Crypto-Ransomware: Your Crippling Information Technology Nightmare
Ransomware has become an escalating cyber plague that poses an existential danger to businesses of all sizes. Crypto-ransomware families such as Reveton, WannaCry, Bad Rabbit, SamSam and MongoLock have been around for years and continue to inflict damage. Newer variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nefilim, along with a steady stream of as-yet-unnamed newcomers, not only encrypt files that are online but also seek out and disable the backup and system-protection mechanisms that would otherwise allow recovery. Data replicated to off-site disaster recovery sites can be encrypted as well. Against a poorly designed data protection solution, this leaves automated restores hopeless and knocks the network back to square one.

Getting applications and data back online after a crypto-ransomware outage is a race against the clock: the victim must stop lateral movement and eradicate the ransomware while also restoring business-critical operations. Because encrypting an entire network takes time, attacks are often launched on weekends and at night, when they take longer to notice. This compounds the difficulty of promptly assembling and coordinating a knowledgeable response team.

Progent offers a range of services for protecting organizations from ransomware attacks. These include staff training to help employees recognize and avoid phishing attacks, ProSight Active Security Monitoring (ASM) for behavior-based endpoint protection, and deployment of the latest generation of security solutions with AI capabilities to rapidly detect and disable new attacks. Progent also offers the services of expert ransomware recovery consultants with the track record and perseverance to rebuild a compromised environment as rapidly as possible.

Progent's Ransomware Restoration Services
After a crypto-ransomware attack, paying the ransom demand in cryptocurrency does not ensure that the remote criminals will supply working decryption keys for any or all of your data. Kaspersky Lab estimated that 17% of crypto-ransomware victims never recovered their files after paying the ransom, compounding their losses. Paying is also expensive: Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the average ransomware demand, which ZDNet put at about $13,000. The alternative is to rebuild the vital parts of your IT environment. Without full, uncompromised backups, this calls for a wide range of IT skills, well-coordinated project management, and the ability to work non-stop until the job is done.

For two decades, Progent has provided professional IT services to businesses in Addison and throughout the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who hold high-level industry certifications in key technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's security consultants hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC and GIAC. (See Progent's certifications.) Progent also has experience with accounting and ERP applications. This breadth of expertise lets Progent quickly understand the important systems, take stock of what remains of your IT environment after a crypto-ransomware event, and reassemble the pieces into a working network.

Progent's security team uses best-of-breed project management tools to orchestrate the complex recovery process. Progent understands the urgency of working swiftly and in concert with a customer's management and IT staff to prioritize tasks and put key applications back online as soon as humanly possible.

Client Case Study: A Successful Crypto-Ransomware Virus Recovery
A manufacturing company engaged Progent after its network was taken over by the Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it is derived from the earlier Hermes ransomware; later analysis attributed it to a Russian-speaking criminal group. Ryuk targets specific organizations that have little or no ability to tolerate operational disruption and is among the most profitable ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturer in the Chicago metro area with about 500 employees. The Ryuk attack had frozen all essential business and manufacturing processes. Most of the client's backups were online, reachable from the network, at the time of the intrusion, and were eventually encrypted. The client was actively seeking loans to pay the ransom demand (more than $200,000) and hoping for the best, but in the end engaged Progent.


"I can't speak enough in regards to the care Progent provided us throughout the most fearful period of (our) company's survival. We may have had to pay the cybercriminals if not for the confidence the Progent experts provided us. That you were able to get our messaging and important applications back online in less than five days was beyond my wildest dreams. Each expert I interacted with or messaged at Progent was absolutely committed to getting our system up and was working non-stop to bail us out."

Progent worked with the customer to rapidly determine and prioritize the key systems that needed to be restored in order to restart departmental functions:

  • Active Directory (AD)
  • Electronic Mail
  • MRP System
To begin, Progent followed incident-response best practices by isolating affected systems to stop lateral movement and cleaning up infected hosts. Progent then began recovering Microsoft Active Directory, the foundation of networks built on Windows Server. Exchange email will not work without AD, and the customer's accounting and MRP applications used Microsoft SQL Server, which relied on AD for authentication and authorization to the databases.

In less than two days, Progent restored Active Directory to its pre-attack state. Progent then began rebuilding critical servers and recovering their disks. All Exchange data and attributes were intact, which greatly simplified the Exchange rebuild. Progent was also able to collect intact OST files (Outlook Offline Data Files) from various workstations to recover mailbox contents. A reasonably recent offline backup of the client's financial/ERP systems made it possible to bring those essential services back online. Although much work remained to recover fully from the Ryuk attack, critical services were restored quickly:
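The two facts that decided this recovery are that the online backups were encrypted along with everything else and that a reasonably recent offline copy was not. Before restoring from any surviving copy, a responder should verify that it is actually intact. The script below is an added example, not Progent's tooling or anything from the case study: it walks a backup tree, treats a file as encrypted when its name is a known ransom note, when it has an unexpected extension and near-random content, or when it keeps an expected extension but no longer starts with that format's signature, and refuses the set for restore if anything is flagged. The expected-extension list, the signature table, the entropy threshold and the constructed sample files (including the Ryuk-style .RYK suffix and RyukReadMe.txt note) are assumptions made for the demonstration.

```python
"""Check a backup set for ransomware-encrypted files before trusting it for restore.

Added example (not Progent's code). Sample data is constructed in a temp directory.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# --- Assumptions for this example (not from the case study) -------------------
# File types the backup set is expected to contain.
EXPECTED_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".bak", ".vhdx", ".pst", ".ost"}
# Leading bytes of intact files for types with a stable signature.
# Types without one (.txt, .bak) fall back to the entropy test.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pdf": b"%PDF",
    ".pst": b"!BDN", ".ost": b"!BDN", ".vhdx": b"vhdxfile",
}
# Ryuk drops RyukReadMe.txt/.html beside encrypted files; extend for other families.
RANSOM_NOTE_NAMES = {"ryukreadme.txt", "ryukreadme.html"}
ENTROPY_THRESHOLD = 7.5   # bits/byte: encrypted data is close to 8.0, English text 4-5
SAMPLE_BYTES = 4096       # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> str:
    """Return 'ok', 'encrypted', 'ransom_note' or 'unexpected' for one file."""
    if path.name.lower() in RANSOM_NOTE_NAMES:
        return "ransom_note"
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    ext = path.suffix.lower()
    high_entropy = shannon_entropy(head) >= ENTROPY_THRESHOLD
    if ext not in EXPECTED_EXTENSIONS:
        # e.g. contracts.xlsx.RYK: encrypted and renamed
        return "encrypted" if high_entropy else "unexpected"
    magic = MAGIC.get(ext)
    if magic is not None:
        # catches files whose name survived but whose content was overwritten
        return "ok" if head.startswith(magic) else "encrypted"
    return "encrypted" if high_entropy else "ok"


def scan_backup(root: Path) -> dict:
    """Walk a backup tree and group relative POSIX paths by classification."""
    report = {"ok": [], "encrypted": [], "ransom_note": [], "unexpected": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        report[classify_file(path)].append(path.relative_to(root).as_posix())
    return report


def backup_is_restorable(report: dict) -> bool:
    """Any encrypted file or ransom note means the set must not be used as-is."""
    return not report["encrypted"] and not report["ransom_note"]


def build_sample_backup(root: Path) -> None:
    """Constructed sample: three clean files, two encrypted ones, one ransom note."""
    (root / "finance").mkdir(parents=True)
    (root / "finance" / "notes.txt").write_text("Q3 budget notes\n" * 40)
    (root / "finance" / "forecast.docx").write_bytes(b"PK\x03\x04" + b"word/document.xml" * 20)
    (root / "finance" / "ledger.pst").write_bytes(b"!BDN" + b"\x00" * 200)
    # encrypted then renamed (Ryuk-style .RYK suffix)
    (root / "finance" / "contracts.xlsx.RYK").write_bytes(os.urandom(SAMPLE_BYTES))
    # encrypted in place, name untouched
    (root / "finance" / "payroll.txt").write_bytes(os.urandom(SAMPLE_BYTES))
    (root / "finance" / "RyukReadMe.txt").write_text("Your files are encrypted.\n")


def demo() -> dict:
    """Build the constructed sample set, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_backup(root)
        report = scan_backup(root)
    report["restorable"] = backup_is_restorable(report)
    return report


if __name__ == "__main__":
    for category, value in demo().items():
        print(f"{category}: {value}")
```

Run against a real copy, point `scan_backup` at the mounted backup volume and restore only when `backup_is_restorable` is true; a set with even one encrypted file should be treated as compromised, since the same process that encrypted it may have altered others that the heuristics miss. Compressed formats are handled by signature rather than entropy precisely because a healthy .docx or .pdf looks as random as ciphertext in its body.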


"For the most part, the production line operation did not miss a beat and we delivered all customer shipments."

Over the next couple of weeks, critical milestones in the recovery project were reached in close collaboration between Progent's team and the customer:

  • Internal web applications were restored with no loss of information.
  • The MailStore email archive for Microsoft Exchange Server, holding more than 4 million historical emails, was brought online and made accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control functions were 100% restored.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • 90% of the desktop computers were back into operation.

"Much of what transpired in the early hours is nearly entirely a blur for me, but I will not soon forget the commitment all of your team put in to give us our company back. I have utilized Progent for the past ten years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This time was a life saver."

Conclusion
A potentially business-killing catastrophe was averted through the efforts of results-oriented professionals, a broad spectrum of expertise, and tight collaboration. In hindsight, the crypto-ransomware incident described here could have been blocked with up-to-date security systems, recognized best practices, user education, and well-thought-out procedures for data protection and security patching. The fact remains, however, that criminal groups operating from Russia, North Korea and elsewhere, some of them state-sponsored, are tireless and will keep attacking. If you are hit by crypto-ransomware, you can be confident that Progent's roster of experts has a proven track record in crypto-ransomware blocking, removal, and data recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thank you for allowing me to get rested after we made it over the most critical parts. Everyone did an impressive effort, and if any of your guys is in the Chicago area, dinner is my treat!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Addison a variety of remote monitoring and security evaluation services to assist you to minimize your vulnerability to ransomware. These services incorporate next-generation artificial intelligence technology to detect zero-day variants of crypto-ransomware that can escape detection by legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes next generation behavior-based machine learning technology to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which easily escape traditional signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud resources and provides a unified platform to manage the entire threat lifecycle including filtering, infiltration detection, containment, cleanup, and forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services offer affordable in-depth security for physical and virtual servers, workstations, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and responding to security assaults from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge technologies incorporated within one agent accessible from a single console. Progent's security and virtualization experts can assist your business to plan and configure a ProSight ESP deployment that meets your organization's specific requirements and that helps you demonstrate compliance with government and industry information security regulations. Progent will help you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for immediate action. Progent can also help your company to set up and test a backup and disaster recovery system like ProSight Data Protection Services so you can recover rapidly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and medium-sized businesses an affordable and fully managed service for reliable backup/disaster recovery. Available at a fixed monthly cost, ProSight DPS automates and monitors your backup activities and enables fast recovery of critical files, apps and virtual machines that have become unavailable or damaged due to component failures, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware images. Important data can be backed up on the cloud, to a local storage device, or mirrored to both. Progent's cloud backup consultants can provide world-class support to set up ProSight Data Protection Services to be compliant with government and industry regulatory requirements such as HIPAA, FINRA, and PCI and, when necessary, can help you to recover your business-critical information. Find out more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading information security vendors to deliver centralized management and world-class security for your email traffic. The powerful architecture of Email Guard combines a Cloud Protection Layer with a local security gateway device to offer advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne malware. The cloud filter serves as a first line of defense and blocks most threats from reaching your network firewall. This reduces your vulnerability to external threats and saves system bandwidth and storage. Email Guard's on-premises gateway appliance adds a further level of analysis for inbound email. For outbound email, the local gateway provides AV and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email traffic that stays within your corporate firewall. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to diagram, monitor, reconfigure and troubleshoot their connectivity hardware such as switches, firewalls, and access points plus servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that network maps are always updated, copies and manages the configuration of almost all devices connected to your network, tracks performance, and generates alerts when problems are discovered. By automating complex management and troubleshooting activities, ProSight WAN Watch can knock hours off ordinary tasks such as network mapping, reconfiguring your network, locating appliances that require critical updates, or isolating performance problems. Learn more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management technology to keep your IT system running at peak levels by tracking the health of vital computers that drive your information system. When ProSight LAN Watch detects an issue, an alert is sent automatically to your specified IT management personnel and your Progent consultant so that all looming issues can be addressed before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the apps. Since the system is virtualized, it can be moved easily to a different hosting solution without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and safeguard information related to your IT infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be warned about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your IT documentation, you can save as much as 50% of time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents required for managing your business network like recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're planning improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Find out more about ProSight IT Asset Management service.
For 24x7x365 Addison Ransomware Recovery Help, reach out to Progent at 800-462-8800 or go to Contact Progent.