Crypto-Ransomware: Your Crippling Information Technology Catastrophe

Ransomware Remediation Experts
Ransomware has become an all-too-frequent cyberplague that represents an enterprise-level threat to businesses of all sizes that are unprepared for an assault. Different strains of crypto-ransomware, including the Reveton, Fusob, Bad Rabbit, SamSam and MongoLock families, have been in the wild for years and continue to wreak havoc. The latest strains, such as Ryuk and Hermes, along with new as-yet-unnamed variants appearing daily, not only encrypt critical online data but also reach many configured system restore points and backups. Data synchronized to off-site disaster recovery sites can be encrypted as well. In a vulnerable environment this renders automated recovery useless and effectively knocks the datacenter back to square one.

Recovering applications and data after a ransomware outage becomes a race against the clock as the targeted organization fights to stop lateral movement, remove the ransomware, and resume business-critical operations. Because ransomware needs time to spread, attacks are often launched on weekends, when intrusions are likely to take longer to notice. This compounds the difficulty of promptly mobilizing and organizing a knowledgeable mitigation team.

Progent offers a range of services for protecting businesses from ransomware attacks. These include user training to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of latest-generation security gateways with machine learning capabilities that intelligently identify and quarantine zero-day attacks. Progent can also provide expert crypto-ransomware recovery engineers with the skills and perseverance to rebuild a compromised system as quickly as possible.

Progent's Ransomware Restoration Support Services
After a ransomware penetration, even paying the ransom in cryptocurrency provides no assurance that the attackers will hand over the keys needed to decrypt all your data. Kaspersky determined that 17% of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The ransom itself is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000), well above the typical crypto-ransomware demand, which ZDNet puts at around $13,000. The alternative is to rebuild the key components of your Information Technology environment. Without access to complete data backups, this calls for a wide range of skills, well-coordinated team management, and the willingness to work around the clock until the recovery project is complete.

For decades, Progent has provided expert Information Technology services for businesses in Addison and across the U.S., and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants with advanced certifications in foundation technologies from Microsoft, Cisco, VMware, and popular Linux distributions. Progent's security engineers hold internationally recognized certifications including CISA, CISSP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with financial systems and ERP applications. This breadth of expertise gives Progent the skills to quickly identify critical systems, salvage the surviving pieces of your network after a ransomware event, and assemble them into a functioning whole.

Progent's recovery team uses state-of-the-art project management tools to orchestrate the complex recovery process. Progent understands the importance of working quickly and in concert with a client's management and IT staff to prioritize tasks and bring critical systems back online as soon as possible.

Case Study: A Successful Ransomware Attack Recovery
A customer engaged Progent after their network was taken over by Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean government-sponsored criminal gangs, possibly using techniques leaked from America's NSA. Ryuk targets specific businesses with limited ability to tolerate operational disruption and is among the most lucrative strains of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business headquartered in the Chicago metro area with around 500 employees. The Ryuk attack had disabled all essential business and manufacturing processes. The majority of the client's backups had been directly accessible at the time of the intrusion and were destroyed. The client was preparing to pay the ransom (exceeding $200K) and hoping for the best, but in the end called Progent.


"I can't thank you enough for the care Progent provided us throughout the most stressful period of (our) business's life. We would have had little choice but to pay the hackers behind this attack if not for the confidence the Progent experts provided us. That you could get our e-mail system and essential servers back online in less than 1 week was something I thought impossible. Each expert I interacted with or e-mailed at Progent was urgently focused on getting us restored and was working all day and night on our behalf."

Progent worked hand in hand with the client to quickly identify and prioritize the mission-critical systems that had to be restored to allow departmental functions to continue:

  • Microsoft Active Directory
  • E-Mail
  • MRP System

To begin, Progent followed incident response best practices for malware outbreaks by containing the spread and cleaning up infected systems. Progent then started the process of bringing Active Directory back online, the core of enterprise environments built on Microsoft Windows technology. Microsoft Exchange email will not work without AD, and the business's financial and MRP applications used Microsoft SQL Server, which relies on Active Directory to authenticate and authorize access to the data.

Within two days, Progent had restored Active Directory services to their pre-attack state. Progent then assisted with reinstallation and hard drive recovery of key servers. All Microsoft Exchange Server schema and configuration information was intact, which greatly simplified the Exchange rebuild. Progent was able to gather intact OST files (Outlook Offline Data Files) from staff workstations and laptops to recover mail data. A recent offline backup of the business's manufacturing software made it possible to bring these vital applications back to users. Although a great deal of work remained to fully recover from the Ryuk event, core systems were restored quickly:


"For the most part, the production operation showed little impact and we produced all customer deliverables."

Over the following couple of weeks, critical milestones in the recovery project were achieved through tight cooperation between Progent engineers and the client:

  • Self-hosted web applications were brought back up without losing any information.
  • The MailStore Exchange Server containing more than 4 million archived messages was brought on-line and available for users.
  • CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory modules were fully recovered.
  • A new Palo Alto 850 firewall was installed and configured.
  • Most of the desktops and laptops were fully operational.

"A huge amount of what went on during the initial response is mostly a blur for me, but we will not forget the care each of the team accomplished to give us our company back. I've entrusted Progent for at least 10 years, maybe more, and each time I needed help Progent has impressed me and delivered as promised. This situation was no exception but maybe more Herculean."

Conclusion
A potential business catastrophe was averted through top-tier professionals, a wide array of knowledge, and close collaboration. In hindsight, the ransomware penetration described here would have been identified and disabled with advanced security systems, ISO/IEC 27001 best practices, user and IT administrator education, well-designed incident response procedures for information protection, and systems kept current with security patches. The fact remains, however, that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware incident, you can be confident that Progent's roster of experts has proven experience in ransomware blocking, mitigation, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for allowing me to get rested after we got past the most critical parts. All of you did an amazing effort, and if any of your guys is visiting the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Addison a variety of remote monitoring and security assessment services designed to help you reduce the threat from ransomware. These services incorporate next-generation AI capabilities to detect new variants of crypto-ransomware that can evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates next generation behavior-based analysis technology to guard physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which routinely evade traditional signature-based anti-virus tools. ProSight ASM safeguards local and cloud-based resources and offers a unified platform to automate the entire malware attack lifecycle including filtering, detection, mitigation, remediation, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver ultra-affordable multi-layer protection for physical and virtual servers, desktops, mobile devices, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics to monitor and react to security threats from all vectors around the clock. ProSight ESP provides firewall protection, penetration alerts, device management, and web filtering through cutting-edge technologies packaged within a single agent managed from a single console. Progent's data protection and virtualization consultants can help you plan and implement a ProSight ESP environment that addresses your organization's unique needs and that helps you achieve and demonstrate compliance with legal and industry information protection standards. Progent will help you define and implement the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for immediate action. Progent can also help your company set up and verify a backup and disaster recovery system like ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and medium-sized businesses an affordable end-to-end solution for secure backup and disaster recovery (BDR). For a low monthly cost, ProSight DPS automates your backup processes and enables rapid recovery of vital files, applications and VMs that have become unavailable or damaged due to hardware failures, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on a local device, or mirrored to both. Progent's BDR consultants can deliver advanced expertise to set up ProSight DPS to comply with regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, when needed, can assist you in restoring your critical information. Learn more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading information security vendors to deliver web-based management and world-class protection for your inbound and outbound email. The hybrid structure of Email Guard combines a Cloud Protection Layer with an on-premises gateway device to offer advanced defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's cloud filter acts as a first barrier and keeps the vast majority of threats from ever reaching your security perimeter. This reduces your exposure to inbound attacks and conserves system bandwidth and storage space. Email Guard's onsite security gateway appliance provides a deeper layer of analysis for inbound email. For outbound email, the local gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also work with Microsoft Exchange Server to monitor and protect internal email traffic that originates and ends inside your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to map, monitor, optimize and troubleshoot their networking hardware such as routers, switches, firewalls, and load balancers, plus servers, printers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that network diagrams are always current, copies and manages the configuration information of virtually all devices on your network, tracks performance, and sends notices when issues are detected. By automating tedious management processes, WAN Watch can cut hours off ordinary tasks such as network mapping, reconfiguring your network, finding appliances that require critical updates, or isolating performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management technology to keep your IT system running at peak levels by tracking the health of the vital computers that power your information system. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your designated IT management staff and your Progent consultant so that looming issues can be resolved before they have a chance to impact your network. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure fault tolerant data center on a high-performance virtual host configured and managed by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the apps. Since the system is virtualized, it can be moved immediately to a different hardware solution without a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, retrieve and safeguard information related to your network infrastructure, processes, applications, and services. You can quickly locate passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can save as much as half of the time spent searching for vital information about your IT network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents required for managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT data. Whether you're making enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you require when you need it. Read more about Progent's ProSight IT Asset Management service.

For Addison 24x7x365 Crypto-Ransomware Cleanup Experts, reach out to Progent at 800-993-9400 or go to Contact Progent.