Crypto-Ransomware : Your Feared Information Technology Nightmare
Crypto-ransomware has become an escalating cyberplague that poses an enterprise-level danger for businesses of all sizes. Different iterations of ransomware such as CryptoLocker, CryptoWall, Bad Rabbit, NotPetya and the MongoLock cryptoworms have been out in the wild for years and still cause havoc. More recent versions such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, as well as additional unnamed variants, not only encrypt online data files but also infect many configured system backups. Information synchronized to cloud environments can also be ransomed. With a vulnerable data protection solution, this can render automatic recovery hopeless and effectively sets the entire system back to zero.
Retrieving programs and information following a ransomware attack becomes a sprint against time as the targeted business tries its best to contain and remove the crypto-ransomware and to restore mission-critical operations. Since ransomware needs time to spread, attacks are often launched during weekends and nights, when an intrusion tends to take longer to identify. This compounds the difficulty of rapidly assembling and orchestrating a qualified mitigation team.
Progent makes available an assortment of support services for protecting Eugene enterprises from crypto-ransomware attacks. These include team member education to help recognize and avoid phishing scams, and ProSight Active Security Monitoring (ASM) for endpoint detection and response, which uses SentinelOne's AI-based cyberthreat protection to identify and extinguish zero-day malware attacks. Progent also provides the services of veteran ransomware recovery consultants with the talent and commitment to re-deploy a breached network as urgently as possible.
Progent's Crypto-Ransomware Restoration Support Services
Following a crypto-ransomware penetration, even paying the ransom demand in Bitcoin cryptocurrency does not guarantee that the cyber hackers will return the keys to decrypt any of your data. Kaspersky determined that 17% of ransomware victims never restored their information after having paid the ransom, resulting in additional losses. The risk is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the average crypto-ransomware demand, which ZDNET estimated to be in the range of $13,000 for smaller businesses. The alternative is to set up the key parts of your IT environment from scratch. Without the availability of full information backups, this calls for a broad complement of IT skills, well-coordinated team management, and the willingness to work continuously until the task is completed.
For decades, Progent has offered certified expert Information Technology services for companies throughout the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have attained top industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have garnered internationally-recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications.) Progent in addition has expertise with financial management and ERP software solutions. This breadth of expertise gives Progent the ability to rapidly identify the necessary systems, organize the remaining parts of your network following a ransomware penetration, and configure them into an operational system.
Progent's ransomware team uses top notch project management tools to orchestrate the complex recovery process. Progent understands the importance of working quickly and in concert with a client's management and IT staff to prioritize tasks and to put the most important services back on-line as fast as possible.
Business Case Study: A Successful Ransomware Intrusion Recovery
A client hired Progent after their network was penetrated by Ryuk ransomware. Ryuk is believed to have been created by North Korean government-sponsored cybercriminals, suspected of using techniques leaked from America's National Security Agency. Ryuk goes after specific organizations with little room for operational disruption and is one of the most lucrative instances of ransomware malware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturer based in the Chicago metro area with about 500 staff members. The Ryuk event had shut down all essential operations and manufacturing capabilities. The majority of the client's backups had been on-line at the start of the attack and were damaged. The client was evaluating paying the ransom (in excess of two hundred thousand dollars) and hoping for good luck, but ultimately made the decision to use Progent.
"I can't tell you enough in regards to the support Progent provided us during the most stressful time of (our) business's survival. We may have had to pay the hackers behind this attack except for the confidence the Progent group provided us. That you could get our e-mail system and essential servers back into operation sooner than seven days was earth shattering. Every single consultant I spoke to or e-mailed at Progent was urgently focused on getting our system up and was working at breakneck pace on our behalf."
Progent worked with the client to quickly determine and prioritize the critical applications that had to be recovered in order to restart business functions:
- Microsoft Active Directory
- Microsoft Exchange
To start, Progent adhered to industry best practices for malware incident response by stopping lateral movement and removing active malware. Progent then began the work of bringing Windows Active Directory back online, since it is the core of enterprise networks built on Microsoft technology. Microsoft Exchange messaging will not function without Windows AD, and the customer's MRP software leveraged Microsoft SQL Server, which depends on Active Directory for authentication and authorization to the databases.
In less than 2 days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then performed reinstallations and hard drive recovery on mission-critical systems. All Exchange Server ties and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to collect non-encrypted OST files (Outlook Offline Data Files) from team desktop computers in order to recover mail information. A reasonably recent off-line backup of the customer's accounting/ERP systems made it possible to return these vital services to users. Although a large amount of work still had to be done to recover fully from the Ryuk virus, the most important services were recovered quickly:
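The OST collection step above depends on knowing, before anything is copied off a workstation, which Outlook cache files are still intact and which were overwritten by the ransomware. The following PowerShell script is an added example written for this page, not Progent's own tooling, that inventories OST files under each user profile and checks the PST/OST header signature "!BDN" (bytes 0x21 0x42 0x44 0x4E): a file-encrypting ransomware rewrites the whole file, so the signature is lost. It assumes local administrator rights on the workstation (or execution through Invoke-Command), a profile root of C:\Users, and a CSV report path in $env:TEMP; the wildcard `*.ost*` also catches files whose extension was changed by the malware.

```powershell
# Added example (not Progent's code): inventory Outlook OST files and flag those
# whose header no longer carries the PST/OST signature "!BDN".
# Assumptions: run as local admin on the workstation; $ProfileRoot defaults to
# C:\Users; the report is written to $ReportPath as CSV.
param(
    [string]$ProfileRoot = 'C:\Users',
    [string]$ReportPath  = "$env:TEMP\ost-inventory.csv"
)

# First four bytes of every PST/OST file: "!BDN"
$Signature = [byte[]](0x21, 0x42, 0x44, 0x4E)

function Test-OstHeader {
    # Returns $true when the signature is present, $false when it is not,
    # and $null when the file could not be opened (e.g. locked by Outlook).
    param([string]$Path)
    try {
        $stream = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    } catch {
        return $null
    }
    try {
        $buf  = New-Object byte[] 4
        $read = $stream.Read($buf, 0, 4)
        if ($read -lt 4) { return $false }
        for ($i = 0; $i -lt 4; $i++) {
            if ($buf[$i] -ne $Signature[$i]) { return $false }
        }
        return $true
    } finally {
        $stream.Dispose()
    }
}

# '*.ost*' also matches files whose extension was appended to by the malware.
$results = @(Get-ChildItem -Path $ProfileRoot -Recurse -Filter '*.ost*' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $intact = Test-OstHeader -Path $_.FullName
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            Path         = $_.FullName
            SizeMB       = [math]::Round($_.Length / 1MB, 1)
            LastWrite    = $_.LastWriteTime
            HeaderIntact = $intact
            Status       = if ($null -eq $intact) { 'UNREADABLE' }
                           elseif ($intact)      { 'OK' }
                           else                  { 'SUSPECT-ENCRYPTED' }
        }
    })

$results | Export-Csv -Path $ReportPath -NoTypeInformation
$results | Format-Table -AutoSize
"{0} OST file(s) found, {1} with a valid header, report: {2}" -f `
    $results.Count, @($results | Where-Object { $_.HeaderIntact -eq $true }).Count, $ReportPath
```

Files reported as OK can be copied to a clean staging host for import; a LastWrite timestamp inside the attack window on an OK file is still worth a second look, because the signature check only proves the header survived, not the whole file. Files reported as UNREADABLE are usually still open in Outlook and should be re-checked after the user signs out.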
"For the most part, the production line operation was never shut down and we produced all customer shipments."
Throughout the following few weeks, critical milestones in the recovery process were accomplished through close cooperation between Progent consultants and the client:
- Internal web sites were restored without losing any data.
- The MailStore Exchange Server archive with over four million historical messages was brought online and made accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory Control modules were fully operational.
- A new Palo Alto Networks 850 firewall was set up.
- Nearly all of the desktops and laptops were back in operation.
"So much of what transpired in the initial days is mostly a blur for me, but my team will not soon forget the commitment each and every one of you put in to help get our company back. I have utilized Progent for at least 10 years, possibly more, and each time I needed help Progent has impressed me and delivered as promised. This time was the most impressive ever."
A likely enterprise-killing disaster was averted with hard-working experts, a broad spectrum of subject matter expertise, and tight teamwork. Although, in post mortem, the crypto-ransomware penetration detailed here could have been prevented with advanced security technology, security best practices, staff education, and well-designed procedures for backups and applying software patches, the fact is that state-sponsored cybercriminals from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do get hit by ransomware, remember that Progent's roster of experts has proven experience in ransomware blocking, removal, and information systems restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for letting me get some sleep after we made it through the most critical parts. Everyone did an impressive job, and if anyone is around the Chicago area, dinner is the least I can do!"
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this case study, see Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Recovery Expertise in Eugene
For ransomware cleanup services in the Eugene area, phone Progent at 800-462-8800 or visit Contact Progent.