Crypto-Ransomware : Your Worst IT Nightmare
Ransomware  Recovery ExpertsRansomware has become a modern cyber pandemic that represents an enterprise-level threat for businesses of all sizes unprepared for an assault. Multiple generations of ransomware like the CrySIS, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been around for a long time and still cause destruction. Newer versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit or Nephilim, as well as daily unnamed viruses, not only do encryption of on-line data files but also infiltrate most configured system backups. Information synchronized to off-site disaster recovery sites can also be ransomed. In a vulnerable system, it can make automated restoration hopeless and effectively sets the network back to square one.

Getting back services and data after a ransomware attack becomes a race against time as the targeted business tries its best to contain the damage and cleanup the crypto-ransomware and to restore enterprise-critical activity. Since ransomware needs time to replicate, assaults are frequently sprung on weekends, when penetrations are likely to take more time to notice. This multiplies the difficulty of quickly marshalling and orchestrating an experienced mitigation team.

Progent provides a range of help services for securing businesses from crypto-ransomware attacks. Among these are team training to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to installation of modern security gateways with artificial intelligence capabilities to automatically identify and disable day-zero threats. Progent in addition provides the assistance of seasoned crypto-ransomware recovery consultants with the talent and commitment to rebuild a breached environment as soon as possible.

Progent's Crypto-Ransomware Restoration Services
Soon after a ransomware event, even paying the ransom in Bitcoin cryptocurrency does not guarantee that cyber criminals will return the needed keys to decrypt any or all of your information. Kaspersky determined that 17% of ransomware victims never restored their files even after having sent off the ransom, resulting in increased losses. The risk is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is greatly higher than the average ransomware demands, which ZDNET estimates to be in the range of $13,000. The other path is to setup from scratch the critical parts of your IT environment. Absent access to essential data backups, this requires a broad range of skills, professional team management, and the ability to work 24x7 until the task is over.

For two decades, Progent has made available professional Information Technology services for businesses in Cleveland and across the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have been awarded high-level industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have earned internationally-recognized industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise in financial management and ERP applications. This breadth of experience gives Progent the capability to rapidly understand critical systems and organize the remaining components of your Information Technology environment following a ransomware attack and rebuild them into a functioning network.

Progent's security team uses best of breed project management tools to orchestrate the complex recovery process. Progent knows the importance of working swiftly and in concert with a customerís management and Information Technology staff to assign priority to tasks and to put the most important applications back on line as soon as possible.

Business Case Study: A Successful Ransomware Virus Recovery
A small business contacted Progent after their organization was penetrated by Ryuk ransomware virus. Ryuk is thought to have been created by North Korean government sponsored criminal gangs, possibly adopting approaches leaked from Americaís National Security Agency. Ryuk targets specific businesses with limited ability to sustain operational disruption and is among the most profitable iterations of crypto-ransomware. Headline organizations include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing business based in Chicago and has about 500 workers. The Ryuk penetration had frozen all essential operations and manufacturing processes. Most of the client's data protection had been directly accessible at the start of the intrusion and were destroyed. The client was actively seeking loans for paying the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but in the end made the decision to use Progent.


"I canít speak enough about the help Progent gave us throughout the most critical period of (our) companyís life. We may have had to pay the hackers behind this attack except for the confidence the Progent group provided us. The fact that you were able to get our e-mail system and important applications back into operation faster than 1 week was earth shattering. Every single expert I talked with or e-mailed at Progent was amazingly focused on getting us back online and was working non-stop to bail us out."

Progent worked with the client to rapidly understand and prioritize the critical applications that had to be restored to make it possible to resume departmental operations:

  • Active Directory (AD)
  • Microsoft Exchange Server
  • MRP System
To start, Progent followed AV/Malware Processes penetration response best practices by stopping the spread and removing active viruses. Progent then initiated the steps of bringing back online Microsoft AD, the heart of enterprise networks built upon Microsoft Windows Server technology. Exchange messaging will not operate without AD, and the customerís financials and MRP applications utilized Microsoft SQL, which requires Active Directory services for security authorization to the data.

In less than 2 days, Progent was able to rebuild Active Directory to its pre-virus state. Progent then accomplished setup and hard drive recovery of critical servers. All Microsoft Exchange Server schema and attributes were intact, which greatly helped the rebuild of Exchange. Progent was able to find non-encrypted OST files (Outlook Email Offline Data Files) on team workstations and laptops to recover mail information. A recent offline backup of the customerís manufacturing systems made it possible to restore these vital applications back online for users. Although significant work was left to recover fully from the Ryuk attack, critical services were recovered quickly:


"For the most part, the production line operation never missed a beat and we did not miss any customer sales."

Throughout the next month important milestones in the recovery process were completed in close cooperation between Progent engineers and the customer:

  • Internal web sites were restored without losing any data.
  • The MailStore Exchange Server containing more than four million historical messages was brought on-line and accessible to users.
  • CRM/Orders/Invoicing/AP/AR/Inventory capabilities were 100% recovered.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • Nearly all of the user desktops and notebooks were being used by staff.

"So much of what occurred in the initial days is mostly a haze for me, but our team will not forget the urgency each and every one of you accomplished to help get our company back. Iíve been working together with Progent for the past ten years, possibly more, and each time Progent has come through and delivered as promised. This situation was a stunning achievement."

Conclusion
A possible company-ending disaster was dodged through the efforts of hard-working experts, a wide range of knowledge, and tight collaboration. Although upon completion of forensics the ransomware virus incident detailed here could have been stopped with modern security technology and NIST Cybersecurity Framework best practices, user training, and appropriate security procedures for data backup and applying software patches, the reality remains that state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incursion, remember that Progent's roster of experts has extensive experience in ransomware virus blocking, removal, and file recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thank you for making it so I could get rested after we got through the first week. Everyone did an amazing effort, and if any of your team is in the Chicago area, dinner is on me!"

To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Cleveland a range of remote monitoring and security evaluation services designed to help you to minimize your vulnerability to crypto-ransomware. These services include next-generation AI capability to detect new strains of ransomware that can evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes cutting edge behavior-based analysis tools to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and file-less exploits, which routinely evade traditional signature-matching anti-virus products. ProSight Active Security Monitoring protects local and cloud-based resources and offers a unified platform to automate the complete malware attack lifecycle including filtering, infiltration detection, mitigation, cleanup, and post-attack forensics. Key capabilities include single-click rollback with Windows VSS and automatic network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection managed services offer economical multi-layer security for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and reacting to security threats from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint management, and web filtering through cutting-edge tools incorporated within one agent accessible from a unified console. Progent's data protection and virtualization experts can assist you to plan and configure a ProSight ESP environment that meets your organization's unique requirements and that helps you demonstrate compliance with government and industry data protection standards. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that require immediate attention. Progent's consultants can also assist your company to install and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and medium-sized businesses an affordable and fully managed service for secure backup/disaster recovery. For a fixed monthly rate, ProSight DPS automates and monitors your backup activities and enables rapid recovery of vital data, apps and virtual machines that have become unavailable or damaged due to hardware failures, software bugs, disasters, human error, or malware attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to a local device, or to both. Progent's cloud backup consultants can provide world-class support to configure ProSight DPS to to comply with government and industry regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, when needed, can help you to recover your business-critical information. Read more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading information security companies to deliver web-based control and world-class security for your inbound and outbound email. The powerful architecture of Progent's Email Guard integrates a Cloud Protection Layer with a local security gateway appliance to offer complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. The Cloud Protection Layer serves as a preliminary barricade and keeps the vast majority of unwanted email from making it to your network firewall. This reduces your vulnerability to external threats and conserves system bandwidth and storage space. Email Guard's onsite security gateway appliance provides a deeper level of analysis for incoming email. For outbound email, the on-premises gateway offers AV and anti-spam protection, DLP, and email encryption. The onsite gateway can also help Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to map, monitor, reconfigure and troubleshoot their networking hardware like routers and switches, firewalls, and access points plus servers, printers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology maps are always current, captures and displays the configuration information of almost all devices on your network, tracks performance, and sends alerts when problems are discovered. By automating tedious management activities, ProSight WAN Watch can cut hours off common chores such as network mapping, expanding your network, finding devices that require important updates, or resolving performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) techniques to help keep your network running at peak levels by tracking the state of critical assets that power your business network. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your specified IT management staff and your Progent consultant so all looming problems can be addressed before they have a chance to impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a protected Tier III data center on a fast virtual host configured and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the applications. Because the environment is virtualized, it can be ported immediately to an alternate hardware environment without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and protect information related to your network infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be warned automatically about impending expirations of SSLs ,domains or warranties. By cleaning up and organizing your network documentation, you can save up to half of time thrown away trying to find vital information about your IT network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents required for managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether youíre planning improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you require the instant you need it. Read more about ProSight IT Asset Management service.
For Cleveland 24x7 Crypto Repair Consultants, call Progent at 800-993-9400 or go to Contact Progent.