in the wild for years and continue to cause destruction. Newer variants of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Lockbit and Nephilim, as well as additional unnamed viruses, not only encrypt on-line data but also infect most configured system restores and backups. Data synched to the cloud can also be corrupted. In a vulnerable system, this makes automated restoration useless and effectively knocks the datacenter back to zero.
Bringing programs and information back on-line after a crypto-ransomware attack becomes a sprint against the clock as the targeted business fights to contain and remove the virus and to resume enterprise-critical activity. Because ransomware needs time to replicate, attacks are frequently sprung during nights and weekends, when they are likely to take longer to identify. This compounds the difficulty of rapidly mobilizing and orchestrating an experienced mitigation team.
Progent has a variety of solutions for securing Uberlândia enterprises from ransomware events. Among these are team training to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of modern security solutions with machine learning technology to rapidly discover and disable zero-day threats. Progent can also provide the services of experienced crypto-ransomware recovery professionals with the skills and commitment to rebuild a compromised network as urgently as possible.
Progent's Ransomware Recovery Support Services
Following a crypto-ransomware attack, sending the ransom in Bitcoin cryptocurrency does not guarantee that criminal gangs will respond with the keys to decrypt any of your data. Kaspersky determined that seventeen percent of ransomware victims never recovered their data even after having paid the ransom, resulting in further losses. Paying is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the typical crypto-ransomware demand, which ZDNET determined to be in the range of $13,000 for smaller businesses. The fallback is to piece back together the vital components of your Information Technology environment. Absent access to essential data backups, this calls for a broad range of skills, professional team management, and the willingness to work non-stop until the task is finished.
For decades, Progent has made available expert IT services for businesses throughout the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have attained high-level certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have earned internationally-renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial management and ERP application software. This breadth of expertise gives Progent the skills to quickly identify critical systems, consolidate the remaining pieces of your computer network after a ransomware attack, and rebuild them into a functioning system.
Progent's ransomware group uses state-of-the-art project management applications to orchestrate the complex recovery process. Progent appreciates the importance of acting swiftly and in unison with a client's management and Information Technology staff to prioritize tasks and to put key services back online as fast as humanly possible.
Customer Story: A Successful Crypto-Ransomware Attack Response
A customer escalated to Progent after their network was crashed by the Ryuk ransomware virus. Ryuk is believed to have been launched by North Korean government-sponsored criminal gangs, possibly adopting technology leaked from the U.S. NSA. Ryuk targets specific organizations with limited ability to sustain disruption and is one of the most lucrative iterations of ransomware malware. Major targets have included Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing company based in the Chicago metro area with about 500 staff members. The Ryuk intrusion had brought down all business operations and manufacturing processes. Most of the client's backups had been directly accessible from the network at the start of the attack and were encrypted along with the production data. The client was actively seeking loans to pay the ransom demand (more than $200K) and hoping for the best, but in the end engaged Progent.
"I can’t tell you enough about the expertise Progent gave us throughout the most fearful time of (our) company’s existence. We would have paid the cyber criminals if it wasn’t for the confidence the Progent group provided us. That you could get our e-mail system and important servers back on-line in less than five days was incredible. Every single person I spoke to or e-mailed at Progent was laser focused on getting us restored and was working all day and night to bail us out."
Progent worked hand in hand with the customer to rapidly identify and prioritize the essential services that had to be recovered to make it possible to restart business functions:
- Active Directory
- Electronic Messaging
To begin, Progent followed anti-malware intrusion mitigation best practices by isolating the infected systems and carrying out virus removal steps. Progent then started the work of recovering Active Directory, the heart of enterprise environments built upon Microsoft Windows Server technology. Microsoft Exchange Server email will not operate without AD, and the customer’s accounting and MRP system relied on Microsoft SQL Server, which depends on Windows AD to authenticate and authorize access to the data.
In less than two days, Progent was able to restore Active Directory to its pre-attack state. Progent then rebuilt the needed systems and recovered their hard drives. All Exchange data and attributes were usable, which facilitated the restore of Exchange. Progent was also able to use the local OST files (Outlook off-line data files) on staff PCs to recover email messages. A recent off-line backup of the business's accounting/MRP software made it possible to bring these vital applications back online for users. Although a large amount of work still had to be done to recover completely from the Ryuk event, core systems were returned to operation quickly:
"For the most part, the production manufacturing operation survived unscathed and we produced all customer sales."
Throughout the following month, important milestones in the recovery process were accomplished through tight cooperation between Progent consultants and the client:
- In-house web applications were returned to operation with no loss of data.
- The MailStore archive of Microsoft Exchange Server email, containing more than four million archived messages, was brought on-line and made accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory Control modules were 100% recovered.
- A new Palo Alto Networks 850 security appliance was brought online.
- Nearly all of the desktops and laptops were back in operation.
"Much of what happened that first week is nearly entirely a fog for me, but I will not soon forget the countless hours each of you accomplished to help get our company back. I have entrusted Progent for the past ten years, possibly more, and every time Progent has come through and delivered. This situation was a Herculean accomplishment."
A potential business disaster was avoided through the efforts of top-tier professionals, a broad range of IT skills, and close teamwork. Although in retrospect the crypto-ransomware intrusion described here could have been stopped with advanced cyber security solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, well-designed incident response procedures, off-line backups, and proper patching controls, the fact remains that government-sponsored cybercriminals from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware incident, remember that Progent's roster of experts has a proven track record in ransomware virus blocking, removal, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), I’m grateful for making it so I could get rested after we got over the most critical parts. Everyone did an amazing job, and if anyone is in the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)