Crypto-Ransomware : Your Feared IT Disaster
Crypto-ransomware has become a modern cyber plague and represents an extinction-level threat for businesses of any size that are poorly prepared for an attack. Families such as CryptoLocker, CryptoWall, Locky, NotPetya and MongoLock have been in the wild for years and continue to cause harm. More recent strains such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, Conti and Nefilim, along with as-yet-unnamed newcomers appearing daily, not only encrypt on-line critical data but also deliberately disable whatever system protection is configured, deleting shadow copies, backup catalogs and on-line backup sets before or during encryption. Data replicated to cloud environments can be ransomed as well, because replication faithfully copies the encrypted files over the good ones. In a poorly designed data protection solution this renders recovery impossible and effectively sets the datacenter back to zero.

Bringing applications and data back on-line after a ransomware attack becomes a race against the clock as the targeted business struggles to contain the damage, eradicate the malware and resume mission-critical operations. Because the intruders need time to move laterally and stage the attack, the encryption phase is usually triggered on weekends or at night, when it is likely to go unnoticed for longer. This compounds the difficulty of quickly mobilizing and organizing an experienced response team.
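Two of the behaviours described above leave telemetry before the damage is complete: the recovery-inhibition commands ransomware runs to destroy shadow copies and backup catalogs, and the burst of file renames that begins once encryption starts, typically off-hours. The Python below is an added example (not Progent's code and not part of any product on this page) that runs simple detection logic over constructed, Sysmon-style process-creation and file-rename events. The event schema, the 07:00-19:00 business-hours window, the 50-renames-per-minute threshold and the sample events are all assumptions to be tuned against a real environment.

```python
"""Ransomware precursor detection over constructed endpoint telemetry (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines commonly used to inhibit recovery (MITRE ATT&CK T1490). Note that
# "vssadmin list shadows" is deliberately NOT matched, to avoid flagging admin queries.
RECOVERY_INHIBIT_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"Win32_ShadowCopy.*(Delete|Remove-WmiObject)", re.I),
]


def is_recovery_inhibition(cmdline: str) -> bool:
    """True if a process command line matches a known recovery-inhibition pattern."""
    return any(p.search(cmdline) for p in RECOVERY_INHIBIT_PATTERNS)


def off_hours(ts: datetime) -> bool:
    """Weekend, or outside 07:00-19:00 local time (assumed business hours)."""
    return ts.weekday() >= 5 or not 7 <= ts.hour < 19


def detect_rename_burst(events, window_s=60, threshold=50):
    """Flag (host, pid) pairs that rename >= threshold files within window_s seconds."""
    per_key = defaultdict(list)
    for e in events:
        if e["type"] == "file_rename":
            per_key[(e["host"], e["pid"])].append(e["ts"])
    hits = []
    for (host, pid), times in per_key.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):          # sliding window over sorted timestamps
            while (t - times[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits.append({"host": host, "pid": pid, "start": times[lo], "count": hi - lo + 1})
                break
    return hits


def analyze(events):
    """Return a list of alert dicts for recovery inhibition and mass-rename bursts."""
    alerts = []
    for e in events:
        if e["type"] == "process_create" and is_recovery_inhibition(e["cmdline"]):
            alerts.append({"rule": "recovery_inhibition", "host": e["host"], "ts": e["ts"],
                           "detail": e["cmdline"], "severity": "critical"})
    for h in detect_rename_burst(events):
        alerts.append({"rule": "mass_rename", "host": h["host"], "ts": h["start"],
                       "detail": f"pid={h['pid']} renames={h['count']}",
                       "severity": "critical" if off_hours(h["start"]) else "high"})
    return alerts


def build_sample_events():
    """Constructed telemetry (not real data): a Saturday 02:14 intrusion on host fs01."""
    t0 = datetime(2024, 6, 8, 2, 14, 0)  # 2024-06-08 is a Saturday
    events = [
        {"type": "process_create", "host": "fs01", "pid": 4100, "ts": t0,
         "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
        {"type": "process_create", "host": "fs01", "pid": 4101, "ts": t0 + timedelta(seconds=1),
         "cmdline": "vssadmin list shadows"},                       # benign admin query
        {"type": "process_create", "host": "ws07", "pid": 2200, "ts": t0 + timedelta(seconds=5),
         "cmdline": "C:\\Windows\\System32\\notepad.exe"},
    ]
    # 80 renames by one process within 40 seconds on fs01: a mass-encryption burst.
    for i in range(80):
        events.append({"type": "file_rename", "host": "fs01", "pid": 4242,
                       "ts": t0 + timedelta(seconds=10 + i * 0.5),
                       "path": f"\\\\fs01\\share\\doc{i}.docx.RYK"})
    # 5 renames by a user process on ws07: below threshold, should not alert.
    for i in range(5):
        events.append({"type": "file_rename", "host": "ws07", "pid": 3000,
                       "ts": t0 + timedelta(seconds=i * 10),
                       "path": f"C:\\Users\\jdoe\\draft{i}.txt"})
    return events


if __name__ == "__main__":
    for a in analyze(build_sample_events()):
        print(a["severity"], a["rule"], a["host"], a["ts"].isoformat(), a["detail"])
```

In production the events would come from Sysmon (Event ID 1 for process creation, 11/2 for file activity) or an EDR feed rather than a constructed list, and the recovery-inhibition alert is worth treating as a blocking action (isolate the host) rather than a notification, since the encryption run usually starts seconds later.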

Progent provides an assortment of solutions for protecting organizations from ransomware attacks. These include training staff to recognize and not fall victim to phishing, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security solutions that use machine learning to detect and block zero-day threats. Progent also offers the assistance of expert ransomware recovery consultants with the skill and perseverance to rebuild a compromised environment as quickly as possible.

Progent's Ransomware Restoration Services
After a ransomware event, paying the ransom in Bitcoin provides no assurance that the criminals will hand over the keys needed to decrypt all of your data. Kaspersky Lab determined that 17% of ransomware victims never recovered their data after paying, compounding their losses. The gamble is also very expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000), well above the typical ransomware demand, which ZDNet puts at around $13,000. The alternative is to rebuild the essential components of your IT environment. Without full, uncompromised backups, this calls for a broad complement of skills, professional project management, and the ability to work around the clock until the recovery is complete.

For twenty years, Progent has provided professional IT services to businesses in Cabo Frio and across the United States and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who hold top industry certifications in leading technologies including Microsoft, Cisco, VMware, and major Linux distributions. Progent's cyber security experts have earned internationally recognized certifications including CISA, CISSP, CRISC, and GIAC (see Progent's certifications). Progent also has expertise with accounting and ERP applications. This breadth of expertise gives Progent the skills to quickly understand critical systems, triage what remains of your IT environment after a ransomware event, and rebuild it into a functioning network.

Progent's ransomware recovery team uses powerful project management tools to orchestrate the complex recovery process. Progent understands the urgency of acting quickly and in concert with a client's management and IT staff to prioritize tasks and bring essential systems back on-line as soon as humanly possible.

Customer Case Study: A Successful Crypto-Ransomware Penetration Recovery
A business engaged Progent after its network was brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored hackers because it shares code with the earlier Hermes ransomware, although later research links its operators to Russian-speaking criminal groups. Ryuk targets specific organizations with little or no tolerance for disruption and is one of the most profitable ransomware families. Publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing business in Chicago with around 500 staff. The Ryuk attack had disabled all essential business and manufacturing operations. Most of the client's backups had been on-line at the time of the intrusion and were destroyed. The client considered paying the ransom (more than $200,000) and hoping for the best, but in the end engaged Progent.


"I can't tell you enough about the support Progent provided us throughout the most critical time of (our) company's life. We had little choice but to pay the hackers behind this attack except for the confidence the Progent group afforded us. The fact that you were able to get our e-mail and essential servers back on-line faster than one week was earth shattering. Each consultant I worked with or texted at Progent was urgently focused on getting our company operational and was working day and night to bail us out."

Progent worked hand in hand with the client to quickly assess and prioritize the critical systems that had to be restored to keep the company running:

  • Windows Active Directory
  • Exchange Server
  • Accounting and Manufacturing Software
To begin, Progent followed ransomware incident response best practices by stopping lateral movement and eradicating the malware from affected systems. Progent then began restoring Active Directory, the foundation of any environment built on Windows Server. Exchange cannot function without Active Directory, and the client's accounting and MRP applications ran on SQL Server and authenticated to their databases through Active Directory, so they depended on it as well.
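The restore order above (Active Directory first, then Exchange and SQL Server, then the applications that sit on SQL Server) is an instance of a general rule: rebuild services in dependency order, and within each wave start with whatever the most other services depend on. The Python below is an added example, not Progent's tooling; it computes restore waves with Kahn's algorithm, ranks services by how many others transitively depend on them, and rejects dependency cycles, which in a recovery plan indicate a modelling error (for example, a domain controller that "depends on" a file server it also serves). The dependency map is a constructed illustration loosely modelled on the case study and is an assumption, not the client's actual architecture.

```python
"""Restore-order planning from a service dependency map (added example)."""


def _graph(deps):
    """Normalise a service -> [dependencies] map into nodes, in-degrees and reverse edges."""
    nodes = set(deps)
    for ds in deps.values():
        nodes.update(ds)
    indeg = {n: 0 for n in nodes}
    dependents = {n: [] for n in nodes}
    for svc, ds in deps.items():
        for d in set(ds):              # de-duplicate so in-degree counts are exact
            indeg[svc] += 1
            dependents[d].append(svc)
    return nodes, indeg, dependents


def restore_waves(deps):
    """Kahn's algorithm: wave i holds services whose dependencies all sit in earlier waves.
    Everything in one wave can be rebuilt in parallel. Raises ValueError on a cycle."""
    nodes, indeg, dependents = _graph(deps)
    wave = sorted(n for n in nodes if indeg[n] == 0)
    waves, placed = [], 0
    while wave:
        waves.append(wave)
        placed += len(wave)
        ready = []
        for n in wave:
            for s in dependents[n]:
                indeg[s] -= 1
                if indeg[s] == 0:
                    ready.append(s)
        wave = sorted(ready)
    if placed != len(nodes):
        stuck = sorted(n for n in nodes if indeg[n] > 0)
        raise ValueError(f"dependency cycle among: {stuck}")
    return waves


def has_cycle(deps):
    try:
        restore_waves(deps)
        return False
    except ValueError:
        return True


def impact(deps):
    """Number of services that transitively depend on each service (restore-priority hint)."""
    nodes, _, dependents = _graph(deps)
    result = {}
    for n in nodes:
        seen, stack = set(), list(dependents[n])
        while stack:
            s = stack.pop()
            if s not in seen:
                seen.add(s)
                stack.extend(dependents[s])
        result[n] = len(seen)
    return result


def restore_plan(deps):
    """Waves in dependency order; within a wave, highest impact first, then by name."""
    imp = impact(deps)
    return [sorted(w, key=lambda s: (-imp[s], s)) for w in restore_waves(deps)]


# Constructed dependency map (an assumption, loosely modelled on the case study).
# Directory and DNS are one node because AD DS and AD-integrated DNS are co-dependent.
SAMPLE_DEPS = {
    "Domain controllers (AD DS + DNS)": [],
    "Core network (switches, firewall)": [],
    "SQL Server": ["Domain controllers (AD DS + DNS)", "Core network (switches, firewall)"],
    "Exchange Server": ["Domain controllers (AD DS + DNS)", "Core network (switches, firewall)"],
    "Accounting": ["SQL Server"],
    "MRP": ["SQL Server"],
    "Web sites": ["Core network (switches, firewall)"],
    "User workstations": ["Domain controllers (AD DS + DNS)", "Exchange Server"],
}


if __name__ == "__main__":
    imp = impact(SAMPLE_DEPS)
    for i, wave in enumerate(restore_plan(SAMPLE_DEPS)):
        print(f"wave {i}: " + ", ".join(f"{s} (impact {imp[s]})" for s in wave))
```

The impact score is what justifies the "Active Directory first" decision in the narrative: in the sample map the domain controllers block five other services and the core network six, so both belong in the first wave regardless of how loud any single application owner is.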

Within two days, Progent had restored Active Directory to its pre-attack state. Progent then helped perform reinstallations and storage recovery on essential systems. All Exchange data and configuration were intact, which simplified the Exchange restore. Progent was also able to locate intact OST files (Outlook offline data files) on staff PCs and recover email from them. A recent off-line backup of the business's accounting software made it possible to bring those required applications back on-line. Although a great deal of work remained to recover fully from the Ryuk damage, core services were restored quickly:


"For the most part, the production manufacturing operation showed little impact and we delivered all customer orders."

Over the next couple of weeks, key recovery milestones were reached through close cooperation between Progent's team and the customer:

  • Self-hosted web sites were brought back up with no loss of data.
  • The MailStore Server archive containing more than four million historical messages was brought on-line and made available to users.
  • CRM, customer orders, invoicing, accounts payable (AP), accounts receivable (AR) and inventory modules were 100 percent recovered.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • Nearly all user desktops and notebooks were operational.

"So much of what went on that first week is mostly a haze for me, but my team will not soon forget the urgency each of you accomplished to help get our company back. I have entrusted Progent for the past 10 years, possibly more, and every time I needed help Progent has shined and delivered as promised. This event was the most impressive ever."

Conclusion
A potentially business-killing disaster was averted through the efforts of dedicated professionals, a wide spectrum of expertise, and close teamwork. Although in hindsight the incident described here could have been detected and stopped with modern security tools, recognized best practices, staff training, and properly executed procedures for data protection and security patching, the fact remains that ransomware operators, including state-sponsored actors from China, North Korea and elsewhere, are relentless and are not going away. If you do fall victim to a ransomware intrusion, you can be confident that Progent's team has substantial experience in ransomware defense, remediation, and data disaster recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thanks very much for making it so I could get rested after we got over the initial push. All of you did an amazing job, and if anyone is in the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Cabo Frio a range of remote monitoring and security assessment services designed to reduce your exposure to ransomware. These services use modern machine learning to detect zero-day ransomware variants that evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that uses next-generation behavior analysis to defend physical and virtual endpoints against new malware such as ransomware and phishing-delivered payloads, which routinely evade traditional signature-matching anti-virus products. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a unified platform to manage the entire threat lifecycle including prevention, detection, containment, remediation, and post-attack forensics. Top capabilities include single-click rollback using the Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection managed services deliver affordable multi-layer protection for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and respond to attacks from all vectors. ProSight ESP provides firewall protection, intrusion alerts, device control, and web filtering through leading-edge technologies incorporated within one agent managed from a unified console. Progent's security and virtualization consultants can help your business design and implement a ProSight ESP deployment that addresses your organization's specific requirements and allows you to demonstrate compliance with legal and industry data protection standards. Progent will help you define and configure the security policies that ProSight ESP enforces, and Progent will monitor your network and respond to alarms that call for urgent action. Progent can also help your company install and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and mid-sized organizations a low-cost, fully managed service for secure backup and disaster recovery. Available at a low monthly price, ProSight Data Protection Services automates and monitors your backup processes and enables fast recovery of critical files, applications and VMs that have become unavailable or corrupted due to hardware failures, software glitches, disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, and Hyper-V and VMware images. Important data can be protected in the cloud, on a local storage device, or mirrored to both, so that at least one copy sits outside the reach of an attacker who has compromised the production network. Progent's backup and recovery consultants can provide advanced expertise to set up ProSight DPS to comply with government and industry regulatory standards such as HIPAA, FERPA, and PCI and, whenever necessary, can help you restore your critical information. Read more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top information security companies to provide web-based management and world-class protection for all your inbound and outbound email. The hybrid structure of the Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway device to provide advanced protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. The cloud filter serves as a first line of defense and keeps most unwanted email from reaching your security perimeter. This reduces your exposure to inbound attacks and saves network bandwidth and storage space. Email Guard's on-premises gateway appliance adds a deeper layer of inspection for incoming email. For outbound email, the on-premises gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Exchange Server track and protect internal email traffic that stays within your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to diagram, monitor, enhance and troubleshoot their networking hardware like switches, firewalls, and wireless controllers plus servers, endpoints and other devices. Using state-of-the-art RMM technology, WAN Watch makes sure that network diagrams are kept current, copies and manages the configuration of virtually all devices on your network, monitors performance, and generates notices when issues are detected. By automating tedious network management activities, ProSight WAN Watch can cut hours off ordinary tasks such as making network diagrams, expanding your network, finding appliances that require critical updates, or isolating performance problems. Learn more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) techniques to keep your network running efficiently by tracking the state of critical assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your designated IT personnel and your Progent consultant so all looming problems can be addressed before they have a chance to impact productivity. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual machine host set up and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the OS software, and the applications. Since the environment is virtualized, it can be moved easily to a different hosting solution without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and safeguard information about your network infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or warranties. By updating and organizing your IT documentation, you can save up to half of the time wasted trying to find critical information about your IT network. ProSight IT Asset Management includes a common repository for storing and sharing all documents related to managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether you're making improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.
For 24-7 Cabo Frio Ransomware Remediation Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.