Crypto-Ransomware: Your Crippling Information Technology Nightmare
Crypto-ransomware has become an escalating cyber pandemic and represents an extinction-level threat for businesses unprepared for an attack. Families such as Reveton, WannaCry, Locky, SamSam and MongoLock have been in the wild for years and continue to cause destruction. More recent variants such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nefilim, along with a steady stream of unnamed strains, do not merely encrypt online data: they also disable or destroy whatever system protection mechanisms are reachable from the compromised network, such as shadow copies and online backups. Files synchronized to off-site disaster recovery sites can be rendered useless as well, because replication faithfully copies the encrypted versions. In a vulnerable environment this can make recovery hopeless and effectively sets the datacenter back to square one.
Restoring applications and data after a ransomware intrusion is a race against the clock as the victim tries to contain the damage, remove the ransomware and restore business-critical activity. Because the attackers need time to move laterally and stage the encryption, attacks are frequently triggered at night or over a weekend, when they take longer to notice and when it is harder to quickly mobilize and coordinate a knowledgeable response team.
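The two points above, that ransomware disables recovery mechanisms before it encrypts and that it tends to do so out of hours, are exactly what a detection rule should look for. The following is an added example written for this page, not Progent tooling: it scans process-creation events (Windows Security event 4688, assumed here to be exported one per line as timestamp, host, user and command line) for the well-known recovery-tampering commands (MITRE ATT&CK T1490: vssadmin/WMIC shadow copy deletion, wbadmin catalog deletion, bcdedit disabling recovery), marks off-hours activity, and escalates hosts where several distinct techniques fire within a few minutes. The sample events and the 19:00 to 06:00 unattended window are constructed assumptions.

```python
"""Flag system-recovery tampering (MITRE ATT&CK T1490) in process-creation logs.

Hypothetical detector written as an example for this page; not Progent tooling.
It assumes a simplified one-line-per-event export of Windows Security event 4688
(process creation) in the form:  <ISO timestamp> <host> <user> <command line>
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events for demonstration; not taken from any real incident.
SAMPLE_EVENTS = """\
2020-03-14T02:13:05 FILESRV01 CORP\\svc_backup C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
2020-03-14T02:13:06 FILESRV01 CORP\\svc_backup C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy delete
2020-03-14T02:13:09 FILESRV01 CORP\\svc_backup C:\\Windows\\System32\\bcdedit.exe /set {default} recoveryenabled No
2020-03-14T02:13:10 FILESRV01 CORP\\svc_backup C:\\Windows\\System32\\wbadmin.exe delete catalog -quiet
2020-03-11T10:42:17 WS0217 CORP\\jdoe C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE
2020-03-11T11:05:44 FILESRV01 CORP\\backupadmin C:\\Windows\\System32\\vssadmin.exe list shadows
"""

# Commands ransomware operators run before encryption so the victim cannot roll
# back. Listing or creating shadow copies is normal admin work and is NOT matched.
RULES = [
    ("VSS shadow copy deletion",
     re.compile(r"vssadmin(\.exe)?\s+(delete\s+shadows|resize\s+shadowstorage)", re.I)),
    ("WMI shadow copy deletion",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("Windows Backup catalog deletion",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("Boot recovery disabled",
     re.compile(r"bcdedit(\.exe)?\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("PowerShell shadow copy removal",
     re.compile(r"Win32_ShadowCopy.*Remove-(Wmi|Cim)(Object|Instance)", re.I)),
]

# Assumption: 19:00 to 06:00 local time and weekends are unattended for this site.
OFF_HOURS_START, OFF_HOURS_END = 19, 6


@dataclass
class Alert:
    when: datetime
    host: str
    user: str
    rule: str
    cmdline: str
    off_hours: bool


def is_off_hours(when: datetime) -> bool:
    """True on weekends or outside the attended window defined above."""
    return when.weekday() >= 5 or when.hour >= OFF_HOURS_START or when.hour < OFF_HOURS_END


def detect(log_text: str) -> list[Alert]:
    """Return one Alert per (event, rule) match; malformed lines are skipped."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue
        ts, host, user, cmdline = parts
        when = datetime.fromisoformat(ts)
        for name, pattern in RULES:
            if pattern.search(cmdline):
                alerts.append(Alert(when, host, user, name, cmdline, is_off_hours(when)))
    return alerts


def hosts_under_attack(alerts: list[Alert], window: timedelta = timedelta(minutes=5),
                       min_rules: int = 2) -> dict[str, int]:
    """Hosts on which at least `min_rules` distinct tampering techniques fire
    within `window`. A single vssadmin call may be an administrator; several
    different recovery-disabling commands within minutes almost never are."""
    by_host: dict[str, list[Alert]] = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    flagged: dict[str, int] = {}
    for host, items in by_host.items():
        items.sort(key=lambda a: a.when)
        for i, first in enumerate(items):
            rules = {a.rule for a in items[i:] if a.when - first.when <= window}
            if len(rules) >= min_rules:
                flagged[host] = len(rules)
                break
    return flagged


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.when:%Y-%m-%d %H:%M} {a.host:<10} {a.user:<18} {a.rule}"
              f"{'  [OFF-HOURS]' if a.off_hours else ''}")
    for host, n in hosts_under_attack(found).items():
        print(f"HIGH: {host} ran {n} distinct recovery-tampering techniques within 5 minutes")
```

Run against the constructed sample, the four Saturday 02:13 commands on FILESRV01 are flagged and escalated as a cluster, while the daytime `vssadmin list shadows` and Outlook launch are ignored. In a real deployment the same rules map directly onto Sysmon event 1 or EDR process telemetry; the escalation step is what keeps a lone administrator's resize of shadow storage from paging the on-call team.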
Progent offers a range of solutions for protecting organizations from ransomware attacks. Among these are team training to help staff recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of the latest generation of security gateways with artificial intelligence technology to quickly detect and quarantine zero-day threats. Progent can also provide veteran ransomware recovery professionals with the track record and commitment to restore a breached environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
After a crypto-ransomware attack, paying the ransom in Bitcoin does not guarantee that the attackers will respond with keys that decrypt any or all of your data. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims who paid never recovered their data, compounding their losses. Paying is also expensive. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical crypto-ransomware demand, which ZDNet put at around $13,000. The other path is to rebuild the key components of your IT environment. Without access to essential system backups, this calls for a wide range of IT skills, well-coordinated team management, and the ability to work non-stop until the job is done.
For two decades, Progent has provided expert IT services to businesses in Denver and across the United States and holds Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants with high-level certifications in foundation technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's cybersecurity specialists hold internationally recognized certifications including CISA, CISSP, ISACA CRISC and SANS GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP application software. This breadth of expertise lets Progent quickly identify the essential systems, organize the surviving parts of your IT environment after a ransomware attack, and rebuild them into an operational network.
Progent's ransomware group uses best-of-breed project management applications to coordinate the complex recovery process. Progent understands the importance of working rapidly and together with a client's management and IT staff to prioritize tasks and put the most important systems back online as soon as possible.
Client Case Study: A Successful Ransomware Incident Response
A business hired Progent after its network was brought down by the Ryuk ransomware. Early analysis linked Ryuk to North Korean state-sponsored actors because it shares code with the Hermes ransomware; later research attributed it to Russian-speaking criminal groups. Ryuk targets specific businesses with little or no ability to sustain disruption and is among the most lucrative ransomware families. Widely publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company in the Chicago metro area with about 500 employees. The Ryuk attack had frozen all company operations and manufacturing. Most of the client's backups were online and reachable from the compromised network at the time of the attack and were destroyed. The client was actively seeking loans to pay the ransom demand (over $200,000) and hoping for the best, but ultimately engaged Progent instead.
"I can't thank you enough for the support Progent gave us throughout the most critical time of (our) company's existence. We may have had to pay the cyber criminals behind the attack if not for the confidence the Progent team afforded us. That you could get our messaging and important servers back on-line sooner than 1 week was beyond my wildest dreams. Every single consultant I spoke to or communicated with at Progent was hell bent on getting us back online and was working all day and night on our behalf."
Progent worked together with the client to quickly assess and prioritize the key areas that had to be restored so that departmental functions could continue:
- Active Directory
- Exchange Server
- MRP System
To begin, Progent followed incident response best practices for a malware outbreak by halting the spread and removing the ransomware from affected systems. Progent then began rebuilding Active Directory, the foundation of an enterprise environment built on Microsoft technology: Exchange Server will not run without Active Directory, and the customer's accounting and MRP software ran on SQL Server, which relied on Active Directory (Windows integrated authentication) to control access to the data.
In less than two days, Progent rebuilt Active Directory to its pre-attack state. Progent then helped rebuild the critical applications and recover data from surviving hard drives. All Exchange Server objects and attributes in Active Directory were intact, which greatly simplified the Exchange restore. Progent located Outlook Offline Folder (OST) files on staff PCs and used them to recover mail data. A recent offline backup of the company's financial/MRP software made it possible to bring these essential applications back online. Although a lot of work remained to recover fully from the Ryuk event, the most important services were restored rapidly:
"For the most part, the production operation survived unscathed and we produced all customer sales."
Over the following month, critical milestones in the restoration were reached in close cooperation between Progent consultants and the customer:
- Internal web sites were brought back up with no loss of data.
- The MailStore email archive server, holding over four million archived messages, was brought online and made available to users.
- The CRM, customer orders, invoicing, accounts payable (AP), accounts receivable (AR) and inventory control modules were fully operational.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Ninety percent of user PCs were back in service.
"Much of what happened in the early hours is nearly entirely a haze for me, but we will not forget the countless hours each and every one of you put in to give us our company back. I've entrusted Progent for at least 10 years, maybe more, and each time I needed help Progent has come through and delivered as promised. This situation was a Herculean accomplishment."
A likely business catastrophe was averted through hard-working professionals, a broad range of subject matter expertise, and close collaboration. Post-incident forensics showed that the intrusion described here should have been stopped by modern security systems and recognized best practices: user education, well-designed incident response procedures, isolated backups and proper patch management. Even so, state-sponsored and criminal attackers from China, Russia, North Korea and elsewhere are tireless and remain an ongoing threat. If you are hit by a ransomware attack, remember that Progent's team has proven experience in ransomware blocking, remediation, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were involved), thanks very much for letting me get some sleep after we got past the first week. All of you did a fabulous job, and if anyone that helped is in the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Denver a portfolio of remote monitoring and security evaluation services to help you minimize the threat from ransomware. These services include next-generation artificial intelligence technology that uncovers zero-day variants of crypto-ransomware able to escape detection by legacy signature-based anti-virus solutions.
For 24/7 Denver crypto-ransomware removal support services, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates cutting edge behavior analysis technology to guard physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which easily escape traditional signature-matching anti-virus products. ProSight Active Security Monitoring protects local and cloud resources and provides a single platform to automate the entire threat lifecycle including blocking, detection, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection services offer ultra-affordable in-depth security for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge tools incorporated within a single agent accessible from a unified console. Progent's security and virtualization experts can assist you to plan and configure a ProSight ESP environment that meets your company's specific requirements and that helps you prove compliance with legal and industry data security regulations. Progent will assist you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require immediate attention. Progent's consultants can also help you to install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services provide small and medium-sized businesses an affordable end-to-end solution for reliable backup and disaster recovery. For a low monthly price, ProSight DPS automates and monitors your backup activities and allows fast recovery of vital files, applications and VMs that have become unavailable or damaged as a result of hardware failures, software bugs, disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware images. Critical data can be backed up to the cloud, to a local device, or to both. Progent's cloud backup specialists can provide advanced expertise to configure ProSight DPS to comply with regulatory standards like HIPAA, FERPA, PCI and Safe Harbor and, whenever needed, can help you recover your critical data. Read more about ProSight Data Protection Services Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading data security vendors to deliver centralized management and comprehensive security for your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service combines cloud-based filtering with an on-premises security gateway appliance to offer protection against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter serves as a preliminary barricade and blocks the vast majority of threats before they reach your security perimeter, reducing your exposure to external attacks and conserving bandwidth and storage. Email Guard's on-premises security gateway appliance provides a deeper level of analysis for incoming email. For outgoing email, the on-premises gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The onsite gateway can also work with Microsoft Exchange Server to track and protect internal email that never leaves your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to map out, track, optimize and debug their connectivity appliances such as routers and switches, firewalls, and wireless controllers plus servers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always updated, captures and manages the configuration of almost all devices on your network, monitors performance, and sends notices when problems are detected. By automating complex management activities, WAN Watch can knock hours off ordinary chores like making network diagrams, expanding your network, locating appliances that require important updates, or isolating performance problems. Learn more details about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management techniques to help keep your IT system operating at peak levels by checking the state of critical computers that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your designated IT management personnel and your Progent consultant so that all looming problems can be resolved before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With the ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure Tier III data center on a fast virtual host set up and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the applications. Because the environment is virtualized, it can be ported immediately to alternate hardware without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied to one hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and safeguard data related to your IT infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or domains. By keeping your IT documentation current and organized, you can save as much as 50% of the time otherwise wasted hunting for critical information about your network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents related to managing your network infrastructure, such as recommended procedures and how-to's. ProSight IT Asset Management also offers advanced automation for collecting and correlating IT data. Whether you're making improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.