Crypto-Ransomware : Your Feared Information Technology Nightmare
Ransomware has become a modern cyber pandemic that poses an existential danger to businesses poorly prepared for an attack. Crypto-ransomware families such as Dharma, Fusob, Locky, NotPetya and MongoLock have been in the wild for years and continue to inflict damage. Newer variants such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, along with many unnamed strains, not only encrypt online data but also hunt down and destroy any reachable restore points and backups, typically by deleting Volume Shadow Copies and disabling Windows recovery options before the encryption run begins. Data synchronized to cloud environments can be rendered useless as well, because the encrypted files simply replicate upward. In a poorly designed data protection solution this makes automated restoration impossible and effectively knocks the network back to zero.
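The backup-destruction step described above is a reliable early warning: families such as Ryuk run a short, recognizable sequence of commands (deleting shadow copies, wiping the Windows Backup catalog, disabling the recovery environment) immediately before encryption. The following detector is an added example written for this page, not Progent's code or part of the case study. It runs over constructed, Sysmon-style process-creation records (the `host=... user=... cmd="..."` line format is assumed for the example) and flags those commands, then rates each host by how many distinct tampering actions it issued.

```python
"""Flag process-creation events that destroy Windows recovery points.

Added example, not Progent's code. The log lines below are constructed,
Sysmon-style records (Event ID 1, process creation); the field layout is an
assumption made for this example, not a real product format.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    user: str
    command: str
    reason: str


# (regex over the lowercased command line, human-readable reason).
# Only well-documented pre-encryption commands are listed here.
TAMPER_PATTERNS = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"),
     "VSS shadow copies deleted"),
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b"),
     "VSS shadow storage resized (evicts existing shadows)"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
     "shadow copies deleted via WMI"),
    (re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b"),
     "Windows Backup catalog or system state backup deleted"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b"),
     "Windows Recovery Environment disabled"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
     "boot failure recovery suppressed"),
]

# Assumed record layout for the constructed sample: host=, user=, cmd="...".
LINE_RE = re.compile(r'host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$')

# Constructed sample log: a Saturday-night burst on one finance workstation
# followed by benign admin activity the next morning.
SAMPLE_LOG = """
2019-12-14T02:13:05Z EventID=1 host=FIN-WS-07 user=CORP\\svc_backup cmd="vssadmin.exe Delete Shadows /All /Quiet"
2019-12-14T02:13:06Z EventID=1 host=FIN-WS-07 user=CORP\\svc_backup cmd="wmic.exe shadowcopy delete"
2019-12-14T02:13:07Z EventID=1 host=FIN-WS-07 user=CORP\\svc_backup cmd="bcdedit.exe /set {default} recoveryenabled No"
2019-12-14T02:13:08Z EventID=1 host=FIN-WS-07 user=CORP\\svc_backup cmd="wbadmin.exe delete catalog -quiet"
2019-12-14T09:00:00Z EventID=1 host=IT-ADMIN-01 user=CORP\\jsmith cmd="vssadmin.exe list shadows"
2019-12-14T09:00:01Z EventID=1 host=IT-ADMIN-01 user=CORP\\jsmith cmd="notepad.exe C:\\Users\\jsmith\\notes.txt"
""".strip().splitlines()


def parse_line(line):
    """Return (host, user, command) or None for lines that do not fit the layout."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("host"), m.group("user"), m.group("cmd")


def detect(lines):
    """Return one Finding per line whose command matches a tampering pattern.

    Listing shadows ('vssadmin list shadows') is legitimate admin work and is
    deliberately not matched; only destructive verbs are."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, user, cmd = parsed
        lowered = cmd.lower()
        for pattern, reason in TAMPER_PATTERNS:
            if pattern.search(lowered):
                findings.append(Finding(host, user, cmd, reason))
                break
    return findings


def triage(findings, threshold=2):
    """Rate each host: several distinct tampering actions from one host means
    the encryption run is about to start, so isolate it first."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.reason)
    return {host: ("high" if len(reasons) >= threshold else "medium")
            for host, reasons in by_host.items()}


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for f in hits:
        print(f"{f.host} {f.user}: {f.reason} <- {f.command}")
    print(triage(hits))
```

In a real deployment the same patterns would be applied to Sysmon Event ID 1 or Windows Security 4688 records as they arrive, and a "high" host would trigger automatic network isolation rather than a printout; the point of the example is that the commands are few, fixed and easy to match, so there is no excuse for a backup being deleted silently.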

Getting applications and data back online after a crypto-ransomware attack becomes a sprint against the clock as the targeted organization fights to contain the damage, eradicate the ransomware and resume business-critical operations. Because the operators need time to move laterally and stage the attack, the encryption phase is usually triggered at night or on weekends, when intrusions take longer to notice. This compounds the difficulty of rapidly marshalling and coordinating a knowledgeable mitigation team.

Progent offers a range of services for protecting businesses from ransomware intrusions. These include staff training to help employees recognize and avoid phishing lures, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security solutions that use machine learning to detect and suppress new threats. Progent also offers the assistance of expert ransomware recovery professionals with the track record and commitment to rebuild a compromised system as urgently as possible.

Progent's Ransomware Recovery Help
After a ransomware event, even paying the ransom in cryptocurrency does not guarantee that the attackers will hand over working keys to decrypt all of your data. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their data even after paying, compounding their losses. The ransom itself is also costly: Ryuk demands often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the average ransomware demand, which ZDNet estimated at approximately $13,000. The other path is to rebuild the mission-critical components of your IT environment. Without complete backups, this calls for a wide range of skills, professional team management, and the ability to work non-stop until the recovery is finished.

For two decades, Progent has provided professional IT services for businesses in Bellevue and throughout the United States and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who hold advanced industry certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers hold internationally recognized industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has expertise with accounting and ERP application software. This breadth of expertise lets Progent quickly understand critical systems, salvage the remaining pieces of your IT environment after a ransomware event, and reassemble them into a functioning network.

Progent's security group uses best-of-breed project management tools to orchestrate the complex recovery process. Progent understands the urgency of acting quickly and in unison with a client's management and IT staff to prioritize tasks and get key applications back online as soon as possible.

Customer Story: A Successful Crypto-Ransomware Attack Response
A client contacted Progent after their company was brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because of its code lineage from the Hermes ransomware; later research attributed its operation to Russian-speaking criminal groups. Ryuk is delivered to specific, hand-picked organizations that have little tolerance for downtime and is among the most profitable ransomware operations. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing company headquartered in the Chicago metro area with about 500 staff members. The Ryuk intrusion had paralyzed all business operations and manufacturing capabilities. Most of the client's backups had been online and reachable from the network when the attack began, and were damaged along with production data. The client was weighing paying the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately reached out to Progent.


"I can't thank you enough for the expertise Progent provided us during the most fearful period of (our) company's existence. We had little choice but to pay the cyber criminals behind the attack if not for the confidence the Progent group gave us. The fact that you could get our e-mail and key applications back in less than five days was incredible. Every single staff member I worked with or e-mailed at Progent was totally committed to getting us back on-line and was working at a breakneck pace on our behalf."

Progent worked with the client to rapidly understand and assign priority to the most important areas that needed to be recovered to make it possible to restart departmental functions:

  • Windows Active Directory
  • Email
  • Accounting/MRP
To start, Progent followed ransomware incident response best practices by halting the spread (isolating affected systems from the network) and removing the active malware. Progent then began recovering Microsoft Active Directory, the foundation of enterprise networks built on Windows Server. Microsoft Exchange will not operate without Active Directory, and the customer's MRP applications ran on SQL Server, which relied on Active Directory for authentication and authorization to the data.

Within 48 hours, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then pressed ahead with reinstallation and storage recovery of mission-critical servers. All Exchange Server schema and configuration data were intact, which accelerated the Exchange restore. Progent was also able to collect local OST files (Microsoft Outlook Offline Data Files) from user PCs and laptops to recover email messages that had not been synchronized back to the server. A reasonably recent offline backup of the client's financials/MRP systems, which the ransomware could not reach, allowed these required applications to be brought back online. Although a large amount of work remained to recover fully from Ryuk, the most important services were restored quickly:


"For the most part, the production manufacturing operation was never shut down and we delivered all customer deliverables."

Over the following month important milestones in the recovery project were completed through tight collaboration between Progent team members and the client:

  • Self-hosted web sites were restored with no loss of information.
  • The MailStore archive for Microsoft Exchange Server, holding more than four million archived emails, was brought online and made available to users.
  • CRM/Orders/Invoices/AP/Accounts Receivables/Inventory capabilities were 100 percent operational.
  • A new Palo Alto Networks PA-850 firewall was deployed.
  • 90% of the user desktops and notebooks were fully operational.

"A huge amount of what happened during the initial response is mostly a haze for me, but my management will not forget the countless hours each of the team put in to help get our company back. I've entrusted Progent for the past ten years, maybe more, and each time Progent has shined and delivered. This time was a life saver."

Conclusion
A likely business-killing catastrophe was averted by dedicated professionals, a wide array of IT skills, and close collaboration. In hindsight, the incident described here could have been detected and prevented with modern security tooling, NIST Cybersecurity Framework or ISO/IEC 27001 practices, staff training, offline or otherwise unreachable backups, and disciplined patching, but the reality remains that state-sponsored and criminal threat actors from Russia, China and elsewhere are tireless and are not going away. If you are hit by a ransomware intrusion, rest assured that Progent's team of experts has extensive experience in blocking, remediating, and recovering from crypto-ransomware attacks.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for allowing me to get rested after we got through the initial push. All of you did an incredible job, and if any of your team is in the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Bellevue a variety of online monitoring and security assessment services designed to help you minimize your exposure to ransomware. These services use modern machine learning to uncover new strains of ransomware that evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates next-generation behavior-based analysis to guard physical and virtual endpoints against new malware attacks like ransomware and fileless attacks, which routinely get past legacy signature-matching AV products. ProSight ASM protects on-premises and cloud-based resources and provides a unified platform to manage the entire threat progression including filtering, detection, mitigation, remediation, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and real-time network-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services offer economical in-depth protection for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and responding to security threats from all vectors. ProSight ESP offers firewall protection, intrusion alarms, device control, and web filtering via cutting-edge technologies packaged within a single agent accessible from a unified console. Progent's data protection and virtualization experts can help you to design and configure a ProSight ESP deployment that meets your organization's specific needs and that helps you prove compliance with legal and industry information protection standards. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that call for urgent action. Progent can also assist your company to install and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and mid-sized organizations an affordable end-to-end service for reliable backup and disaster recovery. For a low monthly cost, ProSight DPS automates your backup activities and allows fast recovery of critical files, applications and virtual machines that have been lost or corrupted as a result of hardware failures, software glitches, natural disasters, human error, or malware attacks like ransomware. ProSight DPS can help you back up, recover and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to an on-premises device, or to both. Progent's cloud backup specialists can deliver world-class expertise to configure ProSight Data Protection Services to comply with government and industry regulatory requirements like HIPAA, FERPA, and PCI and, when necessary, can help you restore your business-critical data. Read more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that builds on the infrastructure of leading information security vendors to provide centralized control and comprehensive security for your email traffic. The architecture of the Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway appliance to provide complete protection against spam, viruses, denial-of-service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's cloud filter serves as a first line of defense and keeps most threats from reaching your security perimeter. This reduces your exposure to inbound attacks and conserves bandwidth and storage. Email Guard's on-premises gateway appliance provides a deeper layer of analysis for incoming email. For outbound email, the onsite gateway provides anti-virus and anti-spam protection, data leakage protection, and email encryption. The onsite gateway can also help Microsoft Exchange Server track and safeguard internal email traffic that originates and ends within your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller organizations to map out, track, enhance and troubleshoot their networking appliances such as switches, firewalls, and access points plus servers, endpoints and other devices. Incorporating state-of-the-art RMM technology, WAN Watch makes sure that infrastructure topology maps are always current, captures and manages the configuration of virtually all devices connected to your network, tracks performance, and generates alerts when potential issues are detected. By automating complex network management processes, WAN Watch can cut hours off common chores like making network diagrams, expanding your network, locating appliances that require important updates, or identifying the cause of performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management technology to help keep your network operating efficiently by checking the state of critical assets that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your designated IT management personnel and your Progent engineering consultant so that looming issues can be resolved before they disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual host configured and maintained by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the applications. Because the environment is virtualized, it can be moved quickly to an alternate hosting solution without a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, your business is not tied to one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and protect data related to your network infrastructure, procedures, applications, and services. You can instantly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates or domains. By updating and organizing your IT infrastructure documentation, you can save as much as 50% of the time wasted trying to find critical information about your network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents related to managing your business network, like standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether you're planning improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you need when you need it. Learn more about ProSight IT Asset Management service.
For 24-hour Bellevue crypto-ransomware recovery help, call Progent at 800-462-8800 or go to Contact Progent.