Crypto-Ransomware : Your Worst Information Technology Disaster
Ransomware Remediation ProfessionalsRansomware has become an escalating cyberplague that represents an extinction-level danger for organizations unprepared for an assault. Versions of crypto-ransomware such as Dharma, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for years and continue to inflict destruction. Newer strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Nephilim, as well as more unnamed malware, not only do encryption of on-line data files but also infiltrate many configured system restores and backups. Files synchronized to off-site disaster recovery sites can also be ransomed. In a vulnerable environment, it can make automated restore operations hopeless and basically sets the network back to zero.

Getting back applications and information following a crypto-ransomware event becomes a sprint against the clock as the victim tries its best to stop the spread and remove the ransomware and to resume mission-critical activity. Since ransomware takes time to replicate, assaults are often launched during nights and weekends, when penetrations may take more time to identify. This compounds the difficulty of rapidly mobilizing and organizing an experienced mitigation team.

Progent provides an assortment of services for protecting businesses from crypto-ransomware attacks. Among these are user training to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of modern security gateways with artificial intelligence capabilities to rapidly detect and suppress new threats. Progent in addition provides the assistance of veteran crypto-ransomware recovery professionals with the talent and perseverance to restore a compromised network as quickly as possible.

Progent's Ransomware Recovery Services
Following a crypto-ransomware attack, even paying the ransom demands in cryptocurrency does not ensure that criminal gangs will respond with the needed keys to unencrypt any or all of your files. Kaspersky determined that 17% of crypto-ransomware victims never recovered their information after having paid the ransom, resulting in additional losses. The risk is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well above the typical ransomware demands, which ZDNET estimates to be approximately $13,000. The other path is to re-install the essential elements of your Information Technology environment. Absent access to essential system backups, this requires a wide complement of skills, professional project management, and the ability to work continuously until the task is over.

For two decades, Progent has offered certified expert Information Technology services for companies in Cambridge and throughout the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained high-level certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have earned internationally-recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has experience in financial management and ERP software solutions. This breadth of expertise gives Progent the skills to quickly understand critical systems and consolidate the surviving parts of your IT system after a ransomware penetration and configure them into an operational system.

Progent's ransomware group has state-of-the-art project management applications to orchestrate the complex restoration process. Progent knows the importance of acting quickly and together with a client's management and Information Technology staff to prioritize tasks and to put the most important applications back online as fast as humanly possible.

Client Story: A Successful Ransomware Intrusion Response
A business hired Progent after their company was taken over by the Ryuk crypto-ransomware. Ryuk is believed to have been deployed by North Korean state sponsored hackers, suspected of using approaches exposed from the United States NSA organization. Ryuk goes after specific companies with little tolerance for operational disruption and is one of the most profitable iterations of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing company based in Chicago and has about 500 workers. The Ryuk penetration had disabled all business operations and manufacturing processes. The majority of the client's information backups had been online at the start of the intrusion and were encrypted. The client considered paying the ransom (exceeding $200,000) and hoping for good luck, but in the end engaged Progent.

"I cannot thank you enough about the expertise Progent provided us throughout the most critical period of (our) businesses existence. We would have paid the cyber criminals except for the confidence the Progent group provided us. The fact that you could get our e-mail system and key servers back faster than a week was earth shattering. Every single consultant I got help from or texted at Progent was totally committed on getting us restored and was working non-stop to bail us out."

Progent worked together with the client to quickly determine and assign priority to the most important services that had to be recovered to make it possible to restart departmental operations:

  • Active Directory (AD)
  • Microsoft Exchange Email
  • Accounting/MRP
To get going, Progent adhered to Anti-virus penetration response industry best practices by halting lateral movement and performing virus removal steps. Progent then began the task of bringing back online Active Directory, the key technology of enterprise environments built on Microsoft technology. Microsoft Exchange email will not function without AD, and the client's accounting and MRP system leveraged Microsoft SQL Server, which depends on Active Directory for security authorization to the database.

Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then assisted with reinstallations and storage recovery on critical systems. All Exchange ties and attributes were intact, which greatly helped the rebuild of Exchange. Progent was able to find non-encrypted OST data files (Outlook Offline Data Files) on various desktop computers and laptops in order to recover email information. A not too old offline backup of the client's manufacturing systems made them able to restore these required programs back online for users. Although major work needed to be completed to recover fully from the Ryuk damage, the most important systems were restored rapidly:

"For the most part, the production line operation ran fairly normal throughout and we did not miss any customer shipments."

Over the following month critical milestones in the restoration project were achieved through close cooperation between Progent consultants and the customer:

  • Self-hosted web applications were restored with no loss of information.
  • The MailStore Exchange Server exceeding four million archived emails was brought on-line and available for users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory capabilities were 100% operational.
  • A new Palo Alto 850 firewall was brought on-line.
  • 90% of the user desktops and notebooks were fully operational.
"A lot of what occurred during the initial response is mostly a fog for me, but my team will not soon forget the commitment each of your team put in to help get our business back. I have trusted Progent for the past ten years, maybe more, and every time I needed help Progent has impressed me and delivered. This situation was a testament to your capabilities."

Conclusion
A likely business catastrophe was dodged by results-oriented experts, a wide spectrum of IT skills, and close teamwork. Although in retrospect the crypto-ransomware virus penetration described here would have been identified and blocked with advanced security technology and ISO/IEC 27001 best practices, user education, and appropriate incident response procedures for backup and keeping systems up to date with security patches, the reality remains that government-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and will continue. If you do get hit by a crypto-ransomware virus, remember that Progent's roster of experts has a proven track record in ransomware virus defense, cleanup, and information systems disaster recovery.

"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thanks very much for making it so I could get rested after we got through the first week. Everyone did an impressive effort, and if any of your guys is visiting the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer story, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Cambridge a variety of online monitoring and security evaluation services to assist you to reduce the threat from ransomware. These services utilize modern machine learning capability to detect new strains of ransomware that are able to evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates next generation behavior analysis technology to defend physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which easily evade traditional signature-matching AV products. ProSight Active Security Monitoring protects local and cloud resources and offers a unified platform to manage the complete malware attack progression including blocking, identification, mitigation, remediation, and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services offer affordable multi-layer protection for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and reacting to cyber assaults from all vectors. ProSight ESP delivers firewall protection, penetration alarms, endpoint management, and web filtering through cutting-edge technologies incorporated within a single agent managed from a unified console. Progent's security and virtualization experts can assist your business to plan and configure a ProSight ESP environment that addresses your organization's specific needs and that allows you achieve and demonstrate compliance with government and industry information security regulations. Progent will assist you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require immediate action. Progent can also help your company to install and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized organizations an affordable end-to-end service for reliable backup/disaster recovery (BDR). For a low monthly cost, ProSight Data Protection Services automates and monitors your backup activities and enables rapid recovery of vital data, applications and virtual machines that have become lost or corrupted as a result of hardware breakdowns, software glitches, disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to an on-promises storage device, or mirrored to both. Progent's cloud backup consultants can deliver world-class support to set up ProSight DPS to be compliant with regulatory requirements like HIPAA, FIRPA, PCI and Safe Harbor and, when necessary, can assist you to restore your critical information. Read more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top data security vendors to deliver centralized control and world-class protection for all your email traffic. The hybrid architecture of Email Guard managed service integrates cloud-based filtering with an on-premises security gateway device to offer advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's cloud filter acts as a preliminary barricade and blocks the vast majority of threats from reaching your security perimeter. This decreases your vulnerability to inbound threats and saves network bandwidth and storage space. Email Guard's on-premises gateway appliance adds a deeper layer of analysis for inbound email. For outgoing email, the onsite security gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Microsoft Exchange Server to monitor and protect internal email that stays inside your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent’s ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller businesses to diagram, monitor, optimize and debug their connectivity appliances like switches, firewalls, and access points as well as servers, endpoints and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept current, captures and manages the configuration of almost all devices connected to your network, tracks performance, and generates notices when problems are discovered. By automating tedious network management processes, ProSight WAN Watch can cut hours off ordinary tasks like making network diagrams, reconfiguring your network, finding appliances that require critical software patches, or resolving performance issues. Learn more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent’s server and desktop remote monitoring service that incorporates advanced remote monitoring and management technology to keep your IT system running at peak levels by tracking the health of critical assets that power your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your designated IT management personnel and your assigned Progent engineering consultant so that all potential problems can be resolved before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected fault tolerant data center on a fast virtual machine host configured and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the applications. Because the system is virtualized, it can be ported easily to a different hardware solution without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and safeguard data about your network infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be alerted about upcoming expirations of SSLs ,domains or warranties. By cleaning up and managing your IT documentation, you can eliminate up to half of time thrown away looking for vital information about your network. ProSight IT Asset Management features a centralized location for holding and sharing all documents related to managing your business network like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether you’re planning enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Read more about ProSight IT Asset Management service.
For Cambridge 24/7 Crypto-Ransomware Recovery Services, reach out to Progent at 800-993-9400 or go to Contact Progent.