Crypto-Ransomware : Your Feared Information Technology Disaster
Crypto-Ransomware  Recovery ProfessionalsCrypto-Ransomware has become an escalating cyber pandemic that presents an existential danger for organizations unprepared for an assault. Versions of ransomware like the Dharma, Fusob, Locky, NotPetya and MongoLock cryptoworms have been running rampant for a long time and still cause damage. The latest versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, as well as more unnamed viruses, not only do encryption of online data files but also infiltrate any available system protection mechanisms. Information synchronized to cloud environments can also be rendered useless. In a poorly architected environment, this can render automated recovery useless and basically knocks the entire system back to square one.

Getting back online programs and information following a ransomware outage becomes a race against the clock as the targeted organization tries its best to stop lateral movement and eradicate the ransomware and to resume mission-critical activity. Because ransomware takes time to replicate, penetrations are often sprung on weekends and holidays, when penetrations may take more time to discover. This multiplies the difficulty of promptly marshalling and coordinating a knowledgeable mitigation team.

Progent has an assortment of services for securing businesses from ransomware attacks. These include staff training to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of next-generation security solutions with machine learning technology to rapidly identify and quarantine new threats. Progent also can provide the services of experienced ransomware recovery engineers with the talent and perseverance to rebuild a compromised network as rapidly as possible.

Progent's Ransomware Recovery Help
Soon after a ransomware event, paying the ransom demands in Bitcoin cryptocurrency does not guarantee that merciless criminals will respond with the codes to unencrypt any of your data. Kaspersky ascertained that 17% of ransomware victims never recovered their files after having sent off the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the usual ransomware demands, which ZDNET estimates to be approximately $13,000. The other path is to re-install the essential parts of your IT environment. Without the availability of essential information backups, this calls for a wide complement of skill sets, top notch team management, and the ability to work 24x7 until the recovery project is completed.

For decades, Progent has provided professional IT services for businesses in Charlotte and across the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have attained high-level industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally-recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has experience in financial management and ERP application software. This breadth of expertise affords Progent the ability to rapidly identify important systems and integrate the surviving parts of your computer network system following a ransomware event and rebuild them into a functioning system.

Progent's security group utilizes state-of-the-art project management applications to orchestrate the complicated recovery process. Progent understands the importance of working rapidly and in unison with a customerís management and Information Technology resources to prioritize tasks and to put key services back online as fast as possible.

Case Study: A Successful Ransomware Incident Restoration
A customer engaged Progent after their network was brought down by the Ryuk crypto-ransomware. Ryuk is thought to have been launched by Northern Korean state hackers, suspected of adopting techniques leaked from the United States NSA organization. Ryuk attacks specific companies with limited ability to sustain operational disruption and is one of the most lucrative versions of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company located in Chicago with around 500 employees. The Ryuk event had shut down all essential operations and manufacturing processes. The majority of the client's data protection had been on-line at the beginning of the intrusion and were eventually encrypted. The client was taking steps for paying the ransom (in excess of $200,000) and wishfully thinking for good luck, but in the end brought in Progent.


"I canít thank you enough in regards to the help Progent provided us throughout the most stressful period of (our) companyís life. We may have had to pay the cybercriminals if not for the confidence the Progent group afforded us. The fact that you could get our e-mail system and critical applications back into operation in less than five days was incredible. Each consultant I spoke to or messaged at Progent was absolutely committed on getting us restored and was working all day and night on our behalf."

Progent worked hand in hand the customer to quickly identify and assign priority to the essential areas that needed to be restored to make it possible to continue departmental operations:

  • Active Directory
  • Microsoft Exchange Email
  • Accounting/MRP
To get going, Progent adhered to ransomware penetration mitigation best practices by halting lateral movement and removing active viruses. Progent then started the process of rebuilding Active Directory, the key technology of enterprise networks built upon Microsoft Windows Server technology. Exchange messaging will not function without AD, and the businessesí financials and MRP software utilized Microsoft SQL Server, which requires Active Directory for authentication to the data.

In less than two days, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then initiated rebuilding and storage recovery on essential servers. All Exchange Server schema and configuration information were intact, which facilitated the restore of Exchange. Progent was also able to collect non-encrypted OST data files (Outlook Email Offline Folder Files) on user PCs and laptops in order to recover mail information. A not too old offline backup of the customerís financials/ERP systems made it possible to restore these essential services back online for users. Although major work remained to recover completely from the Ryuk event, the most important services were recovered rapidly:


"For the most part, the production operation was never shut down and we did not miss any customer orders."

Over the following couple of weeks important milestones in the restoration process were made through close collaboration between Progent consultants and the customer:

  • In-house web sites were brought back up with no loss of data.
  • The MailStore Microsoft Exchange Server with over 4 million historical emails was brought on-line and accessible to users.
  • CRM/Customer Orders/Invoicing/AP/AR/Inventory Control modules were completely functional.
  • A new Palo Alto Networks 850 firewall was installed.
  • Most of the desktop computers were fully operational.

"Much of what occurred that first week is nearly entirely a haze for me, but I will not forget the countless hours each of the team accomplished to give us our business back. I have been working together with Progent for the past 10 years, possibly more, and each time I needed help Progent has come through and delivered. This situation was a Herculean accomplishment."

Conclusion
A potential business-ending catastrophe was avoided due to dedicated professionals, a broad spectrum of IT skills, and tight teamwork. Although in analyzing the event afterwards the ransomware virus incident described here should have been blocked with current cyber security solutions and ISO/IEC 27001 best practices, user and IT administrator training, and well thought out security procedures for backup and keeping systems up to date with security patches, the fact is that state-sponsored cyber criminals from China, North Korea and elsewhere are relentless and will continue. If you do fall victim to a crypto-ransomware incident, remember that Progent's team of professionals has extensive experience in ransomware virus blocking, mitigation, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were contributing), thank you for letting me get some sleep after we made it through the most critical parts. Everyone did an amazing job, and if anyone is in the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Charlotte a range of online monitoring and security assessment services designed to assist you to minimize your vulnerability to crypto-ransomware. These services include next-generation artificial intelligence capability to uncover zero-day variants of ransomware that are able to get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes next generation behavior-based machine learning tools to guard physical and virtual endpoint devices against new malware assaults like ransomware and file-less exploits, which routinely get by traditional signature-based anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a single platform to manage the complete malware attack progression including filtering, detection, mitigation, remediation, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection services offer ultra-affordable multi-layer protection for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and responding to security assaults from all vectors. ProSight ESP provides firewall protection, penetration alarms, endpoint management, and web filtering via leading-edge tools incorporated within a single agent managed from a unified control. Progent's security and virtualization experts can help you to design and configure a ProSight ESP deployment that addresses your organization's unique requirements and that allows you demonstrate compliance with government and industry data security regulations. Progent will help you specify and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require immediate action. Progent's consultants can also assist you to set up and test a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized organizations an affordable end-to-end solution for reliable backup/disaster recovery (BDR). For a low monthly price, ProSight DPS automates your backup activities and allows rapid restoration of vital data, applications and virtual machines that have become unavailable or damaged as a result of component failures, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, plus Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to a local storage device, or to both. Progent's cloud backup consultants can deliver world-class support to set up ProSight DPS to to comply with regulatory requirements like HIPAA, FIRPA, PCI and Safe Harbor and, when necessary, can help you to recover your business-critical data. Read more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading data security companies to provide web-based management and world-class protection for your inbound and outbound email. The hybrid structure of Progent's Email Guard integrates cloud-based filtering with an on-premises gateway appliance to offer advanced protection against spam, viruses, Dos Attacks, DHAs, and other email-borne malware. Email Guard's Cloud Protection Layer serves as a first line of defense and keeps most unwanted email from reaching your network firewall. This decreases your exposure to inbound threats and saves system bandwidth and storage space. Email Guard's onsite security gateway appliance adds a further layer of analysis for incoming email. For outgoing email, the local security gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email that originates and ends within your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller businesses to diagram, monitor, optimize and debug their connectivity hardware like routers, firewalls, and access points as well as servers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that network maps are always current, copies and displays the configuration of almost all devices on your network, monitors performance, and generates notices when issues are detected. By automating time-consuming network management processes, ProSight WAN Watch can knock hours off common chores like making network diagrams, expanding your network, locating appliances that require critical updates, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management techniques to keep your network running at peak levels by tracking the health of vital computers that power your information system. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your specified IT personnel and your Progent consultant so that any potential issues can be addressed before they can impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host configured and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the client owns the data, the OS platforms, and the apps. Since the environment is virtualized, it can be moved easily to a different hardware environment without requiring a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and protect data about your IT infrastructure, processes, business apps, and services. You can instantly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your network documentation, you can eliminate as much as half of time spent searching for vital information about your network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents related to managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether youíre planning improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.
For 24-7 Charlotte Crypto Cleanup Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.