Crypto-Ransomware : Your Feared Information Technology Disaster
Ransomware has become a too-frequent cyber pandemic that represents an existential danger for businesses of any size that are vulnerable to an attack. Older families such as CryptoLocker, CryptoWall, Bad Rabbit, SamSam and MongoLock have been circulating for years and continue to cause damage. More recent crypto-ransomware families like Ryuk, Maze, Sodinokibi (REvil), Netwalker, Conti and Egregor, plus new variants appearing all the time, not only encrypt critical on-line data but also delete Volume Shadow Copies and system restore points and encrypt any backup that is reachable from the compromised network. Files synchronized to an off-site disaster recovery site can be rendered useless as well, because replication faithfully copies the encrypted versions over the good ones. In a poorly architected environment this makes automated restore operations impossible and effectively sets the entire system back to zero.
Getting applications and data back on-line following a crypto-ransomware intrusion becomes a race against time as the targeted business fights to contain and clean up the malware and to resume business-critical operations. Because encrypting an entire environment takes time, attackers typically detonate ransomware on weekends and at night, when the activity is least likely to be noticed quickly. This multiplies the difficulty of promptly mobilizing and coordinating a capable response team.
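The backup-destruction behaviour described above is observable before encryption starts: the operators run a handful of well-documented built-in Windows commands to delete shadow copies, shrink shadow storage, wipe the Windows backup catalog and disable boot recovery. The following Python script is an added example, not part of the original page or of any Progent tooling. It scans process-creation log lines for those commands and flags whether they ran outside business hours. The log lines, the host and user names, and the business-hours window (06:00 to 20:00 UTC, weekdays) are constructed assumptions for the example; the command patterns themselves are the ones publicly documented for Ryuk and similar families.

```python
"""Flag backup- and recovery-tampering commands in process-creation logs.

Added example. The log lines below are constructed to resemble the
CommandLine field of Windows process-creation events (Sysmon Event ID 1 or
Security Event 4688 exported to a simple key=value form); they are not logs
from any real incident. Host names, users and timestamps are made up.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Each rule is (name, regex applied to the lower-cased command line).
RULES = [
    ("vss_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vss_resize_storage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup|backup)\b")),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("powershell_win32_shadowcopy",
     re.compile(r"win32_shadowcopy.*\bdelete\b")),
]

# Constructed sample log (assumed export format; not a real Sysmon/4688 feed).
SAMPLE_LOG = r"""
2019-01-05T02:13:44Z host=FILESRV01 user=CORP\jdoe parent=explorer.exe cmd="vssadmin.exe list shadows"
2019-01-05T02:14:02Z host=FILESRV01 user=CORP\svc_backup parent=services.exe cmd="wbadmin start backup -backupTarget:\\nas01\backups -include:D:"
2019-01-06T03:01:10Z host=FILESRV01 user=CORP\jdoe parent=cmd.exe cmd="vssadmin.exe Delete Shadows /All /Quiet"
2019-01-06T03:01:11Z host=FILESRV01 user=CORP\jdoe parent=cmd.exe cmd="vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"
2019-01-06T03:01:12Z host=FILESRV01 user=CORP\jdoe parent=cmd.exe cmd="WMIC.exe shadowcopy delete"
2019-01-06T03:01:13Z host=FILESRV01 user=CORP\jdoe parent=cmd.exe cmd="wbadmin DELETE CATALOG -quiet"
2019-01-06T03:01:14Z host=FILESRV01 user=CORP\jdoe parent=cmd.exe cmd="bcdedit /set {default} recoveryenabled No"
2019-01-06T03:01:15Z host=FILESRV01 user=CORP\jdoe parent=cmd.exe cmd="powershell.exe -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"
2019-01-06T09:30:00Z host=ADMIN01 user=CORP\itops parent=cmd.exe cmd="bcdedit /enum"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'parent=(?P<parent>\S+)\s+cmd="(?P<cmd>[^"]*)"\s*$'
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    rule: str
    cmd: str
    off_hours: bool


def matching_rules(cmd: str) -> list[str]:
    """Return the names of every rule the command line triggers."""
    lowered = cmd.lower()
    return [name for name, rx in RULES if rx.search(lowered)]


def is_off_hours(ts: str) -> bool:
    """Weekend, or before 06:00 / from 20:00 UTC (assumed business hours)."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return t.weekday() >= 5 or t.hour < 6 or t.hour >= 20


def scan(log_text: str) -> list[Alert]:
    """Parse each log line and emit one Alert per (line, matching rule)."""
    alerts = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue  # unparseable line; a real pipeline should count these
        f = m.groupdict()
        for rule in matching_rules(f["cmd"]):
            alerts.append(Alert(f["ts"], f["host"], f["user"], rule,
                                f["cmd"], is_off_hours(f["ts"])))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        flag = "OFF-HOURS " if a.off_hours else ""
        print(f"{a.ts} {a.host} {a.user} {flag}{a.rule}: {a.cmd}")
```

Against the sample log the script flags the six tampering commands and leaves the routine `vssadmin list shadows`, `wbadmin start backup` and `bcdedit /enum` alone; every hit is also marked off-hours, which is the burst-on-a-Sunday-night pattern worth paging on. In production this belongs in the SIEM or EDR rule set, and the useful response is to isolate the host on the first hit, not to wait for the encryption to begin.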
Progent offers an assortment of services for protecting Fort Wayne businesses from ransomware attacks. Among these are user training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern AI-based security solutions that rapidly detect and disable new threats. Progent also offers the services of expert ransomware recovery professionals with the skill and perseverance to rebuild a breached network as urgently as possible.
Progent's Ransomware Recovery Support Services
After a ransomware intrusion, paying the ransom demand in cryptocurrency does not guarantee that the criminal gang will hand over a working decryption key for any or all of your files. Kaspersky found that 17% of ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000), far higher than typical ransomware demands, which ZDNet estimated at around $13,000 for small organizations. The other path is to rebuild the essential components of your IT environment from scratch. Without complete data backups, this requires a broad range of IT skills, well-coordinated team management, and the ability to work continuously until the task is completed.
For twenty years, Progent has provided certified expert IT services to companies throughout the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who hold high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants hold internationally recognized industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of expertise gives Progent the skills to efficiently identify critical systems, integrate the surviving parts of your IT environment following a ransomware attack, and configure them into a functioning system.
Progent's recovery team of experts utilizes powerful project management applications to coordinate the complex recovery process. Progent understands the importance of working quickly and together with a client's management and Information Technology team members to prioritize tasks and to get essential systems back online as soon as possible.
Customer Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A customer hired Progent after their company was brought down by Ryuk ransomware. Early reporting attributed Ryuk to North Korean state-linked actors because it shares code with the older Hermes ransomware, but most subsequent analysis attributes its operation to a Russian-speaking criminal group that typically deploys it in the late stages of an intrusion begun with a TrickBot or Emotet infection. Ryuk operators target organizations with little tolerance for downtime, and Ryuk has been among the most lucrative ransomware operations. Publicly reported victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business headquartered in Chicago with about 500 employees. The Ryuk intrusion had halted all company operations and manufacturing processes. Most of the client's backups had been on-line at the time of the attack and were encrypted along with everything else. The client was actively seeking loans to pay the ransom (exceeding $200,000) and hoping for the best, but ultimately brought in Progent.
"I can't thank you enough for the support Progent provided us throughout the most critical period of (our) business's life. We would have paid the hackers behind this attack except for the confidence the Progent group provided us. That you were able to get our e-mail and essential servers back on-line sooner than five days was incredible. Every single person I got help from or texted at Progent was urgently focused on getting us back online and was working 24/7 to bail us out."
Progent worked hand in hand with the customer to rapidly identify and prioritize the critical applications that had to be recovered to make it possible to restart departmental functions:
To begin, Progent followed ransomware incident response best practices by isolating affected systems and removing the malware before rebuilding. Progent then began the work of bringing Windows Active Directory back online, the heart of enterprise environments built on Microsoft Windows technology. Microsoft Exchange Server messaging will not function without Windows AD, and the customer's financial and MRP applications ran on Microsoft SQL Server, which relied on Windows AD for authentication to the databases.
- Windows Active Directory
Within 48 hours, Progent was able to restore Active Directory services to their pre-attack state. Progent then charged ahead with rebuilding and hard drive recovery on mission-critical systems. The Exchange Server schema extensions and attributes in Active Directory were intact, which accelerated the restore of Exchange. Progent was able to collect intact OST files (Microsoft Outlook Offline Folder Files) on staff PCs and recover email messages from them. A reasonably recent offline backup of the business's manufacturing systems made it possible to bring these vital applications back online. Although significant work remained to recover completely from the Ryuk attack, the most important services were returned to operation quickly:
"For the most part, the assembly line operation ran fairly normal throughout and we made all customer deliverables."
During the following couple of weeks, important milestones in the restoration project were reached through tight cooperation between Progent consultants and the customer:
- In-house web sites were restored with no loss of data.
- The MailStore email archive server, holding more than four million historical messages, was restored to operation and made available to users.
- CRM, Orders, Invoicing, Accounts Payable (AP), Accounts Receivable (AR) and Inventory capabilities were fully restored.
- A new Palo Alto Networks PA-850 firewall was deployed.
- 90% of the user desktops and notebooks were operational.
"So much of what went on during the initial response is nearly entirely a haze for me, but our team will not forget the countless hours each of the team put in to help get our business back. I've been working with Progent for the past ten years, maybe more, and each time I needed help Progent has impressed me and delivered. This event was a life saver."
A probable business-killing catastrophe was averted thanks to results-oriented experts, a wide range of knowledge, and tight collaboration. In retrospect, the ransomware incident described here could have been detected and blocked with modern security technology, NIST Cybersecurity Framework best practices, staff training, disciplined backup procedures that keep at least one copy offline, timely security patching, and properly rehearsed incident response procedures. The reality, however, is that financially motivated and state-sponsored attackers from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a crypto-ransomware attack, remember that Progent's roster of experts has a proven track record in crypto-ransomware defense, remediation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were contributing), I'm grateful for allowing me to get some sleep after we made it through the most critical parts. All of you did a fabulous job, and if any of your team is around the Chicago area, a great meal is the least I can do!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)