Crypto-Ransomware : Your Worst IT Nightmare
Ransomware has become a modern cyber pandemic that presents an extinction-level danger for businesses of all sizes that are poorly prepared for an assault. Different iterations of crypto-ransomware such as Reveton, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been circulating for a long time and still cause destruction. The latest versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, as well as many unnamed variants, not only encrypt online data files but also infiltrate most reachable system restore points and backups. Data synchronized to cloud environments can also be encrypted. In a vulnerable system, this can make automated restore operations hopeless and effectively knocks the network back to zero.

Recovering applications and information following a crypto-ransomware event becomes a race against the clock as the targeted business fights to stop the spread, eradicate the crypto-ransomware, and restore business-critical activity. Because crypto-ransomware needs time to replicate, attacks are often launched on weekends and holidays, when successful attacks are likely to take longer to uncover. This compounds the difficulty of quickly assembling and orchestrating an experienced response team.

Progent makes available a variety of support services for protecting businesses from crypto-ransomware events. These include staff education to become familiar with and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus installation of the latest generation security gateways with machine learning technology from SentinelOne to discover and quarantine zero-day cyber attacks intelligently. Progent also offers the services of expert ransomware recovery professionals with the skills and commitment to re-deploy a breached network as rapidly as possible.

Progent's Ransomware Restoration Help
Subsequent to a ransomware attack, even paying the ransom demand in Bitcoin cryptocurrency does not guarantee that merciless criminals will respond with the keys needed to decrypt any of your information. Kaspersky Labs estimated that 17% of ransomware victims never restored their files even after having sent off the ransom, resulting in additional losses. The ransom itself is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical crypto-ransomware demand, which ZDNET estimates to be around $13,000. The alternative is to re-install the critical parts of your Information Technology environment. Without the availability of full information backups, this requires a wide complement of skill sets, well-coordinated team management, and the ability to work non-stop until the task is completed.

For two decades, Progent has offered certified expert Information Technology services for businesses in Birmingham and throughout the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have attained advanced industry certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally-renowned certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent in addition has experience in financial systems and ERP software solutions. This breadth of expertise gives Progent the skills to efficiently identify critical systems, integrate the surviving pieces of your network after a ransomware penetration, and configure them into an operational network.

Progent's recovery team has best-of-breed project management systems to coordinate the sophisticated recovery process. Progent appreciates the importance of acting swiftly and together with a customer's management and IT staff to assign priority to tasks and to put essential systems back online as fast as humanly possible.

Client Case Study: A Successful Ransomware Virus Response
A small business contacted Progent after their network was taken over by Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by North Korean state hackers, possibly adopting approaches leaked from the U.S. National Security Agency. Ryuk targets specific companies with little ability to sustain operational disruption and is among the most lucrative instances of crypto-ransomware. Major targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in the Chicago metro area with about 500 workers. The Ryuk attack had shut down all business operations and manufacturing processes. Most of the client's backups had been directly accessible at the time of the intrusion and were eventually encrypted. The client was preparing to pay the ransom (in excess of $200K) and hope for good luck, but ultimately made the decision to use Progent.


"I can't say enough about the expertise Progent provided us during the most stressful period of (our) business's life. We may have had to pay the cyber criminals behind the attack except for the confidence the Progent experts provided us. That you were able to get our messaging and key servers back online sooner than five days was earth shattering. Each consultant I worked with or texted at Progent was absolutely committed to getting our company operational and was working all day and night on our behalf."

Progent worked together with the client to rapidly determine and prioritize the essential elements that needed to be restored in order to restart departmental operations:

  • Windows Active Directory
  • Email
  • Accounting/MRP
To start, Progent adhered to industry incident-response best practices by halting the spread and removing active malware. Progent then started the task of recovering Microsoft Active Directory, the heart of enterprise environments built on Microsoft technology. Microsoft Exchange email will not work without Windows AD, and the business's accounting and MRP system used SQL Server, which requires Active Directory services for access to the data.

Within 2 days, Progent was able to rebuild Active Directory services to their pre-penetration state. Progent then performed reinstallations and storage recovery on critical servers. All Exchange Server ties and attributes were intact, which greatly helped the restore of Exchange. Progent was able to find intact OST data files (Microsoft Outlook Offline Folder Files) on user desktop computers in order to recover mail information. A reasonably recent offline backup of the customer's accounting/MRP systems enabled Progent to return these required services to users. Although a large amount of work still had to be done to recover completely from the Ryuk attack, core services were recovered quickly:


"For the most part, the production manufacturing operation showed little impact and we produced all customer deliverables."

During the next couple of weeks critical milestones in the restoration process were completed through close collaboration between Progent team members and the customer:

  • In-house web applications were returned to operation with no loss of information.
  • The MailStore archive server for Microsoft Exchange, holding more than four million historical emails, was brought up and made available to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control capabilities were completely functional.
  • A new Palo Alto 850 security appliance was brought on-line.
  • Most of the user desktops and notebooks were back into operation.

"So much of what happened in the early hours is mostly a fog for me, but my management will not soon forget the countless hours each and every one of the team accomplished to help get our company back. I've utilized Progent for the past 10 years, possibly more, and each time I needed help Progent has come through and delivered. This time was a stunning achievement."

Conclusion
A potential business disaster was averted with results-oriented professionals, a wide array of IT skills, and close collaboration. Although, in post-mortem analysis, the ransomware incident detailed here would have been identified and disabled with advanced cyber security systems and NIST Cybersecurity Framework best practices, team training, and well thought out security procedures for backup and proper patching controls, the fact remains that government-sponsored cybercriminals from China, North Korea and elsewhere are relentless and an ongoing threat. If you do get hit by a crypto-ransomware incident, remember that Progent's team of experts has extensive experience in ransomware defense, mitigation, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thanks very much for letting me get rested after we made it through the initial push. All of you did an incredible effort, and if anyone is in the Chicago area, dinner is my treat!"

To review or download a PDF version of this ransomware incident report, see Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Birmingham a portfolio of remote monitoring and security assessment services designed to assist you to reduce the threat from ransomware. These services incorporate next-generation machine learning capability to uncover zero-day variants of ransomware that can evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that utilizes SentinelOne's next generation behavior-based analysis tools to guard physical and virtual endpoints against new malware assaults such as ransomware and email phishing, which routinely escape legacy signature-matching anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a unified platform to address the complete threat lifecycle including blocking, infiltration detection, mitigation, remediation, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Progent is a SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer security for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and responding to cyber assaults from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, endpoint control, and web filtering via cutting-edge technologies packaged within one agent accessible from a single control. Progent's security and virtualization consultants can assist you to plan and configure a ProSight ESP environment that addresses your company's unique needs and that helps you prove compliance with legal and industry information protection standards. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for urgent attention. Progent's consultants can also assist your company to install and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has worked with advanced backup/restore technology providers to produce ProSight Data Protection Services (DPS), a family of management offerings that deliver backup-as-a-service. ProSight DPS services manage and track your data backup operations and enable transparent backup and rapid restoration of important files, applications, images, plus Hyper-V and VMware virtual machines. ProSight DPS helps your business recover from data loss caused by hardware breakdown, natural calamities, fire, cyber attacks such as ransomware, user error, malicious insiders, or application bugs. Managed backup services in the ProSight Data Protection Services portfolio include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you to determine which of these fully managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading information security vendors to deliver centralized control and world-class protection for your inbound and outbound email. The powerful structure of Progent's Email Guard combines cloud-based filtering with a local security gateway appliance to offer advanced protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-borne threats. Email Guard's Cloud Protection Layer serves as a first line of defense and keeps most unwanted email from making it to your security perimeter. This reduces your vulnerability to inbound attacks and conserves network bandwidth and storage. Email Guard's on-premises security gateway device adds a further level of analysis for inbound email. For outbound email, the local gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Microsoft Exchange Server to track and protect internal email that stays inside your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized businesses to map out, track, reconfigure and troubleshoot their networking appliances like switches, firewalls, and access points plus servers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept updated, captures and manages the configuration information of almost all devices on your network, monitors performance, and sends notices when potential issues are discovered. By automating complex management activities, ProSight WAN Watch can knock hours off ordinary chores like making network diagrams, reconfiguring your network, finding appliances that need critical software patches, or resolving performance problems. Find out more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) technology to keep your network running efficiently by tracking the state of the critical computers that drive your business network. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your specified IT staff and your Progent consultant so that all potential issues can be resolved before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host configured and managed by Progent's network support experts. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be moved easily to a different hosting environment without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and safeguard information related to your network infrastructure, procedures, applications, and services. You can instantly locate passwords or IP addresses and be alerted about upcoming expirations of SSL certificates, domains or warranties. By updating and managing your network documentation, you can save up to 50% of the time wasted searching for vital information about your IT network. ProSight IT Asset Management features a common location for storing and collaborating on all documents related to managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether you're making improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you need when you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection service that utilizes cutting-edge behavior-based analysis tools to defend endpoint devices as well as physical and virtual servers against new malware assaults like ransomware and file-less exploits, which routinely evade traditional signature-based anti-virus products. Progent ASM services protect local and cloud resources and offer a single platform to manage the entire threat progression including filtering, detection, containment, remediation, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against new threats. Find out more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Help Desk: Call Center Managed Services
    Progent's Support Desk managed services permit your IT staff to offload Support Desk services to Progent or divide responsibilities for support services transparently between your internal network support group and Progent's nationwide roster of IT service engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a seamless extension of your internal network support group. Client access to the Help Desk, provision of support services, escalation, trouble ticket creation and updates, efficiency metrics, and management of the service database are consistent whether incidents are taken care of by your internal network support staff, by Progent's team, or by a combination. Read more about Progent's outsourced/co-managed Help Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management provide businesses of all sizes a versatile and affordable alternative for assessing, validating, scheduling, applying, and documenting software and firmware updates to your dynamic IT network. Besides optimizing the security and functionality of your computer environment, Progent's software/firmware update management services free up time for your IT staff to concentrate on line-of-business projects and activities that derive maximum business value from your network. Learn more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo authentication service plans utilize Cisco's Duo cloud technology to protect against compromised passwords by using two-factor authentication. Duo supports single-tap identity confirmation on iOS, Android, and other out-of-band devices. Using 2FA, whenever you log into a protected online account and enter your password you are asked to verify your identity on a device that only you have and that uses a separate network channel. A wide range of out-of-band devices can be utilized for this second means of authentication including a smartphone or watch, a hardware/software token, a landline phone, etc. You can designate multiple validation devices. For details about ProSight Duo two-factor identity validation services, visit Cisco Duo MFA two-factor authentication (2FA) services for access security.
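The second-factor check described above, as an added illustration that is not Progent's or Cisco Duo's code: it assumes the "software token" case, an RFC 6238 time-based one-time password (TOTP) generated on a device the user holds, and shows the server-side verification step. The secret is the RFC 6238 test-vector key, constructed here for the example; the small acceptance window and the replay guard (a code is accepted at most once) are the two details a practitioner would want to see handled.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 6238 reference key "12345678901234567890" in base32.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    return hotp(secret_b32, int(at_time) // step, digits)


class SecondFactorVerifier:
    """Server-side check of the code typed from the user's token.

    window=1 accepts the previous and next 30-second step to tolerate clock drift.
    last_counter remembers the newest step already used so the same code cannot be
    replayed by someone who observed it (each code is good for exactly one login).
    """

    def __init__(self, secret_b32: str, window: int = 1, step: int = 30, digits: int = 6):
        self.secret = secret_b32
        self.window = window
        self.step = step
        self.digits = digits
        self.last_counter = -1

    def verify(self, submitted_code: str, at_time: int) -> bool:
        counter = int(at_time) // self.step
        for drift in range(-self.window, self.window + 1):
            candidate = counter + drift
            if candidate <= self.last_counter:
                continue  # already consumed (or older than a consumed step): reject replay
            expected = hotp(self.secret, candidate, self.digits)
            # Constant-time comparison so response timing leaks nothing about the code.
            if hmac.compare_digest(expected, submitted_code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    verifier = SecondFactorVerifier(SAMPLE_SECRET_B32)
    now = 59  # RFC 6238 test time; a real server uses time.time()
    code = totp(SAMPLE_SECRET_B32, now)
    print("first use accepted:", verifier.verify(code, now))
    print("replay accepted:   ", verifier.verify(code, now))
```

The password check and this second-factor check are independent: the token secret never travels over the login channel, which is what makes a phished or reused password insufficient on its own.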
For 24/7 Birmingham Ransomware Remediation Experts, call Progent at 800-462-8800 or go to Contact Progent.