Crypto-Ransomware : Your Feared Information Technology Nightmare
Ransomware has become a modern cyber pandemic that poses an existential danger to businesses unprepared for an attack. Different versions of crypto-ransomware like the CryptoLocker, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been circulating for a long time and still inflict havoc. Modern versions of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nephilim, along with frequent unnamed malware, not only encrypt online data but also infiltrate many configured system backups. Data synchronized to the cloud can also be corrupted. In a poorly architected data protection solution, this can render automatic recovery hopeless and effectively knocks the entire system back to zero.
Getting applications and information back after a ransomware attack becomes a sprint against the clock as the targeted organization struggles to contain the damage, clear the ransomware, and resume business-critical activity. Because crypto-ransomware requires time to spread, attacks are often launched on weekends, when successful penetrations typically take more time to identify. This compounds the difficulty of promptly marshalling and organizing an experienced mitigation team.
Progent makes available an assortment of support services for securing Jacksonville enterprises against crypto-ransomware events. Among these are user education to recognize and avoid phishing scams, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR), which utilizes SentinelOne's AI-based threat protection to identify and quarantine zero-day modern malware assaults. Progent in addition provides the assistance of veteran crypto-ransomware recovery professionals with the track record and commitment to re-deploy a breached system as quickly as possible.
Progent's Ransomware Recovery Help
Following a ransomware penetration, even paying the ransom demand in cryptocurrency does not ensure that cyber criminals will return the keys to decipher any of your files. Kaspersky determined that seventeen percent of ransomware victims never recovered their information even after having sent off the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is greatly above the usual ransomware demand, which ZDNET determined to be around $13,000 for smaller organizations. The alternative is to piece back together the essential parts of your IT environment. Without essential data backups available, this calls for a wide range of skills, top-notch project management, and the ability to work non-stop until the job is completed.
For two decades, Progent has provided professional Information Technology services for companies throughout the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained top industry certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have earned internationally-renowned certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent in addition has expertise in financial management and ERP application software. This breadth of experience gives Progent the capability to understand the necessary systems, re-organize the remaining pieces of your IT system after a crypto-ransomware event, and assemble them into an operational network.
Progent's recovery group uses best-of-breed project management tools to orchestrate the sophisticated restoration process. Progent appreciates the importance of acting quickly and in concert with a client's management and IT staff to prioritize tasks and to get essential services back on-line as soon as possible.
Business Case Study: A Successful Ransomware Penetration Restoration
A business escalated to Progent after their company was penetrated by Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state criminal gangs, possibly using techniques exposed from the U.S. NSA. Ryuk goes after specific businesses with limited tolerance for disruption and is among the most lucrative incarnations of crypto-ransomware. Major targets have included Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company headquartered in Chicago with around 500 employees. The Ryuk event had shut down all business operations and manufacturing processes. The majority of the client's information backups had been online at the beginning of the attack and were eventually encrypted. The client was pursuing financing to pay the ransom (exceeding two hundred thousand dollars) and hoping for good luck, but ultimately called Progent.
"I cannot speak enough about the care Progent gave us during the most fearful period of (our) company's life. We most likely would have paid the Hackers except for the confidence the Progent group provided us. The fact that you could get our e-mail and key applications back into operation sooner than 1 week was amazing. Each person I talked with or communicated with at Progent was hell bent on getting us back on-line and was working breakneck pace on our behalf."
Progent worked together with the customer to rapidly determine and prioritize the mission-critical systems that had to be restored to make it possible to continue company operations:
To start, Progent followed anti-virus penetration mitigation best practices by stopping the spread and cleaning up infected systems. Progent then began the work of restoring Active Directory, the foundation of enterprise systems built on Microsoft Windows technology. Microsoft Exchange email will not operate without Windows AD, and the business's MRP applications leveraged SQL Server, which requires Active Directory services for authentication to the data.
- Windows Active Directory
In less than 2 days, Progent was able to rebuild Active Directory services to their pre-penetration state. Progent then charged ahead with rebuilding and hard drive recovery on essential applications. All Microsoft Exchange Server schema and attributes were intact, which greatly helped the restore of Exchange. Progent was able to locate local OST files (Outlook Off-Line Folder Files) on user desktop computers to recover email data. A recent off-line backup of the customer's manufacturing systems made it possible to restore these vital applications and make them available to users again. Although major work still had to be done to recover fully from the Ryuk damage, core systems were restored rapidly:
"For the most part, the production operation survived unscathed and we produced all customer sales."
During the following few weeks, key milestones in the recovery project were reached in tight collaboration between Progent team members and the customer:
- Self-hosted web sites were restored without losing any data.
- The MailStore Exchange Server containing more than four million historical emails was brought online and available for users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control modules were fully functional.
- A new Palo Alto 850 security appliance was installed.
- Most of the user desktops and notebooks were back in use by staff.
"Much of what occurred in the early hours is mostly a blur for me, but I will not soon forget the urgency each and every one of your team put in to give us our company back. I've been working together with Progent for the past 10 years, maybe more, and every time I needed help Progent has come through and delivered. This situation was a testament to your capabilities."
A probable business catastrophe was averted thanks to dedicated professionals, a wide range of technical expertise, and close collaboration. Although in hindsight the ransomware penetration detailed here could have been identified and prevented with current security technology solutions and NIST Cybersecurity Framework best practices, user and IT administrator education, and well-designed incident response procedures for data backup and applying software patches, the reality is that government-sponsored cybercriminals from Russia, China and elsewhere are relentless and will continue their attacks. If you do get hit by a ransomware penetration, feel confident that Progent's team of experts has proven experience in ransomware blocking, mitigation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were involved), thanks very much for making it so I could get rested after we got over the first week. Everyone did a fabulous job, and if anyone is around the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Consulting Services in Jacksonville
For ransomware cleanup consulting in the Jacksonville metro area, call Progent at 800-462-8800 or go to Contact Progent.