Crypto-Ransomware : Your Feared IT Disaster
Ransomware Remediation Experts
Ransomware has become a modern cyber pandemic that poses an existential threat to organizations poorly prepared for an attack. Multiple generations of ransomware like the Reveton, Fusob, Locky, SamSam and MongoLock cryptoworms have been circulating for many years and still cause damage. Modern variants of ransomware such as Ryuk and Hermes, along with frequent unnamed newcomers, not only encrypt critical online data but also infect any configured system backup they can reach. Data synchronized to the cloud can also be encrypted. In a vulnerable environment this can render any restore operation useless and effectively set the entire system back to zero.

Getting applications and data back online after a crypto-ransomware intrusion becomes a sprint against time as the targeted organization struggles to stop lateral movement, eradicate the crypto-ransomware, and restore business-critical activity. Because ransomware requires time to spread, attacks are frequently sprung during nights and weekends, when intrusions are likely to take longer to recognize. This compounds the difficulty of quickly mobilizing and orchestrating a qualified response team.

Progent offers a variety of solutions for protecting enterprises from ransomware penetrations. These include team training to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of the latest generation security appliances with artificial intelligence technology to automatically discover and extinguish new threats. Progent in addition provides the services of seasoned ransomware recovery consultants with the track record and perseverance to restore a breached environment as soon as possible.

Progent's Ransomware Recovery Services
After a crypto-ransomware intrusion, paying the ransom demanded in cryptocurrency does not ensure that the criminals will respond with the keys needed to decrypt any or all of your data. Kaspersky Labs found that seventeen percent of ransomware victims never recovered their files even after paying the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical crypto-ransomware demand, which ZDNET estimates to be approximately $13,000. The alternative is to set up the mission-critical elements of your IT environment from scratch. Without access to essential data backups, this requires a broad complement of IT skills, professional team management, and the capability to work continuously until the task is finished.

For twenty years, Progent has offered professional Information Technology services for businesses in Colorado Springs and throughout the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have attained top industry certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have earned internationally-renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise with financial management and ERP application software. This breadth of expertise gives Progent the ability to quickly identify the necessary systems, integrate the remaining pieces of your IT environment after a ransomware attack, and configure them into an operational system.

Progent's recovery group has powerful project management tools to coordinate the sophisticated restoration process. Progent understands the importance of acting quickly and in concert with a customer's management and IT resources to assign priority to tasks and to put key systems back on line as soon as humanly possible.

Business Case Study: A Successful Ransomware Intrusion Recovery
A business contacted Progent after their network was attacked by the Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state-sponsored cybercriminals, suspected of adopting techniques leaked from the United States National Security Agency. Ryuk targets specific organizations with limited tolerance for operational disruption and is among the most lucrative ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer located in Chicago with about 500 staff members. The Ryuk attack had brought down all company operations and manufacturing capabilities. The majority of the client's data backups had been online at the start of the attack and were encrypted. The client was actively seeking loans to pay the ransom demand (in excess of $200K) and hoping for the best, but ultimately made the decision to engage Progent.


"I cannot speak enough in regards to the support Progent gave us throughout the most stressful period of (our) company's life. We may have had to pay the Hackers if not for the confidence the Progent group gave us. The fact that you could get our e-mail and production servers back on-line sooner than one week was something I thought impossible. Each person I talked with or texted at Progent was laser focused on getting us restored and was working 24 by 7 on our behalf."

Progent worked together with the client to quickly identify and prioritize the mission critical services that needed to be addressed in order to continue business operations:

  • Active Directory (AD)
  • Electronic Mail
  • MRP System
To begin, Progent followed industry best practices for malware incident containment by isolating and cleaning up infected systems. Progent then began the work of restoring Microsoft Active Directory, the foundation of enterprise systems built upon Microsoft Windows technology. Microsoft Exchange Server email will not function without AD, and the business's MRP software relied on Microsoft SQL Server, which needs Active Directory services to authenticate access to the data.

Within 48 hours, Progent was able to rebuild Active Directory to its pre-attack state. Progent then initiated reinstallations and storage recovery on key servers. All Exchange schema and configuration information were intact, which facilitated the restore of Exchange. Progent was able to locate non-encrypted OST files (Microsoft Outlook Offline Data Files) on user PCs to recover email messages. A reasonably recent offline backup of the customer's accounting/ERP systems made it possible to bring these vital services back into service for users. Although a large amount of work remained to recover fully from the Ryuk damage, core systems were recovered rapidly:


"For the most part, the manufacturing operation was never shut down and we delivered all customer deliverables."
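The OST recovery step described above depends on quickly telling which Outlook data files on user PCs are still intact and which have been encrypted. The following script is an added example, not Progent's tooling: it walks a directory tree, checks each .ost/.pst file (including ransomware-renamed ones) for the Outlook "!BDN" file signature, and flags signature-less files with near-random headers as encrypted. The sample directory tree it builds is constructed for the demonstration.

```python
"""Triage Outlook offline data files after a ransomware event (added example)."""
import math
import os
import tempfile
from collections import Counter

OUTLOOK_MAGIC = b"!BDN"   # dwMagic found at offset 0 of every PST/OST file
SAMPLE_BYTES = 4096       # header region examined for the entropy check
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; ~8.0 means uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_ost(path: str) -> str:
    """Return 'intact', 'encrypted' or 'unknown' for one Outlook data file."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if head.startswith(OUTLOOK_MAGIC):
        return "intact"
    if shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "encrypted"    # signature gone and header is near-random
    return "unknown"          # truncated, zero-filled or not an Outlook file


def triage_tree(root: str) -> dict:
    """Map every file named like an OST/PST under root to its state."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if ".ost" in name.lower() or ".pst" in name.lower():
                full = os.path.join(dirpath, name)
                results[os.path.relpath(full, root)] = classify_ost(full)
    return results


def build_sample_tree() -> str:
    """Constructed sample data: one intact OST and one encrypted, renamed OST."""
    root = tempfile.mkdtemp(prefix="ost_triage_")
    os.makedirs(os.path.join(root, "alice"))
    os.makedirs(os.path.join(root, "bob"))
    with open(os.path.join(root, "alice", "alice.ost"), "wb") as fh:
        fh.write(OUTLOOK_MAGIC + b"\x00" * 4 + b"SM" + b"\x00" * 4086)
    with open(os.path.join(root, "bob", "bob.ost.locked"), "wb") as fh:
        fh.write(os.urandom(SAMPLE_BYTES))   # stands in for ciphertext
    return root


if __name__ == "__main__":
    for rel, state in sorted(triage_tree(build_sample_tree()).items()):
        print(f"{state:10s} {rel}")
```

Files reported as intact are candidates for copying to clean media before any workstation is reimaged; the entropy check only guards against renamed or partially overwritten files and is not a substitute for verifying the copy opens in Outlook.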

Over the following couple of weeks critical milestones in the restoration process were accomplished through tight collaboration between Progent team members and the client:

  • Internal web applications were restored without losing any information.
  • The MailStore Server containing more than 4 million historical messages was brought online and accessible to users.
  • CRM/Product Ordering/Invoices/AP/AR/Inventory modules were fully restored.
  • A new Palo Alto 850 security appliance was deployed.
  • Most of the user workstations were operational.

"A lot of what transpired in the early hours is mostly a blur for me, but I will not soon forget the urgency each and every one of your team accomplished to give us our business back. I have trusted Progent for at least 10 years, possibly more, and every time I needed help Progent has shined and delivered. This event was the most impressive ever."

Conclusion
A probable business-ending disaster was averted thanks to dedicated professionals, a wide array of knowledge, and tight teamwork. In hindsight, the ransomware intrusion described here should have been identified and stopped by up-to-date cyber security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team education, appropriate incident response procedures for data protection, and keeping systems current with security patches. The fact remains, however, that government-sponsored cyber criminals from Russia, China and elsewhere are relentless and pose an ongoing threat. If you do fall victim to ransomware, you can be confident that Progent's team of experts has proven experience in crypto-ransomware blocking, remediation, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were contributing), thanks very much for allowing me to get some sleep after we made it past the initial fire. All of you did a fabulous effort, and if any of your guys is in the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Colorado Springs a variety of online monitoring and security assessment services designed to help you to reduce the threat from crypto-ransomware. These services include next-generation AI capability to detect new variants of ransomware that are able to escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes cutting edge behavior-based machine learning tools to defend physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which easily evade traditional signature-matching anti-virus tools. ProSight ASM safeguards on-premises and cloud-based resources and provides a unified platform to automate the entire malware attack progression including blocking, identification, mitigation, cleanup, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer economical in-depth security for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint management, and web filtering through leading-edge technologies incorporated within a single agent managed from a unified console. Progent's data protection and virtualization experts can assist you to design and configure a ProSight ESP environment that meets your organization's unique requirements and that helps you prove compliance with legal and industry information protection regulations. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for immediate action. Progent can also assist your company to set up and test a backup and restore system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized businesses an affordable end-to-end solution for secure backup and disaster recovery. Available at a fixed monthly price, ProSight DPS automates your backup activities and enables fast recovery of critical data, applications and virtual machines that have become unavailable or corrupted as a result of component breakdowns, software bugs, disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images. Important data can be backed up to the cloud, to a local device, or mirrored to both. Progent's backup and recovery specialists can deliver advanced support to configure ProSight DPS to comply with regulatory standards such as HIPAA, FERPA, PCI and Safe Harbor and, when necessary, can assist you to restore your critical information. Read more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top information security companies to deliver web-based control and comprehensive protection for your inbound and outbound email. The powerful architecture of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises gateway appliance to provide advanced protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-based threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps most threats from reaching your security perimeter. This reduces your exposure to external threats and conserves system bandwidth and storage. Email Guard's onsite security gateway appliance provides a further level of analysis for incoming email. For outbound email, the onsite gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The local gateway can also assist Exchange Server to track and safeguard internal email traffic that originates and ends within your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map out, track, optimize and troubleshoot their connectivity hardware such as routers and switches, firewalls, and load balancers plus servers, printers, endpoints and other devices. Using cutting-edge RMM technology, ProSight WAN Watch makes sure that network diagrams are kept current, captures and displays the configuration information of almost all devices connected to your network, tracks performance, and generates alerts when issues are detected. By automating complex management processes, ProSight WAN Watch can knock hours off common chores like network mapping, expanding your network, finding appliances that require important updates, or identifying the cause of performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your network running efficiently by tracking the state of vital assets that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your specified IT staff and your Progent consultant so all looming problems can be resolved before they can disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual host configured and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the apps. Since the system is virtualized, it can be moved easily to an alternate hosting solution without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and protect data related to your network infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or warranties. By updating and managing your IT documentation, you can eliminate up to 50% of time wasted looking for critical information about your network. ProSight IT Asset Management features a common location for storing and collaborating on all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT information. Whether you're planning enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you require when you need it. Learn more about Progent's ProSight IT Asset Management service.
For 24-7 Colorado Springs crypto-ransomware recovery experts, call Progent at 800-993-9400 or go to Contact Progent.