Crypto-Ransomware: Your Crippling Information Technology Nightmare
Ransomware has become an escalating cyber plague that represents an enterprise-level danger for any business vulnerable to attack. Multiple generations of ransomware, including CryptoLocker, Fusob, Bad Rabbit, NotPetya and MongoLock, have been around for years and continue to cause damage. More recent crypto-ransomware such as Ryuk (which shares code with the earlier Hermes family), along with unnamed variants, not only encrypts online data files but also encrypts or deletes any backups reachable from the compromised network. Data replicated to the cloud can be corrupted as well, because replication faithfully copies the encrypted files. In a poorly architected system this renders automatic recovery useless and effectively sets the entire environment back to zero.

Restoring applications and data after a crypto-ransomware outage becomes a race against time as the victim works to contain and remove the ransomware and to restore mission-critical operations. Because attackers need time to spread through a network before encrypting it, they usually trigger the attack on a weekend or at night, when intrusions take longer to notice. This compounds the difficulty of quickly mobilizing and coordinating a knowledgeable response team.

Progent offers a range of services for protecting enterprises from ransomware intrusions. These include user education to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and the design and configuration of modern security solutions that use machine learning to detect and contain zero-day attacks. Progent also provides expert ransomware recovery engineers with the track record and commitment to restore a breached system as quickly as possible.

Progent's Crypto-Ransomware Recovery Support Services
After a crypto-ransomware attack, paying the ransom in cryptocurrency does not guarantee that the remote criminals will hand over the keys needed to decrypt all of your data. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their data after paying, compounding their losses. Paying is also expensive: Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at about $13,000. The alternative is to rebuild the essential parts of your IT environment. Without access to usable backups, this requires a wide complement of skills, strong project management, and the capacity to work around the clock until the job is done.

For two decades, Progent has provided professional IT services to businesses in Milwaukee and across the US and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who hold top certifications in foundation technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's security experts hold internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC and GIAC (see Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of expertise allows Progent to quickly identify the systems that matter most, salvage the surviving parts of your IT environment after a ransomware intrusion, and assemble them into a functioning whole.

Progent's recovery team uses project management tools to coordinate the complex restoration process. Progent understands the importance of working rapidly and in concert with a client's management and IT staff to prioritize tasks and bring the most important services back online as soon as humanly possible.

Case Study: A Successful Ransomware Virus Recovery
A client engaged Progent after its network was taken over by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later analysis attributed its operation to a Russian-speaking criminal group. Ryuk operators target specific organizations with little tolerance for operational disruption, and Ryuk is among the most profitable crypto-ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturer in the Chicago metro area with around 500 employees. The Ryuk intrusion had halted all business and manufacturing operations. Most of the client's backups had been online when the intrusion began and were encrypted along with everything else. The client was actively seeking loans to pay the ransom (more than $200,000) and hoping for the best, but ultimately called Progent.


"I can't thank you enough about the support Progent gave us throughout the most stressful period of (our) company's survival. We may have had to pay the cybercriminals if not for the confidence the Progent team afforded us. The fact that you were able to get our e-mail system and essential servers back online in less than seven days was earth shattering. Every single consultant I interacted with or messaged at Progent was urgently focused on getting us back on-line and was working at all hours on our behalf."

Progent worked hand in hand with the client to rapidly identify and prioritize the key systems that had to be recovered before business operations could restart:

  • Microsoft Active Directory
  • Microsoft Exchange
  • Financials/MRP
To start, Progent followed ransomware incident response best practice: isolating the compromised systems and removing the malware before restoring anything. Progent then began restoring Active Directory, the foundation of any enterprise environment built on Microsoft Windows. Exchange Server cannot run without AD, and the client's MRP software relied on Microsoft SQL Server, which used AD authentication to control access to the databases, so AD had to come back first.

In less than two days, Progent restored Active Directory to its pre-intrusion state. Progent then rebuilt and recovered storage on the key servers. All Exchange Server connections and configuration information were intact, which simplified the Exchange rebuild. Progent collected unencrypted OST files (Outlook offline data files) from staff workstations and used them to recover mail messages that no longer existed on the server. A recent offline backup of the customer's manufacturing systems made it possible to bring those services back online for users. Although major work remained before the client had fully recovered from the Ryuk event, core services were restored quickly:


"For the most part, the production operation ran fairly normal throughout and we did not miss any customer orders."
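One way to do the OST triage step described above, as an added example that is not part of the original case study and not Progent's tooling: before rebuilding mailboxes from workstation OST files, you need to know which of the collected files are actually intact. The script checks each file for the real Outlook PST/OST (PFF) header signature "!BDN" and measures the entropy of its first 64 KiB, so a file encrypted in place (signature overwritten, or signature present but ciphertext behind it) is kept apart from files that mail can be recovered from. The sample files, user names, the ".locked" extension and the 7.5 bits/byte cutoff are constructed assumptions; against real data, point triage_tree at the share where the workstation OSTs were copied.

```python
"""Post-incident triage of Outlook OST files.

Added example, not Progent's tooling: decides which OST files collected
from workstations are intact enough to recover mail from, and which were
encrypted. Sample files are constructed in a temporary directory.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Real header signature of Outlook PST/OST (PFF) files: the first four bytes.
OST_MAGIC = b"!BDN"
# Only the head of each file is read; OST files can be many gigabytes.
HEAD_BYTES = 64 * 1024
# Assumed cutoff: ciphertext averages ~8.0 bits/byte, a structured OST header far less.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_ost(path: Path) -> str:
    """Return 'intact' when the PFF signature is present and the head is not
    ciphertext-like, otherwise 'encrypted'. Both checks are needed: a ransomware
    family that leaves the first bytes alone still fails the entropy test."""
    with path.open("rb") as fh:
        head = fh.read(HEAD_BYTES)
    if head.startswith(OST_MAGIC) and shannon_entropy(head) < ENTROPY_THRESHOLD:
        return "intact"
    return "encrypted"


def triage_tree(root: Path) -> dict:
    """Walk `root` (e.g. a share where workstation OSTs were copied) and bucket
    every *.ost* file by recoverability. Ransomware often appends its own
    extension, so the glob also catches renamed OSTs."""
    buckets = {"intact": [], "encrypted": []}
    for p in sorted(root.rglob("*.ost*")):
        if p.is_file():
            buckets[classify_ost(p)].append(p.relative_to(root).as_posix())
    return buckets


def build_sample_tree() -> Path:
    """Constructed sample data (hypothetical users and paths), not real OST content."""
    root = Path(tempfile.mkdtemp(prefix="ost-triage-"))
    # Intact: correct signature followed by low-entropy, structured-looking content.
    intact = OST_MAGIC + b"\x00" * 508 + (b"Inbox: quarterly forecast " + b"\x00" * 6) * 2000
    (root / "alice").mkdir()
    (root / "alice" / "alice.ost").write_bytes(intact)
    # Encrypted in place: signature left alone, everything after it is ciphertext.
    (root / "bob").mkdir()
    (root / "bob" / "bob.ost").write_bytes(OST_MAGIC + os.urandom(HEAD_BYTES))
    # Encrypted and renamed: whole file is ciphertext, extension appended (hypothetical).
    (root / "carol").mkdir()
    (root / "carol" / "carol.ost.locked").write_bytes(os.urandom(HEAD_BYTES * 2))
    return root


if __name__ == "__main__":
    report = triage_tree(build_sample_tree())
    for bucket, files in report.items():
        print(f"{bucket:>9}: {', '.join(files) or '-'}")
```

Files in the "intact" bucket can be opened in Outlook or an OST conversion tool to pull mail back; anything in "encrypted" is only useful if a backup or the server copy survived. Reading just the first 64 KiB keeps the scan fast across hundreds of multi-gigabyte OSTs, at the cost of missing a file whose tail alone was damaged, which is why the recovered mail should still be spot-checked.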

During the next month critical milestones in the restoration process were made in tight collaboration between Progent engineers and the client:

  • Self-hosted websites were restored with no loss of data.
  • The MailStore email archive for Exchange, holding over 4 million historical messages, was brought online and made accessible to users.
  • The CRM, product ordering, invoicing, accounts payable (AP), accounts receivable (AR) and inventory control modules were fully functional.
  • A new Palo Alto Networks PA-850 firewall was deployed.
  • Nearly all user PCs were operational.

"So much of what was accomplished those first few days is nearly entirely a blur for me, but our team will not soon forget the care each of you put in to help get our company back. I've been working with Progent for the past ten years, maybe more, and every time Progent has outperformed my expectations and delivered. This time was a stunning achievement."

Conclusion
A probable business-ending disaster was averted through the efforts of top-tier experts, a broad range of technical expertise, and close teamwork. In hindsight, the incident described here could have been prevented or contained with current security tooling, controls aligned with the NIST Cybersecurity Framework or ISO/IEC 27001, user education, backups kept offline or otherwise out of reach of the production network, disciplined patching, and rehearsed incident response procedures. The reality remains that criminal and state-sponsored groups operating from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to ransomware, Progent's roster of experts has substantial experience in ransomware defense, remediation, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were involved), thanks very much for letting me get rested after we made it over the first week. Everyone made an amazing effort, and if any of your guys are around the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Milwaukee a range of remote monitoring and security assessment services to help reduce the threat from crypto-ransomware. These services use behavior analysis and machine learning to detect zero-day ransomware variants that evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that uses behavior analysis to defend physical and virtual endpoints against new malware such as ransomware and fileless exploits, which routinely get past traditional signature-based AV products. ProSight ASM protects local and cloud resources and offers a unified platform covering the entire threat lifecycle: blocking, detection, containment, cleanup, and forensics. Key capabilities include single-click rollback using Windows VSS and real-time system-wide immunization against newly discovered attacks. Note that VSS-based rollback depends on the shadow copies surviving the attack; most ransomware attempts to delete them, so this capability should be verified in testing rather than assumed. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer security for physical servers and VMs, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and machine learning to continuously monitor and react to attacks from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint management, and web filtering through technologies packaged within a single agent managed from a single console. Progent's data protection and virtualization experts can help you design and configure a ProSight ESP deployment that addresses your organization's specific needs and allows you to prove compliance with government and industry data protection regulations. Progent will help you define and implement the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for urgent action. Progent can also help you set up and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations a low-cost end-to-end service for secure backup and disaster recovery (BDR). For a fixed monthly rate, ProSight Data Protection Services automates and monitors your backup processes and allows fast restoration of critical files, applications and virtual machines that have been lost or corrupted by hardware failures, software bugs, disasters, human error, or malware such as ransomware. ProSight Data Protection Services can back up, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware images. Important data can be protected in the cloud, on an on-premises device, or both; the copy that matters in a ransomware event is the one the production network cannot overwrite or delete. Progent's BDR specialists can help configure ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FINRA, and PCI and, when needed, can help you recover your critical data. Learn more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of leading information security companies to deliver web-based control and strong security for your inbound and outbound email. Email Guard combines cloud-based filtering with a local security gateway appliance to defend against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's cloud filter acts as the first line of defense and keeps the vast majority of unwanted email from ever reaching your network firewall. This reduces your exposure to external attacks and conserves bandwidth and storage. Email Guard's onsite gateway appliance provides a deeper layer of inspection for incoming email. For outgoing email, the local gateway offers anti-virus and anti-spam filtering, data leak protection, and email encryption. The onsite gateway can also help Microsoft Exchange Server track and protect internal email that originates and terminates inside your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to map, track, optimize and troubleshoot their connectivity appliances like routers and switches, firewalls, and wireless controllers as well as servers, printers, client computers and other networked devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch makes sure that network maps are always current, captures and manages the configuration information of almost all devices on your network, monitors performance, and sends notices when problems are detected. By automating time-consuming network management processes, ProSight WAN Watch can cut hours off common chores like making network diagrams, reconfiguring your network, finding appliances that need important software patches, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to help keep your network running efficiently by tracking the health of critical assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your designated IT personnel and your assigned Progent consultant so that all looming problems can be addressed before they have a chance to impact productivity. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-sized organization can have its critical servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual machine host set up and managed by Progent's IT support experts. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the applications. Because the system is virtualized, it can be moved immediately to different hardware without a time-consuming and technically risky reconfiguration. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and protect data related to your IT infrastructure, procedures, applications, and services. You can instantly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By keeping your IT documentation current and organized, you can eliminate as much as half of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a common repository for holding and sharing all documents required for managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're planning enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you need as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.
For Milwaukee 24x7 Ransomware Recovery Help, reach out to Progent at 800-993-9400 or go to Contact Progent.