Crypto-Ransomware : Your Feared IT Catastrophe
Crypto-Ransomware  Remediation ConsultantsCrypto-Ransomware has become a modern cyber pandemic that poses an existential danger for businesses unprepared for an attack. Different iterations of ransomware like the CrySIS, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been circulating for a long time and still cause harm. Newer strains of ransomware such as Ryuk and Hermes, plus frequent as yet unnamed viruses, not only encrypt on-line information but also infect many configured system restores and backups. Files synchronized to off-site disaster recovery sites can also be corrupted. In a vulnerable system, it can render automatic restoration impossible and basically knocks the network back to zero.

Getting back online applications and information after a ransomware intrusion becomes a sprint against the clock as the victim struggles to stop lateral movement and remove the ransomware and to restore business-critical activity. Due to the fact that ransomware needs time to move laterally, attacks are often sprung during nights and weekends, when successful attacks may take more time to discover. This compounds the difficulty of rapidly marshalling and organizing an experienced response team.

Progent makes available a variety of solutions for securing enterprises from ransomware penetrations. These include team member training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with installation of the latest generation security gateways with machine learning capabilities to quickly identify and disable day-zero cyber threats. Progent also offers the services of experienced ransomware recovery engineers with the skills and commitment to rebuild a compromised system as rapidly as possible.

Progent's Ransomware Recovery Help
Subsequent to a ransomware penetration, even paying the ransom in Bitcoin cryptocurrency does not guarantee that cyber hackers will respond with the keys to unencrypt any or all of your files. Kaspersky Labs determined that 17% of ransomware victims never restored their information after having paid the ransom, resulting in more losses. The gamble is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is well above the usual crypto-ransomware demands, which ZDNET estimates to be around $13,000. The other path is to piece back together the critical parts of your IT environment. Absent access to complete data backups, this requires a broad complement of skills, professional project management, and the capability to work continuously until the job is over.

For twenty years, Progent has made available professional IT services for businesses in Broomfield and across the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have been awarded advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have garnered internationally-recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has expertise with financial systems and ERP software solutions. This breadth of experience provides Progent the ability to knowledgably determine critical systems and organize the remaining components of your computer network environment after a crypto-ransomware event and rebuild them into an operational system.

Progent's ransomware team deploys powerful project management tools to coordinate the complex restoration process. Progent understands the importance of acting swiftly and in unison with a customerís management and Information Technology staff to assign priority to tasks and to get the most important systems back on line as fast as possible.

Customer Case Study: A Successful Crypto-Ransomware Attack Response
A business escalated to Progent after their network system was taken over by Ryuk ransomware virus. Ryuk is believed to have been created by Northern Korean government sponsored cybercriminals, suspected of adopting technology exposed from the U.S. NSA organization. Ryuk targets specific organizations with limited room for disruption and is among the most lucrative instances of ransomware malware. Major organizations include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in the Chicago metro area and has about 500 employees. The Ryuk intrusion had frozen all essential operations and manufacturing processes. Most of the client's information backups had been on-line at the start of the attack and were encrypted. The client was actively seeking loans for paying the ransom demand (in excess of $200K) and hoping for good luck, but in the end engaged Progent.


"I cannot say enough in regards to the help Progent gave us during the most fearful time of (our) businesses existence. We would have paid the criminal gangs if not for the confidence the Progent experts gave us. The fact that you were able to get our e-mail system and critical applications back online in less than one week was something I thought impossible. Each consultant I worked with or e-mailed at Progent was amazingly focused on getting us operational and was working all day and night to bail us out."

Progent worked hand in hand the client to quickly identify and assign priority to the essential elements that had to be restored to make it possible to resume departmental functions:

  • Active Directory (AD)
  • Exchange Server
  • Financials/MRP
To begin, Progent followed Anti-virus penetration mitigation best practices by isolating and clearing infected systems. Progent then began the work of recovering Microsoft Active Directory, the foundation of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange messaging will not operate without AD, and the customerís MRP software used SQL Server, which requires Windows AD for authentication to the databases.

In less than two days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then completed setup and storage recovery of mission critical applications. All Microsoft Exchange Server ties and configuration information were usable, which greatly helped the restore of Exchange. Progent was able to locate intact OST data files (Microsoft Outlook Off-Line Folder Files) on team desktop computers and laptops in order to recover mail information. A recent offline backup of the client's manufacturing systems made them able to return these vital services back online for users. Although significant work needed to be completed to recover completely from the Ryuk damage, essential services were recovered rapidly:


"For the most part, the production operation showed little impact and we delivered all customer orders."

During the next couple of weeks key milestones in the recovery project were made through close cooperation between Progent team members and the customer:

  • Internal web applications were restored with no loss of data.
  • The MailStore Server with over 4 million historical messages was brought on-line and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory Control functions were fully operational.
  • A new Palo Alto 850 firewall was brought online.
  • Most of the user desktops were operational.

"A huge amount of what was accomplished in the initial days is nearly entirely a blur for me, but my management will not forget the urgency each and every one of you accomplished to help get our company back. I have been working with Progent for the past ten years, maybe more, and each time Progent has impressed me and delivered. This time was a life saver."

Conclusion
A possible business extinction catastrophe was dodged with dedicated experts, a wide range of IT skills, and tight collaboration. Although in hindsight the ransomware incident described here would have been blocked with current cyber security technology solutions and ISO/IEC 27001 best practices, user education, and well thought out security procedures for data protection and proper patching controls, the fact remains that government-sponsored cyber criminals from Russia, China and elsewhere are tireless and will continue. If you do fall victim to a crypto-ransomware penetration, remember that Progent's team of professionals has extensive experience in ransomware virus blocking, cleanup, and information systems disaster recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for making it so I could get some sleep after we made it through the initial push. All of you did an impressive effort, and if any of your team is visiting the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Broomfield a variety of remote monitoring and security evaluation services to help you to reduce the threat from ransomware. These services incorporate modern AI technology to detect new variants of ransomware that can escape detection by traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that incorporates next generation behavior-based analysis tools to guard physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which easily escape traditional signature-matching AV tools. ProSight ASM protects on-premises and cloud-based resources and offers a single platform to manage the complete malware attack progression including blocking, identification, mitigation, cleanup, and post-attack forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services offer ultra-affordable in-depth security for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and responding to cyber assaults from all vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint control, and web filtering through cutting-edge technologies incorporated within a single agent managed from a unified console. Progent's security and virtualization consultants can assist you to design and configure a ProSight ESP deployment that meets your organization's specific needs and that allows you prove compliance with legal and industry data protection standards. Progent will help you define and configure policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that require urgent action. Progent can also help your company to set up and test a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and mid-sized businesses an affordable end-to-end solution for reliable backup/disaster recovery. Available at a low monthly price, ProSight Data Protection Services automates your backup processes and enables fast restoration of critical files, apps and VMs that have become unavailable or damaged as a result of hardware failures, software bugs, disasters, human mistakes, or malicious attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to a local storage device, or to both. Progent's backup and recovery consultants can provide advanced expertise to set up ProSight DPS to to comply with government and industry regulatory requirements such as HIPPA, FIRPA, and PCI and, when necessary, can help you to restore your critical information. Learn more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading information security companies to deliver centralized control and world-class protection for your email traffic. The powerful architecture of Email Guard integrates a Cloud Protection Layer with an on-premises gateway appliance to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's cloud filter serves as a first line of defense and blocks the vast majority of unwanted email from reaching your network firewall. This decreases your exposure to external attacks and saves network bandwidth and storage. Email Guard's onsite security gateway appliance provides a further level of analysis for incoming email. For outbound email, the on-premises gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to track and safeguard internal email that stays within your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller businesses to map, track, optimize and debug their networking appliances like routers, firewalls, and wireless controllers as well as servers, printers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology maps are always updated, copies and manages the configuration of virtually all devices connected to your network, tracks performance, and generates notices when problems are discovered. By automating time-consuming management and troubleshooting activities, WAN Watch can cut hours off ordinary tasks like making network diagrams, reconfiguring your network, locating appliances that need critical software patches, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) technology to help keep your IT system running efficiently by checking the health of critical assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted immediately to your specified IT personnel and your assigned Progent consultant so all looming problems can be addressed before they can impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual host configured and managed by Progent's IT support professionals. With the ProSight Virtual Hosting service model, the client owns the data, the OS software, and the apps. Since the system is virtualized, it can be moved easily to a different hardware solution without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and protect data about your network infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates ,domains or warranties. By cleaning up and managing your network documentation, you can eliminate as much as 50% of time wasted trying to find vital information about your network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents related to managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether youíre planning improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need the instant you need it. Find out more about ProSight IT Asset Management service.
For 24-7 Broomfield Crypto Cleanup Help, call Progent at 800-993-9400 or go to Contact Progent.