Crypto-Ransomware : Your Worst Information Technology Nightmare
Crypto-Ransomware  Remediation ExpertsRansomware has become an escalating cyberplague that represents an existential threat for organizations poorly prepared for an assault. Different versions of ransomware such as CrySIS, Fusob, Locky, Syskey and MongoLock cryptoworms have been replicating for many years and still cause damage. Modern strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, along with frequent unnamed malware, not only encrypt online files but also infiltrate many configured system backup. Information replicated to the cloud can also be ransomed. In a vulnerable data protection solution, it can make automatic recovery impossible and basically knocks the network back to square one.

Retrieving programs and data after a crypto-ransomware intrusion becomes a sprint against time as the targeted business tries its best to contain the damage and cleanup the crypto-ransomware and to resume business-critical operations. Since ransomware requires time to spread, penetrations are usually launched on weekends, when successful attacks in many cases take longer to uncover. This compounds the difficulty of quickly marshalling and organizing an experienced mitigation team.

Progent makes available a variety of support services for securing organizations from crypto-ransomware events. Among these are user training to become familiar with and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to installation of modern security solutions with artificial intelligence technology to quickly identify and suppress day-zero threats. Progent also offers the services of experienced crypto-ransomware recovery engineers with the talent and commitment to rebuild a compromised system as rapidly as possible.

Progent's Crypto-Ransomware Restoration Support Services
After a crypto-ransomware penetration, even paying the ransom in cryptocurrency does not ensure that merciless criminals will respond with the needed codes to unencrypt any or all of your data. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their files even after having paid the ransom, resulting in additional losses. The risk is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the usual ransomware demands, which ZDNET averages to be around $13,000. The fallback is to setup from scratch the key parts of your IT environment. Absent access to essential data backups, this requires a broad range of IT skills, top notch team management, and the ability to work 24x7 until the recovery project is done.

For twenty years, Progent has offered expert IT services for businesses in Richmond and throughout the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have attained high-level certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have garnered internationally-recognized industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has experience in financial systems and ERP application software. This breadth of expertise affords Progent the ability to efficiently identify critical systems and re-organize the surviving components of your IT system following a ransomware attack and configure them into an operational system.

Progent's recovery team of experts utilizes best of breed project management systems to coordinate the complicated recovery process. Progent understands the urgency of acting rapidly and in concert with a client's management and Information Technology resources to prioritize tasks and to get the most important systems back online as fast as humanly possible.

Customer Case Study: A Successful Ransomware Incident Recovery
A customer hired Progent after their organization was attacked by Ryuk ransomware virus. Ryuk is thought to have been developed by North Korean government sponsored hackers, possibly using strategies exposed from Americaís National Security Agency. Ryuk attacks specific organizations with limited ability to sustain disruption and is one of the most lucrative examples of ransomware. Headline organizations include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturer based in Chicago with about 500 workers. The Ryuk attack had disabled all business operations and manufacturing capabilities. Most of the client's information backups had been on-line at the beginning of the intrusion and were damaged. The client considered paying the ransom demand (more than two hundred thousand dollars) and praying for the best, but in the end called Progent.


"I cannot say enough in regards to the support Progent provided us during the most critical time of (our) companyís existence. We most likely would have paid the criminal gangs except for the confidence the Progent group provided us. The fact that you were able to get our e-mail system and essential applications back on-line in less than 1 week was incredible. Each expert I interacted with or communicated with at Progent was urgently focused on getting us back on-line and was working 24/7 on our behalf."

Progent worked hand in hand the client to quickly identify and assign priority to the most important elements that needed to be addressed to make it possible to resume business functions:

  • Active Directory (AD)
  • Microsoft Exchange Email
  • Accounting/MRP
To start, Progent followed AV/Malware Processes incident response best practices by stopping the spread and cleaning up infected systems. Progent then initiated the process of restoring Microsoft AD, the key technology of enterprise environments built on Microsoft technology. Microsoft Exchange messaging will not function without Active Directory, and the client's MRP applications used SQL Server, which requires Active Directory for authentication to the data.

Within 48 hours, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then performed rebuilding and storage recovery on mission critical systems. All Exchange Server data and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to locate intact OST data files (Outlook Offline Data Files) on team workstations to recover email messages. A not too old offline backup of the customerís accounting/MRP software made it possible to restore these vital services back online for users. Although significant work was left to recover fully from the Ryuk attack, core systems were recovered quickly:


"For the most part, the production line operation survived unscathed and we delivered all customer sales."

Throughout the next few weeks critical milestones in the recovery process were completed through tight cooperation between Progent team members and the customer:

  • Internal web sites were restored with no loss of information.
  • The MailStore Exchange Server with over 4 million historical emails was restored to operations and available for users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory functions were fully recovered.
  • A new Palo Alto 850 security appliance was brought on-line.
  • Ninety percent of the desktops and laptops were fully operational.

"So much of what occurred during the initial response is mostly a fog for me, but my team will not forget the countless hours each and every one of your team put in to help get our business back. Iíve been working together with Progent for the past ten years, possibly more, and each time Progent has impressed me and delivered as promised. This event was a Herculean accomplishment."

Conclusion
A probable business-ending disaster was avoided with results-oriented professionals, a wide range of knowledge, and close teamwork. Although in retrospect the crypto-ransomware virus incident detailed here would have been prevented with advanced cyber security technology solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, and well thought out incident response procedures for data backup and proper patching controls, the reality remains that state-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incursion, remember that Progent's team of professionals has a proven track record in crypto-ransomware virus blocking, remediation, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were helping), thank you for allowing me to get some sleep after we made it through the initial fire. Everyone did an incredible job, and if any of your guys is around the Chicago area, a great meal is my treat!"

To read or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Richmond a variety of remote monitoring and security evaluation services to help you to minimize your vulnerability to ransomware. These services include modern AI capability to detect new variants of ransomware that are able to escape detection by legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates next generation behavior-based analysis technology to defend physical and virtual endpoints against new malware assaults like ransomware and email phishing, which routinely evade traditional signature-matching AV products. ProSight Active Security Monitoring protects local and cloud resources and provides a unified platform to automate the complete malware attack progression including protection, detection, containment, cleanup, and post-attack forensics. Key features include single-click rollback with Windows VSS and automatic network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services deliver economical in-depth protection for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and responding to cyber threats from all vectors. ProSight ESP provides firewall protection, intrusion alarms, device management, and web filtering through cutting-edge tools incorporated within one agent managed from a unified console. Progent's security and virtualization experts can help your business to plan and implement a ProSight ESP environment that meets your company's unique requirements and that allows you demonstrate compliance with government and industry information protection regulations. Progent will help you specify and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for immediate action. Progent's consultants can also assist you to set up and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and medium-sized organizations a low cost and fully managed service for reliable backup/disaster recovery. For a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup activities and allows fast recovery of critical files, apps and virtual machines that have become lost or damaged as a result of hardware breakdowns, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware images/. Important data can be protected on the cloud, to an on-promises device, or to both. Progent's backup and recovery specialists can deliver world-class expertise to configure ProSight DPS to to comply with government and industry regulatory standards such as HIPAA, FIRPA, PCI and Safe Harbor and, whenever necessary, can help you to recover your critical information. Learn more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading information security companies to provide centralized control and world-class security for all your email traffic. The powerful structure of Email Guard combines cloud-based filtering with a local gateway appliance to offer complete protection against spam, viruses, Dos Attacks, DHAs, and other email-borne threats. The cloud filter serves as a preliminary barricade and keeps the vast majority of unwanted email from making it to your network firewall. This reduces your vulnerability to inbound attacks and saves system bandwidth and storage. Email Guard's onsite gateway appliance provides a deeper layer of inspection for inbound email. For outbound email, the on-premises gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The local gateway can also assist Microsoft Exchange Server to track and safeguard internal email that stays inside your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to map out, track, reconfigure and troubleshoot their networking appliances like routers, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always current, copies and manages the configuration of almost all devices on your network, monitors performance, and generates notices when problems are discovered. By automating tedious management processes, WAN Watch can cut hours off ordinary chores like network mapping, reconfiguring your network, locating appliances that need important software patches, or identifying the cause of performance issues. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that uses advanced remote monitoring and management techniques to keep your IT system running efficiently by tracking the health of critical assets that drive your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your specified IT management staff and your assigned Progent engineering consultant so that any potential issues can be resolved before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected fault tolerant data center on a fast virtual machine host configured and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be ported immediately to a different hardware environment without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not tied a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and safeguard information related to your network infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be alerted about impending expirations of SSLs ,domains or warranties. By updating and organizing your IT documentation, you can save as much as 50% of time spent trying to find critical information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents related to managing your business network like recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether youíre making enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you require the instant you need it. Learn more about ProSight IT Asset Management service.
For Richmond 24x7 Crypto Removal Support Services, contact Progent at 800-462-8800 or go to Contact Progent.