Crypto-Ransomware: Your Crippling Information Technology Catastrophe
Ransomware Recovery Experts
Ransomware has become an all-too-frequent cyber pandemic and an enterprise-level threat for businesses poorly prepared for an attack. Families such as CryptoLocker, WannaCry, Bad Rabbit, NotPetya and MongoLock have been around for years and continue to inflict damage. Modern variants such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nefilim, along with as yet unnamed newcomers, not only encrypt on-line data but also encrypt or delete any backups, shadow copies and other recovery mechanisms they can reach. Data replicated to off-site disaster recovery sites can also be corrupted, because replication faithfully copies the encrypted files. In a poorly designed data protection solution this can render automated restore operations hopeless and effectively set the entire environment back to zero.

Recovering programs and data after a ransomware event becomes a race against time as the victim struggles to contain and eradicate the malware and to restore business-critical activity. Because crypto-ransomware needs time to move laterally and stage its payload, attacks are often triggered at night, when nobody is watching and successful attacks take longer to detect. This multiplies the difficulty of promptly marshalling and coordinating a qualified response team.
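As an added illustration (not part of the original page and not Progent's tooling), the script below shows the kind of detection logic that can surface a Ryuk-style attack while it is unfolding overnight. It scans process-creation and file-rename log lines for two behaviours: the backup-tampering commands that Ryuk and similar families are documented to run before encryption starts (vssadmin Delete Shadows, wbadmin delete catalog, bcdedit ... recoveryenabled No), and a burst of renames to a single new extension on one host. The simplified log format, host names, thresholds and the sample lines themselves are constructed for this example; .RYK is the extension Ryuk variants commonly append.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Commands several ransomware families (Ryuk among them) run to destroy local
# recovery points before encryption starts. Any match on a file server or
# domain controller deserves an immediate page, whatever the hour.
BACKUP_TAMPER_PATTERNS = [
    (re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I), "shadow copies deleted (vssadmin)"),
    (re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I), "shadow copies deleted (wmic)"),
    (re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I), "backup catalog deleted (wbadmin)"),
    (re.compile(r"bcdedit(?:\.exe)?.*recoveryenabled\s+no", re.I), "recovery environment disabled (bcdedit)"),
]

# Assumed thresholds: this many renames to one new extension on one host
# inside the window is treated as an encryption burst.
RENAME_BURST_THRESHOLD = 20
RENAME_BURST_WINDOW = timedelta(seconds=60)

# Assumed simplified log format: "<ISO-8601 UTC> <host> <event> <detail>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(ProcessCreate|FileRename)\s+(.*)$")

# Constructed sample telemetry: backup tampering at 02:11 on FS01, then 30
# renames to .RYK within 30 seconds, plus benign daytime activity on WS07.
SAMPLE_LINES = [
    "2020-03-14T02:11:05Z FS01 ProcessCreate C:\\Windows\\System32\\vssadmin.exe Delete Shadows /all /quiet",
    "2020-03-14T02:11:06Z FS01 ProcessCreate C:\\Windows\\System32\\wbadmin.exe delete catalog -quiet",
    "2020-03-14T02:11:07Z FS01 ProcessCreate C:\\Windows\\System32\\bcdedit.exe /set {default} recoveryenabled No",
    "2020-03-14T09:30:00Z WS07 ProcessCreate C:\\Windows\\System32\\notepad.exe C:\\Users\\a\\notes.txt",
    "2020-03-14T09:31:00Z WS07 FileRename C:\\Users\\a\\draft.docx -> C:\\Users\\a\\final.docx",
] + [
    f"2020-03-14T02:12:{i:02d}Z FS01 FileRename \\\\FS01\\Finance\\file{i}.xlsx -> \\\\FS01\\Finance\\file{i}.xlsx.RYK"
    for i in range(30)
]


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, event, detail = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "event": event, "detail": detail}


def detect(lines):
    """Return one finding per backup-tampering command and one per
    host/extension rename burst found in the given log lines."""
    findings = []
    renames = defaultdict(list)  # (host, new extension) -> [timestamps]
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["event"] == "ProcessCreate":
            for pattern, label in BACKUP_TAMPER_PATTERNS:
                if pattern.search(rec["detail"]):
                    findings.append({"type": "backup_tamper", "host": rec["host"],
                                     "ts": rec["ts"], "label": label})
        else:  # FileRename; detail is "<old path> -> <new path>"
            new_name = rec["detail"].partition(" -> ")[2]
            ext = new_name.rsplit(".", 1)[-1].lower() if "." in new_name else ""
            renames[(rec["host"], ext)].append(rec["ts"])

    for (host, ext), stamps in renames.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > RENAME_BURST_WINDOW:
                start += 1
            if end - start + 1 >= RENAME_BURST_THRESHOLD:
                findings.append({"type": "mass_rename", "host": host, "ext": ext,
                                 "ts": stamps[start], "count": end - start + 1})
                break  # one finding per host/extension is enough to page on
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LINES):
        print(f"{f['ts']:%Y-%m-%d %H:%M:%S} {f['host']:6} {f['type']:14} "
              f"{f.get('label') or f['ext'] + ' x' + str(f['count'])}")
```

The rename-burst rule fires on the twentieth rename to .RYK, about half a minute into the constructed encryption run; the shadow-copy deletion fires a minute earlier still. In a real deployment the same logic would sit over Sysmon event ID 1 and file-server audit events rather than this toy format, and the thresholds would be tuned per share.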

Progent provides a range of services for protecting organizations from ransomware intrusions. These include staff training to recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for behavior-based endpoint protection and remote management, and deployment of next-generation security appliances with machine learning capabilities to rapidly detect and contain zero-day threats. Progent can also provide expert ransomware recovery professionals with the skills and commitment to rebuild a compromised network as urgently as possible.

Progent's Ransomware Restoration Help
After a crypto-ransomware intrusion, paying the ransom demand in Bitcoin does not guarantee that the remote criminals will hand over the keys needed to decrypt your data. Kaspersky Labs determined that 17% of ransomware victims never recovered their information after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), well above the typical ransomware demand, which ZDNet estimates at around $13,000. The alternative is to rebuild the critical components of your IT environment. Without access to essential data backups, this calls for a wide range of IT skills, professional team management, and the ability to work non-stop until the job is done.

For twenty years, Progent has provided professional IT services for businesses in Cleveland and throughout the United States and holds Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's pool of subject matter experts (SMEs) includes professionals who hold advanced industry certifications in key technologies from Microsoft, Cisco and VMware and in popular distributions of Linux. Progent's cybersecurity specialists hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of expertise gives Progent the capability to identify critical systems, consolidate the surviving pieces of your network after a ransomware attack, and assemble them into a functioning environment.

Progent's security group uses best-of-breed project management applications to orchestrate the sophisticated recovery process. Progent understands the urgency of acting swiftly and working together with a customer's management and IT team members to prioritize tasks and put key services back on line as fast as humanly possible.

Client Story: A Successful Ransomware Penetration Restoration
A business escalated to Progent after being attacked by Ryuk ransomware. Early reports attributed Ryuk to North Korean state-sponsored hackers, possibly using techniques leaked from America's National Security Agency, although later analysis tied it to Russian-speaking criminal groups. Ryuk targets specific companies with little tolerance for disruption and is one of the most profitable incarnations of crypto-ransomware. Publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company located in Chicago with about 500 staff members. The Ryuk attack had disabled all essential business and manufacturing processes. Most of the client's backups had been on-line at the start of the attack and were eventually encrypted. The client was weighing paying the ransom demand (in excess of $200K) and hoping for the best, but in the end engaged Progent.


"I can't thank you enough for the support Progent gave us during the most stressful period of (our) company's existence. We would have had little choice but to pay the cyber criminals behind the attack were it not for the confidence the Progent group gave us. That you could get our e-mail and production servers back on-line in under five days was earth shattering. Every single person I worked with or e-mailed at Progent was absolutely committed to getting us back online and was working at all hours to bail us out."

Progent worked with the customer to rapidly identify and prioritize the mission-critical areas that had to be addressed before company operations could restart:

  • Active Directory (AD)
  • E-Mail
  • MRP System

To start, Progent followed standard malware incident-response practice: isolate the affected systems to halt the spread, then clean them before rebuilding. Progent then began rebuilding Active Directory, the core of enterprise systems built on Microsoft Windows Server. Exchange will not operate without AD, and the business's accounting and MRP applications ran on SQL Server, which depends on AD for authentication and access to the data.

Within 48 hours, Progent was able to rebuild Active Directory to its pre-attack state. Progent then rebuilt essential systems and recovered data from their hard drives. All Exchange Server objects and attributes in AD were intact, which accelerated the rebuild of Exchange. Progent was also able to collect unencrypted OST files (Microsoft Outlook Offline Data Files) from staff PCs to recover mail data. A recent offline backup of the client's accounting/MRP software made it possible to bring these required services back online for users. Although a great deal of work remained to recover completely from the Ryuk attack, critical systems were restored rapidly:


"For the most part, the manufacturing operation was never shut down and we delivered all customer orders."
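The OST recovery step above depends on quickly telling intact Outlook data files from encrypted ones across many workstations. The triage script below is an added example written for this page, not Progent's procedure, and rests on two assumptions: that an intact PST/OST file begins with the four-byte signature !BDN (the documented PST header magic), and that an encrypted copy either carries a ransomware extension (.RYK, as Ryuk variants append) or has lost that signature and shows near-random entropy in its header region. The file names, thresholds and sample byte strings are constructed.

```python
import math
import os
from collections import Counter

PST_MAGIC = b"!BDN"          # documented signature at offset 0 of PST/OST files
SAMPLE_BYTES = 512           # entropy is measured over the header region only
ENTROPY_LIMIT = 7.0          # bits/byte; a plaintext PST header sits far below this
RANSOM_EXTENSIONS = {".ryk"} # Ryuk variants append .RYK; extend with other markers seen on site


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_bytes(name: str, data: bytes) -> dict:
    """Decide whether an Outlook data file is worth collecting for mail recovery.

    name: the file name (used for the extension check)
    data: at least the first SAMPLE_BYTES bytes of the file
    """
    ext = os.path.splitext(name)[1].lower()
    header_ok = data[:4] == PST_MAGIC
    entropy = shannon_entropy(data[:SAMPLE_BYTES])
    if ext in RANSOM_EXTENSIONS or not header_ok:
        status = "encrypted_or_damaged"  # skip; look for another copy of this mailbox
    elif entropy > ENTROPY_LIMIT:
        status = "suspicious"            # signature survived but header looks random: inspect by hand
    else:
        status = "intact"                # candidate for mail recovery
    return {"name": name, "status": status, "header_ok": header_ok, "entropy": round(entropy, 2)}


def triage_outlook_files(root: str) -> list:
    """Walk a directory tree and classify every file that looks like a PST/OST,
    including encrypted copies that kept '.ost' in the middle of their name."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            low = fn.lower()
            if ".ost" not in low and ".pst" not in low:
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError as err:  # locked by a running Outlook, or unreadable disk
                results.append({"name": path, "status": f"unreadable: {err.strerror}",
                                "header_ok": False, "entropy": 0.0})
                continue
            rec = classify_bytes(fn, head)
            rec["name"] = path
            results.append(rec)
    return results


if __name__ == "__main__":
    import sys
    for rec in triage_outlook_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rec['status']:22} entropy={rec['entropy']:5.2f}  {rec['name']}")
```

Run it against a mounted workstation image or the Outlook profile directories gathered from each PC; only files reported as intact are worth copying into the rebuilt Exchange environment, and anything marked suspicious should be opened read-only before trusting it. Close Outlook on the source machine first, since a live OST is locked and will show up as unreadable.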

Over the following weeks, important milestones in the restoration were completed in close cooperation between Progent engineers and the customer:

  • Self-hosted web applications were restored without losing any information.
  • The MailStore archive server holding more than four million archived emails was brought online and made available to users.
  • CRM/Orders/Invoices/AP/Accounts Receivables/Inventory functions were fully functional.
  • A new Palo Alto Networks PA-850 firewall was deployed.
  • Ninety percent of the desktops and laptops were back in use by staff.

"Much of what occurred that first week is nearly entirely a fog for me, but our team will not forget the care each and every one of your team put in to give us our business back. I have entrusted Progent for the past ten years, maybe more, and each time Progent has impressed me and delivered as promised. This time was no exception but maybe more Herculean."

Conclusion
A possible business-ending disaster was averted through dedicated professionals, a wide array of expertise, and close collaboration. Post-incident analysis showed that the attack described here would have been detected and stopped by current security controls, NIST Cybersecurity Framework best practices, staff training, tested backup procedures, and timely security patching; the reality, however, is that state-sponsored and criminal attackers from Russia, China and elsewhere are tireless and will keep trying. If you do get hit by a ransomware attack, remember that Progent's team has proven experience in ransomware defense, mitigation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were contributing), I'm grateful for allowing me to get some sleep after we made it through the initial fire. All of you did an amazing job, and if any of your team is around the Chicago area, dinner is on me!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Cleveland a variety of remote monitoring and security evaluation services to help you to minimize your vulnerability to ransomware. These services utilize modern machine learning capability to uncover zero-day strains of ransomware that can get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that uses behavior-based machine learning to defend physical and virtual endpoints against new malware such as ransomware and phishing payloads, which routinely escape legacy signature-based AV tools. ProSight ASM protects local and cloud-based resources and provides a unified platform covering the whole malware attack lifecycle: filtering, identification, mitigation, cleanup, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly seen threats. One caveat: Ryuk and similar families delete shadow copies (for example with vssadmin) before they start encrypting, so VSS-based rollback only helps where the agent stops the malware or protects the snapshots first; it complements isolated backups rather than replacing them. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and behavior analysis to continuously monitor and react to threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint control, and web filtering through technologies incorporated within one agent managed from a single console. Progent's security and virtualization consultants can help you plan and configure a ProSight ESP environment that meets your organization's requirements and helps you demonstrate compliance with legal and industry data protection standards. Progent will help you define and implement the security policies that ProSight ESP enforces, and will monitor your network and respond to alarms that call for immediate attention. Progent's consultants can also help you set up and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business rapidly after a destructive attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized organizations an affordable end-to-end service for reliable backup and disaster recovery. For a low monthly rate, ProSight DPS automates your backup activities and allows rapid restoration of vital data, applications and VMs that have become unavailable or corrupted as a result of hardware failures, software faults, disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware images. Important data can be protected in the cloud, on an on-premises device, or mirrored to both. Progent's cloud backup specialists can provide expert support to set up ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FINRA, and PCI and, when necessary, can help you recover your critical information. Read more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading data security vendors to provide centralized management and strong security for your inbound and outbound email. The hybrid structure of Email Guard integrates a Cloud Protection Layer with an on-premises security gateway device to provide defense against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as the first barrier and keeps the vast majority of threats from reaching your security perimeter, which reduces your exposure to external threats and saves network bandwidth and storage. Email Guard's on-site security gateway adds a further level of inspection for inbound email. For outgoing email, the on-site gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The local security gateway can also help Microsoft Exchange Server track and safeguard internal email that originates and ends inside your corporate firewall. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to map, track, enhance and debug their connectivity hardware like routers, firewalls, and load balancers plus servers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that network maps are kept current, copies and manages the configuration of virtually all devices on your network, tracks performance, and sends alerts when issues are discovered. By automating time-consuming management and troubleshooting activities, WAN Watch can cut hours off common chores such as making network diagrams, reconfiguring your network, finding devices that need important updates, or resolving performance problems. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management techniques to keep your network running at peak levels by checking the state of the vital computers that drive your information system. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your designated IT management staff and your Progent engineering consultant so potential issues can be resolved before they disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting, a small business can have its key servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual machine host configured and maintained by Progent's network support experts. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the applications. Because the system is virtualized, it can be moved easily to a different hosting environment without a lengthy and difficult reinstallation. With ProSight Virtual Hosting, you are not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and safeguard data about your network infrastructure, processes, business applications, and services. You can instantly find passwords or IP addresses and be warned about upcoming expirations of SSL certificates or warranties. By keeping your IT infrastructure documentation current, you can eliminate up to half of the time wasted hunting for critical information about your network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents related to managing your network infrastructure, such as recommended procedures and how-to guides. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're planning improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Find out more about ProSight IT Asset Management service.
For Cleveland 24-7 Crypto Cleanup Consulting, contact Progent at 800-993-9400 or go to Contact Progent.