Crypto-Ransomware : Your Feared IT Disaster
Ransomware  Recovery ProfessionalsRansomware has become an escalating cyberplague that presents an enterprise-level danger for businesses vulnerable to an attack. Different versions of ransomware such as Reveton, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been around for a long time and still inflict damage. The latest strains of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit or Nephilim, plus additional unnamed newcomers, not only encrypt online data files but also infect any configured system protection mechanisms. Data replicated to the cloud can also be corrupted. In a vulnerable system, it can render automated restore operations useless and basically knocks the datacenter back to zero.

Getting back services and information after a crypto-ransomware event becomes a race against the clock as the targeted organization struggles to contain the damage and cleanup the virus and to resume mission-critical operations. Since crypto-ransomware needs time to move laterally, assaults are frequently launched during weekends and nights, when successful attacks in many cases take longer to uncover. This multiplies the difficulty of quickly mobilizing and organizing a qualified mitigation team.

Progent has an assortment of help services for securing organizations from ransomware penetrations. These include staff training to become familiar with and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of next-generation security gateways with artificial intelligence capabilities to automatically identify and disable zero-day cyber attacks. Progent also provides the services of expert ransomware recovery engineers with the skills and perseverance to reconstruct a compromised system as quickly as possible.

Progent's Ransomware Recovery Services
Following a ransomware event, paying the ransom demands in cryptocurrency does not guarantee that criminal gangs will respond with the codes to unencrypt all your information. Kaspersky Labs estimated that 17% of crypto-ransomware victims never restored their files after having sent off the ransom, resulting in more losses. The risk is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the usual crypto-ransomware demands, which ZDNET estimates to be around $13,000. The fallback is to piece back together the key elements of your IT environment. Absent the availability of complete system backups, this calls for a broad range of skills, top notch project management, and the willingness to work 24x7 until the recovery project is over.

For twenty years, Progent has offered professional Information Technology services for companies in Chattanooga and throughout the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have been awarded high-level certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have earned internationally-renowned certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise in financial management and ERP application software. This breadth of expertise affords Progent the capability to knowledgably understand important systems and re-organize the remaining parts of your network system following a ransomware attack and rebuild them into a functioning system.

Progent's security team of experts utilizes best of breed project management tools to coordinate the complicated recovery process. Progent knows the urgency of working rapidly and in unison with a client's management and IT team members to prioritize tasks and to put essential applications back online as fast as possible.

Business Case Study: A Successful Crypto-Ransomware Attack Response
A small business escalated to Progent after their company was taken over by Ryuk crypto-ransomware. Ryuk is thought to have been deployed by North Korean government sponsored cybercriminals, suspected of using approaches leaked from the United States NSA organization. Ryuk goes after specific businesses with little tolerance for disruption and is one of the most profitable versions of ransomware. Major organizations include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer headquartered in Chicago with about 500 workers. The Ryuk penetration had disabled all business operations and manufacturing processes. The majority of the client's system backups had been directly accessible at the time of the attack and were damaged. The client was taking steps for paying the ransom demand (exceeding $200,000) and wishfully thinking for good luck, but in the end brought in Progent.


"I canít say enough about the support Progent gave us during the most critical time of (our) companyís existence. We would have paid the cyber criminals if not for the confidence the Progent team gave us. That you were able to get our e-mail and critical applications back on-line sooner than 1 week was beyond my wildest dreams. Every single consultant I worked with or communicated with at Progent was absolutely committed on getting us working again and was working 24 by 7 on our behalf."

Progent worked with the customer to quickly get our arms around and prioritize the mission critical services that needed to be addressed in order to resume departmental operations:

  • Active Directory (AD)
  • Microsoft Exchange Email
  • Accounting and Manufacturing Software
To get going, Progent adhered to AV/Malware Processes event mitigation industry best practices by stopping the spread and disinfecting systems. Progent then began the steps of recovering Windows Active Directory, the core of enterprise systems built upon Microsoft technology. Microsoft Exchange Server messaging will not operate without Active Directory, and the businessesí MRP applications leveraged SQL Server, which requires Active Directory for security authorization to the database.

Within two days, Progent was able to re-build Active Directory to its pre-virus state. Progent then completed setup and hard drive recovery of key applications. All Exchange Server data and attributes were usable, which greatly helped the restore of Exchange. Progent was also able to collect intact OST files (Microsoft Outlook Offline Data Files) on team desktop computers in order to recover mail data. A not too old offline backup of the customerís financials/MRP systems made them able to recover these required services back servicing users. Although a lot of work was left to recover fully from the Ryuk attack, the most important services were recovered rapidly:


"For the most part, the production operation survived unscathed and we made all customer deliverables."

Throughout the next couple of weeks key milestones in the restoration project were made in tight cooperation between Progent team members and the customer:

  • Internal web sites were returned to operation without losing any data.
  • The MailStore Server exceeding 4 million archived emails was restored to operations and accessible to users.
  • CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory Control modules were completely restored.
  • A new Palo Alto 850 security appliance was installed.
  • Ninety percent of the user desktops were operational.

"A huge amount of what transpired in the early hours is nearly entirely a fog for me, but my team will not soon forget the care each of your team accomplished to help get our company back. Iíve entrusted Progent for the past ten years, possibly more, and each time Progent has shined and delivered. This event was a Herculean accomplishment."

Conclusion
A probable company-ending catastrophe was dodged through the efforts of results-oriented experts, a broad array of subject matter expertise, and tight teamwork. Although upon completion of forensics the ransomware penetration described here could have been identified and stopped with advanced cyber security solutions and recognized best practices, user training, and appropriate security procedures for information protection and applying software patches, the fact is that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and are an ongoing threat. If you do get hit by a ransomware attack, feel confident that Progent's roster of experts has proven experience in crypto-ransomware virus defense, remediation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were contributing), thanks very much for letting me get some sleep after we got over the initial push. Everyone did an incredible effort, and if anyone that helped is around the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Chattanooga a variety of remote monitoring and security evaluation services to help you to minimize your vulnerability to ransomware. These services utilize next-generation AI capability to detect new strains of crypto-ransomware that are able to evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes next generation behavior-based analysis technology to guard physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which routinely escape legacy signature-based AV tools. ProSight ASM safeguards on-premises and cloud resources and offers a single platform to manage the entire malware attack progression including filtering, identification, mitigation, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection managed services deliver affordable multi-layer protection for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and responding to cyber assaults from all attack vectors. ProSight ESP offers firewall protection, penetration alarms, endpoint control, and web filtering through cutting-edge technologies packaged within a single agent managed from a unified control. Progent's security and virtualization consultants can assist your business to plan and implement a ProSight ESP environment that meets your organization's unique needs and that helps you achieve and demonstrate compliance with legal and industry information protection regulations. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for immediate action. Progent's consultants can also assist you to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized organizations an affordable and fully managed solution for reliable backup/disaster recovery. For a low monthly cost, ProSight Data Protection Services automates and monitors your backup activities and enables rapid recovery of critical files, apps and VMs that have become unavailable or corrupted as a result of hardware failures, software glitches, disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to a local device, or mirrored to both. Progent's backup and recovery specialists can provide world-class expertise to set up ProSight DPS to be compliant with government and industry regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can help you to recover your business-critical information. Learn more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading information security companies to deliver web-based management and world-class security for all your inbound and outbound email. The powerful structure of Progent's Email Guard managed service integrates cloud-based filtering with a local security gateway appliance to provide complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne threats. The Cloud Protection Layer serves as a first line of defense and keeps the vast majority of threats from making it to your security perimeter. This decreases your vulnerability to external attacks and saves network bandwidth and storage space. Email Guard's on-premises gateway device adds a deeper level of analysis for inbound email. For outbound email, the on-premises gateway offers AV and anti-spam protection, DLP, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that stays inside your security perimeter. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to map, monitor, reconfigure and troubleshoot their networking hardware such as routers and switches, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology maps are always updated, copies and displays the configuration of almost all devices on your network, tracks performance, and generates alerts when problems are detected. By automating complex management processes, WAN Watch can cut hours off common chores like network mapping, reconfiguring your network, finding devices that need critical updates, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your network running at peak levels by tracking the state of vital computers that drive your business network. When ProSight LAN Watch detects a problem, an alert is sent automatically to your specified IT staff and your assigned Progent engineering consultant so any looming issues can be addressed before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual machine host set up and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be moved immediately to a different hosting solution without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and protect data related to your network infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be warned about impending expirations of SSLs ,domains or warranties. By cleaning up and organizing your network documentation, you can save as much as half of time spent looking for critical information about your IT network. ProSight IT Asset Management includes a common location for storing and sharing all documents related to managing your business network such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether youíre making improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
For 24/7 Chattanooga Crypto Recovery Help, contact Progent at 800-993-9400 or go to Contact Progent.