Crypto-Ransomware : Your Feared IT Nightmare
Ransomware  Recovery ExpertsRansomware has become a too-frequent cyber pandemic that poses an existential danger for businesses unprepared for an attack. Different iterations of ransomware like the CryptoLocker, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for a long time and still inflict harm. Newer strains of ransomware like Ryuk and Hermes, as well as additional unnamed viruses, not only encrypt online critical data but also infect many accessible system protection mechanisms. Files replicated to the cloud can also be encrypted. In a poorly architected environment, this can render automated restore operations useless and effectively sets the network back to square one.

Retrieving services and information following a ransomware intrusion becomes a race against the clock as the targeted business fights to stop lateral movement and eradicate the crypto-ransomware and to restore mission-critical activity. Since ransomware takes time to move laterally, assaults are frequently launched on weekends, when penetrations are likely to take more time to notice. This compounds the difficulty of promptly marshalling and organizing a capable response team.

Progent has a range of services for protecting enterprises from ransomware attacks. These include team member education to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of the latest generation security gateways with AI capabilities to rapidly discover and suppress zero-day threats. Progent in addition provides the services of expert crypto-ransomware recovery consultants with the talent and perseverance to restore a compromised network as urgently as possible.

Progent's Crypto-Ransomware Recovery Help
Following a crypto-ransomware event, sending the ransom in Bitcoin cryptocurrency does not guarantee that merciless criminals will return the keys to decipher all your files. Kaspersky ascertained that 17% of ransomware victims never recovered their information after having sent off the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is significantly above the typical ransomware demands, which ZDNET determined to be approximately $13,000. The other path is to re-install the vital parts of your Information Technology environment. Without the availability of full information backups, this calls for a broad range of skill sets, professional project management, and the ability to work 24x7 until the recovery project is over.

For twenty years, Progent has provided certified expert IT services for companies in Corpus Christi and throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have earned top certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have garnered internationally-renowned industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise in financial systems and ERP applications. This breadth of experience provides Progent the ability to knowledgably ascertain necessary systems and integrate the surviving components of your computer network environment following a ransomware event and configure them into a functioning network.

Progent's security team has best of breed project management tools to coordinate the complicated recovery process. Progent appreciates the urgency of acting rapidly and in unison with a customerís management and IT resources to assign priority to tasks and to get the most important services back on-line as fast as humanly possible.

Client Story: A Successful Ransomware Virus Response
A client sought out Progent after their network was attacked by the Ryuk crypto-ransomware. Ryuk is generally considered to have been created by Northern Korean state sponsored hackers, possibly using approaches leaked from Americaís National Security Agency. Ryuk goes after specific businesses with little ability to sustain disruption and is one of the most profitable examples of ransomware malware. Major targets include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturer based in Chicago and has about 500 employees. The Ryuk intrusion had paralyzed all essential operations and manufacturing processes. Most of the client's data backups had been directly accessible at the start of the attack and were damaged. The client was pursuing financing for paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.


"I cannot speak enough in regards to the expertise Progent provided us during the most stressful period of (our) businesses life. We had little choice but to pay the cybercriminals except for the confidence the Progent experts provided us. The fact that you could get our e-mail system and critical applications back on-line in less than 1 week was earth shattering. Each staff member I worked with or e-mailed at Progent was absolutely committed on getting us back on-line and was working day and night to bail us out."

Progent worked hand in hand the customer to rapidly determine and assign priority to the critical services that needed to be restored to make it possible to continue business functions:

  • Windows Active Directory
  • Electronic Mail
  • Financials/MRP
To begin, Progent followed ransomware penetration mitigation best practices by stopping the spread and cleaning up infected systems. Progent then started the task of bringing back online Active Directory, the heart of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange email will not work without Active Directory, and the customerís MRP applications utilized SQL Server, which needs Active Directory for access to the information.

In less than 2 days, Progent was able to re-build Active Directory to its pre-virus state. Progent then accomplished rebuilding and storage recovery on essential applications. All Microsoft Exchange Server ties and configuration information were intact, which accelerated the restore of Exchange. Progent was able to assemble intact OST files (Outlook Offline Data Files) on team desktop computers to recover mail information. A not too old offline backup of the client's financials/ERP software made it possible to restore these essential applications back online for users. Although a large amount of work needed to be completed to recover completely from the Ryuk attack, core services were recovered rapidly:


"For the most part, the production manufacturing operation showed little impact and we did not miss any customer deliverables."

During the next few weeks key milestones in the restoration project were completed in close cooperation between Progent engineers and the client:

  • Self-hosted web sites were brought back up without losing any information.
  • The MailStore Microsoft Exchange Server containing more than four million historical emails was brought on-line and available for users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory functions were 100 percent restored.
  • A new Palo Alto 850 firewall was installed.
  • Most of the user desktops were fully operational.

"So much of what occurred in the early hours is nearly entirely a blur for me, but I will not forget the countless hours each of you put in to give us our company back. I have been working with Progent for the past 10 years, maybe more, and each time I needed help Progent has shined and delivered as promised. This event was no exception but maybe more Herculean."

Conclusion
A possible business-killing catastrophe was avoided with dedicated experts, a broad range of subject matter expertise, and close collaboration. Although upon completion of forensics the crypto-ransomware incident detailed here could have been shut down with modern cyber security technology solutions and best practices, user and IT administrator training, and well designed incident response procedures for data protection and applying software patches, the reality remains that state-sponsored hackers from Russia, China and elsewhere are relentless and are an ongoing threat. If you do fall victim to a crypto-ransomware penetration, feel confident that Progent's team of experts has substantial experience in crypto-ransomware virus defense, removal, and information systems recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for making it so I could get some sleep after we got over the first week. Everyone did an impressive effort, and if any of your guys is visiting the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Corpus Christi a portfolio of remote monitoring and security evaluation services designed to assist you to minimize the threat from crypto-ransomware. These services incorporate next-generation machine learning technology to detect zero-day variants of ransomware that can escape detection by traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates next generation behavior-based machine learning technology to defend physical and virtual endpoint devices against new malware assaults such as ransomware and email phishing, which routinely escape traditional signature-based anti-virus products. ProSight Active Security Monitoring protects local and cloud resources and provides a single platform to automate the complete malware attack progression including protection, identification, containment, cleanup, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection managed services deliver ultra-affordable in-depth protection for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and responding to security threats from all vectors. ProSight ESP delivers firewall protection, penetration alarms, device control, and web filtering via leading-edge tools packaged within a single agent managed from a unified control. Progent's security and virtualization experts can assist your business to design and configure a ProSight ESP deployment that addresses your company's specific requirements and that allows you prove compliance with legal and industry information security regulations. Progent will help you specify and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that require immediate action. Progent's consultants can also assist you to set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business rapidly from a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and medium-sized businesses an affordable end-to-end solution for reliable backup/disaster recovery. For a fixed monthly cost, ProSight Data Protection Services automates your backup activities and allows fast restoration of vital data, apps and VMs that have become unavailable or corrupted due to component breakdowns, software glitches, natural disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to a local device, or to both. Progent's cloud backup consultants can deliver world-class support to set up ProSight Data Protection Services to to comply with regulatory requirements like HIPAA, FIRPA, PCI and Safe Harbor and, whenever needed, can assist you to restore your critical data. Learn more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading data security companies to provide web-based management and world-class protection for all your email traffic. The hybrid architecture of Email Guard combines cloud-based filtering with an on-premises gateway device to offer advanced protection against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's Cloud Protection Layer serves as a first line of defense and keeps most threats from reaching your security perimeter. This reduces your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's onsite gateway appliance adds a deeper layer of inspection for inbound email. For outbound email, the onsite security gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also assist Exchange Server to monitor and protect internal email that originates and ends within your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller businesses to map, track, optimize and debug their networking appliances like switches, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Incorporating cutting-edge RMM technology, WAN Watch ensures that infrastructure topology diagrams are kept current, copies and displays the configuration of virtually all devices on your network, tracks performance, and sends notices when potential issues are detected. By automating tedious network management activities, ProSight WAN Watch can cut hours off ordinary chores like network mapping, reconfiguring your network, finding devices that need critical software patches, or isolating performance problems. Find out more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your network running efficiently by checking the health of vital computers that power your business network. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your designated IT personnel and your Progent consultant so all looming problems can be resolved before they have a chance to impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual host configured and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system platforms, and the apps. Because the system is virtualized, it can be moved easily to an alternate hardware environment without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and protect information about your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates ,domains or warranties. By updating and managing your IT documentation, you can eliminate as much as 50% of time thrown away searching for critical information about your network. ProSight IT Asset Management features a common location for storing and collaborating on all documents required for managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether youíre making enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.
For Corpus Christi 24/7 Ransomware Cleanup Experts, contact Progent at 800-993-9400 or go to Contact Progent.