Crypto-Ransomware : Your Crippling IT Catastrophe
Crypto-Ransomware Recovery Experts

Ransomware has become a too-frequent cyberplague that poses an enterprise-level danger for businesses of all sizes that are unprepared for an assault. Different iterations of ransomware like the Dharma, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for a long time and still inflict harm. Modern strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Egregor, as well as many unnamed variants, not only encrypt online information but also infect every system restore point and backup they can reach. Information synced to the cloud can also be encrypted. In a poorly architected data protection solution, this can render automatic recovery impossible and effectively knocks the entire system back to zero.

Getting applications and data back online following a ransomware event becomes a race against time as the targeted business struggles to contain and clean up the ransomware and to resume business-critical activity. Because ransomware requires time to move laterally, attacks are usually sprung during nights and weekends, when intrusions typically take longer to discover. This compounds the difficulty of promptly assembling and coordinating a capable response team.

Progent provides an assortment of support services for protecting organizations from crypto-ransomware events. Among these are team member training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of the latest generation of security appliances with AI capabilities to intelligently detect and suppress new cyber threats. Progent can also provide the services of experienced ransomware recovery engineers with the talent and commitment to reconstruct a compromised network as quickly as possible.

Progent's Ransomware Recovery Services
After a crypto-ransomware penetration, paying the ransom demand in cryptocurrency does not guarantee that the distant criminals will respond with the keys to decipher all your files. Kaspersky estimated that seventeen percent of ransomware victims never restored their data even after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is significantly above the average crypto-ransomware demand, which ZDNET determined to be approximately $13,000. The other path is to re-install the key parts of your Information Technology environment. Absent complete information backups, this calls for a wide complement of IT skills, professional team management, and the ability to work 24x7 until the job is completed.

For twenty years, Progent has provided expert IT services for companies in Bellevue and throughout the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have attained high-level certifications in leading technologies from Microsoft, Cisco and VMware, and in popular distributions of Linux. Progent's security consultants have earned internationally renowned certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience with accounting and ERP application software. This breadth of expertise gives Progent the capability to quickly identify necessary systems, consolidate the surviving pieces of your Information Technology environment after a ransomware penetration, and assemble them into a functioning system.

Progent's security group has best-of-breed project management systems to coordinate the complex recovery process. Progent appreciates the importance of acting quickly and together with a client's management and Information Technology staff to prioritize tasks and to put key applications back online as fast as humanly possible.

Customer Story: A Successful Crypto-Ransomware Penetration Recovery
A business hired Progent after their network was brought down by Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state criminal gangs, possibly using technology exposed from America's National Security Agency. Ryuk goes after specific businesses with little tolerance for disruption and is among the most profitable iterations of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in the Chicago metro area with about 500 workers. The Ryuk penetration had disabled all company operations and manufacturing processes. The majority of the client's system backups had been directly accessible from the network at the start of the intrusion and were damaged. The client considered paying the ransom demand (exceeding $200,000) and hoping for the best, but ultimately reached out to Progent.


"I cannot say enough about the support Progent gave us during the most critical period of (our) business's survival. We may have had to pay the Hackers if it wasn't for the confidence the Progent team provided us. The fact that you could get our e-mail and critical applications back online quicker than a week was amazing. Each staff member I spoke to or texted at Progent was laser focused on getting us restored and was working at all hours to bail us out."

Progent worked with the customer to quickly determine and assign priority to the key areas that had to be addressed in order to continue business operations:

  • Microsoft Active Directory
  • E-Mail
  • Accounting and Manufacturing Software

To begin, Progent followed anti-malware incident response best practices by halting lateral movement and cleaning up compromised systems. Progent then began the process of recovering Active Directory, the core technology of enterprise networks built upon Microsoft products. Microsoft Exchange messaging will not function without Active Directory, and the customer's accounting and MRP software used SQL Server, which depends on Windows AD to authenticate and authorize access to the data.

Within 2 days, Progent was able to recover Active Directory to its pre-attack state. Progent then initiated reinstallations and storage recovery on key systems. All Exchange schema and configuration information was intact, which facilitated the restore of Exchange. Progent was able to collect local OST files (Microsoft Outlook Offline Data Files) from user PCs and laptops in order to recover email information. A recent offline backup of the business's financials/ERP software made it possible to bring these essential services back to users. Although a lot of work remained to recover fully from the Ryuk attack, essential services were returned to operation quickly:


"For the most part, the manufacturing operation did not miss a beat and we delivered all customer deliverables."
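The OST collection step mentioned above is one a recovery team repeats on every surviving endpoint, and the first question is whether a given OST is still intact or was encrypted along with everything else. The following PowerShell script is an added example written for this page; it is not Progent's tooling. It inventories Outlook OST files under each user profile on a Windows endpoint, checks that each file still begins with the PST/OST header signature "!BDN" (the dwMagic value from the MS-PST file format, which an encrypted file will not carry), records a SHA-256 hash and size, and copies the intact files to a collection folder. The destination path is an assumption.

```powershell
# Added example, not Progent's code: inventory Outlook OST files on a Windows
# endpoint, verify the PST/OST header magic, hash each file and collect the
# intact ones. Run elevated on the endpoint with Outlook closed.
param(
    # Assumed collection location; adjust to an isolated share or drive.
    [string]$Destination = "D:\OSTCollection\$env:COMPUTERNAME"
)

# MS-PST header: the first four bytes of a PST/OST file are "!BDN".
$magic = [byte[]](0x21, 0x42, 0x44, 0x4E)

function Test-OstHeader {
    param([string]$Path)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 4
        $read = $stream.Read($buf, 0, 4)
        if ($read -lt 4) { return $false }
        for ($i = 0; $i -lt 4; $i++) {
            if ($buf[$i] -ne $magic[$i]) { return $false }
        }
        return $true
    } finally {
        $stream.Dispose()
    }
}

if (-not (Test-Path $Destination)) {
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
}

# Outlook 2013 and later keep the OST under the user's local AppData.
$results = Get-ChildItem -Path 'C:\Users\*\AppData\Local\Microsoft\Outlook' `
        -Filter '*.ost' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file   = $_
        $intact = Test-OstHeader -Path $file.FullName
        $hash   = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        $copied = $false
        if ($intact) {
            # C:\Users\<user>\... -> element 2 of the split path is the profile name.
            $user   = $file.FullName.Split('\')[2]
            $target = Join-Path $Destination ("{0}_{1}" -f $user, $file.Name)
            try {
                Copy-Item -Path $file.FullName -Destination $target -ErrorAction Stop
                $copied = $true
            } catch {
                # Typically the file is locked because Outlook is still running.
                Write-Warning "Could not copy $($file.FullName): $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Path      = $file.FullName
            SizeMB    = [math]::Round($file.Length / 1MB, 1)
            LastWrite = $file.LastWriteTime
            SHA256    = $hash
            HeaderOK  = $intact
            Copied    = $copied
        }
    }

$results | Export-Csv -Path (Join-Path $Destination 'ost-inventory.csv') -NoTypeInformation
$results | Format-Table -AutoSize
```

The CSV gives the recovery team a per-endpoint record of which OST files are intact, how recent they are, and a hash to verify the copy later. An OST is a cached copy tied to the original Outlook profile, so the collected files still need a conversion or import step before the mail is back in a mailbox; the inventory tells you which files are worth that effort before anyone spends time on it.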

Over the next few weeks important milestones in the recovery process were completed in tight collaboration between Progent team members and the client:

  • Self-hosted web sites were returned to operation without losing any data.
  • The MailStore Microsoft Exchange Server archive containing more than 4 million archived emails was brought online and made available to users.
  • CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivable/Inventory Control functions were completely recovered.
  • A new Palo Alto 850 security appliance was installed and configured.
  • Most of the user desktops and notebooks were fully operational.

"So much of what occurred in the early hours is mostly a fog for me, but my management will not soon forget the countless hours all of you put in to help get our company back. I've trusted Progent for the past ten years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered. This time was a stunning achievement."

Conclusion
A likely business-extinction disaster was averted with hard-working experts, a wide spectrum of technical expertise, and tight teamwork. Forensics later showed that the crypto-ransomware penetration detailed here could have been identified and stopped with current security solutions and best practices, staff education, and well-designed procedures for information backup and software patching. Even so, state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a crypto-ransomware incident, remember that Progent's team of experts has proven experience in ransomware blocking, remediation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were contributing), thanks very much for letting me get some sleep after we got through the initial fire. Everyone did a fabulous job, and if anyone that helped is in the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Bellevue a portfolio of online monitoring and security evaluation services to help you minimize your exposure to ransomware. These services incorporate next-generation AI capability to detect zero-day variants of crypto-ransomware that can get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes cutting-edge behavior-based machine learning technology to guard physical and virtual endpoints against modern malware assaults such as ransomware and fileless exploits, which routinely escape traditional signature-based anti-virus products. ProSight ASM safeguards on-premises and cloud-based resources and provides a single platform to address the complete malware attack lifecycle including protection, identification, mitigation, remediation, and forensics. Top capabilities include single-click rollback with Windows VSS and automatic network-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver affordable in-depth protection for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device management, and web filtering via cutting-edge technologies packaged within a single agent accessible from a unified console. Progent's security and virtualization consultants can assist you to plan and configure a ProSight ESP deployment that meets your company's unique needs and that allows you to demonstrate compliance with government and industry information security standards. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that require immediate attention. Progent's consultants can also help you to install and verify a backup and restore solution like ProSight Data Protection Services so you can get back in business quickly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and medium-sized businesses an affordable end-to-end solution for reliable backup and disaster recovery. Available at a fixed monthly price, ProSight Data Protection Services automates and monitors your backup processes and allows fast recovery of critical data, apps and virtual machines that have become lost or damaged due to component failures, software bugs, disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to a local storage device, or to both. Progent's cloud backup specialists can deliver advanced expertise to configure ProSight Data Protection Services to be compliant with government and industry regulatory standards such as HIPAA, FINRA, and PCI and, when needed, can help you to recover your critical data. Read more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top information security companies to provide web-based management and comprehensive security for your email traffic. The hybrid architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with a local security gateway appliance to offer advanced protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a preliminary barricade and blocks most threats from reaching your security perimeter. This decreases your exposure to external attacks and saves network bandwidth and storage. Email Guard's on-premises security gateway device provides a deeper level of analysis for inbound email. For outgoing email, the onsite security gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The local security gateway can also help Microsoft Exchange Server to track and safeguard internal email traffic that stays inside your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for smaller organizations to map, track, enhance and debug their connectivity hardware like switches, firewalls, and load balancers plus servers, printers, client computers and other devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept current, copies and displays the configuration of virtually all devices on your network, monitors performance, and sends alerts when potential issues are detected. By automating tedious network management activities, WAN Watch can knock hours off ordinary tasks like making network diagrams, expanding your network, locating devices that need important updates, or resolving performance problems. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your network operating efficiently by tracking the health of the critical assets that power your business network. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your designated IT management staff and your assigned Progent engineering consultant so that potential problems can be resolved before they disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With the ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure Tier III data center on a fast virtual machine host set up and managed by Progent's IT support experts. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the apps. Since the system is virtualized, it can be ported easily to a different hosting solution without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and safeguard information about your network infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can eliminate as much as half of the time wasted searching for vital information about your network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents required for managing your network infrastructure, like standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether you're planning improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

For Bellevue 24x7 Crypto Remediation Consulting, reach out to Progent at 800-993-9400 or go to Contact Progent.