Crypto-Ransomware: Your Feared Information Technology Nightmare
Ransomware Remediation Professionals

Ransomware has become an all-too-frequent cyber plague that poses an enterprise-level threat to businesses unprepared for an attack. Ransomware strains such as Reveton, Fusob, Bad Rabbit, NotPetya and MongoLock have been in the wild for years and continue to inflict damage. The latest versions, such as Ryuk and Hermes, along with unnamed newcomers, not only encrypt online files but also infect every reachable system backup. Data synced to the cloud can also be corrupted. In a poorly designed system this can render automated restore operations useless and essentially sets the entire environment back to square one.

Recovering applications and data after a crypto-ransomware event becomes a race against the clock as the targeted organization tries to contain and remove the ransomware and resume business-critical activity. Because ransomware needs time to move laterally, intrusions are often launched on weekends, when they are likely to take longer to discover. This compounds the difficulty of quickly assembling and coordinating a capable response team.

Progent provides an assortment of services for protecting businesses from crypto-ransomware events. These include staff education to help recognize and avoid phishing attacks, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security solutions with artificial intelligence capabilities that automatically detect and suppress zero-day threats. Progent also provides experienced ransomware recovery engineers with the skill and perseverance to re-deploy a breached network as quickly as possible.

Progent's Ransomware Recovery Services
After a crypto-ransomware attack, even paying the ransom in cryptocurrency does not guarantee that the criminal gangs will deliver the keys needed to decrypt all your data. Kaspersky Labs found that seventeen percent of crypto-ransomware victims never recovered their data even after paying the ransom, resulting in additional losses. The ransom itself is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far above the average crypto-ransomware demand, which ZDNet puts at around $13,000. The fallback is to piece back together the vital elements of your IT environment. Without complete data backups, this calls for a broad range of skills, professional project management, and the ability to work 24x7 until the job is complete.

For two decades, Progent has provided expert IT services to companies in Addison and across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who hold high-level certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience in financial management and ERP software solutions. This breadth of experience allows Progent to quickly identify critical systems after a ransomware event, re-organize the surviving parts of your Information Technology environment, and assemble them into an operational network.

Progent's recovery team uses top-notch project management systems to orchestrate the complex recovery process. Progent knows the importance of working quickly and in concert with a client's management and Information Technology staff to prioritize tasks and to bring essential services back online as soon as humanly possible.

Case Study: A Successful Ransomware Penetration Response
A business engaged Progent after it was attacked by Ryuk ransomware. Ryuk is thought to have been developed by North Korean state-sponsored criminal gangs, possibly using techniques leaked from the U.S. NSA. Ryuk targets specific businesses with little ability to sustain disruption and is among the most profitable incarnations of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business based in the Chicago metro area with around 500 workers. The Ryuk intrusion had shut down all company operations and manufacturing processes. Most of the client's backups were online when the attack began and were eventually encrypted. The client was actively seeking loans to pay the ransom demand (more than $200K) and hoping for the best, but in the end brought in Progent.

"I can't say enough about the expertise Progent provided us during the most stressful time of (our) company's existence. We had little choice but to pay the criminal gangs except for the confidence the Progent experts afforded us. That you could get our e-mail system and key servers back into operation in less than one week was amazing. Every single expert I worked with or messaged at Progent was totally committed on getting us restored and was working all day and night to bail us out."

Progent worked with the customer to rapidly determine and assign priority to the essential elements that had to be restored in order to restart departmental functions:

  • Active Directory (AD)
  • Exchange Server
  • MRP System

To get going, Progent followed incident response best practices by isolating infected systems and removing the active malware. Progent then began restoring Windows Active Directory, the heart of enterprise systems built on Microsoft technology. Exchange messaging will not work without Active Directory, and the client's MRP applications used Microsoft SQL Server, which depends on Active Directory to authenticate access to the data.

Within two days, Progent was able to recover Active Directory to its pre-intrusion state. Progent then helped rebuild key servers and recover their storage. All Exchange links and attributes in Active Directory were intact, which simplified the Exchange restore. Progent was also able to gather local OST files (Outlook Offline Folder Files) from staff PCs and laptops to recover email messages. A relatively recent offline backup of the client's manufacturing software made it possible to return these vital services to users. Although major work remained to recover completely from the Ryuk damage, the most important systems were returned to operation rapidly:

"For the most part, the production line operation was never shut down and we delivered all customer shipments."

Over the following couple of weeks, important milestones in the restoration project were reached through close cooperation between Progent consultants and the customer:

  • Self-hosted web sites were restored with no loss of information.
  • The MailStore email archive for Microsoft Exchange Server, holding more than 4 million historical emails, was restored to operation and made accessible to users.
  • CRM/Customer Orders/Invoices/AP/Accounts Receivables (AR)/Inventory capabilities were 100 percent recovered.
  • A new Palo Alto 850 security appliance was set up.
  • 90% of the desktops and laptops were fully operational.

"So much of what occurred in the initial days is mostly a haze for me, but we will not soon forget the dedication each of the team put in to give us our business back. I have been working with Progent for at least 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This event was a Herculean accomplishment."

Conclusion
A probable business catastrophe was averted through top-tier professionals, a broad range of subject matter expertise, and close teamwork. Although, in hindsight, the crypto-ransomware attack described here could have been stopped with current security technology and security best practices, staff education, well-designed incident response procedures for data protection, and proper patching controls, the reality is that government-sponsored cybercriminals from Russia, China and elsewhere are tireless and will continue. If you are hit by a ransomware incident, you can be confident that Progent's roster of professionals has extensive experience in ransomware prevention, remediation, and data restoration.

"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for letting me get rested after we made it over the first week. Everyone did an amazing job, and if any of you guys are visiting the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Addison a variety of online monitoring and security evaluation services designed to help you minimize the threat from ransomware. These services include modern machine learning technology to detect zero-day strains of ransomware that can evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that uses cutting-edge behavior-based machine learning technology to defend physical and virtual endpoints against modern malware attacks such as ransomware and fileless attacks, which routinely get past traditional signature-based anti-virus tools. ProSight ASM safeguards on-premises and cloud-based resources and offers a unified platform to manage the entire threat lifecycle, including blocking, identification, mitigation, remediation, and forensics. Key features include one-click rollback with Windows VSS and automatic network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection managed services deliver economical in-depth security for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and react to cyber threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint management, and web filtering through cutting-edge technologies packaged within a single agent managed from a unified console. Progent's data protection and virtualization consultants can help you design and implement a ProSight ESP deployment that addresses your organization's specific requirements and that allows you to achieve and demonstrate compliance with government and industry information security standards. Progent will help you define and implement the policies that ProSight ESP enforces, and Progent will monitor your network and respond to alarms that call for immediate action. Progent can also help you set up and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and medium-sized businesses a low-cost end-to-end solution for secure backup and disaster recovery (BDR). For a fixed monthly cost, ProSight Data Protection Services automates your backup processes and allows rapid restoration of vital files, applications and virtual machines that have become unavailable or corrupted as a result of hardware failures, software glitches, disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, and Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to a local storage device, or mirrored to both. Progent's backup and recovery consultants can deliver world-class expertise to configure ProSight Data Protection Services to comply with regulatory requirements like HIPAA, FERPA, and PCI and, when necessary, can help you recover your critical information. Learn more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top information security companies to deliver web-based management and world-class protection for all your inbound and outbound email. The hybrid structure of Progent's Email Guard integrates cloud-based filtering with an on-premises gateway appliance to provide complete protection against spam, viruses, Denial of Service attacks, Directory Harvest attacks, and other email-borne threats. The Cloud Protection Layer acts as a first line of defense and blocks the vast majority of unwanted email before it reaches your network firewall. This reduces your exposure to inbound attacks and saves bandwidth and storage. Email Guard's on-premises gateway appliance provides a deeper layer of analysis for inbound email. For outbound email, the local gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server in monitoring and protecting internal email traffic that originates and ends within your security perimeter. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized businesses to map, track, optimize and debug their networking hardware like switches, firewalls, and access points plus servers, printers, client computers and other networked devices. Incorporating cutting-edge RMM technology, WAN Watch ensures that infrastructure topology maps are kept updated, captures and displays the configuration information of virtually all devices connected to your network, monitors performance, and generates alerts when issues are detected. By automating tedious management processes, ProSight WAN Watch can cut hours off ordinary chores like network mapping, expanding your network, locating devices that require critical software patches, or resolving performance problems. Find out more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to help keep your network running at peak levels by tracking the state of critical assets that drive your information system. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your designated IT personnel and your Progent consultant so any looming issues can be resolved before they have a chance to impact productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure, fault-tolerant data center on a fast virtual host configured and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the applications. Because the environment is virtualized, it can be moved easily to alternate hardware without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, find and protect information about your network infrastructure, procedures, business applications, and services. You can quickly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or warranties. By updating and managing your IT documentation, you can save as much as 50% of the time wasted looking for critical information about your IT network. ProSight IT Asset Management provides a common location for holding and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether you're planning enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.

For 24x7x365 Addison Ransomware Removal Experts, reach out to Progent at 800-993-9400 or go to Contact Progent.