Crypto-Ransomware: Your Feared Information Technology Nightmare
Crypto-ransomware has become an all-too-frequent cyberplague that presents an existential threat to businesses of every size. Families such as CryptoLocker, Fusob, Locky, SamSam and MongoLock have been circulating for years and still inflict damage. Modern strains like Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, plus new and as yet unnamed variants appearing daily, not only encrypt live data but also delete shadow copies and restore points and encrypt any backups reachable from the compromised network. Files synched to the cloud can also be rendered useless, because the sync client faithfully uploads the encrypted versions over the good ones. In a poorly architected data protection solution, this can make automated restoration impossible and effectively sets the entire environment back to square one.
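As an added illustration of the backup-destruction step described above (example code written for this page, not Progent's tooling), the following Python scans process-creation log lines for the built-in Windows commands that ransomware families such as Ryuk run to delete shadow copies, disable Windows recovery and wipe the backup catalog before encrypting. The log lines, host names and the pipe-separated field layout are constructed for the example; the command patterns themselves are the documented ones.

```python
"""Added example (not Progent's code): flag process-creation log lines that
match the commands ransomware such as Ryuk uses to destroy Windows restore
points, shadow copies and backup catalogs before encrypting files.
The log lines below are constructed for illustration, not real telemetry."""
import re

# Each pattern corresponds to a documented backup-destruction command.
BACKUP_KILL_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "vssadmin_resize_storage": re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage.*?/maxsize=", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin_delete_catalog": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "bcdedit_disable_recovery": re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "bcdedit_ignore_failures": re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
    "powershell_delete_shadowcopy": re.compile(r"Get-WmiObject\s+Win32_Shadowcopy.*?\.Delete\(\)", re.I),
}

# Constructed sample events in "host|user|parent|command_line" form (assumed layout).
SAMPLE_LOG = """\
WS-042|jdoe|explorer.exe|"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
SRV-FILE01|SYSTEM|cmd.exe|vssadmin.exe Delete Shadows /All /Quiet
SRV-FILE01|SYSTEM|cmd.exe|wmic.exe shadowcopy delete
SRV-FILE01|SYSTEM|cmd.exe|bcdedit /set {default} recoveryenabled No
SRV-FILE01|SYSTEM|cmd.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures
SRV-FILE01|SYSTEM|cmd.exe|wbadmin DELETE CATALOG -quiet
SRV-BACKUP|backupsvc|services.exe|vssadmin list shadows
"""


def parse_line(line):
    """Split one constructed log line into its four fields."""
    host, user, parent, cmd = line.split("|", 3)
    return {"host": host, "user": user, "parent": parent, "cmd": cmd}


def classify(cmd):
    """Return the names of every destruction pattern the command line matches."""
    return [name for name, rx in BACKUP_KILL_PATTERNS.items() if rx.search(cmd)]


def scan(log_text):
    """Return every event whose command line matched at least one pattern."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        matched = classify(event["cmd"])
        if matched:
            hits.append({**event, "rules": matched})
    return hits


def hosts_above_threshold(hits, min_rules=2):
    """Hosts on which at least min_rules distinct destruction commands ran.
    Several different commands on one host is a far stronger signal than a
    single vssadmin invocation, which administrators also run legitimately."""
    per_host = {}
    for hit in hits:
        per_host.setdefault(hit["host"], set()).update(hit["rules"])
    return {host: sorted(rules) for host, rules in per_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(f"{hit['host']} {hit['user']} {hit['parent']} -> {hit['rules']}: {hit['cmd']}")
    print("High-confidence hosts:", hosts_above_threshold(found))
```

In a real deployment the input would come from Sysmon event ID 1 or Security event 4688 with command-line auditing enabled, and the alert should page immediately: by the time these commands run, encryption is usually minutes away, and every shadow copy lost is one less recovery option.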
Recovering services and data after a ransomware attack becomes a sprint against the clock as the victim fights to contain the damage, clean up the ransomware and restore business-critical activity. Because encryption takes time to spread across a network, attackers frequently trigger it on weekends and at night, when a successful intrusion typically takes longer to detect. This multiplies the difficulty of rapidly assembling and coordinating an experienced response team.
Progent offers a range of services for protecting Lakeland enterprises from crypto-ransomware attacks. These include staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security appliances with AI capabilities to rapidly identify and block new threats. Progent also provides veteran crypto-ransomware recovery consultants with the skill and commitment to restore a compromised environment as quickly as possible.
Progent's Ransomware Recovery Help
After a crypto-ransomware attack, paying the ransom in cryptocurrency provides no assurance that the criminals will hand over working keys to decrypt all your files. Kaspersky found that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The ransom itself is also costly. Ryuk demands often range from fifteen to forty BTC ($120,000 to $400,000 at the time), far higher than the typical ransomware demand, which ZDNet reported at around $13,000 for small organizations. The alternative is to piece back together the critical elements of your IT environment. Without full data backups, this calls for a wide range of skills, professional project management, and the willingness to work around the clock until the recovery is complete.
For two decades, Progent has provided certified expert IT services to businesses across the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals holding advanced certifications in leading technologies from Microsoft, Cisco, VMware and the major Linux distributions. Progent's security engineers hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC and GIAC (refer to Progent's certifications). Progent also has expertise in financial systems and ERP applications. This breadth of expertise gives Progent the skills to quickly identify critical systems, organize the surviving components of your network after a crypto-ransomware attack, and rebuild them into an operational system.
Progent's security team uses best-of-breed project management tools to coordinate the complex restoration process. Progent understands the urgency of acting quickly and in concert with a client's management and IT staff to prioritize tasks and get essential systems back online as fast as possible.
Client Story: A Successful Ransomware Attack Recovery
A mid-sized business escalated to Progent after its network was attacked by Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state actors because it shares code with the earlier Hermes ransomware, but it is now generally attributed to a Russian-speaking criminal group that gains initial access through TrickBot or Emotet infections and then deploys Ryuk by hand. Ryuk operators target organizations with little or no tolerance for operational disruption, which makes it one of the most profitable ransomware families. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company headquartered in the Chicago metro area with around 500 employees. The Ryuk intrusion had shut down all business operations and manufacturing capabilities. Most of the client's backups had been online and reachable at the start of the intrusion and were destroyed. The client considered paying the ransom (in excess of $200,000) and hoping for the best, but in the end called Progent.
"I can't tell you enough in regards to the help Progent gave us during the most fearful time of (our) company's existence. We would have paid the cybercriminals if it wasn't for the confidence the Progent team provided us. That you could get our messaging and production servers back into operation in less than a week was something I thought impossible. Every single staff member I interacted with or communicated with at Progent was urgently focused on getting our company operational and was working non-stop to bail us out."
Progent worked with the customer to rapidly identify and prioritize the critical elements that had to be addressed before company functions could restart:
- Windows Active Directory
- Electronic Mail
To begin, Progent followed incident response best practices by isolating infected hosts and removing the active malware. Progent then started restoring Microsoft Active Directory, the heart of enterprise networks built on Microsoft Windows technology. Microsoft Exchange Server messaging will not operate without Active Directory, and the customer's MRP system ran on Microsoft SQL Server, which depended on Active Directory for authentication and access to its data.
Within two days, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then completed installation and disk recovery for key applications. All Exchange connectors and configuration data were intact, which greatly sped up the rebuild of Exchange. Progent also located local OST files (Outlook Offline Folder Files) on user PCs and used them to recover mailbox data. A recent offline backup of the business's accounting/ERP system made it possible to bring these vital applications back online. Although much work remained to recover fully from the Ryuk event, core systems were restored quickly:
"For the most part, the production manufacturing operation was never shut down and we delivered all customer shipments."
Over the next couple of weeks, important milestones in the restoration project were reached through close collaboration between Progent engineers and the customer:
- Self-hosted web applications were restored without any data loss.
- The MailStore archive for Exchange, holding more than four million messages, was brought back up and made accessible to users.
- The CRM, Customer Orders, Invoices, Accounts Payable (AP), Accounts Receivable (AR) and Inventory modules were fully restored.
- A new Palo Alto 850 firewall was installed and configured.
- Most user PCs were functioning as they had before the incident.
"A lot of what went on during the initial response is nearly entirely a blur for me, but our team will not soon forget the care all of your team accomplished to help get our business back. I have entrusted Progent for at least 10 years, possibly more, and each time I needed help Progent has impressed me and delivered. This situation was no exception but maybe more Herculean."
A likely business-ending catastrophe was averted thanks to results-oriented experts, a broad range of knowledge, and close collaboration. Post-incident analysis showed that the attack described here could have been prevented or contained with modern security tooling, ISO/IEC 27001-aligned practices, staff training, properly executed backup procedures (including offline or otherwise unreachable copies), and disciplined patching. The fact remains that well-resourced criminal and state-sponsored actors from Russia, China and elsewhere are tireless and an ongoing threat. If you do fall victim to a ransomware attack, be confident that Progent's team has a proven track record in crypto-ransomware defense, cleanup and data restoration.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thank you for making it so I could get some sleep after we got through the first week. All of you did an impressive effort, and if anyone that helped is in the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)