Crypto-Ransomware: Your Crippling IT Disaster
Ransomware has become an escalating cyberplague that represents an existential danger for organizations unprepared for an attack. Multiple generations of ransomware such as the Reveton, Fusob, Locky, SamSam and MongoLock cryptoworms have been around for a long time and still inflict damage. More recent strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nefilim, as well as newer strains that have not yet been named, not only encrypt online files but also infiltrate all reachable system restore points and backups. Information replicated to cloud environments can also be rendered useless. In a poorly architected system, this can make any recovery impossible and basically sets the network back to square one.
Getting services and data back online after a ransomware intrusion becomes a race against the clock as the targeted organization fights to stop lateral movement, clean the virus from its systems, and resume business-critical activity. Because ransomware needs time to move laterally, attacks are frequently sprung at night, when they often take longer to notice. This multiplies the difficulty of quickly mobilizing and orchestrating a knowledgeable mitigation team.
Progent offers a range of services for protecting Alexandria enterprises from ransomware events. These include team training to recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security solutions with machine learning technology to quickly discover and extinguish new cyber attacks. Progent can also provide experienced ransomware recovery engineers with the skills and perseverance to rebuild a compromised network as soon as possible.
Progent's Ransomware Recovery Help
After a ransomware penetration, paying the ransom in cryptocurrency provides no assurance that the cyber hackers will return the keys to decrypt any or all of your data. Kaspersky estimated that seventeen percent of crypto-ransomware victims never restored their data even after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly above the average crypto-ransomware demand, which ZDNET determined to be around $13,000 for small organizations. The other path is to set up the critical components of your IT environment from scratch. Absent full system backups, this calls for a broad complement of skill sets, top-notch team management, and the capability to work continuously until the task is complete.
For two decades, Progent has offered expert IT services for companies across the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have earned advanced certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have garnered internationally renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise with financial management and ERP software solutions. This breadth of experience gives Progent the ability to rapidly identify critical systems following a crypto-ransomware attack, integrate the remaining pieces of your network, and configure them into a functioning system.
Progent's ransomware team of experts uses state-of-the-art project management tools to coordinate the complex restoration process. Progent appreciates the urgency of working swiftly and in unison with a client's management and IT staff to prioritize tasks and to put critical systems back on line as soon as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Penetration Recovery
A business contacted Progent after their network was attacked by Ryuk crypto-ransomware. Ryuk is generally considered to have been launched by North Korean state-sponsored hackers, suspected of adopting algorithms leaked from America's NSA. Ryuk seeks out specific businesses with little or no tolerance for disruption and is one of the most lucrative incarnations of crypto-ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing business located in Chicago with about 500 workers. The Ryuk penetration had shut down all essential operations and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were destroyed. The client was actively seeking loans to pay the ransom demand (more than $200K) and hoping for the best, but in the end brought in Progent.
"I cannot say enough about the support Progent provided us throughout the most fearful period of (our) company's survival. We had little choice but to pay the cyber criminals behind the attack except for the confidence the Progent experts provided us. The fact that you could get our e-mail system and production applications back into operation faster than one week was something I thought impossible. Each staff member I got help from or messaged at Progent was urgently focused on getting our system up and was working at breakneck pace on our behalf."
Progent worked hand in hand with the customer to rapidly identify and prioritize the critical systems that had to be restored to make it possible to resume departmental functions:
- Active Directory (AD)
- Exchange Server
- Accounting and Manufacturing Software
To start, Progent adhered to anti-virus incident mitigation best practices by stopping the spread and cleaning systems of the virus. Progent then began the steps of restoring Active Directory, the heart of enterprise systems built upon Microsoft technology. Microsoft Exchange email will not operate without Windows AD, and the business's accounting and MRP software used Microsoft SQL Server, which relies on Active Directory for authentication to the databases.
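The dependency order above (Active Directory first, then Exchange and the SQL-backed accounting and MRP applications) implies a gate: nothing that authenticates against the domain should be brought back until the rebuilt domain controllers are actually serving. The following PowerShell readiness check is an added example written for this page, not Progent's own tooling. It assumes a recovery workstation joined to the restored domain, the RSAT ActiveDirectory module, and Windows PowerShell 5.1 (for Get-Service -ComputerName); the service and port lists are the standard ones for a domain controller.

```powershell
# Added example (not Progent's code): gate the Exchange/SQL restores on Active Directory health.
# Assumes RSAT ActiveDirectory module and Windows PowerShell 5.1 on a domain-joined recovery host.
Import-Module ActiveDirectory

$RequiredServices = 'NTDS', 'Netlogon', 'DNS', 'Kdc'   # core domain controller services
$RequiredPorts    = 88, 389, 445, 636                    # Kerberos, LDAP, SMB (SYSVOL), LDAPS

$report = foreach ($dc in (Get-ADDomainController -Filter *)) {
    $name = $dc.HostName

    # 1. Core services must be running on the DC
    $stopped = Get-Service -ComputerName $name -Name $RequiredServices -ErrorAction SilentlyContinue |
        Where-Object Status -ne 'Running' |
        Select-Object -ExpandProperty Name

    # 2. Authentication and directory ports must be reachable from the recovery host
    $closedPorts = foreach ($port in $RequiredPorts) {
        $open = Test-NetConnection -ComputerName $name -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
        if (-not $open) { $port }
    }

    # 3. The DC must not be reporting replication failures with its partners
    $replFailures = @(Get-ADReplicationFailure -Target $name -ErrorAction SilentlyContinue).Count

    [pscustomobject]@{
        DomainController    = $name
        StoppedServices     = ($stopped -join ',')
        UnreachablePorts    = ($closedPorts -join ',')
        ReplicationFailures = $replFailures
        Ready               = (-not $stopped) -and (-not $closedPorts) -and ($replFailures -eq 0)
    }
}

$report | Format-Table -AutoSize

# 4. The recovery host itself needs a valid secure channel to the domain; if it cannot
#    authenticate, rebuilt application servers will not be able to either.
$secureChannel = Test-ComputerSecureChannel -ErrorAction SilentlyContinue

if (($report | Where-Object { -not $_.Ready }) -or -not $secureChannel) {
    Write-Warning 'Active Directory is not ready; hold the Exchange and SQL application restores.'
    exit 1
}
Write-Output 'Active Directory checks passed; dependent services can be restored.'
```

Run it from the recovery workstation after every domain controller change and keep the CSV-style output with the incident record; in a single-DC domain the replication check is vacuous, so the service, port and secure-channel checks carry the decision.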
In less than 48 hours, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then proceeded with rebuilding and hard drive recovery for critical applications. All Exchange Server data and configuration information were intact, which accelerated the restore of Exchange. Progent was also able to locate non-encrypted OST files (Microsoft Outlook Offline Folder Files) on user workstations to recover mail data. A reasonably recent offline backup of the customer's accounting/ERP software made it possible to bring these essential services back online for users. Although a large amount of work remained to recover completely from the Ryuk event, core systems were restored rapidly:
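The OST recovery step above depends on quickly knowing which workstations still hold an intact Outlook cache. The script below is an added example for this page, not Progent's own tooling: it inventories .ost files under assumed search roots and checks that each still begins with the PST/OST file signature "!BDN" (bytes 0x21 0x42 0x44 0x4E), which a file whose contents were overwritten by ransomware will no longer carry. The search roots and report path are assumptions.

```powershell
# Added example (not Progent's code): inventory Outlook OST files on a workstation and flag
# those whose header no longer matches the PST/OST signature "!BDN". Paths are assumptions.
param(
    [string[]]$SearchRoots = @("$env:LOCALAPPDATA\Microsoft\Outlook", 'C:\Users'),
    [string]$ReportPath    = "$env:TEMP\ost-inventory.csv"
)

$ExpectedMagic = [byte[]](0x21, 0x42, 0x44, 0x4E)   # "!BDN"

function Test-OstHeader {
    param([string]$Path)
    $buffer = New-Object byte[] 4
    # Open with FileShare ReadWrite so a running Outlook holding the file does not block the read
    $stream = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $read = $stream.Read($buffer, 0, 4)
    } finally {
        $stream.Dispose()
    }
    if ($read -lt 4) { return $false }
    for ($i = 0; $i -lt 4; $i++) {
        if ($buffer[$i] -ne $ExpectedMagic[$i]) { return $false }
    }
    return $true
}

$results = foreach ($root in $SearchRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Filter '*.ost' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path         = $_.FullName
                SizeMB       = [math]::Round($_.Length / 1MB, 1)
                LastWrite    = $_.LastWriteTime
                HeaderIntact = Test-OstHeader -Path $_.FullName
            }
        }
}

# Files failing the header check sort first so they are easy to spot in the console
$results | Sort-Object HeaderIntact, Path | Format-Table -AutoSize
$results | Export-Csv -Path $ReportPath -NoTypeInformation
```

Two caveats when reading the report: ransomware families that rename victims' files will not match the *.ost filter, so such caches show up as absent rather than as a header failure, and an intact header only proves the file was not overwritten, so the file should still be copied to clean storage before any mailbox import is attempted.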
"For the most part, the manufacturing operation ran fairly normal throughout and we delivered all customer deliverables."
Over the next few weeks, key milestones in the restoration process were reached in close cooperation between Progent consultants and the customer:
- Internal web applications were returned to operation with no loss of information.
- The MailStore Exchange Server containing more than four million historical emails was spun up and accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory modules were 100% operational.
- A new Palo Alto 850 security appliance was brought on-line.
- Most of the desktops and laptops were being used by staff.
"A lot of what went on those first few days is nearly entirely a fog for me, but my management will not forget the dedication each of you put in to give us our company back. I have been working together with Progent for at least 10 years, maybe more, and every time Progent has impressed me and delivered as promised. This time was no exception, but maybe more Herculean."
A likely enterprise-killing disaster was averted by results-oriented professionals, a wide range of knowledge, and tight teamwork. Although in retrospect the ransomware attack described here would have been prevented with current cyber security technology solutions and best practices, user training, and appropriate procedures for information backup and patching controls, the reality remains that government-sponsored hackers from Russia, North Korea and elsewhere are relentless and will continue to attack. If you do get hit by a ransomware incident, you can be confident that Progent's team of experts has extensive experience in ransomware virus defense, remediation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), I'm grateful for letting me get some sleep after we made it over the initial push. All of you did an incredible job, and if anyone is in the Chicago area, a great meal is on me!"
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Consulting in Alexandria
For ransomware system recovery expertise in the Alexandria area, call Progent at 800-462-8800 or go to Contact Progent.