Crypto-Ransomware : Your Crippling IT Nightmare
Ransomware Recovery Experts
Crypto-ransomware has become a modern cyber pandemic that presents an enterprise-level danger to businesses of all sizes that are poorly prepared for an attack. Ransomware families such as Reveton, CryptoWall, Bad Rabbit, SamSam and MongoLock have been in the wild for years and still cause damage. Newer strains such as Ryuk and Hermes, along with a daily stream of unnamed malware, not only encrypt online data but also go after every configured layer of system protection that is reachable from the compromised network: shadow copies, backup catalogs and backup shares. Information synchronized to off-site disaster recovery sites can be encrypted as well, because replication faithfully copies the encrypted files over the good ones. In a poorly designed environment this makes automatic restoration useless and knocks the entire system back to square one.

Getting applications and data back after a crypto-ransomware intrusion is a sprint against the clock: the victim must stop the spread, clear the malware and restore mission-critical activity all at once. Because the attackers need time to move laterally and stage the encryption, detonation is often timed for a weekend, when a successful penetration typically takes longer to recognize. This multiplies the difficulty of promptly mobilizing and coordinating an experienced response team.

Progent offers a range of services for protecting organizations against crypto-ransomware penetrations: staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and installation of modern security appliances with artificial intelligence capabilities to detect and contain new attacks quickly. Progent can also provide seasoned ransomware recovery consultants with the track record and commitment to rebuild a breached system as quickly as possible.

Progent's Crypto-Ransomware Restoration Services
After a ransomware event, even paying the ransom in cryptocurrency does not guarantee that the criminals will hand over keys that decrypt any or all of your data. Kaspersky Labs found that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the exchange rates of the time), far above the typical ransomware demand, which ZDNet estimates at around $13,000. The alternative is to rebuild the critical parts of your IT environment. Without full system backups, this calls for a wide complement of skills, well-coordinated team management, and the ability to work non-stop until the job is done.

For two decades, Progent has provided expert IT services to companies in Oakland and throughout the U.S. and holds Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals with high-level certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security engineers hold internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise with financial management and ERP applications. This breadth of experience lets Progent knowledgeably identify the necessary systems, reorganize the surviving parts of your IT environment after a crypto-ransomware event, and configure them into an operational network.

Progent's recovery group uses top-notch project management tools to coordinate the complex restoration process. Progent understands the urgency of working swiftly and in unison with a client's management and IT team to prioritize tasks and put key systems back on line as fast as possible.

Customer Case Study: A Successful Ransomware Penetration Recovery
A client contacted Progent after its network was attacked by Ryuk crypto-ransomware. Early analysis attributed Ryuk to North Korean state-sponsored actors, possibly reusing tools exposed in leaks from America's NSA. Ryuk targets specific organizations with limited ability to sustain operational disruption and is among the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing company in Chicago with around 500 employees. The Ryuk penetration had halted all business and manufacturing operations. Most of the client's backups had been directly reachable from the network at the time of the intrusion and were eventually encrypted along with the production data. The client was actively seeking loans to pay the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but in the end brought in Progent.


"I can't thank you enough in regards to the help Progent provided us during the most stressful period of (our) business's survival. We may have had to pay the hackers behind this attack if not for the confidence the Progent team gave us. That you could get our messaging and production applications back on-line faster than a week was something I thought impossible. Each staff member I worked with or texted at Progent was laser focused on getting us restored and was working at breakneck pace to bail us out."

Progent worked with the customer to rapidly assess and prioritize the critical applications that had to be recovered before business operations could restart:

  • Microsoft Active Directory
  • E-Mail
  • Financials/MRP
To begin, Progent followed incident response best practices: containing the outbreak by halting lateral movement, then removing the malware from affected systems. Progent then started recovering Active Directory, the heart of an enterprise environment built on Microsoft Windows. Microsoft Exchange will not operate without Windows AD, and the customer's MRP software ran on Microsoft SQL Server, which relied on Active Directory (Windows authentication) for access to its databases.

In less than two days, Progent restored Windows Active Directory to its pre-intrusion state, then completed the setup and storage recovery of the needed applications. All Exchange connections and configuration information were intact, which greatly simplified the Exchange restore. Progent was also able to locate local OST files (Outlook offline data files) on staff desktops and laptops and use them to recover mailbox contents. A reasonably recent offline backup of the client's accounting/MRP software made it possible to bring those vital applications back to users. Although much work remained to recover fully from the Ryuk attack, core systems were restored rapidly:
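The dependency reasoning in the two paragraphs above (Active Directory first, then Exchange and SQL Server, then the applications that sit on them) generalizes to a small recovery-planning routine. The following is an added example, not Progent's tooling: the service list and the dependencies come from the case study, while the numeric priorities and the helper names (`recovery_order`, `recovery_waves`) are assumptions for illustration.

```python
"""Dependency-ordered recovery planning.

Added example, not Progent's tooling.  The services and the dependencies
mirror the case study (Exchange and SQL Server need Active Directory, the
MRP application needs SQL Server); the numeric priorities are assumed.
"""

# name -> (priority, services it depends on).  Lower priority number =
# more urgent for the business.  Constructed from the case study.
SERVICES = {
    "active-directory": (1, set()),
    "exchange":         (1, {"active-directory"}),
    "sql-server":       (2, {"active-directory"}),
    "mrp-financials":   (1, {"sql-server"}),
    "web-apps":         (3, {"active-directory", "sql-server"}),
    "mailstore":        (3, {"exchange"}),
    "workstations":     (4, {"active-directory"}),
}


def _check(services):
    """Every dependency must itself be in the plan, or the plan is incomplete."""
    for name, (_, deps) in services.items():
        for d in deps:
            if d not in services:
                raise ValueError(f"{name} depends on {d}, which is not in the plan")


def recovery_order(services):
    """Serial restore order: Kahn's topological sort, breaking ties by
    business priority so the most urgent ready service goes first.
    Raises ValueError on a dependency cycle, which means the plan is wrong."""
    _check(services)
    indegree = {name: len(deps) for name, (_, deps) in services.items()}
    dependents = {name: [] for name in services}
    for name, (_, deps) in services.items():
        for d in deps:
            dependents[d].append(name)
    ready = [name for name, n in indegree.items() if n == 0]
    order = []
    while ready:
        ready.sort(key=lambda n: (services[n][0], n))
        current = ready.pop(0)
        order.append(current)
        for nxt in dependents[current]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(services):
        stuck = sorted(n for n, d in indegree.items() if d > 0)
        raise ValueError(f"dependency cycle among {stuck}")
    return order


def recovery_waves(services):
    """Parallel plan: each wave contains every service whose dependencies
    were all restored in earlier waves, so separate teams can work each entry."""
    _check(services)
    remaining = dict(services)
    done = set()
    waves = []
    while remaining:
        wave = sorted(n for n, (_, deps) in remaining.items() if deps <= done)
        if not wave:
            raise ValueError(f"dependency cycle among {sorted(remaining)}")
        waves.append(wave)
        done.update(wave)
        for n in wave:
            del remaining[n]
    return waves


if __name__ == "__main__":
    print("serial order:", " -> ".join(recovery_order(SERVICES)))
    for i, wave in enumerate(recovery_waves(SERVICES), 1):
        print(f"wave {i}: {', '.join(wave)}")
```

With the constructed priorities, the serial order puts Active Directory, Exchange, SQL Server and the MRP application first, exactly the sequence the engagement followed; the wave view shows that Exchange, SQL Server and the workstation rebuild can proceed in parallel once AD is back. A cycle in the dependency table raises an error instead of producing a plan that can never complete.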


"For the most part, the production manufacturing operation was never shut down and we made all customer shipments."

Over the next few weeks, the remaining milestones of the restoration project were completed in close collaboration between Progent consultants and the customer:

  • In-house web applications were restored without losing any information.
  • The MailStore server archiving more than 4 million Exchange messages was restored to operation and made available to users.
  • CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory capabilities were fully recovered.
  • A new Palo Alto Networks 850 firewall was installed and configured.
  • Most of the user desktops and notebooks were returned to full operation.

"So much of what happened that first week is mostly a blur for me, but I will not forget the countless hours each of you put in to help get our business back. I have entrusted Progent for the past 10 years, possibly more, and every time Progent has shined and delivered. This event was no exception but maybe more Herculean."

Conclusion
A potential business disaster was averted through the efforts of dedicated experts, a wide array of technical expertise, and close teamwork. Post-incident forensics showed that the penetration described here should have been stopped by up-to-date security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, and well-thought-out incident response procedures for data protection and software patching. The reality remains, however, that state-sponsored and criminal actors from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you are hit by a ransomware attack, Progent's team of professionals has substantial experience in ransomware blocking, mitigation, and data disaster recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), I'm grateful for letting me get some sleep after we got through the initial fire. Everyone did a fabulous effort, and if any of your team is in the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Oakland a range of online monitoring and security assessment services to help reduce your exposure to crypto-ransomware. These services use machine-learning techniques to uncover new strains of ransomware that evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that uses next-generation behavior-based analysis to defend physical and virtual endpoints against modern malware such as ransomware and fileless attacks, which routinely escape legacy signature-based anti-virus tools. ProSight ASM safeguards on-premises and cloud resources and offers a single platform covering the complete attack progression: protection, detection, containment, cleanup, and post-attack forensics. Key features include one-click rollback using the Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Note that shadow-copy rollback only works if the copies survive: most ransomware families delete them (for example with vssadmin or wmic) moments before encrypting, so the endpoint agent has to detect and block that step as well. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services offer economical multi-layer security for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and machine learning for round-the-clock monitoring of and response to attacks from all vectors. ProSight ESP provides firewall protection, intrusion alerts, device control, and web filtering through leading-edge tools incorporated within a single agent managed from a single console. Progent's security and virtualization experts can help your business plan and implement a ProSight ESP deployment that meets your company's needs and helps you achieve and demonstrate compliance with legal and industry data protection standards. Progent will help you define and implement the policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alerts that call for immediate action. Progent can also help your company install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized businesses an affordable end-to-end solution for secure backup and disaster recovery. Available at a fixed monthly cost, ProSight DPS automates and monitors your backup processes and enables rapid recovery of critical data, applications and VMs that have become unavailable or damaged as a result of hardware failures, software bugs, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can protect, recover and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to an on-premises storage device, or mirrored to both. For ransomware in particular, at least one copy should be offline or otherwise unreachable with the credentials used on the production network; in the case study above, the backups that were directly accessible were encrypted along with everything else. Progent's BDR consultants can provide advanced expertise to set up ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FERPA, PCI and Safe Harbor and, when needed, can help you recover your business-critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading data security companies to deliver web-based management and world-class protection for your inbound and outbound email. The architecture of Progent's Email Guard managed service combines cloud-based filtering with an on-premises security gateway appliance to provide layered defense against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's cloud filter acts as the first line of defense and blocks most threats before they reach your security perimeter, which reduces your exposure to inbound threats and conserves bandwidth and storage. Email Guard's on-site gateway device provides a further level of inspection for inbound email. For outbound email, the local gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The local gateway can also help Microsoft Exchange Server monitor and protect internal email that never leaves your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to map out, monitor, reconfigure and debug their connectivity appliances such as switches, firewalls, and load balancers as well as servers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network maps are always updated, copies and manages the configuration information of almost all devices connected to your network, monitors performance, and generates notices when potential issues are detected. By automating time-consuming management and troubleshooting activities, WAN Watch can cut hours off common chores such as making network diagrams, reconfiguring your network, finding devices that need important updates, or resolving performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management technology to keep your IT system operating at peak levels by tracking the health of the critical assets that power your business network. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT staff and your assigned Progent engineering consultant so that potential problems can be resolved before they disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual machine host set up and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the apps. Since the system is virtualized, it can be ported immediately to a different hosting solution without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is an IT infrastructure documentation management service that lets you create, update, retrieve and protect information about your network infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can save up to half the time otherwise wasted searching for vital information about your network. ProSight IT Asset Management provides a common location for storing and collaborating on all documents related to managing your business network, such as recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're making enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Read more about ProSight IT Asset Management service.
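The shadow-copy rollback described under ProSight Active Security Monitoring above depends on the copies still existing, and most ransomware families delete them moments before encrypting. The following is an added example, not ProSight ASM's own detection logic: it runs a set of shadow-copy and recovery-tampering indicators over constructed process-creation log lines in a key=value layout assumed for illustration (Sysmon Event ID 1 or Windows 4688 exports need their own parser) and reports which hosts and accounts issued them.

```python
"""Flag shadow-copy deletion and recovery tampering in process-creation logs.

Added example, not ProSight ASM's detection logic.  The log lines are
constructed for illustration in a key=value layout (assumed); a real
deployment would parse Sysmon Event ID 1 or Windows 4688 records instead.
"""
import re
from collections import defaultdict

# Each indicator is a command-line pattern that ransomware commonly runs
# before encryption so that Volume Shadow Copy rollback and Windows
# recovery no longer work.  Matched case-insensitively.
INDICATORS = {
    "vssadmin-delete-shadows":
        re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "vssadmin-resize-storage":
        re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I),
    "wmic-shadowcopy-delete":
        re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin-delete-catalog":
        re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I),
    "bcdedit-disable-recovery":
        re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "powershell-win32-shadowcopy":
        re.compile(r"win32_shadowcopy\b.*\bdelete\b", re.I),
}

# key=value tokens; quoted values may contain spaces.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value log line into a dict of fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def classify(cmdline):
    """Names of all indicators that match a command line (sorted, possibly empty)."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(cmdline))


def scan(lines):
    """Return one hit per matching event with the context an analyst needs."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        tags = classify(ev.get("cmdline", ""))
        if tags:
            hits.append({"time": ev.get("time"), "host": ev.get("host"),
                         "user": ev.get("user"), "tags": tags,
                         "cmdline": ev.get("cmdline")})
    return hits


def summarize(hits):
    """host -> sorted list of distinct indicators seen on that host."""
    by_host = defaultdict(set)
    for h in hits:
        by_host[h["host"]].update(h["tags"])
    return {host: sorted(tags) for host, tags in by_host.items()}


# Constructed sample log (not real telemetry).  The first six lines are the
# kind of sequence seen on a file server minutes before encryption; the last
# two are routine administration that must not fire.
SAMPLE_LOG = [
    r'time=2019-03-16T02:14:07Z host=FS01 user=CORP\svc_backup image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe Delete Shadows /All /Quiet"',
    r'time=2019-03-16T02:14:08Z host=FS01 user=CORP\svc_backup image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"',
    r'time=2019-03-16T02:14:09Z host=FS01 user=CORP\svc_backup image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic shadowcopy delete"',
    r'time=2019-03-16T02:14:10Z host=FS01 user=CORP\svc_backup image=C:\Windows\System32\wbadmin.exe cmdline="wbadmin delete catalog -quiet"',
    r'time=2019-03-16T02:14:11Z host=FS01 user=CORP\svc_backup image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled No"',
    r'time=2019-03-16T02:16:40Z host=WS07 user=CORP\jdoe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -nop -w hidden -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"',
    r'time=2019-03-16T09:02:13Z host=WS22 user=CORP\admin_jsmith image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin list shadows"',
    r'time=2019-03-16T09:05:51Z host=WS22 user=CORP\admin_jsmith image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -Command Get-Service vss"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["host"], hit["user"], ",".join(hit["tags"]), "|", hit["cmdline"])
    print(summarize(scan(SAMPLE_LOG)))
```

Any one of these commands from a service or user account that never runs them is worth an immediate alert; several of them in a burst on a file server, as in the constructed FS01 sequence, is the window in which isolating the host still saves the shadow copies and the unencrypted data. The benign `vssadmin list shadows` and the `Get-Service` call are left alone, which is what keeps the rule usable on administrator workstations.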
For Oakland 24-7 Crypto Recovery Services, reach out to Progent at 800-993-9400 or go to Contact Progent.