Crypto-Ransomware : Your Crippling IT Nightmare
Crypto-ransomware has become a modern cyber plague that represents an extinction-level threat for businesses unprepared for an attack. Earlier versions of ransomware such as CryptoLocker, Fusob, Bad Rabbit, NotPetya and the MongoLock cryptoworms have been replicating for years and still cause damage. Modern crypto-ransomware families such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nephilim, along with many unnamed strains, not only encrypt on-line critical data but also seek out and corrupt any reachable system restore points and backups. Files synced to off-site disaster recovery sites can be corrupted as well. In a vulnerable environment, this can render automated restoration useless and effectively reset the datacenter to zero.
Restoring applications and data after a crypto-ransomware intrusion becomes a race against the clock as the targeted organization struggles to contain the spread, clean up the crypto-ransomware, and resume mission-critical operations. Because crypto-ransomware needs time to propagate, attacks are often launched on weekends and at night, when they are likely to take longer to detect. This compounds the difficulty of quickly mobilizing and organizing a qualified mitigation team.
Progent offers a range of services for protecting Fargo enterprises from ransomware attacks. These include staff training to recognize and avoid phishing attacks, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of AI-enabled security solutions that can intelligently detect and disable zero-day cyber threats. Progent can also provide seasoned ransomware recovery engineers with the skills and commitment to rebuild a compromised environment as quickly as possible.
Progent's Ransomware Recovery Services
After a ransomware intrusion, even paying the ransom in Bitcoin cryptocurrency gives no assurance that the attackers will supply the keys to decrypt any of your files. Kaspersky Labs determined that 17% of ransomware victims never recovered their files after having paid the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the usual ransomware demands, which ZDNET estimated to be in the range of $13,000 for smaller organizations. The other path is to rebuild the mission-critical parts of your IT environment. Without complete data backups, this requires a broad complement of skills, professional project management, and the ability to work non-stop until the task is done.
For two decades, Progent has provided certified expert IT services for companies across the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have earned advanced certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers hold internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise in financial management and ERP software solutions. This breadth of expertise allows Progent to rapidly identify critical systems, organize the surviving components of your Information Technology environment after a ransomware intrusion, and assemble them into an operational network.
Progent's recovery team uses state-of-the-art project management systems to coordinate the complex restoration process. Progent appreciates the importance of acting swiftly and in unison with a customer's management and IT staff to prioritize tasks and to get key services back on-line as soon as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Intrusion Response
A client hired Progent after their company was brought down by Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state hackers, possibly adopting algorithms leaked from the U.S. National Security Agency. Ryuk targets specific businesses with little tolerance for operational disruption and is one of the most profitable instances of crypto-ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in Chicago with around 500 staff members. The Ryuk intrusion had brought down all business operations and manufacturing capabilities. The majority of the client's backups had been online at the time of the intrusion and were eventually encrypted. The client was considering paying the ransom demand (exceeding two hundred thousand dollars) and hoping for the best, but in the end engaged Progent.
"I can't thank you enough about the help Progent provided us throughout the most critical period of (our) company's life. We would have paid the cyber criminals if it wasn't for the confidence the Progent experts provided us. That you were able to get our messaging and important servers back on-line sooner than one week was incredible. Each person I interacted with or e-mailed at Progent was laser-focused on getting us restored and was working at breakneck pace on our behalf."
Progent worked hand in hand with the customer to rapidly understand and prioritize the essential areas that needed to be restored in order to restart company operations:
- Active Directory (AD)
- Exchange Server
- MRP System
To start, Progent followed industry best practices for anti-virus/malware incident mitigation by containing the spread and disinfecting systems. Progent then began the work of restoring Microsoft Active Directory, the core technology of enterprise networks built on Microsoft Windows Server. Exchange messaging will not function without Active Directory, and the client's MRP applications used Microsoft SQL Server, which depends on Active Directory for authentication to the data.
In less than 2 days, Progent was able to recover Windows Active Directory to its pre-intrusion state. Progent then helped perform reinstallations and storage recovery on the required systems. All Exchange schema and configuration information was intact, which accelerated the restoration of Exchange. Progent was able to collect intact OST files (Microsoft Outlook Off-Line Data Files) from staff workstations to recover email data. A recent off-line backup of the client's accounting/MRP software made it possible to bring these vital applications back into service. Although a large amount of work remained to recover fully from the Ryuk damage, the most important services were restored quickly:
"For the most part, the assembly line operation ran fairly normal throughout and we delivered all customer orders."
Over the following few weeks, key milestones in the restoration project were achieved in close cooperation between Progent engineers and the client:
- Internal web sites were brought back up without losing any data.
- The MailStore Exchange Server archive, containing more than four million archived emails, was restored to operation and made accessible to users.
- CRM/Product Ordering/Invoices/AP/AR/Inventory modules were fully operational.
- A new Palo Alto Networks 850 security appliance was deployed.
- Most of the desktops and laptops were fully operational.
"A huge amount of what transpired in the initial days is mostly a haze for me, but I will not forget the urgency each and every one of your team accomplished to give us our business back. I have been working together with Progent for at least 10 years, maybe more, and every time I needed help Progent has shined and delivered. This event was a life saver."
A probable business-ending disaster was avoided thanks to dedicated professionals, a wide range of IT skills, and tight teamwork. Although the post-mortem analysis showed that the ransomware attack described here could have been blocked with advanced cybersecurity technology and NIST Cybersecurity Framework best practices, staff training, and well-designed procedures for data backup and for keeping systems current with security patches, the fact remains that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware intrusion, remember that Progent's roster of professionals has substantial experience in crypto-ransomware blocking, cleanup, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thanks very much for allowing me to get some sleep after we got past the first week. All of you did an amazing job, and if any of your guys is visiting the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Consulting in Fargo
For ransomware system restoration expertise in the Fargo area, phone Progent at 800-462-8800 or visit Contact Progent.