Crypto-Ransomware : Your Crippling Information Technology Catastrophe
Ransomware  Remediation ProfessionalsCrypto-Ransomware has become a modern cyber pandemic that poses an enterprise-level danger for businesses of all sizes unprepared for an assault. Multiple generations of ransomware such as CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for many years and continue to inflict destruction. The latest variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Nephilim, along with additional unnamed malware, not only do encryption of online information but also infect most configured system backups. Files synchronized to the cloud can also be corrupted. In a poorly architected environment, this can make any recovery hopeless and effectively knocks the datacenter back to zero.

Restoring programs and information after a ransomware event becomes a sprint against the clock as the targeted business fights to stop the spread and remove the ransomware and to resume business-critical activity. Due to the fact that ransomware takes time to replicate, assaults are often sprung during nights and weekends, when attacks are likely to take longer to detect. This multiplies the difficulty of promptly assembling and coordinating an experienced response team.

Progent provides a range of help services for protecting businesses from crypto-ransomware penetrations. These include staff training to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of next-generation security gateways with machine learning capabilities to intelligently discover and quarantine new cyber attacks. Progent also provides the assistance of veteran ransomware recovery engineers with the track record and commitment to rebuild a breached system as rapidly as possible.

Progent's Crypto-Ransomware Recovery Services
Soon after a ransomware penetration, paying the ransom demands in cryptocurrency does not guarantee that cyber hackers will respond with the keys to unencrypt any or all of your information. Kaspersky determined that seventeen percent of ransomware victims never recovered their information after having sent off the ransom, resulting in more losses. The risk is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the average ransomware demands, which ZDNET averages to be around $13,000. The fallback is to setup from scratch the key parts of your IT environment. Absent the availability of full information backups, this requires a broad complement of skill sets, professional project management, and the capability to work continuously until the task is completed.

For decades, Progent has made available expert Information Technology services for businesses in Akron and across the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have attained top certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have garnered internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent also has expertise with accounting and ERP applications. This breadth of experience gives Progent the ability to knowledgably understand critical systems and integrate the remaining pieces of your computer network system after a ransomware attack and configure them into a functioning system.

Progent's security team of experts utilizes best of breed project management tools to orchestrate the complex recovery process. Progent knows the urgency of acting swiftly and together with a client's management and IT staff to prioritize tasks and to get essential systems back online as fast as humanly possible.

Client Story: A Successful Crypto-Ransomware Attack Recovery
A business contacted Progent after their network system was taken over by the Ryuk ransomware virus. Ryuk is thought to have been launched by Northern Korean state sponsored cybercriminals, possibly adopting technology exposed from Americaís National Security Agency. Ryuk targets specific companies with little or no ability to sustain disruption and is among the most profitable instances of crypto-ransomware. Headline victims include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing business based in the Chicago metro area with around 500 workers. The Ryuk penetration had shut down all company operations and manufacturing capabilities. The majority of the client's backups had been online at the time of the intrusion and were destroyed. The client was taking steps for paying the ransom demand (exceeding $200,000) and wishfully thinking for good luck, but in the end made the decision to use Progent.


"I canít speak enough in regards to the expertise Progent gave us during the most critical period of (our) companyís life. We would have paid the hackers behind this attack except for the confidence the Progent experts afforded us. That you could get our e-mail and production applications back online in less than 1 week was incredible. Each expert I got help from or communicated with at Progent was urgently focused on getting my company operational and was working 24 by 7 to bail us out."

Progent worked hand in hand the client to quickly get our arms around and assign priority to the essential systems that needed to be restored in order to restart company functions:

  • Active Directory
  • Microsoft Exchange
  • Accounting/MRP
To begin, Progent followed ransomware event mitigation best practices by stopping the spread and cleaning up infected systems. Progent then started the process of rebuilding Microsoft AD, the foundation of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange email will not operate without Windows AD, and the client's accounting and MRP system used Microsoft SQL, which needs Active Directory services for access to the databases.

Within two days, Progent was able to re-build Active Directory services to its pre-virus state. Progent then helped perform rebuilding and storage recovery of mission critical systems. All Microsoft Exchange Server ties and configuration information were intact, which facilitated the rebuild of Exchange. Progent was able to assemble local OST data files (Outlook Email Off-Line Folder Files) on staff workstations and laptops in order to recover mail information. A recent off-line backup of the customerís financials/ERP software made it possible to return these required applications back online. Although major work needed to be completed to recover fully from the Ryuk damage, essential services were returned to operations quickly:


"For the most part, the production manufacturing operation showed little impact and we delivered all customer shipments."

Over the following few weeks critical milestones in the restoration process were completed in tight cooperation between Progent consultants and the customer:

  • In-house web applications were brought back up with no loss of information.
  • The MailStore Server exceeding four million archived emails was restored to operations and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/AR/Inventory functions were 100% functional.
  • A new Palo Alto Networks 850 firewall was set up and programmed.
  • Most of the desktop computers were functioning as before the incident.

"A lot of what went on those first few days is mostly a blur for me, but my management will not soon forget the commitment all of you accomplished to help get our company back. I have utilized Progent for the past ten years, possibly more, and each time Progent has shined and delivered. This time was a life saver."

Conclusion
A potential business catastrophe was evaded due to top-tier professionals, a broad range of knowledge, and close teamwork. Although upon completion of forensics the ransomware attack detailed here could have been stopped with modern security systems and security best practices, team education, and well designed security procedures for information backup and keeping systems up to date with security patches, the reality is that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do fall victim to a ransomware penetration, feel confident that Progent's roster of professionals has a proven track record in ransomware virus blocking, mitigation, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were contributing), thank you for making it so I could get some sleep after we got over the initial push. All of you did an amazing effort, and if any of your team is visiting the Chicago area, a great meal is my treat!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Akron a variety of remote monitoring and security evaluation services to assist you to minimize the threat from crypto-ransomware. These services incorporate next-generation machine learning capability to detect new variants of ransomware that can escape detection by legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes cutting edge behavior analysis technology to defend physical and virtual endpoint devices against new malware assaults like ransomware and file-less exploits, which easily get by traditional signature-based AV tools. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a unified platform to manage the complete threat lifecycle including blocking, detection, containment, remediation, and forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection services deliver economical in-depth protection for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and responding to security assaults from all attack vectors. ProSight ESP offers firewall protection, penetration alerts, device control, and web filtering through cutting-edge tools packaged within a single agent managed from a unified console. Progent's data protection and virtualization experts can help your business to design and implement a ProSight ESP environment that addresses your company's specific needs and that helps you demonstrate compliance with government and industry data protection regulations. Progent will help you specify and implement policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that require urgent action. Progent can also assist you to install and test a backup and disaster recovery solution like ProSight Data Protection Services so you can recover rapidly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and mid-sized organizations an affordable end-to-end solution for secure backup/disaster recovery (BDR). For a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup processes and allows fast recovery of critical data, applications and VMs that have become unavailable or corrupted as a result of component failures, software bugs, natural disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to an on-promises device, or mirrored to both. Progent's BDR consultants can provide advanced support to set up ProSight DPS to to comply with regulatory standards such as HIPAA, FIRPA, PCI and Safe Harbor and, whenever needed, can assist you to restore your business-critical data. Read more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading data security vendors to deliver web-based control and comprehensive security for your inbound and outbound email. The hybrid structure of Email Guard combines cloud-based filtering with an on-premises gateway appliance to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer serves as a first line of defense and keeps the vast majority of unwanted email from making it to your security perimeter. This reduces your exposure to inbound attacks and conserves system bandwidth and storage. Email Guard's on-premises security gateway appliance provides a further layer of inspection for inbound email. For outgoing email, the onsite security gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to monitor and protect internal email that originates and ends within your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to map, track, reconfigure and debug their connectivity appliances such as switches, firewalls, and load balancers as well as servers, endpoints and other networked devices. Incorporating state-of-the-art RMM technology, WAN Watch ensures that infrastructure topology maps are kept updated, copies and manages the configuration of virtually all devices on your network, tracks performance, and sends notices when potential issues are discovered. By automating time-consuming management processes, ProSight WAN Watch can knock hours off common tasks such as network mapping, expanding your network, finding appliances that require critical software patches, or resolving performance issues. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your network running at peak levels by tracking the health of critical computers that power your business network. When ProSight LAN Watch detects a problem, an alarm is sent immediately to your specified IT management staff and your assigned Progent consultant so that any potential problems can be resolved before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure Tier III data center on a fast virtual host configured and maintained by Progent's network support experts. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the applications. Since the environment is virtualized, it can be ported immediately to a different hosting solution without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and safeguard data related to your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSLs or domains. By cleaning up and managing your IT infrastructure documentation, you can save up to 50% of time spent trying to find critical information about your network. ProSight IT Asset Management includes a common repository for holding and sharing all documents related to managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether youíre planning enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need when you need it. Learn more about ProSight IT Asset Management service.
For 24-7 Akron Crypto Recovery Consultants, contact Progent at 800-993-9400 or go to Contact Progent.