Crypto-Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become a too-frequent cyber pandemic that represents an extinction-level danger for organizations poorly prepared for an assault. Multiple generations of crypto-ransomware such as the Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for many years and continue to cause damage. Modern strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Egregor, as well as newer, as yet unnamed malware, not only encrypt on-line files but also attack any configured system protection, such as shadow copies and on-line backups. Data synchronized to the cloud can also be encrypted. In a vulnerable system, this can make automatic restore operations useless and effectively sets the datacenter back to square one.

Getting on-line services and information back following a ransomware intrusion becomes a race against the clock as the targeted organization struggles to stop lateral movement, eradicate the ransomware, and restore enterprise-critical operations. Since ransomware takes time to replicate, attacks are often launched during nights and weekends, when they typically take longer to uncover. This compounds the difficulty of promptly assembling and orchestrating a knowledgeable response team.

Progent has a variety of support services for protecting enterprises from crypto-ransomware penetrations. Among these are user training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of next-generation security gateways with machine learning technology to rapidly identify and extinguish zero-day cyber threats. Progent can also provide the assistance of expert ransomware recovery professionals with the track record and perseverance to reconstruct a compromised system as urgently as possible.

Progent's Ransomware Recovery Help
Following a ransomware event, paying the ransom demand in Bitcoin cryptocurrency does not guarantee that the attackers will respond with the keys needed to decipher any or all of your files. Kaspersky Labs estimated that 17% of crypto-ransomware victims never restored their information after having sent off the ransom, resulting in additional losses. Paying is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNET estimates to be in the range of $13,000. The other path is to re-install the vital parts of your IT environment. Absent full system backups, this requires a wide range of skill sets, professional project management, and the capability to work 24x7 until the job is completed.

For twenty years, Progent has made available certified expert IT services for companies in Baltimore and throughout the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have earned top certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have earned internationally-renowned certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise with financial management and ERP application software. This breadth of experience gives Progent the ability to quickly understand the systems that matter, re-organize the remaining parts of your network environment following a ransomware attack, and configure them into an operational system.

Progent's security team deploys top-notch project management applications to orchestrate the complicated recovery process. Progent knows the urgency of working swiftly and in concert with a customer's management and IT staff to assign priority to tasks and to put essential applications back on line as soon as possible.

Client Story: A Successful Ransomware Intrusion Restoration
A business contacted Progent after their network was brought down by the Ryuk ransomware. Ryuk is believed to have been launched by North Korean state-sponsored cybercriminals, suspected of using technology leaked from America's NSA. Ryuk goes after specific businesses with limited ability to sustain operational disruption and is among the most lucrative instances of ransomware malware. Well-known targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing business based in Chicago with about 500 staff members. The Ryuk event had brought down all essential operations and manufacturing capabilities. The majority of the client's system backups had been on-line at the beginning of the intrusion and were eventually encrypted. The client was taking steps to pay the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but in the end brought in Progent.


"I cannot thank you enough in regards to the support Progent gave us during the most critical period of (our) company's life. We may have had to pay the cyber criminals behind the attack if it wasn't for the confidence the Progent group gave us. The fact that you were able to get our e-mail system and production applications back on-line quicker than a week was incredible. Every single person I worked with or communicated with at Progent was hell bent on getting our company operational and was working day and night on our behalf."

Progent worked together with the client to rapidly understand and prioritize the critical elements that had to be recovered in order to continue business operations:

  • Active Directory
  • E-Mail
  • MRP System

To start, Progent followed incident response best practices for AV/malware events by halting lateral movement and cleaning up infected systems. Progent then initiated the process of restoring Microsoft AD, the heart of enterprise systems built upon Microsoft technology. Microsoft Exchange Server messaging will not function without Active Directory, and the customer's accounting and MRP system used Microsoft SQL Server, which requires Active Directory services for authentication to the database.

In less than 48 hours, Progent was able to recover Active Directory to its pre-penetration state. Progent then rebuilt the most important servers and recovered their hard drives. All Exchange Server connections and configuration information were intact, which facilitated the restore of Exchange. Progent was also able to assemble local OST data files (Microsoft Outlook Offline Folder Files) from various workstations in order to recover mail data. A recent offline backup of the business's accounting/MRP software made it possible to return these vital applications to users. Although major work remained to recover fully from the Ryuk attack, core services were restored rapidly:


"For the most part, the production operation showed little impact and we did not miss any customer orders."

Over the next month important milestones in the restoration project were accomplished through tight collaboration between Progent team members and the client:

  • Internal web sites were brought back up without losing any information.
  • The MailStore Server, holding more than 4 million historical emails, was brought online and made accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable/AR/Inventory Control modules were fully recovered.
  • A new Palo Alto Networks 850 security appliance was set up.
  • 90% of the desktops and laptops were fully operational.

"A huge amount of what transpired those first few days is mostly a blur for me, but I will not soon forget the countless hours each and every one of the team put in to help get our company back. I have entrusted Progent for at least 10 years, maybe more, and every time Progent has impressed me and delivered as promised. This situation was no exception but maybe more Herculean."

Conclusion
A potential business-ending disaster was averted through the efforts of top-tier experts, a wide spectrum of subject matter expertise, and close teamwork. In hindsight, the crypto-ransomware incident described here could have been identified and stopped with modern cyber security technology, ISO/IEC 27001 best practices, user education, and well thought out security procedures for information protection and patching controls. The fact remains, however, that government-sponsored cybercriminals from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do get hit by a crypto-ransomware penetration, feel confident that Progent's team of experts has proven experience in ransomware blocking, removal, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were involved), thanks very much for making it so I could get rested after we got over the first week. Everyone made a fabulous effort, and if any of your team is around the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this ransomware incident report, see Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Baltimore a variety of online monitoring and security evaluation services to help you minimize the threat from ransomware. These services incorporate modern machine learning technology to detect zero-day strains of crypto-ransomware that can get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes next-generation behavior-based machine learning tools to defend physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which easily evade legacy signature-based anti-virus tools. ProSight ASM safeguards local and cloud resources and provides a single platform to address the entire threat progression including protection, identification, containment, remediation, and forensics. Key features include single-click rollback with Windows VSS and real-time system-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer ultra-affordable in-depth protection for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and responding to cyber assaults from all attack vectors. ProSight ESP delivers firewall protection, penetration alerts, device control, and web filtering via leading-edge tools packaged within one agent accessible from a single console. Progent's security and virtualization experts can help your business plan and implement a ProSight ESP environment that addresses your company's specific requirements and that allows you to demonstrate compliance with legal and industry data protection regulations. Progent will help you define and configure the policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that call for urgent attention. Progent's consultants can also assist you to install and verify a backup and disaster recovery system like ProSight Data Protection Services so you can recover quickly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has partnered with leading backup software companies to create ProSight Data Protection Services (DPS), a selection of management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS products automate and monitor your data backup operations and allow transparent backup and rapid restoration of important files/folders, apps, images, plus Hyper-V and VMware virtual machines. ProSight DPS helps your business protect against data loss resulting from hardware breakdown, natural disasters, fire, malware like ransomware, human mistakes, ill-intentioned employees, or software glitches. Managed services in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can assist you to identify which of these fully managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading information security companies to provide centralized management and comprehensive protection for your inbound and outbound email. The hybrid architecture of Email Guard combines cloud-based filtering with an on-premises gateway appliance to offer advanced protection against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based threats. Email Guard's cloud filter acts as a first line of defense and keeps the vast majority of unwanted email from reaching your security perimeter. This decreases your exposure to external attacks and conserves system bandwidth and storage. Email Guard's on-premises gateway appliance provides a further layer of inspection for incoming email. For outgoing email, the local security gateway offers AV and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also assist Exchange Server to track and safeguard internal email that stays within your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for smaller businesses to diagram, monitor, reconfigure and troubleshoot their connectivity hardware such as routers, firewalls, and wireless controllers as well as servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are kept current, copies and displays the configuration of almost all devices connected to your network, tracks performance, and generates alerts when issues are detected. By automating time-consuming management processes, WAN Watch can knock hours off common tasks like making network diagrams, reconfiguring your network, finding devices that require critical updates, or isolating performance issues. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to keep your network operating efficiently by checking the health of the vital computers that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is transmitted immediately to your designated IT management personnel and your Progent engineering consultant so any looming problems can be resolved before they can disrupt productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a protected fault-tolerant data center on a fast virtual machine host set up and managed by Progent's network support professionals. With the ProSight Virtual Hosting model, the customer owns the data, the OS software, and the apps. Since the system is virtualized, it can be ported immediately to an alternate hardware environment without requiring a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and protect information about your IT infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or warranties. By updating and managing your IT infrastructure documentation, you can eliminate up to half the time spent trying to find vital information about your IT network. ProSight IT Asset Management features a common repository for holding and sharing all documents related to managing your business network such as standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're making enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

For Baltimore 24x7 CryptoLocker Remediation Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.