Crypto-Ransomware: Your Worst Information Technology Catastrophe
Ransomware Remediation Professionals
Crypto-ransomware has become a modern cyberplague and represents an existential danger for businesses vulnerable to an attack. Older families such as CrySIS, WannaCry, Bad Rabbit, SamSam and MongoLock have been circulating for years and still inflict harm. More recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with newer variants that have not yet been named, not only encrypt online files but also seek out and destroy any backups reachable from the compromised environment, including snapshots, backup servers and mapped backup shares. Data synchronized to the cloud can also be corrupted, because the sync client faithfully uploads the encrypted copies over the good ones. Against a vulnerable data protection solution this makes automatic restore operations impossible and effectively knocks the entire system back to square one.

Getting programs and data back online following a ransomware intrusion becomes a sprint against time as the victim struggles to contain the damage, eradicate the ransomware and resume mission-critical activity. Because ransomware needs time to spread and encrypt, attacks are frequently detonated on weekends and holidays, when a successful intrusion may go unnoticed for longer and encryption can run to completion. This compounds the difficulty of rapidly assembling and orchestrating a capable mitigation team.

Progent makes available an assortment of solutions for protecting enterprises from ransomware attacks. These include user education to recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for behavior-based endpoint protection, and installation of modern security gateways with AI capabilities to rapidly identify and quarantine new threats. Progent can also provide the services of expert ransomware recovery consultants with the skills and commitment to reconstruct a compromised system as quickly as possible.

Progent's Ransomware Recovery Help
After a crypto-ransomware event, paying the ransom in cryptocurrency provides no assurance that the remote criminals will respond with keys that decrypt any or all of your files. Kaspersky Labs found that seventeen percent of crypto-ransomware victims never recovered their data after sending the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time). This is far above the typical ransomware demand, which ZDNet estimates at around $13,000. The other path is to rebuild the essential parts of your IT environment from whatever survives. Without complete, uncompromised system backups, this requires a wide range of skill sets, first-rate team management, and the capability to work non-stop until the job is complete.

For twenty years, Progent has offered professional IT services for businesses in Richmond and throughout the U.S. and has earned Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold high-level certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has expertise with financial systems and ERP software. This breadth of experience gives Progent the ability to quickly understand the systems that matter, salvage the surviving parts of your network environment after a crypto-ransomware attack, and integrate them back into an operational network.

Progent's ransomware team of experts uses best-of-breed project management applications to orchestrate the complicated recovery process. Progent understands the urgency of acting rapidly and in unison with a customer's management and IT team members to prioritize tasks and to put the most important applications back online as fast as possible.

Business Case Study: A Successful Ransomware Intrusion Restoration
A small business escalated to Progent after their company was crippled by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, but subsequent analysis tied it to the Russian-speaking criminal group that also operates the TrickBot botnet; it is typically deployed by hand after the attackers have already gained a foothold in the network. Ryuk targets specific businesses with little tolerance for downtime and is one of the most lucrative ransomware families. Publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturer in the Chicago area with around 500 employees. The Ryuk intrusion had brought down all business operations and manufacturing capability. Most of the client's backups had been online and reachable when the intrusion began, and they were destroyed along with the production data. The client was considering paying the ransom demand (exceeding $200,000) and hoping for the best, but ultimately engaged Progent.


"I cannot tell you enough about the care Progent provided us during the most critical period of (our) business's existence. We had little choice but to pay the hackers behind this attack if not for the confidence the Progent experts gave us. The fact that you could get our e-mail system and key servers back online quicker than a week was earth shattering. Each consultant I talked with or communicated with at Progent was totally committed to getting our system up and was working at breakneck pace on our behalf."

Progent worked with the customer to quickly identify and prioritize the critical applications that had to be restored in order to restart departmental operations:

  • Active Directory
  • E-Mail
  • Accounting and Manufacturing Software
To get started, Progent followed anti-malware incident response best practices: isolating affected systems to halt the spread and removing the ransomware. Progent then began rebuilding Microsoft Active Directory, the foundation of enterprise networks built on Microsoft technology. Microsoft Exchange Server will not function without Active Directory, and the business's accounting and MRP software used Microsoft SQL Server with Windows authentication, so access to the database also depended on Active Directory.

In less than 2 days, Progent restored Active Directory to its pre-attack state. Progent then completed the rebuild of critical servers and the recovery of their storage. The Exchange Server schema extensions and configuration objects held in Active Directory were intact, which greatly simplified rebuilding Exchange. Progent was also able to collect OST files (Outlook offline data files) that the ransomware had not encrypted from staff desktop computers and use them to recover mail messages. A reasonably recent offline backup of the accounting software made it possible to bring those essential services back online for users. Although a great deal of work remained before the recovery from Ryuk was complete, critical systems were restored quickly:


"For the most part, the production line operation did not miss a beat and we produced all customer sales."
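
The OST salvage step above is worth a closer look, because after an attack like this the question is not which workstations still have Outlook data files but which of those files are actually usable. The Python script below is an added example written for this page, not Progent's tooling: it triages Outlook data files by their container signature rather than their name. Intact .ost and .pst files (both use the same PFF container format) begin with the four bytes !BDN; a file that ransomware has encrypted no longer carries that header and usually has an extra extension appended (Ryuk appends .RYK). The profile tree it walks is constructed for the demo; in a real engagement the files would first be gathered from each workstation's user profile, for example over admin shares, into a staging folder that the script is pointed at.

```python
"""Triage Outlook data files collected from workstations after ransomware.

Added example, not Progent's tooling. Classifies each candidate by its
file header: intact .ost/.pst files start with the PFF signature b"!BDN".
The demo profile tree is constructed here so the script runs offline.
"""
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List

PFF_MAGIC = b"!BDN"               # signature of an Outlook .ost/.pst container
OUTLOOK_SUFFIXES = (".ost", ".pst")


@dataclass
class Finding:
    path: str
    size: int
    status: str                   # "intact" | "encrypted" | "damaged"


def is_candidate(path: Path) -> bool:
    # Match ".ost"/".pst" anywhere in the name so "mail.ost.RYK" is examined too.
    # Fully renamed files are missed; those need a header sweep of every file.
    lower = path.name.lower()
    return any(s in lower for s in OUTLOOK_SUFFIXES)


def classify(path: Path) -> Finding:
    """Decide by header, not by name."""
    size = path.stat().st_size
    with path.open("rb") as fh:
        head = fh.read(len(PFF_MAGIC))
    if head == PFF_MAGIC:
        return Finding(str(path), size, "intact")
    if path.name.lower().endswith(OUTLOOK_SUFFIXES):
        # Still named like an Outlook file but no valid header: overwritten
        # in place, truncated or otherwise corrupt.
        return Finding(str(path), size, "damaged")
    # Outlook extension buried in the name plus a foreign extension appended:
    # the usual shape of a ransomware-encrypted file.
    return Finding(str(path), size, "encrypted")


def triage(root) -> List[Finding]:
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            if is_candidate(p):
                findings.append(classify(p))
    return sorted(findings, key=lambda f: f.path)


def build_demo_tree(base) -> Path:
    """Constructed sample: three user profiles in the three possible states."""
    base = Path(base)
    intact = base / "alice" / "Outlook" / "alice@example.com.ost"
    intact.parent.mkdir(parents=True, exist_ok=True)
    intact.write_bytes(PFF_MAGIC + b"\x00" * 1020)
    encrypted = base / "bob" / "Outlook" / "bob@example.com.ost.RYK"
    encrypted.parent.mkdir(parents=True, exist_ok=True)
    encrypted.write_bytes(bytes(range(256)) * 4)      # stand-in ciphertext
    damaged = base / "carol" / "archive.pst"
    damaged.parent.mkdir(parents=True, exist_ok=True)
    damaged.write_bytes(b"\x00" * 16)                 # zeroed/truncated
    return base


def demo_summary() -> dict:
    """Run the triage over the constructed tree; returns counts per status."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        counts = {}
        for f in triage(tmp):
            counts[f.status] = counts.get(f.status, 0) + 1
        return counts


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for f in triage(tmp):
            print(f"{f.status:<10} {f.size:>8}  {f.path}")
```

A valid header only shows that the file escaped encryption, not that it is complete or current, and an OST detached from its original mailbox profile cannot simply be reopened in Outlook; the intact files are the input to a PST export or a mailbox recovery tool, which is why identifying them early matters.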

Over the next couple of weeks, further milestones in the restoration project were reached through close collaboration between Progent engineers and the client:

  • In-house web applications were restored with no loss of information.
  • The MailStore email archive, holding more than 4 million historical messages from Microsoft Exchange Server, was restored to operation and made available to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory modules were completely restored.
  • A new Palo Alto 850 firewall was deployed.
  • 90% of the user workstations were fully operational.

"Much of what was accomplished during the initial response is mostly a fog for me, but we will not soon forget the commitment each of you accomplished to give us our business back. I've utilized Progent for the past ten years, possibly more, and each time I needed help Progent has shined and delivered as promised. This time was a Herculean accomplishment."

Conclusion
A probable business catastrophe was averted through dedicated experts, a wide range of subject matter expertise, and close collaboration. In retrospect, the attack described here could have been detected and blocked with modern security tooling and best practices, staff education, and sound procedures for data protection (including backups kept offline or otherwise unreachable from the production network) and timely software patching. The reality remains, however, that well-resourced criminal groups operating from Russia, China and elsewhere, some with state tolerance or backing, are tireless and represent an ongoing threat. If you are hit by a crypto-ransomware intrusion, remember that Progent's team of experts has extensive experience in crypto-ransomware defense, removal, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were contributing), I'm grateful for making it so I could get rested after we made it past the initial push. All of you did an incredible effort, and if any of your team is in the Chicago area, a great meal is my treat!"

To review or download a PDF version of this case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Richmond a range of remote monitoring and security evaluation services to help you reduce the threat from ransomware. These services incorporate behavior-based detection to uncover new variants of ransomware that evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection platform (EPP) that uses next-generation behavior-based analysis to defend physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely get past traditional signature-based anti-virus products. ProSight ASM protects local and cloud resources and provides a single platform to address the complete malware attack progression, including filtering, infiltration detection, containment, cleanup, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and automatic network-wide immunization against newly discovered attacks. One caveat applies to any snapshot-based rollback: most ransomware families try to delete VSS snapshots before they start encrypting, so the rollback is only as good as the agent's ability to block that deletion, and it complements rather than replaces backups kept off the network. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
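
Because snapshot rollback depends on the snapshots still existing, the commands ransomware uses to destroy them are among the highest-value detections a security operations team can run, and they fire minutes before encryption rather than after it. The Python script below is an added example for this page, not part of ProSight ASM or any Progent product: it scans process-creation records for the shadow-copy and recovery tampering commands that precede encryption and raises a per-host alert whose severity rises when several distinct techniques appear within a short window. The log lines are constructed for the demo in a simplified key=value shape carrying the fields a Windows Security 4688 or Sysmon event 1 record provides (time, host, user, image, command line); a SIEM feed would supply the real ones.

```python
"""Detect shadow-copy and recovery tampering that precedes ransomware encryption.

Added example, not ProSight ASM code. Input lines are constructed for the
demo: "<ISO time> host=<name> user=<domain\\user> image=<path> cmd=<command line>".
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Pattern, Tuple

# (technique name, pattern over the full command line). Case-insensitive,
# tolerant of "vssadmin" vs "vssadmin.exe" and of extra switches.
RULES: List[Tuple[str, Pattern]] = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin_resize_storage",          # shrinking storage silently evicts snapshots
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("powershell_remove_shadowcopy",
     re.compile(r"win32_shadowcopy.*(remove-wmiobject|\.delete\(\))", re.I)),
]

# Constructed sample log: a file server being prepared for encryption, one
# workstation running a PowerShell variant, and benign noise that must not fire.
SAMPLE_LOG = [
    "2020-11-21T02:14:07Z host=MFG-FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\vssadmin.exe cmd=vssadmin.exe Delete Shadows /All /Quiet",
    "2020-11-21T02:14:09Z host=MFG-FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd=wmic.exe shadowcopy delete",
    "2020-11-21T02:14:10Z host=MFG-FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\bcdedit.exe cmd=bcdedit /set {default} recoveryenabled No",
    "2020-11-21T02:15:00Z host=MFG-WS17 user=CORP\\jdoe image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE cmd=OUTLOOK.EXE",
    "2020-11-21T02:15:30Z host=MFG-FS01 user=CORP\\admin image=C:\\Windows\\System32\\vssadmin.exe cmd=vssadmin list shadows",
    "2020-11-21T02:16:02Z host=MFG-WS22 user=CORP\\jdoe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd=powershell.exe -nop -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}",
    "2020-11-21T03:00:00Z host=MFG-BK01 user=CORP\\svc_backup image=C:\\Windows\\System32\\wbadmin.exe cmd=wbadmin start backup -backupTarget:E: -include:C: -quiet",
]


def parse(line: str) -> dict:
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split(" ", 2)[:2])
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "host": fields["host"],
        "user": fields["user"],
        "cmd": rest.split(" cmd=", 1)[1],
    }


def match_rules(command_line: str) -> List[str]:
    return [name for name, rx in RULES if rx.search(command_line)]


def scan(lines, window: timedelta = timedelta(seconds=120)) -> Dict[str, dict]:
    """Per-host alerts. Severity is "high" when two or more distinct tamper
    techniques occur on one host within `window` of the first hit."""
    per_host: Dict[str, list] = {}
    for n, line in enumerate(lines, 1):
        ev = parse(line)
        techs = match_rules(ev["cmd"])
        if techs:
            per_host.setdefault(ev["host"], []).append((ev["ts"], n, techs))
    alerts = {}
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e[0])
        start = evs[0][0]
        burst = [e for e in evs if e[0] - start <= window]
        techniques = sorted({t for _, _, ts in burst for t in ts})
        alerts[host] = {
            "lines": [n for _, n, _ in evs],
            "techniques": techniques,
            "severity": "high" if len(techniques) >= 2 else "medium",
        }
    return alerts


if __name__ == "__main__":
    for host, a in scan(SAMPLE_LOG).items():
        print(f"{host}: {a['severity']} lines={a['lines']} {', '.join(a['techniques'])}")
```

On real telemetry the command-line field is the one to key on, since the image path alone cannot distinguish vssadmin list shadows from vssadmin delete shadows; the benign list and backup commands in the sample exist to show that the rules stay quiet on them. A high-severity alert here is the cue to isolate the host and verify the backup targets before the encryption run, not after it.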

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer security for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring of and response to cyber attacks from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, device control, and web filtering through leading-edge technologies incorporated within a single agent managed from a single console. Progent's security and virtualization experts can help your business plan and implement a ProSight ESP deployment that meets your organization's unique requirements and helps you demonstrate compliance with government and industry information protection regulations. Progent will help you define and configure the policies that ProSight ESP enforces, and Progent will monitor your network and respond to alerts that call for immediate attention. Progent can also help you install and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized businesses a low-cost end-to-end solution for reliable backup and disaster recovery (BDR). Available at a low monthly price, ProSight DPS automates and monitors your backup processes and allows rapid recovery of critical files, applications and virtual machines that have become unavailable or damaged due to hardware failures, software faults, disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to a local storage device, or to both; keeping at least one copy where a compromised domain account cannot reach it is what makes recovery from ransomware possible. Progent's cloud backup consultants can deliver advanced expertise to set up ProSight Data Protection Services to comply with government and industry regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can help you recover your business-critical data. Learn more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top data security vendors to provide web-based control and world-class protection for your inbound and outbound email. The powerful architecture of Progent's Email Guard managed service combines cloud-based filtering with a local gateway device to provide advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The cloud filter acts as a first line of defense and blocks the vast majority of threats from reaching your security perimeter. This reduces your exposure to inbound threats and saves system bandwidth and storage. Email Guard's on-premises gateway appliance adds a further level of inspection for incoming email. For outbound email, the local security gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to track and safeguard internal email traffic that stays within your security perimeter. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to map out, track, enhance and debug their networking hardware such as routers, firewalls, and access points plus servers, client computers and other networked devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always updated, copies and manages the configuration information of almost all devices on your network, monitors performance, and generates alerts when potential issues are discovered. By automating complex management activities, WAN Watch can cut hours off common chores such as network mapping, expanding your network, locating appliances that need critical software patches, or isolating performance problems. Learn more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your network operating at peak levels by checking the state of vital assets that drive your business network. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your designated IT staff and your assigned Progent engineering consultant so any potential problems can be resolved before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual host set up and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the applications. Since the environment is virtualized, it can be moved easily to a different hosting environment without a lengthy and difficult reconfiguration. With ProSight Virtual Hosting, you are not tied to one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and safeguard data about your network infrastructure, procedures, business applications, and services. You can quickly find passwords or serial numbers and be alerted about impending expirations of SSL certificates or domains. By cleaning up and organizing your IT infrastructure documentation, you can save up to half the time wasted looking for vital information about your IT network. ProSight IT Asset Management provides a common location for holding and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're planning improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you require when you need it. Read more about ProSight IT Asset Management service.
For 24/7/365 Richmond Ransomware Remediation Help, reach out to Progent at 800-993-9400 or go to Contact Progent.