Crypto-Ransomware : Your Crippling Information Technology Nightmare
Ransomware  Recovery ConsultantsRansomware has become a modern cyberplague that represents an extinction-level danger for businesses of all sizes vulnerable to an attack. Multiple generations of ransomware like the CrySIS, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for years and continue to inflict harm. Recent strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, as well as additional unnamed malware, not only encrypt online information but also infiltrate most available system protection mechanisms. Data replicated to cloud environments can also be corrupted. In a vulnerable data protection solution, this can make automatic restore operations hopeless and basically knocks the entire system back to zero.

Retrieving applications and information following a crypto-ransomware event becomes a sprint against time as the victim struggles to contain and cleanup the ransomware and to resume mission-critical operations. Due to the fact that ransomware requires time to move laterally, penetrations are usually sprung during nights and weekends, when successful attacks tend to take longer to notice. This compounds the difficulty of rapidly mobilizing and orchestrating an experienced response team.

Progent provides an assortment of solutions for securing enterprises from ransomware penetrations. Among these are team member education to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of modern security solutions with artificial intelligence capabilities to rapidly identify and disable day-zero cyber attacks. Progent in addition can provide the assistance of seasoned ransomware recovery professionals with the talent and perseverance to reconstruct a breached environment as quickly as possible.

Progent's Ransomware Recovery Help
Soon after a ransomware attack, paying the ransom demands in Bitcoin cryptocurrency does not guarantee that merciless criminals will return the keys to unencrypt any or all of your files. Kaspersky ascertained that 17% of ransomware victims never restored their information after having sent off the ransom, resulting in additional losses. The risk is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is greatly higher than the average crypto-ransomware demands, which ZDNET averages to be approximately $13,000. The other path is to re-install the vital elements of your IT environment. Without the availability of essential system backups, this calls for a broad range of skill sets, top notch team management, and the capability to work non-stop until the job is over.

For twenty years, Progent has provided professional IT services for businesses in Columbus and across the U.S. and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have been awarded advanced certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise with financial systems and ERP application software. This breadth of experience affords Progent the capability to efficiently understand critical systems and consolidate the surviving pieces of your Information Technology environment following a ransomware event and configure them into an operational network.

Progent's recovery team deploys state-of-the-art project management systems to orchestrate the sophisticated recovery process. Progent understands the urgency of acting quickly and in unison with a client's management and IT team members to prioritize tasks and to get essential applications back online as fast as humanly possible.

Case Study: A Successful Crypto-Ransomware Intrusion Response
A business sought out Progent after their network was penetrated by the Ryuk ransomware virus. Ryuk is believed to have been created by North Korean state sponsored cybercriminals, possibly adopting technology exposed from the United States National Security Agency. Ryuk targets specific companies with little tolerance for disruption and is one of the most lucrative examples of ransomware. High publicized targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing company located in Chicago with about 500 staff members. The Ryuk intrusion had frozen all business operations and manufacturing capabilities. The majority of the client's system backups had been on-line at the start of the attack and were destroyed. The client was evaluating paying the ransom demand (in excess of $200K) and wishfully thinking for good luck, but ultimately reached out to Progent.


"I canít speak enough about the support Progent gave us during the most critical period of (our) businesses life. We may have had to pay the cyber criminals behind the attack except for the confidence the Progent group gave us. The fact that you were able to get our messaging and important applications back faster than five days was incredible. Each staff member I talked with or messaged at Progent was absolutely committed on getting us back on-line and was working 24 by 7 to bail us out."

Progent worked with the customer to quickly get our arms around and prioritize the key systems that needed to be recovered in order to resume company operations:

  • Windows Active Directory
  • Email
  • MRP System
To begin, Progent adhered to AV/Malware Processes incident response best practices by halting lateral movement and removing active viruses. Progent then initiated the work of recovering Active Directory, the core of enterprise networks built on Microsoft Windows technology. Exchange email will not operate without Active Directory, and the customerís financials and MRP software leveraged Microsoft SQL, which depends on Windows AD for security authorization to the databases.

In less than 48 hours, Progent was able to re-build Active Directory to its pre-penetration state. Progent then initiated rebuilding and hard drive recovery of mission critical servers. All Exchange Server ties and attributes were usable, which accelerated the restore of Exchange. Progent was able to assemble intact OST files (Microsoft Outlook Off-Line Folder Files) on various workstations in order to recover mail information. A recent offline backup of the customerís financials/ERP systems made them able to return these vital applications back available to users. Although significant work was left to recover fully from the Ryuk damage, the most important services were returned to operations quickly:


"For the most part, the production operation survived unscathed and we delivered all customer deliverables."

Throughout the following few weeks key milestones in the restoration project were accomplished in tight collaboration between Progent team members and the client:

  • In-house web applications were returned to operation with no loss of data.
  • The MailStore Server containing more than 4 million archived emails was spun up and accessible to users.
  • CRM/Product Ordering/Invoicing/AP/Accounts Receivables/Inventory functions were 100% recovered.
  • A new Palo Alto Networks 850 security appliance was installed.
  • Ninety percent of the desktop computers were back into operation.

"Much of what happened during the initial response is mostly a fog for me, but I will not soon forget the dedication each and every one of you put in to give us our business back. Iíve been working with Progent for the past 10 years, maybe more, and every time I needed help Progent has shined and delivered as promised. This time was a testament to your capabilities."

Conclusion
A potential company-ending disaster was avoided through the efforts of dedicated professionals, a wide spectrum of knowledge, and tight collaboration. Although in analyzing the event afterwards the ransomware virus attack described here should have been blocked with modern security solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and well thought out incident response procedures for information protection and applying software patches, the fact is that government-sponsored hackers from Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware penetration, feel confident that Progent's team of experts has extensive experience in ransomware virus defense, removal, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), Iím grateful for allowing me to get some sleep after we made it over the first week. Everyone did an amazing job, and if anyone that helped is in the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Columbus a variety of remote monitoring and security assessment services to help you to reduce your vulnerability to crypto-ransomware. These services utilize next-generation AI capability to detect zero-day strains of ransomware that are able to evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes cutting edge behavior machine learning tools to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and file-less exploits, which routinely escape legacy signature-based anti-virus tools. ProSight ASM safeguards local and cloud resources and offers a single platform to address the entire malware attack progression including protection, detection, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver ultra-affordable in-depth protection for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and reacting to cyber threats from all vectors. ProSight ESP offers firewall protection, penetration alarms, endpoint control, and web filtering via leading-edge technologies packaged within a single agent managed from a single console. Progent's security and virtualization consultants can help you to design and configure a ProSight ESP deployment that meets your company's specific needs and that allows you demonstrate compliance with government and industry information security standards. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that call for urgent attention. Progent can also assist your company to install and verify a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations an affordable end-to-end solution for reliable backup/disaster recovery. Available at a fixed monthly price, ProSight DPS automates your backup activities and allows fast recovery of vital files, apps and virtual machines that have become lost or corrupted as a result of hardware breakdowns, software glitches, disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to an on-promises storage device, or to both. Progent's cloud backup specialists can deliver advanced expertise to configure ProSight DPS to to comply with regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can help you to recover your business-critical data. Find out more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading data security companies to deliver web-based control and world-class security for all your inbound and outbound email. The powerful structure of Email Guard managed service integrates a Cloud Protection Layer with a local gateway device to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks the vast majority of unwanted email from reaching your network firewall. This decreases your vulnerability to external attacks and conserves network bandwidth and storage. Email Guard's on-premises gateway device adds a further level of analysis for inbound email. For outgoing email, the onsite gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Exchange Server to monitor and protect internal email traffic that stays inside your security perimeter. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progentís ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized organizations to diagram, track, reconfigure and troubleshoot their connectivity appliances like routers, firewalls, and access points plus servers, printers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology maps are kept current, copies and manages the configuration of almost all devices on your network, tracks performance, and sends alerts when issues are discovered. By automating time-consuming network management activities, WAN Watch can cut hours off ordinary tasks like network mapping, expanding your network, locating devices that require critical updates, or identifying the cause of performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management technology to help keep your network operating efficiently by checking the state of critical computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your specified IT personnel and your Progent engineering consultant so any looming problems can be addressed before they can impact your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual host set up and maintained by Progent's IT support experts. With the ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the applications. Because the environment is virtualized, it can be moved easily to a different hosting solution without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and protect data related to your IT infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be warned automatically about impending expirations of SSLs or warranties. By cleaning up and organizing your IT documentation, you can save up to 50% of time thrown away trying to find critical information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents required for managing your business network like recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether youíre planning improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you need when you need it. Find out more about Progent's ProSight IT Asset Management service.
For 24/7/365 Columbus Crypto-Ransomware Cleanup Consultants, call Progent at 800-993-9400 or go to Contact Progent.