Crypto-Ransomware : Your Worst Information Technology Nightmare
Ransomware Recovery Professionals
Crypto-Ransomware has become a too-frequent cyberplague that represents an enterprise-level threat for organizations unprepared for an attack. Versions of ransomware such as Reveton, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been around for a long time and continue to cause harm. Recent variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, along with more unnamed newcomers, not only encrypt online data files but also corrupt many of the system protection mechanisms that have been configured. Information synched to the cloud can also be ransomed. With a vulnerable data protection solution, this can make any recovery hopeless and effectively knocks the network back to zero.

Recovering applications and data after a ransomware event becomes a sprint against time as the targeted organization struggles to contain the damage, clear the crypto-ransomware, and resume mission-critical activity. Because ransomware needs time to replicate, assaults are often launched during weekends and nights, when attacks typically take longer to notice. This multiplies the difficulty of rapidly assembling and orchestrating an experienced mitigation team.

Progent offers a variety of services for securing enterprises from crypto-ransomware attacks. Among these are team training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of the latest generation security solutions with AI capabilities from SentinelOne to detect and quarantine new cyber threats rapidly. Progent also can provide the assistance of veteran crypto-ransomware recovery engineers with the skills and commitment to rebuild a breached system as soon as possible.

Progent's Ransomware Recovery Support Services
Subsequent to a crypto-ransomware event, paying the ransom in cryptocurrency does not guarantee that cyber criminals will respond with the keys to decrypt any of your data. Kaspersky estimated that seventeen percent of ransomware victims never recovered their information after having sent off the ransom, resulting in additional losses. The attack itself is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNET puts at around $13,000. The fallback is to re-install the key elements of your IT environment. Absent access to essential system backups, this requires a wide complement of IT skills, well-coordinated project management, and the capability to work continuously until the job is done.

For two decades, Progent has offered expert Information Technology services for businesses in Chattanooga and throughout the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have earned advanced certifications in key technologies like Microsoft, Cisco, VMware, and popular distros of Linux. Progent's security specialists have garnered internationally-recognized industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise in accounting and ERP applications. This breadth of expertise gives Progent the ability to quickly determine the necessary systems, consolidate the surviving components of your IT system following a crypto-ransomware penetration, and configure them into a functioning network.

Progent's ransomware team utilizes top notch project management systems to orchestrate the sophisticated recovery process. Progent knows the importance of acting rapidly and in unison with a client's management and Information Technology staff to prioritize tasks and to put critical services back on-line as soon as humanly possible.

Business Case Study: A Successful Ransomware Penetration Response
A small business escalated to Progent after their organization was brought down by Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state-sponsored cybercriminals, suspected of using approaches exposed from America's National Security Agency. Ryuk attacks specific businesses with little tolerance for disruption and is among the most lucrative instances of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing company based in the Chicago metro area with about 500 staff members. The Ryuk intrusion had shut down all essential operations and manufacturing processes. The majority of the client's information backups had been directly accessible from the network at the start of the intrusion and were destroyed. The client was actively seeking loans for paying the ransom (in excess of $200,000) and hoping for good luck, but ultimately brought in Progent.


"I cannot speak enough in regards to the expertise Progent gave us throughout the most critical period of (our) company's existence. We most likely would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent experts provided us. That you were able to get our messaging and essential servers back in less than seven days was incredible. Each expert I got help from or texted at Progent was hell bent on getting our company operational and was working 24/7 on our behalf."

Progent worked with the customer to rapidly determine and assign priority to the essential elements that had to be recovered in order to resume company functions:

  • Active Directory
  • Electronic Messaging
  • Financials/MRP
To start, Progent adhered to industry best practices for anti-virus/malware incident mitigation by isolating and disinfecting systems. Progent then initiated the task of rebuilding Microsoft Active Directory, the core of enterprise systems built on Microsoft Windows technology. Microsoft Exchange Server messaging will not work without AD, and the business's financials and MRP applications relied on Microsoft SQL Server, which needs Active Directory to authenticate access to the data.

Within 48 hours, Progent was able to rebuild Active Directory to its pre-penetration state. Progent then performed setup and hard drive recovery on the most important servers. All Exchange Server schema and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to collect non-encrypted OST files (Outlook Offline Folder Files) from user desktop computers and laptops to recover email messages. A recent off-line backup of the customer's accounting/ERP software made it possible to restore these essential services to users. Although major work was left to recover totally from the Ryuk damage, essential services were returned to operation quickly:
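One practical way to speed up the OST-based mail recovery step described above is to triage which cached mailbox files on workstations are still intact before collecting them. The script below is an added example (not Progent's tooling): it checks the MS-PST header magic and falls back to an entropy test to flag files that ransomware has overwritten; the sample bytes and file names are constructed.

```python
import math
import os
from collections import Counter

# MS-PST file header constants (from the published MS-PST specification):
# dwMagic "!BDN" at offset 0, wMagicClient "SM" at offset 8,
# wVer at offset 10: 14/15 = ANSI, 23 = Unicode, 36 = OST written by Outlook 2013+.
PST_MAGIC = b"!BDN"
CLIENT_MAGIC = b"SM"
KNOWN_VERSIONS = {14: "ANSI", 15: "ANSI", 23: "Unicode", 36: "OST 2013+"}
SAMPLE_BYTES = 4096          # how much of each file to read for triage
ENTROPY_THRESHOLD = 7.5      # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_ost(sample: bytes) -> str:
    """Classify the leading bytes of an .ost/.pst as 'intact', 'encrypted' or 'unknown'."""
    if len(sample) >= 12 and sample[:4] == PST_MAGIC and sample[8:10] == CLIENT_MAGIC:
        version = int.from_bytes(sample[10:12], "little")
        return "intact" if version in KNOWN_VERSIONS else "unknown"
    # A file rewritten by ransomware has no header and a near-uniform byte distribution.
    if shannon_entropy(sample) > ENTROPY_THRESHOLD:
        return "encrypted"
    return "unknown"


def triage_samples(samples: dict) -> dict:
    """Classify an in-memory {name: leading_bytes} mapping (useful for reports and tests)."""
    return {name: classify_ost(data) for name, data in samples.items()}


def scan_directory(root: str) -> dict:
    """Walk `root` and classify every file whose name contains .ost or .pst.
    Substring matching catches files ransomware renamed by appending its own extension."""
    found = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if ".ost" in name.lower() or ".pst" in name.lower():
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    found[path] = classify_ost(fh.read(SAMPLE_BYTES))
    return found


# Constructed sample data (not real mailbox files): a Unicode-format header padded
# with zeros, and a pseudo-ciphertext in which every byte value is equally represented.
CONSTRUCTED_SAMPLES = {
    "alice.ost": PST_MAGIC + b"\x00" * 4 + CLIENT_MAGIC + (23).to_bytes(2, "little") + b"\x00" * 500,
    "bob.ost.locked": bytes(range(256)) * 16,
}

if __name__ == "__main__":
    for name, verdict in triage_samples(CONSTRUCTED_SAMPLES).items():
        print(f"{name}: {verdict}")
```

Point `scan_directory` at a mounted workstation profile (for example the Outlook cache folder) to get a per-file verdict before copying anything off the machine.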


"For the most part, the production manufacturing operation survived unscathed and we produced all customer shipments."

Throughout the following few weeks important milestones in the restoration project were made through tight collaboration between Progent consultants and the customer:

  • In-house web applications were returned to operation with no loss of information.
  • The MailStore Server with over 4 million archived messages was restored to operations and available for users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory capabilities were completely restored.
  • A new Palo Alto 850 firewall was installed and configured.
  • Ninety percent of the user workstations were functioning as before the incident.

"Much of what went on during the initial response is mostly a haze for me, but we will not forget the dedication each of your team accomplished to help get our company back. I have been working together with Progent for at least 10 years, possibly more, and every time I needed help Progent has impressed me and delivered as promised. This event was a life saver."

Conclusion
A possible company-ending disaster was averted with top-tier experts, a broad range of knowledge, and close collaboration. Although in retrospect the ransomware penetration described here would have been blocked with modern cyber security systems and best practices, user and IT administrator training, and well designed incident response procedures for data backup and proper patching controls, the fact is that state-sponsored hackers from Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware penetration, feel confident that Progent's roster of experts has proven experience in ransomware virus blocking, remediation, and information systems restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thank you for making it so I could get some sleep after we made it past the first week. All of you did an incredible effort, and if any of your guys is visiting the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Chattanooga a range of remote monitoring and security evaluation services designed to help you to reduce the threat from ransomware. These services include next-generation machine learning capability to uncover new variants of crypto-ransomware that can escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's next generation behavior analysis technology to guard physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely get by traditional signature-based AV tools. ProSight ASM safeguards on-premises and cloud resources and provides a unified platform to automate the complete threat progression including protection, infiltration detection, mitigation, cleanup, and post-attack forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Progent is a SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer ultra-affordable multi-layer protection for physical servers and virtual machines, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and responding to security threats from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint management, and web filtering through cutting-edge technologies incorporated within one agent managed from a single control. Progent's security and virtualization consultants can assist you to plan and configure a ProSight ESP deployment that addresses your company's specific requirements and that allows you achieve and demonstrate compliance with government and industry information protection regulations. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for immediate action. Progent can also assist your company to install and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has partnered with advanced backup technology providers to produce ProSight Data Protection Services, a portfolio of subscription-based management offerings that provide backup-as-a-service. ProSight DPS products automate and monitor your data backup operations and enable transparent backup and rapid recovery of important files, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS helps you recover from data loss resulting from hardware failures, natural disasters, fire, malware like ransomware, user mistakes, ill-intentioned employees, or application glitches. Managed services available in the ProSight Data Protection Services product line include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to identify which of these fully managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading data security companies to deliver centralized control and comprehensive security for your inbound and outbound email. The powerful architecture of Progent's Email Guard combines a Cloud Protection Layer with a local security gateway device to provide complete protection against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based malware. The Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of unwanted email from reaching your network firewall. This decreases your exposure to external attacks and saves network bandwidth and storage space. Email Guard's onsite security gateway device provides a further level of analysis for inbound email. For outbound email, the local security gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Exchange Server to track and protect internal email that stays within your security perimeter. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller businesses to diagram, monitor, reconfigure and debug their connectivity hardware like routers, firewalls, and wireless controllers plus servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network maps are kept updated, copies and manages the configuration information of almost all devices connected to your network, tracks performance, and generates notices when problems are detected. By automating tedious network management activities, ProSight WAN Watch can cut hours off ordinary chores like network mapping, expanding your network, finding appliances that require critical updates, or identifying the cause of performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management techniques to keep your IT system running efficiently by tracking the health of the vital assets that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your designated IT personnel and your Progent consultant so that any potential problems can be resolved before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure fault tolerant data center on a high-performance virtual machine host configured and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the client owns the data, the OS software, and the apps. Because the system is virtualized, it can be moved immediately to a different hosting environment without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and protect data about your IT infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your network documentation, you can eliminate up to 50% of the time wasted searching for vital information about your network. ProSight IT Asset Management features a centralized location for holding and sharing all documents related to managing your network infrastructure like standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're making enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you need as soon as you need it. Read more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that incorporates cutting-edge behavioral machine learning technology to guard endpoints as well as physical and virtual servers against new malware assaults such as ransomware and email phishing, which easily get by traditional signature-matching anti-virus tools. Progent ASM services protect local and cloud resources and offer a single platform to automate the complete threat lifecycle including blocking, identification, mitigation, remediation, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Read more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Help Desk: Call Center Managed Services
    Progent's Help Center managed services enable your information technology group to outsource Support Desk services to Progent or divide activity for support services transparently between your in-house support team and Progent's extensive roster of certified IT support engineers and subject matter experts. Progent's Co-managed Service Desk offers a smooth supplement to your internal support organization. Client interaction with the Help Desk, delivery of technical assistance, issue escalation, trouble ticket creation and tracking, performance metrics, and management of the service database are consistent whether incidents are resolved by your core support staff, by Progent's team, or both. Learn more about Progent's outsourced/shared Call Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for patch management offer businesses of any size a flexible and cost-effective solution for assessing, validating, scheduling, implementing, and documenting updates to your dynamic information system. In addition to maximizing the protection and reliability of your IT environment, Progent's patch management services permit your in-house IT team to focus on line-of-business projects and tasks that deliver the highest business value from your network. Find out more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo MFA services utilize Cisco's Duo cloud technology to protect against stolen passwords by using two-factor authentication (2FA). Duo enables one-tap identity verification on Apple iOS, Google Android, and other personal devices. Using Duo 2FA, whenever you log into a secured application and give your password you are asked to verify your identity on a device that only you possess and that is accessed using a separate network channel. A wide selection of devices can be utilized for this second means of ID validation including a smartphone or wearable, a hardware/software token, a landline telephone, etc. You may designate several verification devices. For more information about Duo identity authentication services, see Cisco Duo MFA two-factor authentication services.
For Chattanooga 24/7 Crypto-Ransomware Repair Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.