Crypto-Ransomware : Your Feared Information Technology Nightmare
Crypto-Ransomware Recovery Professionals
Crypto-ransomware has become a modern cyber pandemic that poses an existential threat to businesses of every size that are unprepared for an attack. Earlier ransomware such as the Reveton, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms has been running rampant for years and continues to cause damage. More recent crypto-ransomware variants like Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, along with others not yet named, not only encrypt critical online data but also seek out and compromise any reachable system backups. Files synchronized to the cloud can be ransomed as well. In a vulnerable environment this can make automated restoration hopeless and effectively knocks the datacenter back to zero.

Getting programs and data back after a ransomware event becomes a race against time as the targeted business works to stop lateral movement, eradicate the malware and restore business-critical operations. Because crypto-ransomware needs time to spread, attacks are often launched on weekends and at night, when intrusions take longer to notice. This makes promptly mobilizing and coordinating an experienced response team even harder.

Progent offers a range of services for protecting businesses from ransomware attacks. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security appliances that use machine learning to quickly identify and disable zero-day threats. Progent also provides the assistance of expert ransomware recovery professionals with the track record and perseverance to rebuild a breached system as rapidly as possible.

Progent's Ransomware Recovery Help
After a ransomware penetration, paying the ransom in cryptocurrency does not guarantee that the attackers will provide the keys needed to decrypt all your data. Kaspersky found that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The ransom itself is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000), far above the typical crypto-ransomware demand, which ZDNET estimates at approximately $13,000. The alternative is to set up the critical parts of your IT environment from scratch. Without usable backups of essential data, this calls for a wide range of skill sets, top-notch team management, and the willingness to work non-stop until the job is done.

For two decades, Progent has provided expert IT services for companies in Richmond and throughout the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who hold top certifications in leading technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cybersecurity experts hold internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise in accounting and ERP applications. This breadth of expertise gives Progent the skills to knowledgeably identify the systems that must be recovered, organize the surviving pieces of your network after a ransomware event, and rebuild them into a functioning network.

Progent's recovery group uses top-notch project management tools to orchestrate the complex recovery process. Progent understands the urgency of working quickly and in concert with a customer's management and IT staff to prioritize tasks and bring essential services back online as fast as humanly possible.

Business Case Study: A Successful Ransomware Virus Response
A client contacted Progent after their company was penetrated by Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state cybercriminals, suspected of using techniques leaked from the United States NSA. Ryuk targets specific businesses with little ability to tolerate disruption and is one of the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing business headquartered in Chicago with around 500 employees. The Ryuk attack had frozen all business operations and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were destroyed. The client was considering paying the ransom demand (more than two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.


"I cannot say enough in regards to the support Progent provided us throughout the most fearful time of (our) company's life. We may have had to pay the cyber criminals behind the attack if it wasn't for the confidence the Progent group afforded us. That you could get our e-mail and important servers back online sooner than five days was earth shattering. Each expert I got help from or messaged at Progent was urgently focused on getting our company operational and was working at breakneck pace to bail us out."

Progent worked hand in hand with the client to quickly identify and prioritize the essential elements that had to be recovered before business operations could resume:

  • Active Directory
  • E-Mail
  • MRP System

To begin, Progent followed ransomware incident response best practices by halting lateral movement and cleaning infected systems. Progent then began recovering Microsoft Active Directory, the core of enterprise environments built on Microsoft Windows Server. Exchange messaging will not function without AD, and the client's MRP system ran on SQL Server, which relies on Active Directory for authentication and authorization to the database.

Within 48 hours, Progent had rebuilt Active Directory to its pre-penetration state. Progent then helped perform reinstallations and storage recovery on critical systems. All Microsoft Exchange Server ties and configuration information were intact, which facilitated the rebuild of Exchange. Progent was able to locate unencrypted OST files (Microsoft Outlook Offline Data Files) on staff desktops and laptops and used them to recover mail data. A recent offline backup of the customer's accounting software made it possible to bring these essential applications back online for users. Although significant work remained to recover fully from the Ryuk event, core services were restored rapidly:


"For the most part, the manufacturing operation did not miss a beat and we did not miss any customer shipments."

Over the following few weeks critical milestones in the restoration project were achieved through close collaboration between Progent consultants and the customer:

  • Internal web applications were restored with no loss of information.
  • The MailStore Server containing more than four million archived emails was restored to operations and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control modules were 100% restored.
  • A new Palo Alto Networks 850 firewall was set up.
  • Ninety percent of the user workstations were fully operational.

"A huge amount of what happened in the initial days is mostly a fog for me, but we will not forget the commitment each of your team put in to give us our business back. I've been working with Progent for the past 10 years, maybe more, and each time Progent has come through and delivered. This event was a testament to your capabilities."

Conclusion
A likely business-killing disaster was averted by top-tier experts, a broad array of subject matter expertise, and tight teamwork. In hindsight, the ransomware attack described here could have been detected and blocked with current cybersecurity systems, security best practices, user education, and properly executed procedures for data protection and patching. The reality, however, is that state-sponsored cybercriminals from China, North Korea and elsewhere are relentless and are not going away. If you are hit by a ransomware penetration, remember that Progent's roster of professionals has substantial experience in ransomware prevention, remediation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were contributing), thanks very much for making it so I could get rested after we got over the initial fire. Everyone did an amazing job, and if anyone that helped is around the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this customer case study, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Richmond a portfolio of remote monitoring and security evaluation services to help you minimize your exposure to ransomware. These services incorporate modern machine learning capabilities to uncover new strains of ransomware that evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates next generation behavior-based analysis technology to guard physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which routinely escape legacy signature-matching AV products. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a single platform to manage the entire threat progression including blocking, identification, mitigation, remediation, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection services deliver economical in-depth security for physical and virtual servers, workstations, mobile devices, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics to continuously monitor and respond to security threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering through cutting-edge technologies incorporated within a single agent managed from a single console. Progent's data protection and virtualization consultants can help you design and configure a ProSight ESP deployment that meets your organization's specific needs and helps you demonstrate compliance with legal and industry information protection standards. Progent will help you define and implement the security policies that ProSight ESP enforces, and Progent will monitor your IT environment and react to alarms that call for immediate attention. Progent's consultants can also help you set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and medium-sized organizations a low-cost end-to-end service for reliable backup and disaster recovery (BDR). Available at a fixed monthly cost, ProSight Data Protection Services automates your backup activities and allows fast recovery of vital data, applications and virtual machines that have become unavailable or damaged as a result of hardware failures, software bugs, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to an on-premises device, or mirrored to both. Progent's cloud backup consultants can provide world-class expertise to configure ProSight DPS to comply with government and industry regulatory standards such as HIPAA, FINRA, and PCI and, whenever necessary, can assist you in restoring your critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses technology from leading information security companies to provide centralized control and comprehensive protection for your inbound and outbound email. The hybrid structure of the Email Guard managed service combines cloud-based filtering with an on-premises security gateway device to offer complete protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your exposure to inbound attacks and saves network bandwidth and storage space. Email Guard's on-premises security gateway device provides a further level of analysis for inbound email. For outbound email, the onsite security gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The local gateway can also help Microsoft Exchange Server monitor and safeguard internal email traffic that stays inside your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to map out, track, optimize and troubleshoot their connectivity hardware like switches, firewalls, and access points plus servers, printers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network diagrams are kept current, captures and manages the configuration information of almost all devices connected to your network, monitors performance, and sends alerts when potential issues are discovered. By automating time-consuming management and troubleshooting processes, ProSight WAN Watch can knock hours off common chores like network mapping, expanding your network, locating appliances that need critical software patches, or isolating performance problems. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management technology to keep your IT system operating at peak levels by tracking the health of the critical assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your designated IT personnel and your assigned Progent engineering consultant so that potential problems can be addressed before they impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's IT support experts. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the applications. Since the environment is virtualized, it can be moved immediately to an alternate hosting environment without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and safeguard information about your network infrastructure, procedures, business applications, and services. You can instantly find passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or warranties. By keeping your IT infrastructure documentation current and organized, you can eliminate up to 50% of the time spent searching for critical information about your network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents related to managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether you're making improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.

For Richmond 24-7 Crypto-Ransomware Repair Consultants, contact Progent at 800-462-8800 or go to Contact Progent.