Ransomware : Your Worst Information Technology Disaster
Crypto-ransomware has become an escalating cyberplague that presents an extinction-level danger for businesses of all sizes that are unprepared for an assault. Multiple generations of crypto-ransomware such as CryptoLocker, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been replicating for many years and continue to cause destruction. Newer versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, as well as daily as-yet-unnamed newcomers, not only encrypt online critical data but also infect most accessible system backups. Information synchronized to the cloud can also be rendered useless. In a poorly architected environment, this can make automatic recovery hopeless and basically knocks the network back to zero.
Getting applications and data back online following a ransomware outage becomes a race against time as the targeted organization tries its best to contain and clean up the virus and to resume mission-critical operations. Since ransomware takes time to move laterally, assaults are usually sprung on weekends, when penetrations are likely to take more time to detect. This compounds the difficulty of promptly assembling and organizing a capable mitigation team.
Progent offers an assortment of solutions for securing Fort Collins businesses from ransomware penetrations. Among these are staff education to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of next-generation security gateways with machine learning capabilities to quickly identify and disable zero-day cyber attacks. Progent can also provide the services of veteran crypto-ransomware recovery professionals with the track record and perseverance to rebuild a breached environment as urgently as possible.
Progent's Ransomware Restoration Help
Following a crypto-ransomware penetration, paying the ransom in cryptocurrency does not guarantee that cyber criminals will provide the keys needed to decipher any or all of your information. Kaspersky Labs determined that 17% of ransomware victims never recovered their information after having paid the ransom, resulting in further losses. The gamble is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly above the average crypto-ransomware demand, which ZDNET estimated to be in the range of $13,000 for smaller businesses. The alternative is to re-install the vital components of your Information Technology environment. Absent access to complete information backups, this requires a broad range of skill sets, top-notch team management, and the capability to work continuously until the job is complete.
For two decades, Progent has provided expert Information Technology services for companies across the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have been awarded advanced industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have earned internationally renowned industry certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience with financial systems and ERP application software. This breadth of experience gives Progent the ability to quickly understand critical systems, re-organize the surviving parts of your network environment after a ransomware event, and assemble them into a functioning network.
Progent's recovery team of experts deploys powerful project management applications to coordinate the complex restoration process. Progent understands the importance of working rapidly and in unison with a client's management and IT team members to assign priority to tasks and to get the most important applications back on line as fast as possible.
Business Case Study: A Successful Ransomware Virus Response
A client hired Progent after their company was penetrated by the Ryuk ransomware. Ryuk is believed to have been created by North Korean state criminal gangs, suspected of adopting techniques exposed from the U.S. NSA organization. Ryuk attacks specific businesses with little room for disruption and is among the most lucrative iterations of crypto-ransomware. Major victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company located in Chicago with around 500 workers. The Ryuk penetration had paralyzed all essential operations and manufacturing processes. Most of the client's information backups had been online at the beginning of the attack and were encrypted. The client was pursuing financing for paying the ransom demand (exceeding two hundred thousand dollars) and praying for the best, but in the end reached out to Progent.
"I cannot tell you enough about the help Progent provided us throughout the most stressful time of (our) business's life. We may have had to pay the cyber criminals if not for the confidence the Progent experts gave us. That you were able to get our messaging and production applications back into operation in under seven days was something I thought impossible. Each expert I spoke to or texted at Progent was laser focused on getting us operational and was working 24 by 7 on our behalf."
Progent worked together with the client to quickly get their arms around and assign priority to the essential services that had to be recovered in order to resume company functions:
- Active Directory (AD)
- Electronic Messaging
To begin, Progent adhered to anti-virus/malware incident response industry best practices by stopping the spread and disinfecting systems. Progent then began the work of restoring Microsoft Active Directory, the foundation of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange messaging will not operate without Active Directory, and the business's accounting and MRP software utilized SQL Server, which needs Active Directory for access to the data.
Within 2 days, Progent was able to recover Active Directory to its pre-intrusion state. Progent then performed reinstallations and storage recovery on the most important applications. All Exchange Server schema and configuration information was usable, which greatly helped the restoration of Exchange. Progent was also able to locate intact OST data files (Outlook Offline Folder Files) on various workstations in order to recover email messages. A recent offline backup of the business's accounting/MRP software made it possible to bring these vital applications back online for users. Although major work still had to be done to recover fully from the Ryuk attack, the most important services were recovered rapidly:
"For the most part, the production manufacturing operation never missed a beat and we delivered all customer shipments."
Throughout the next couple of weeks, key milestones in the recovery project were achieved through close collaboration between Progent engineers and the client:
- In-house web applications were brought back up with no loss of data.
- The MailStore Server containing more than 4 million archived messages was spun up and available for users.
- CRM/Customer Orders/Invoices/AP/AR/Inventory Control capabilities were 100% recovered.
- A new Palo Alto Networks 850 firewall was set up.
- Nearly all of the user workstations were back in use by staff.
"A huge amount of what happened during the initial response is mostly a haze for me, but my management will not forget the care each and every one of the team accomplished to give us our company back. I have utilized Progent for the past 10 years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered. This time was a Herculean accomplishment."
A potential business-killing catastrophe was dodged with hard-working experts, a wide range of subject matter expertise, and tight teamwork. In the post-mortem, the ransomware attack described here would have been stopped by modern security technology solutions and recognized best practices: user and IT administrator training, well-thought-out incident response procedures, offline backups, and proper patching controls. The fact remains, however, that state-sponsored hackers from Russia, China and elsewhere are tireless and will continue. If you do fall victim to a crypto-ransomware penetration, feel confident that Progent's team of professionals has extensive experience in crypto-ransomware virus defense, cleanup, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were contributing), thanks very much for allowing me to get rested after we got past the initial push. Everyone did an impressive job, and if any of your guys is around the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)