Ransomware: Your Crippling IT Catastrophe
Crypto-ransomware has become an all-too-frequent cyber pandemic that presents an existential threat to businesses poorly prepared for an assault. Different iterations of crypto-ransomware such as the CryptoLocker, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been out in the wild for years and continue to inflict harm. More recent ransomware families such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Egregor, as well as additional as yet unnamed variants, not only encrypt critical online data but also infiltrate all configured system backups. Data synchronized to cloud environments can also be encrypted. In a poorly architected system, this can make automated recovery impossible and effectively knocks the network back to zero.
Restoring services and data after a ransomware outage becomes a sprint against the clock as the victim struggles to stop the spread, clean up the ransomware and restore enterprise-critical activity. Because ransomware takes time to replicate, assaults are frequently launched on weekends and at night, when successful penetrations tend to take longer to detect. This compounds the difficulty of quickly marshalling and coordinating a qualified mitigation team.
Progent makes available an assortment of solutions for securing Minneapolis organizations against ransomware attacks. These include staff training to help employees recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security appliances with machine learning capabilities to intelligently identify and extinguish new cyber threats. Progent can also provide the assistance of seasoned ransomware recovery professionals with the track record and perseverance to rebuild a breached network as quickly as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware penetration, paying the ransom demand in cryptocurrency does not ensure that merciless criminals will return the keys to decipher any or all of your information. Kaspersky determined that seventeen percent of ransomware victims never restored their files even after having sent off the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000). This is well above the usual ransomware demand, which ZDNET determined to be approximately $13,000 for small businesses. The fallback is to piece back together the vital components of your Information Technology environment. Absent access to full data backups, this requires a broad range of skills, well-coordinated team management, and the willingness to work 24x7 until the job is complete.
For two decades, Progent has made available professional Information Technology services for businesses throughout the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have earned advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have garnered internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise in accounting and ERP software solutions. This breadth of experience gives Progent the ability to quickly identify critical systems and re-organize the surviving parts of your Information Technology system following a crypto-ransomware event and rebuild them into an operational system.
Progent's security team uses state-of-the-art project management applications to orchestrate the sophisticated recovery process. Progent knows the importance of acting swiftly and in concert with a customer's management and Information Technology resources to prioritize tasks and to get critical applications back online as soon as possible.
Customer Story: A Successful Crypto-Ransomware Virus Recovery
A client engaged Progent after their network was attacked by Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state criminal gangs, suspected of adopting techniques leaked from America's NSA. Ryuk seeks out specific businesses with little room for disruption and is among the most profitable versions of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing business located in Chicago with about 500 workers. The Ryuk penetration had brought down all essential operations and manufacturing processes. Most of the client's data backups had been online at the beginning of the attack and were encrypted. The client was evaluating paying the ransom demand (in excess of $200,000) and hoping for the best, but ultimately turned to Progent.
"I can't say enough about the help Progent provided us throughout the most fearful period of (our) company's existence. We most likely would have paid the hackers behind this attack if not for the confidence the Progent team afforded us. The fact that you were able to get our e-mail and production applications back in under five days was incredible. Every single expert I worked with or texted at Progent was amazingly focused on getting my company operational and was working 24/7 to bail us out."
Progent worked with the client to rapidly understand and prioritize the mission-critical areas that had to be restored to make it possible to continue business operations:
- Active Directory
- Microsoft Exchange Email
To start, Progent followed anti-virus/malware incident mitigation best practices by halting the spread and cleaning systems of malware. Progent then initiated the task of restoring Windows Active Directory, the key technology of enterprise environments built on Microsoft Windows Server. Exchange email will not function without Windows AD, and the business's financials and MRP applications relied on Microsoft SQL Server, which depends on Active Directory for authentication to the databases.
Within 48 hours, Progent was able to rebuild Active Directory to its pre-attack state. Progent then charged ahead with reinstallations and hard drive recovery of essential systems. All Exchange Server schema and configuration information was intact, which accelerated the rebuild of Exchange. Progent was able to gather local OST data files (Microsoft Outlook Offline Data Files) from team PCs and laptops in order to recover mail data. A recent offline backup of the business's accounting/ERP software made it possible to make these essential programs available to users again. Although major work remained to recover fully from the Ryuk attack, the most important services were restored rapidly:
"For the most part, the production manufacturing operation ran fairly normal throughout and we delivered all customer orders."
Throughout the following few weeks, key milestones in the restoration process were accomplished through tight collaboration between Progent team members and the customer:
- Self-hosted web sites were returned to operation without losing any information.
- The MailStore Microsoft Exchange Server containing more than four million historical messages was spun up and available for users.
- CRM/Product Ordering/Invoicing/AP/AR/Inventory Control capabilities were 100% operational.
- A new Palo Alto 850 firewall was installed.
- 90% of the user desktops were functioning as before the incident.
"Much of what happened in the early hours is nearly entirely a blur for me, but I will not soon forget the care each of the team accomplished to help get our business back. I have been working with Progent for the past ten years, maybe more, and every time Progent has shined and delivered as promised. This event was a testament to your capabilities."
A potential business-ending catastrophe was averted thanks to dedicated experts, a broad array of knowledge, and close collaboration. Although in hindsight the ransomware attack detailed here could have been blocked with advanced security technology, ISO/IEC 27001 best practices, user training, and properly executed security procedures for data backup and software patching, the fact remains that state-sponsored hackers from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware penetration, remember that Progent's roster of experts has proven experience in crypto-ransomware blocking, cleanup, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thank you for letting me get rested after we made it over the initial push. Everyone did an incredible job, and if anyone that helped is in the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)