Crypto-Ransomware : Your Crippling Information Technology Nightmare
Ransomware  Recovery ConsultantsRansomware has become a modern cyber pandemic that presents an existential threat for organizations poorly prepared for an assault. Versions of ransomware like the Dharma, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for years and still cause havoc. Modern variants of ransomware like Ryuk and Hermes, along with more unnamed malware, not only encrypt on-line critical data but also infect any configured system restores and backups. Information synched to the cloud can also be encrypted. In a poorly designed environment, this can make automated restoration useless and effectively sets the network back to square one.

Getting back online applications and data after a ransomware intrusion becomes a sprint against the clock as the targeted organization fights to stop the spread and eradicate the crypto-ransomware and to restore enterprise-critical activity. Due to the fact that ransomware needs time to move laterally, assaults are often sprung at night, when successful penetrations may take more time to uncover. This compounds the difficulty of rapidly marshalling and coordinating a capable mitigation team.

Progent makes available an assortment of help services for protecting businesses from ransomware events. Among these are team education to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of next-generation security gateways with machine learning capabilities to intelligently identify and quarantine day-zero cyber attacks. Progent also offers the services of seasoned ransomware recovery professionals with the track record and commitment to restore a compromised environment as rapidly as possible.

Progent's Ransomware Recovery Help
Soon after a ransomware penetration, sending the ransom in Bitcoin cryptocurrency does not provide any assurance that cyber criminals will respond with the keys to decipher any or all of your files. Kaspersky determined that 17% of ransomware victims never recovered their data after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is well above the average crypto-ransomware demands, which ZDNET determined to be approximately $13,000. The fallback is to re-install the key components of your Information Technology environment. Absent the availability of essential system backups, this calls for a broad range of skill sets, well-coordinated project management, and the capability to work 24x7 until the job is complete.

For decades, Progent has provided expert IT services for businesses in Anchorage and throughout the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have attained high-level certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have garnered internationally-renowned industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of expertise gives Progent the ability to rapidly identify necessary systems and integrate the remaining parts of your Information Technology environment following a ransomware event and assemble them into a functioning system.

Progent's recovery team of experts has powerful project management tools to orchestrate the complex restoration process. Progent knows the importance of working quickly and together with a customerís management and Information Technology resources to prioritize tasks and to put critical applications back online as soon as humanly possible.

Case Study: A Successful Ransomware Intrusion Recovery
A small business engaged Progent after their network system was brought down by Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean government sponsored hackers, suspected of adopting techniques exposed from Americaís NSA organization. Ryuk goes after specific companies with little room for disruption and is one of the most profitable instances of crypto-ransomware. Major organizations include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing business based in Chicago and has around 500 staff members. The Ryuk attack had shut down all business operations and manufacturing capabilities. The majority of the client's backups had been online at the beginning of the attack and were destroyed. The client was evaluating paying the ransom (exceeding $200,000) and wishfully thinking for good luck, but ultimately brought in Progent.


"I canít speak enough in regards to the care Progent provided us throughout the most fearful time of (our) companyís existence. We may have had to pay the Hackers if not for the confidence the Progent team gave us. That you were able to get our messaging and important servers back online faster than seven days was incredible. Each person I got help from or communicated with at Progent was urgently focused on getting us back on-line and was working 24 by 7 on our behalf."

Progent worked hand in hand the customer to rapidly assess and prioritize the critical systems that needed to be recovered in order to resume departmental functions:

  • Windows Active Directory
  • Electronic Messaging
  • MRP System
To begin, Progent followed ransomware penetration mitigation best practices by stopping lateral movement and performing virus removal steps. Progent then started the task of bringing back online Microsoft AD, the heart of enterprise environments built upon Microsoft Windows Server technology. Microsoft Exchange messaging will not operate without AD, and the businessesí financials and MRP system leveraged SQL Server, which depends on Active Directory for authentication to the data.

In less than 2 days, Progent was able to restore Active Directory to its pre-intrusion state. Progent then completed rebuilding and hard drive recovery of the most important systems. All Exchange schema and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was also able to collect non-encrypted OST files (Outlook Off-Line Folder Files) on staff workstations and laptops in order to recover mail data. A recent off-line backup of the customerís accounting/ERP systems made them able to restore these required services back online. Although major work still had to be done to recover completely from the Ryuk damage, core services were restored quickly:


"For the most part, the assembly line operation was never shut down and we produced all customer orders."

Over the next couple of weeks critical milestones in the restoration process were completed through close collaboration between Progent engineers and the client:

  • In-house web applications were restored without losing any information.
  • The MailStore Microsoft Exchange Server exceeding 4 million archived messages was restored to operations and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory capabilities were 100 percent operational.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • 90% of the desktops and laptops were functioning as before the incident.

"So much of what was accomplished those first few days is mostly a fog for me, but I will not soon forget the care each of you put in to give us our company back. I have entrusted Progent for the past 10 years, maybe more, and every time Progent has outperformed my expectations and delivered as promised. This situation was a Herculean accomplishment."

Conclusion
A possible business-ending disaster was averted with top-tier experts, a wide range of knowledge, and tight teamwork. Although in hindsight the ransomware virus attack detailed here should have been identified and blocked with current security technology and security best practices, staff education, and well thought out security procedures for data protection and applying software patches, the fact is that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware attack, feel confident that Progent's team of professionals has substantial experience in ransomware virus blocking, mitigation, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were involved), thanks very much for making it so I could get rested after we got through the most critical parts. Everyone did an incredible effort, and if anyone is around the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Anchorage a portfolio of online monitoring and security evaluation services designed to help you to minimize the threat from ransomware. These services incorporate modern AI capability to detect new variants of crypto-ransomware that can escape detection by legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes cutting edge behavior-based analysis technology to guard physical and virtual endpoint devices against new malware assaults like ransomware and email phishing, which routinely escape legacy signature-matching AV products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and offers a single platform to address the complete malware attack progression including blocking, infiltration detection, mitigation, cleanup, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services offer ultra-affordable in-depth protection for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and reacting to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, penetration alerts, device management, and web filtering via leading-edge tools incorporated within a single agent managed from a unified control. Progent's data protection and virtualization consultants can help you to design and configure a ProSight ESP environment that addresses your organization's specific requirements and that helps you demonstrate compliance with government and industry information protection standards. Progent will assist you define and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that require urgent attention. Progent's consultants can also help your company to set up and verify a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations an affordable end-to-end service for secure backup/disaster recovery (BDR). Available at a fixed monthly price, ProSight Data Protection Services automates and monitors your backup processes and enables fast recovery of vital data, apps and VMs that have become lost or damaged as a result of hardware breakdowns, software glitches, disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware images/. Important data can be backed up on the cloud, to a local storage device, or to both. Progent's backup and recovery consultants can deliver world-class support to set up ProSight Data Protection Services to to comply with regulatory requirements like HIPAA, FIRPA, PCI and Safe Harbor and, when necessary, can help you to recover your business-critical data. Learn more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading data security vendors to deliver web-based management and world-class protection for all your email traffic. The hybrid architecture of Progent's Email Guard managed service combines cloud-based filtering with a local gateway device to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne malware. The cloud filter serves as a preliminary barricade and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your exposure to inbound attacks and saves system bandwidth and storage. Email Guard's onsite security gateway appliance provides a deeper layer of inspection for incoming email. For outbound email, the local security gateway offers AV and anti-spam protection, DLP, and email encryption. The onsite security gateway can also help Exchange Server to track and protect internal email traffic that originates and ends inside your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for smaller businesses to diagram, track, reconfigure and troubleshoot their networking hardware such as routers, firewalls, and wireless controllers plus servers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always updated, copies and displays the configuration information of almost all devices on your network, tracks performance, and generates notices when problems are discovered. By automating complex management activities, WAN Watch can cut hours off ordinary tasks such as network mapping, reconfiguring your network, finding devices that require important updates, or isolating performance problems. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your network running efficiently by checking the state of vital assets that drive your information system. When ProSight LAN Watch detects a problem, an alarm is sent immediately to your specified IT management personnel and your Progent consultant so any potential problems can be resolved before they have a chance to impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a protected fault tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support experts. With the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the applications. Since the system is virtualized, it can be moved easily to a different hardware environment without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, find and protect data related to your network infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be alerted about impending expirations of SSLs or warranties. By updating and managing your IT documentation, you can save as much as 50% of time thrown away searching for vital information about your network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents related to managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT information. Whether youíre making enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Read more about ProSight IT Asset Management service.
For 24-Hour Anchorage Ransomware Cleanup Consultants, call Progent at 800-993-9400 or go to Contact Progent.