Crypto-Ransomware : Your Worst IT Disaster
Crypto-Ransomware Recovery Professionals

Crypto-ransomware has become an escalating cyber pandemic that represents an existential danger for businesses of all sizes that are poorly prepared for an attack. Older ransomware families such as Reveton, WannaCry, Bad Rabbit, NotPetya and the MongoLock cryptoworms have been circulating for a long time and still cause harm. More recent crypto-ransomware variants like Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit or Egregor, as well as other unnamed malware, not only encrypt critical online data but also go after every system backup they can reach. Data replicated to off-site disaster recovery sites can be corrupted as well. With a vulnerable data protection solution, this renders automated restoration useless and effectively knocks the network back to zero.

Restoring services and data after a ransomware intrusion becomes a race against the clock as the targeted business fights to stop the spread, remove the crypto-ransomware, and bring business-critical activity back. Because ransomware takes time to spread, intrusions are usually launched on weekends and holidays, when they take longer to notice. This compounds the difficulty of promptly assembling and coordinating an experienced response team.

Progent offers an assortment of support services for protecting enterprises from ransomware intrusions. These include employee training to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of security solutions that use artificial intelligence to automatically identify and suppress zero-day threats. Progent also provides experienced ransomware recovery engineers with the skills and commitment to rebuild a compromised system as rapidly as possible.

Progent's Crypto-Ransomware Restoration Services
Following a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminals will hand over the keys needed to decrypt all your data. Kaspersky found that seventeen percent of ransomware victims never recovered their data even after paying the ransom, resulting in further losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far above the typical ransomware demand, which ZDNet reports averages around $13,000. The alternative is to piece the critical elements of your IT environment back together. Without complete system backups, this requires a broad set of skills, top-notch project management, and the willingness to work around the clock until the job is done.

For two decades, Progent has provided professional IT services to businesses in Barra da Tijuca and across the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold high-level certifications in key technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cybersecurity consultants hold internationally recognized certifications including CISM, CISSP, CRISC and GIAC (see Progent's certifications). Progent also has expertise in financial systems and ERP applications. This breadth of experience gives Progent the skills to quickly understand the systems involved, reorganize the surviving components of your IT environment after a crypto-ransomware event, and configure them into a functioning network.

Progent's recovery group uses powerful project management tools to orchestrate the complex restoration process. Progent understands the importance of acting rapidly and working together with a customer's management and IT staff to prioritize tasks and bring critical services back online as soon as possible.

Case Study: A Successful Ransomware Attack Recovery
A customer engaged Progent after their organization was attacked by Ryuk crypto-ransomware. Ryuk is thought to have been developed by North Korean state hackers, suspected of adopting algorithms leaked from the U.S. NSA. Ryuk goes after specific companies with little tolerance for operational disruption and is one of the most lucrative strains of ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing company in the Chicago metro area with around 500 employees. The Ryuk event had shut down all business operations and manufacturing capabilities. Most of the client's backups were online at the time of the attack and were destroyed. The client considered paying the ransom demand (more than $200K) and hoping for the best, but ultimately decided to engage Progent.


"I can't speak highly enough of the expertise Progent gave us throughout the most stressful time of (our) business's existence. We may have had to pay the cybercriminals if not for the confidence the Progent experts provided us. The fact that you could get our e-mail and important applications back online in less than five days was beyond my wildest dreams. Each person I interacted with or texted at Progent was totally committed to getting us restored and was working 24 by 7 to bail us out."

Progent worked hand in hand with the client to quickly understand and prioritize the most important systems that had to be recovered before company operations could resume:

  • Windows Active Directory
  • Microsoft Exchange Email
  • Financials/MRP
To start, Progent followed industry best practices for ransomware containment by halting lateral movement and cleaning infected systems. Progent then began restoring Microsoft Active Directory, the foundation of enterprise systems built on Microsoft Windows Server. Exchange messaging will not function without AD, and the client's financials and MRP applications ran on Microsoft SQL Server, which relied on Active Directory to authenticate access to the data.

Within 48 hours, Progent had rebuilt Windows Active Directory to its pre-attack state. Progent then moved on to rebuilding mission-critical applications and recovering their data from disk. All Exchange links and configuration information were intact, which accelerated the Exchange restore. Progent was also able to find unencrypted OST files (Microsoft Outlook Offline Data Files) on staff PCs and use them to recover email data. A relatively recent offline backup of the client's manufacturing software made it possible to bring those essential services back to users. Although much work remained to recover completely from the Ryuk virus, core services were recovered quickly:


"For the most part, the manufacturing operation did not miss a beat and we produced all customer orders."
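The OST recovery step above depends on telling intact Outlook data files apart from ones the ransomware encrypted in place. The triage script below is an added example (it is not from the case study and is not Progent's tooling): it walks a directory tree such as a mounted workstation image, finds .ost/.pst files even where the malware appended a new extension, and classifies each by its PFF file signature and header entropy. The 7.5 bits-per-byte entropy cut-off is an assumed threshold.

```python
import math
import os
from pathlib import Path

# Outlook data files (.ost/.pst, the PFF format) start with the 4-byte signature "!BDN".
# Ransomware that encrypts a file in place destroys this signature and leaves bytes that
# look random (Shannon entropy near 8 bits per byte); a file that was merely truncated
# or zero-filled also lacks the signature but has low entropy. The 7.5 cut-off is an
# assumed threshold, not a documented constant.
PFF_MAGIC = b"!BDN"
SAMPLE_BYTES = 4096
ENTROPY_THRESHOLD = 7.5
MAIL_SUFFIXES = {".ost", ".pst"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_mail_file(path: Path) -> str:
    """Return 'intact', 'encrypted', 'damaged' or 'unreadable' for one data file."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(SAMPLE_BYTES)
    except OSError:
        return "unreadable"
    if head.startswith(PFF_MAGIC):
        return "intact"
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "encrypted"
    return "damaged"


def is_mail_file(path: Path) -> bool:
    """True for *.ost / *.pst, including files renamed by appending another extension."""
    return any(s.lower() in MAIL_SUFFIXES for s in path.suffixes)


def triage_mail_files(root: Path) -> dict:
    """Walk root and group every Outlook data file found by its classification."""
    results = {"intact": [], "encrypted": [], "damaged": [], "unreadable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if is_mail_file(p):
                results[classify_mail_file(p)].append(str(p))
    return results


if __name__ == "__main__":
    # Constructed demo tree: one intact, one encrypted (renamed) and one damaged file.
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "user1").mkdir()
        (root / "user1" / "mail.ost").write_bytes(PFF_MAGIC + b"\x00" * 4092)
        (root / "user1" / "archive.pst.locked").write_bytes(os.urandom(8192))
        (root / "user1" / "old.ost").write_bytes(b"\x00" * 512)
        for status, paths in triage_mail_files(root).items():
            print(f"{status}: {len(paths)} file(s)")
```

Files reported as intact are candidates for import into a rebuilt mailbox; anything else should be set aside rather than trusted.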

Over the following month, the critical milestones of the recovery project were reached in close cooperation between Progent engineers and the customer:

  • Internal web sites were returned to operation with no loss of data.
  • The MailStore archive server for Exchange, holding more than four million historical messages, was brought online and made available to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory functions were 100% functional.
  • A new Palo Alto Networks PA-850 security appliance was brought online.
  • Nearly all of the user workstations were fully operational.

"A lot of what went on during the initial response is mostly a blur for me, but I will not forget the care each of your team put in to give us our business back. I’ve utilized Progent for at least 10 years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This situation was a stunning achievement."

Conclusion
A likely business-ending disaster was averted thanks to dedicated experts, a broad spectrum of subject matter expertise, and tight collaboration. In hindsight, the crypto-ransomware incident described here should have been blocked by modern security solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, and appropriate incident response procedures for backup and patching controls. The fact remains, however, that state-sponsored hackers from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you are hit by a ransomware incident, remember that Progent's team of experts has extensive experience in ransomware defense, cleanup, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were contributing), thank you for making it so I could get some sleep after we got over the most critical parts. All of you made an amazing effort, and if anyone is visiting the Chicago area, dinner is my treat!"

To review or download a PDF version of this ransomware incident report, see Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Barra da Tijuca a variety of remote monitoring and security evaluation services to help you minimize your exposure to ransomware. These services use modern AI capabilities to detect new strains of crypto-ransomware that slip past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes cutting edge behavior-based analysis technology to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which routinely get by traditional signature-based AV tools. ProSight Active Security Monitoring protects local and cloud-based resources and provides a unified platform to address the complete threat progression including blocking, identification, containment, cleanup, and post-attack forensics. Top capabilities include single-click rollback using Windows VSS and real-time network-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services offer affordable in-depth security for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring of and response to cyber threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, device control, and web filtering through leading-edge technologies packaged in a single agent managed from a unified console. Progent's security and virtualization experts can help your business design and implement a ProSight ESP deployment that addresses your organization's unique needs and lets you achieve and demonstrate compliance with legal and industry data security standards. Progent will help you specify and implement the security policies that ProSight ESP enforces, and Progent will monitor your IT environment and react to alerts that require urgent action. Progent's consultants can also help your company install and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a potentially disastrous attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has worked with advanced backup software providers to create ProSight Data Protection Services (DPS), a portfolio of subscription-based managed offerings that provide backup-as-a-service (BaaS). ProSight DPS services manage and monitor your backup operations and allow transparent backup and fast restoration of vital files, applications, images, plus Hyper-V and VMware virtual machines. ProSight DPS lets your business protect against data loss caused by equipment failure, natural disasters, fire, cyber attacks like ransomware, human error, malicious insiders, or software glitches. Managed backup services in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight ECHO Backup using Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can help you determine which of these fully managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading information security companies to deliver web-based management and comprehensive protection for your inbound and outbound email. The hybrid architecture of Progent's Email Guard combines a Cloud Protection Layer with an on-premises security gateway appliance to provide advanced protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. Email Guard's cloud filter serves as the first line of defense and blocks the vast majority of threats before they reach your network firewall. This reduces your exposure to external threats and conserves network bandwidth and storage. Email Guard's on-site gateway appliance provides a deeper level of analysis for inbound email. For outgoing email, the on-site gateway provides AV and anti-spam protection, DLP, and email encryption. The on-site gateway can also work with Microsoft Exchange Server to monitor and safeguard internal email that never leaves your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent’s ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller businesses to diagram, monitor, optimize and debug their networking appliances like routers and switches, firewalls, and access points as well as servers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology diagrams are kept updated, copies and displays the configuration of almost all devices connected to your network, tracks performance, and sends alerts when issues are detected. By automating time-consuming network management processes, ProSight WAN Watch can cut hours off common chores such as network mapping, reconfiguring your network, finding devices that need important software patches, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent’s server and desktop monitoring service that uses state-of-the-art remote monitoring and management technology to help keep your network running efficiently by tracking the state of critical computers that power your information system. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your designated IT management staff and your Progent consultant so that any potential issues can be addressed before they have a chance to impact productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With the ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure Tier III data center on a high-performance virtual host configured and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the apps. Because the environment is virtualized, it can be moved immediately to a different hardware environment without a time-consuming and difficult reinstallation. With ProSight Virtual Hosting, you are not tied to one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and safeguard information about your IT infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates, domains or warranties. By keeping your network documentation updated and organized, you can eliminate up to 50% of the time wasted looking for vital information about your network. ProSight IT Asset Management provides a centralized location for holding and collaborating on all documents required for managing your business network, such as recommended procedures and how-tos. ProSight IT Asset Management also offers a high level of automation for gathering and correlating IT information. Whether you're planning enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need when you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that uses next-generation behavior analysis tools to defend endpoints and physical and virtual servers against new malware attacks like ransomware and fileless exploits, which easily evade legacy signature-matching AV tools. Progent Active Security Monitoring services safeguard on-premises and cloud-based resources and offer a single platform to automate the complete threat progression, including protection, intrusion detection, containment, remediation, and post-attack forensics. Key features include one-click rollback using Windows VSS and automatic system-wide immunization against newly discovered threats. Read more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Call Desk: Call Center Managed Services
    Progent's Call Center services let your IT team outsource Help Desk services to Progent or split Service Desk responsibilities transparently between your internal network support group and Progent's extensive pool of certified IT support engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a seamless supplement to your core support organization. End-user access to the Help Desk, delivery of technical assistance, issue escalation, ticket generation and updates, performance measurement, and maintenance of the support database are consistent regardless of whether incidents are handled by your in-house IT support group, by Progent's team, or by a mix of the two. Find out more about Progent's outsourced/co-managed Call Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management offer businesses of any size a flexible and affordable solution for evaluating, validating, scheduling, applying, and documenting software and firmware updates to your dynamic information network. In addition to optimizing the security and reliability of your IT environment, Progent's software/firmware update management services free up time for your in-house IT staff to focus on more strategic projects and tasks that deliver the highest business value from your network. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication services use Cisco's Duo cloud technology to protect against compromised passwords through two-factor authentication. Duo enables single-tap identity confirmation with iOS, Android, and other out-of-band devices. With Duo 2FA, when you sign in to a protected online account and enter your password, you are asked to confirm your identity on a device that only you possess and that is reached over a different network channel. A broad selection of out-of-band devices can be used for this added form of authentication, including a smartphone or watch, a hardware token, or a landline telephone. You may designate multiple verification devices. To find out more about ProSight Duo two-factor identity authentication services, go to Duo MFA two-factor authentication (2FA) services for access security.

For 24-hour Barra da Tijuca crypto-ransomware recovery support services, call Progent at 800-462-8800 or go to Contact Progent.