Crypto-Ransomware: Your Crippling IT Disaster
Crypto-ransomware has become an escalating cyberplague that poses an existential danger for any business vulnerable to an attack. Multiple generations of ransomware, including the Reveton, CryptoWall, Locky, Syskey and MongoLock cryptoworms, have been around for many years and continue to inflict havoc. Modern crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, plus additional as yet unnamed strains, not only encrypt online data but also compromise any reachable system protection mechanisms. Data synchronized to cloud environments can also be rendered useless. In a poorly architected environment, this can make restore operations impossible and effectively set the datacenter back to zero.
Restoring services and data after a ransomware attack becomes a race against time as the targeted organization tries to contain the damage, remove the malware, and resume mission-critical operations. Because crypto-ransomware needs time to move laterally, attacks are frequently launched during nights and weekends, when intrusions may take longer to identify. This compounds the difficulty of quickly marshalling and organizing a capable mitigation team.
Progent offers a variety of services for protecting Uberlândia enterprises from ransomware intrusions. Among these are staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of modern security gateways that use machine learning technology to rapidly detect and disable zero-day threats. Progent also offers the assistance of veteran ransomware recovery engineers with the track record and perseverance to reconstruct a breached system as quickly as possible.
Progent's Ransomware Restoration Support Services
Following a crypto-ransomware intrusion, paying the ransom in Bitcoin does not guarantee that the criminal gang will return the keys needed to decrypt any or all of your files. Kaspersky found that 17 percent of crypto-ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also very costly. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000). This is far above the typical ransomware demand, which ZDNET estimated to be around $13,000 for smaller businesses. The alternative is to rebuild the essential parts of your IT environment. Without access to complete data backups, this requires a wide range of skills, professional project management, and the capacity to work non-stop until the job is done.
For two decades, Progent has provided certified expert IT services for businesses throughout the United States and has achieved Microsoft's Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who hold high-level certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications.) Progent also has experience with financial systems and ERP application software. This breadth of experience gives Progent the capability to quickly identify the systems that must be recovered, salvage the remaining components of your IT environment following a ransomware intrusion, and rebuild them into an operational network.
Progent's security team uses powerful project management tools to orchestrate the complicated recovery process. Progent understands the urgency of working swiftly and in concert with a client's management and IT staff to prioritize tasks and put critical services back online as soon as humanly possible.
Client Story: A Successful Ransomware Intrusion Response
A small business engaged Progent after the company was attacked by the Ryuk ransomware. Ryuk is thought to have been created by North Korean government-sponsored hackers, possibly adopting techniques leaked from the U.S. NSA. Ryuk targets specific organizations with little tolerance for operational disruption and is among the most lucrative ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in Chicago with about 500 staff members. The Ryuk intrusion had halted all company operations and manufacturing capabilities. Most of the client's backups had been online at the start of the attack and were encrypted. The client was pursuing financing to pay the ransom demand (in excess of $200,000) and hoping for good luck, but ultimately engaged Progent.
"I cannot tell you enough about the expertise Progent provided us during the most fearful time of (our) company's life. We had little choice but to pay the criminal gangs except for the confidence the Progent group afforded us. The fact that you were able to get our messaging and important applications back into operation in less than one week was earth shattering. Every single expert I got help from or messaged at Progent was totally committed to getting our system up and was working 24 by 7 to bail us out."
Progent worked with the customer to quickly assess and prioritize the mission-critical services that had to be recovered before departmental functions could restart:
- Microsoft Active Directory
- Microsoft Exchange Email
To start, Progent followed industry best practices for anti-virus/malware incident containment by isolating and disinfecting systems. Progent then began the task of recovering Microsoft Active Directory (AD), the foundation of enterprise environments built on Microsoft technology. Microsoft Exchange Server messaging will not operate without AD, and the client's MRP system used SQL Server, which depends on Active Directory for access to its databases.
In less than 2 days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then began rebuilding and recovering the disks of the required systems. All Exchange schema extensions and attributes were intact, which greatly simplified the Exchange restore. Progent was also able to find intact OST files (Outlook Offline Data Files) on staff PCs and laptops and used them to recover email data. A reasonably recent offline backup of the business's financial/MRP systems made it possible to bring these essential applications back to users. Although a large amount of work still had to be done to recover fully from the Ryuk attack, the most important services were returned to operation rapidly:
"For the most part, the manufacturing operation showed little impact and we delivered all customer sales."
Over the following couple of weeks, important milestones in the recovery project were achieved through close collaboration between Progent consultants and the customer:
- Internal web sites were brought back up without losing any data.
- The MailStore Exchange archive server, holding more than 4 million archived messages, was brought back up and made available to users.
- CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivable (AR)/Inventory Control capabilities were 100 percent recovered.
- A new Palo Alto Networks 850 security appliance was installed.
- Ninety percent of the desktops and laptops were operational.
"So much of what transpired in the early hours is nearly entirely a fog for me, but my management will not forget the dedication each member of your team showed to give us our company back. I have trusted Progent for the past 10 years, possibly more, and each time Progent has outperformed my expectations and delivered as promised. This event was a testament to your capabilities."
A potentially business-ending disaster was averted thanks to top-tier professionals, a broad range of technical expertise, and close collaboration. In retrospect, the ransomware attack described here would have been identified and prevented by current cyber security technology and best practices, staff education, well-designed incident response and backup procedures, and keeping systems up to date with security patches. The reality remains, however, that government-sponsored cyber criminals from Russia, China and elsewhere are tireless and will keep attacking. If you do fall victim to ransomware, remember that Progent's roster of experts has a proven track record in crypto-ransomware blocking, cleanup, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were helping), I'm grateful for letting me get some sleep after we got over the initial push. All of you made an impressive effort, and if any of you guys are around the Chicago area, dinner is on me!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer case study, click: Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Restoration Consulting Services in Uberlândia
For ransomware system restoration consulting services in the Uberlândia area, call Progent at 800-462-8800 or go to Contact Progent.