Crypto-Ransomware: Your Feared Information Technology Catastrophe
Crypto-Ransomware Remediation Consultants
Ransomware has become an escalating cyberplague that represents an enterprise-level threat for organizations unprepared for an attack. Older families such as CrySIS, WannaCry and Locky have been circulating for years and still cause harm, and related extortion malware such as MongoLock (which wipes exposed databases) and the abuse of the Windows Syskey utility to lock machines follow the same playbook. Recent human-operated strains such as Ryuk, Maze, Sodinokibi (REvil), NetWalker, LockBit and Nefilim, plus other less publicized malware, not only encrypt on-line data but also disable or destroy every recovery mechanism they can reach: Volume Shadow Copies, backup catalogs, Windows recovery settings, and any backup target that is writable from a compromised account. Data replicated to the cloud can be corrupted along with it. In a vulnerable environment this makes automated restore operations impossible and effectively resets the network to zero.

Retrieving applications and data after a ransomware event becomes a sprint against the clock as the targeted business fights to contain and eradicate the malware and to resume business-critical activity. Because encrypting an entire network takes time, attacks are often launched on weekends and at night, when a successful intrusion typically goes unnoticed for longer. This multiplies the difficulty of promptly mobilizing and orchestrating an experienced response team.
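The pre-encryption behaviour described above leaves a recognizable trail in process-creation logs. The following added example (not Progent's code or tooling) scans a constructed sample of process-creation events, written in a simplified key=value rendering of the fields that Windows Security event 4688 or Sysmon event 1 carry, for the commands human-operated ransomware such as Ryuk runs to delete shadow copies, shrink shadow storage, disable Windows recovery and wipe backup catalogs, and it raises the severity when several of them fire on one host or outside business hours. The log layout, host names, user names and business-hours window are assumptions for the illustration.

```python
"""Flag recovery-disabling commands that precede ransomware encryption.

Added example, not Progent's code. Input is a constructed, simplified
key=value rendering of process-creation events (Windows Security 4688 /
Sysmon event 1 carry the same fields). The command patterns reflect
publicly documented pre-encryption behaviour of Ryuk and similar families.
"""
import re
from datetime import datetime

# Each pattern names one recovery mechanism the attacker is disabling.
TAMPER_PATTERNS = [
    ("shadow_copy_delete",       re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_storage_resize",    re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadow_delete",       re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled",        re.compile(r"bcdedit(?:\.exe)?.*recoveryenabled\s+no", re.I)),
    ("bootstatus_ignore",        re.compile(r"bcdedit(?:\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("backup_catalog_delete",    re.compile(r"wbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)", re.I)),
    ("powershell_shadow_delete", re.compile(r"win32_shadowcopy.*delete", re.I)),
]

# Assumed business hours: 08:00-17:59 local time, Monday to Friday.
BUSINESS_HOURS = range(8, 18)

# Constructed log layout: ISO timestamp, host, user, then the command line.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")

# Constructed sample: a Saturday 02:14 burst on a file server (the pattern
# the page describes) plus benign weekday activity, including a read-only
# 'vssadmin list shadows' that must not trigger.
SAMPLE_LOG = r"""
2019-11-16T02:14:07 host=FILESRV01 user=CORP\svc_backup cmd=C:\Windows\System32\vssadmin.exe Delete Shadows /all /quiet
2019-11-16T02:14:09 host=FILESRV01 user=CORP\svc_backup cmd=vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
2019-11-16T02:14:12 host=FILESRV01 user=CORP\svc_backup cmd=bcdedit /set {default} recoveryenabled No
2019-11-16T02:14:15 host=FILESRV01 user=CORP\svc_backup cmd=wbadmin DELETE SYSTEMSTATEBACKUP
2019-11-18T10:03:41 host=WS-ACCT07 user=CORP\jdoe cmd=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
2019-11-18T11:20:00 host=DC01 user=CORP\admin cmd=vssadmin list shadows
"""


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "user": m["user"], "cmd": m["cmd"]}


def tamper_tags(cmd):
    """Names of every recovery-disabling pattern that matches the command line."""
    return [name for name, rx in TAMPER_PATTERNS if rx.search(cmd)]


def is_off_hours(ts):
    """True on weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def scan(lines):
    """Aggregate matches per host and grade them.

    One shadow-copy deletion can be a legitimate admin action; several
    distinct recovery-disabling commands on one host is the ransomware
    pre-encryption sequence and is graded critical regardless of timing.
    """
    findings = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        tags = tamper_tags(ev["cmd"])
        if not tags:
            continue
        f = findings.setdefault(ev["host"], {"tags": set(), "users": set(),
                                             "off_hours": False, "first": ev["ts"]})
        f["tags"].update(tags)
        f["users"].add(ev["user"])
        f["off_hours"] = f["off_hours"] or is_off_hours(ev["ts"])
        f["first"] = min(f["first"], ev["ts"])
    for f in findings.values():
        if len(f["tags"]) >= 2:
            f["severity"] = "critical"
        elif f["off_hours"]:
            f["severity"] = "high"
        else:
            f["severity"] = "medium"
    return findings


if __name__ == "__main__":
    for host, f in scan(SAMPLE_LOG.splitlines()).items():
        print(f"{f['severity'].upper():8} {host} first={f['first'].isoformat()} "
              f"off_hours={f['off_hours']} users={sorted(f['users'])} tags={sorted(f['tags'])}")
```

Run against the sample, only FILESRV01 is reported, graded critical because four distinct recovery-disabling commands ran within seconds on a Saturday night; the weekday `vssadmin list shadows` on the domain controller produces nothing. In production the same patterns belong in the SIEM or EDR rule set with an automatic host-isolation action, because by the time these commands appear the encryption run is usually minutes away.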

Progent makes available an assortment of solutions for securing enterprises from ransomware attacks. Among these are user education to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for behavior-based endpoint protection, plus installation of next-generation security gateways with AI technology to automatically discover and suppress zero-day threats. Progent in addition offers the assistance of veteran ransomware recovery engineers with the track record and perseverance to reconstruct a breached system as urgently as possible.

Progent's Ransomware Restoration Services
After a ransomware penetration, paying the ransom in cryptocurrency does not guarantee that the attackers will return the keys needed to decrypt any or all of your data. Kaspersky Lab found that 17% of ransomware victims never recovered their files even after paying, compounding their losses. The gamble is also very costly. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the average ransomware demand, which ZDNet put in the range of $13,000. The other path is to rebuild the key parts of your IT environment. Without access to intact, offline backups, this calls for a wide complement of IT skills, top-notch team management, and the capability to work non-stop until the recovery is finished.

For two decades, Progent has made available certified expert Information Technology services for businesses in Brighton and across the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have earned top industry certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have garnered internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience in financial management and ERP applications. This breadth of expertise gives Progent the capability to quickly identify the essential systems, re-organize the surviving components of your Information Technology environment after a ransomware attack, and configure them into a functioning system.

Progent's security team uses best of breed project management applications to orchestrate the complex restoration process. Progent understands the importance of acting quickly and together with a client's management and Information Technology staff to assign priority to tasks and to get key systems back online as soon as possible.

Customer Story: A Successful Ransomware Intrusion Restoration
A small business escalated to Progent after their company was taken over by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored hackers because it shares code with the earlier Hermes ransomware, but later analysis tied it to Russian-speaking criminal operators. Ryuk targets specific businesses with little or no tolerance for disruption and is among the most lucrative ransomware families. Publicly reported victims include Data Resolution, a California-based data warehousing and cloud computing company, and Tribune Publishing, parent of the Chicago Tribune. Progent's client is a single-location manufacturing business headquartered in Chicago with about 500 workers. The Ryuk event had frozen all essential business and manufacturing operations. Most of the client's system backups had been directly reachable from the network at the start of the intrusion and were eventually encrypted. The client was pursuing financing to pay the ransom (exceeding $200K) and praying for the best, but in the end engaged Progent.


"I can't say enough about the support Progent gave us during the most fearful period of (our) company's existence. We would have paid the criminal gangs if not for the confidence the Progent experts gave us. The fact that you could get our e-mail and key servers back on-line in less than seven days was earth shattering. Each person I worked with or communicated with at Progent was urgently focused on getting us working again and was working non-stop to bail us out."

Progent worked together with the customer to rapidly understand and assign priority to the most important elements that needed to be addressed to make it possible to restart departmental operations:

  • Active Directory
  • Microsoft Exchange Email
  • Accounting and Manufacturing Software
To begin, Progent followed incident response best practices: isolating affected hosts to halt the spread and cleaning up infected systems. Progent then started rebuilding Microsoft Active Directory, the foundation of enterprise environments built on Windows Server. Exchange will not run without Active Directory, and the customer's financials and MRP system ran on SQL Server, which relied on Windows (AD) authentication to authorize access to the database.

Within two days, Progent rebuilt Active Directory to its pre-intrusion state. Progent then helped with setup and storage recovery on mission-critical systems. All Exchange schema and configuration information in AD was usable, which greatly simplified the Exchange rebuild. Progent was also able to collect Outlook offline data files (.ost) from various PCs and laptops in order to recover mailbox contents. A recent offline backup of the client's accounting/ERP systems made it possible to bring these vital applications back online. Although a lot of work remained to recover fully from the Ryuk event, the most important systems were restored quickly:
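Collecting cached mailbox copies from endpoints, as described in the step above, goes faster when intact files can be told apart from copies the ransomware has already overwritten. The following added example (not Progent's tooling) does that triage over a directory tree: it locates files carrying an Outlook data-file extension anywhere in their name and checks the PFF header that every PST/OST begins with. The directory layout, file names and the .RYK suffix on the encrypted copy are a constructed fixture; the header check itself follows the documented PST/OST (PFF) file format.

```python
"""Triage Outlook data files (.ost/.pst) found on recovered workstations.

Added example, not Progent's tooling. Every PST/OST begins with the PFF
magic '!BDN'; a copy that ransomware has overwritten no longer does, even
if the file name still looks like an Outlook data file (for example
mailbox.ost.RYK after Ryuk appends its extension). Intact files are the
ones worth collecting for mailbox recovery.
"""
import tempfile
from pathlib import Path

PFF_MAGIC = b"!BDN"                          # bytes 0-3 of every PST/OST
CLIENT_TYPES = {b"SM": "pst", b"SO": "ost"}  # bytes 8-9 of the header (PFF format)
OUTLOOK_EXTS = {".ost", ".pst"}


def classify_file(path):
    """Return ('intact', kind) or ('encrypted_or_damaged', None) for Outlook
    data files, and ('not_outlook', None) for everything else."""
    suffixes = {s.lower() for s in path.suffixes}
    if not suffixes & OUTLOOK_EXTS:
        return "not_outlook", None
    with open(path, "rb") as fh:
        header = fh.read(16)
    if header[:4] != PFF_MAGIC:
        return "encrypted_or_damaged", None
    return "intact", CLIENT_TYPES.get(header[8:10], "unknown")


def triage(root):
    """Walk root and bucket every Outlook data file by whether it is recoverable."""
    report = {"intact": [], "encrypted_or_damaged": []}
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        verdict, kind = classify_file(p)
        if verdict == "not_outlook":
            continue
        report[verdict].append({"path": str(p.relative_to(root)),
                                "kind": kind, "bytes": p.stat().st_size})
    return report


def build_sample(root):
    """Constructed fixture standing in for a recovered disk image."""
    outlook = Path(root) / "Users" / "jdoe" / "AppData" / "Local" / "Microsoft" / "Outlook"
    outlook.mkdir(parents=True)
    # Valid OST header: magic, 4-byte CRC placeholder, client type 'SO', version 36 (Unicode, 4K pages).
    (outlook / "jdoe@corp.example.ost").write_bytes(PFF_MAGIC + b"\x00" * 4 + b"SO" + b"\x24\x00" + b"\x00" * 500)
    # Valid PST header for an archive: client type 'SM', version 23 (Unicode).
    (outlook / "archive2018.pst").write_bytes(PFF_MAGIC + b"\x00" * 4 + b"SM" + b"\x17\x00" + b"\x00" * 500)
    # A mailbox after encryption: name keeps .ost, body is stand-in ciphertext (constructed, deterministic bytes).
    (outlook / "jsmith@corp.example.ost.RYK").write_bytes(bytes((i * 37 + 11) % 256 for i in range(600)))
    # Unrelated file that must be ignored.
    (Path(root) / "Users" / "jdoe" / "notes.txt").write_bytes(b"not a mailbox")


def demo():
    """Build the fixture in a temp dir and return the triage report."""
    root = tempfile.mkdtemp(prefix="ost-triage-")
    build_sample(root)
    return triage(root)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(bucket)
        for entry in files:
            print(f"  {entry['path']}  kind={entry['kind']}  bytes={entry['bytes']}")
```

Point `triage()` at a mounted image or a user-profile share instead of the fixture to get the list of files worth copying off; checking the header rather than trusting the extension matters because ransomware typically renames victims, and a 2 GB file named `.ost.RYK` is worthless while a stray `archive.pst` in a Downloads folder may be the only copy of a year of mail.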


"For the most part, the production manufacturing operation showed little impact and we made all customer orders."

Over the next month critical milestones in the recovery project were accomplished through tight cooperation between Progent engineers and the customer:

  • Self-hosted web applications were restored with no loss of data.
  • The MailStore email archive server containing more than four million archived messages was brought online and made available to users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/AR/Inventory Control functions were 100 percent operational.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • Nearly all of the user desktops and notebooks were back into operation.

"A huge amount of what was accomplished in the early hours is mostly a haze for me, but my team will not forget the urgency each of you put in to give us our business back. I've been working with Progent for at least 10 years, maybe more, and each time Progent has shined and delivered as promised. This event was a Herculean accomplishment."

Conclusion
A likely business-killing disaster was averted thanks to dedicated professionals, a broad range of IT skills, and tight teamwork. Although post-incident forensics showed that the ransomware incident described here should have been stopped by modern security controls, ISO/IEC 27001 practices, staff training, and well-designed procedures for backup and patch management, the fact is that the criminal and state-sponsored groups behind ransomware, in Russia, North Korea and elsewhere, are tireless and remain an ongoing threat. If you are hit by a ransomware intrusion, be confident that Progent's team of experts has a proven track record in ransomware defense, remediation, and data restoration.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thanks very much for allowing me to get rested after we got over the initial push. All of you did an amazing job, and if any of your guys is in the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Brighton a range of remote monitoring and security evaluation services to assist you to reduce the threat from ransomware. These services incorporate modern AI capability to detect zero-day strains of ransomware that can get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes behavior-based machine learning technology to defend physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely escape legacy signature-matching anti-virus tools. ProSight ASM protects local and cloud-based resources and provides a unified platform to address the entire threat progression including blocking, detection, mitigation, remediation, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and automatic network-wide immunization against new threats. Because most ransomware families delete shadow copies before encrypting, VSS-based rollback depends on the agent blocking that step, so it complements rather than replaces offline backups. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services deliver ultra-affordable in-depth protection for physical and virtual servers, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and responding to security threats from all vectors. ProSight ESP offers firewall protection, intrusion alerts, device management, and web filtering via cutting-edge technologies packaged within a single agent managed from a single control. Progent's security and virtualization experts can help your business to plan and configure a ProSight ESP deployment that addresses your company's unique needs and that helps you demonstrate compliance with legal and industry information protection regulations. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require immediate action. Progent's consultants can also help you to set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized businesses a low-cost and fully managed solution for secure backup and disaster recovery. Available at a fixed monthly price, ProSight Data Protection Services automates your backup activities and allows fast recovery of vital files, apps and VMs that have become unavailable or corrupted as a result of component failures, software glitches, disasters, human error, or malicious attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to a local device, or to both, which keeps a copy out of reach of an attacker who has taken over the on-premises network. Progent's BDR consultants can provide advanced support to configure ProSight Data Protection Services to comply with regulatory standards like HIPAA, FINRA, and PCI and, when needed, can assist you to recover your critical data. Read more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top information security companies to deliver web-based control and comprehensive protection for all your email traffic. The hybrid architecture of Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway device to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based malware. The Cloud Protection Layer serves as a first line of defense and keeps most threats from reaching your security perimeter. This reduces your exposure to external threats and saves system bandwidth and storage. Email Guard's on-premises security gateway appliance adds a deeper layer of inspection for inbound email. For outbound email, the local gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to track and protect internal email that originates and ends inside your security perimeter. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized businesses to diagram, track, reconfigure and debug their connectivity hardware like switches, firewalls, and wireless controllers as well as servers, client computers and other devices. Using cutting-edge RMM technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always current, copies and manages the configuration information of virtually all devices on your network, tracks performance, and sends notices when potential issues are discovered. By automating time-consuming management and troubleshooting processes, ProSight WAN Watch can cut hours off ordinary tasks like network mapping, reconfiguring your network, locating devices that need critical updates, or isolating performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to keep your network operating efficiently by tracking the state of vital assets that power your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your specified IT personnel and your assigned Progent engineering consultant so any potential problems can be resolved before they can impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the applications. Since the environment is virtualized, it can be ported immediately to an alternate hosting environment without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and protect information related to your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be alerted about impending expirations of SSL certificates or warranties. By cleaning up and organizing your IT documentation, you can save as much as 50% of time spent searching for vital information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents required for managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you're making enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you need the instant you need it. Read more about ProSight IT Asset Management service.
For Brighton 24x7 Crypto-Ransomware Cleanup Consultants, call Progent at 800-993-9400 or go to Contact Progent.