Crypto-Ransomware : Your Crippling IT Nightmare
Ransomware Remediation Professionals

Crypto-ransomware has become an all-too-frequent cyberplague that poses an enterprise-level danger for businesses vulnerable to attack. Versions of ransomware such as Dharma, CryptoWall, Locky, NotPetya and the MongoLock cryptoworms have been circulating for a long time and still wreak havoc. Recent versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, along with frequent as yet unnamed newcomers, not only encrypt online data but also infect all available system backups. Data replicated to cloud environments can also be encrypted. In a vulnerable system, this can render automated restore operations impossible and essentially knocks the entire system back to zero.

Getting applications and information back after a ransomware intrusion becomes a race against time as the victim fights to stop lateral movement, remove the ransomware, and restore enterprise-critical activity. Because crypto-ransomware needs time to move laterally, attacks are usually launched at night, when a successful attack may take longer to uncover. This compounds the difficulty of rapidly assembling and organizing a qualified mitigation team.

Progent has an assortment of solutions for securing businesses from crypto-ransomware events. Among these are user training to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of next-generation security solutions with machine learning technology to rapidly detect and quarantine day-zero cyber attacks. Progent in addition offers the services of experienced crypto-ransomware recovery engineers with the skills and perseverance to restore a compromised environment as rapidly as possible.

Progent's Crypto-Ransomware Recovery Services
Following a crypto-ransomware event, sending the ransom in cryptocurrency does not ensure that the attackers will respond with the keys needed to decrypt any or all of your files. Kaspersky determined that 17% of crypto-ransomware victims never restored their information after having sent off the ransom, resulting in additional losses. Paying is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET determined to be approximately $13,000. The fallback is to piece back together the essential parts of your Information Technology environment. Without access to full information backups, this calls for a wide range of skill sets, professional team management, and the capability to work continuously until the job is finished.

For two decades, Progent has provided professional Information Technology services for companies in Colorado Springs and across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have been awarded advanced certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have garnered internationally-renowned certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in accounting and ERP applications. This breadth of experience gives Progent the skills to efficiently identify critical systems, re-organize the surviving parts of your network following a ransomware penetration, and assemble them into a functioning network.

Progent's security team uses powerful project management tools to orchestrate the complex restoration process. Progent understands the importance of acting rapidly and in unison with a customer's management and Information Technology team members to prioritize tasks and to put key systems back online as soon as possible.

Customer Story: A Successful Crypto-Ransomware Penetration Response
A small business hired Progent after their network was brought down by the Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean government-sponsored cybercriminals, possibly adopting strategies leaked from America's NSA. Ryuk targets specific organizations with limited tolerance for operational disruption and is among the most lucrative examples of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in the Chicago metro area with about 500 workers. The Ryuk penetration had frozen all essential operations and manufacturing capabilities. The majority of the client's backups had been online at the time of the attack and were destroyed. The client was pursuing financing to pay the ransom demand (more than $200K) and hoping for good luck, but ultimately engaged Progent.


"I can't speak enough about the expertise Progent provided us during the most critical time of (our) business's life. We would have paid the cybercriminals except for the confidence the Progent experts afforded us. The fact that you were able to get our messaging and critical servers back online in less than one week was amazing. Every single consultant I worked with or texted at Progent was absolutely committed to getting us operational and was working at all hours to bail us out."

Progent worked with the customer to quickly identify and assign priority to the critical areas that needed to be recovered in order to resume company functions:

  • Windows Active Directory
  • Microsoft Exchange Server
  • Financials/MRP

To start, Progent followed industry best practices for ransomware penetration response by halting lateral movement and performing malware removal steps. Progent then began the task of rebuilding Active Directory, the core technology of enterprise systems built on Microsoft Windows Server. Microsoft Exchange Server email will not function without AD, and the client's MRP applications used Microsoft SQL Server, which depends on Active Directory for access to the database.

Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then initiated reinstallations and hard drive recovery on key servers. All Microsoft Exchange Server data and attributes were intact, which greatly helped the restoration of Exchange. Progent was also able to find intact OST files (Outlook Offline Data Files) on user desktop computers and laptops in order to recover email data. A recent offline backup of the business's accounting/ERP systems made it possible to bring these vital services back online for users. Although a large amount of work remained to recover fully from the Ryuk event, core systems were recovered quickly:


"For the most part, the production manufacturing operation showed little impact and we produced all customer sales."

Throughout the next month, key milestones in the restoration project were reached through tight collaboration between Progent consultants and the customer:

  • Internal web sites were brought back up without losing any data.
  • The MailStore Server with over 4 million historical messages was brought online and available for users.
  • CRM/Customer Orders/Invoices/AP/Accounts Receivables (AR)/Inventory functions were 100% functional.
  • A new Palo Alto Networks 850 firewall was set up.
  • Nearly all of the user desktops and notebooks were functioning as before the incident.

"Much of what was accomplished during the initial response is nearly entirely a fog for me, but our team will not forget the care each of you accomplished to give us our business back. I have entrusted Progent for the past ten years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This situation was a testament to your capabilities."

Conclusion
A potential business-extinction disaster was avoided through the efforts of dedicated experts, a wide range of IT skills, and tight teamwork. Although forensics completed afterward showed that the crypto-ransomware attack detailed here should have been stopped by up-to-date security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, well-designed incident response procedures for information protection, and proper patching controls, the reality is that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a crypto-ransomware attack, you can be confident that Progent's roster of professionals has a proven track record in ransomware defense, cleanup, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were contributing), thanks very much for making it so I could get some sleep after we made it over the initial fire. Everyone did an impressive job, and if anyone is visiting the Chicago area, a great meal is on me!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Colorado Springs a variety of remote monitoring and security evaluation services designed to help you reduce your vulnerability to ransomware. These services include modern AI capability to detect zero-day variants of ransomware that are able to escape detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes next generation behavior-based machine learning technology to defend physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which easily escape legacy signature-matching anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud resources and offers a unified platform to automate the complete malware attack lifecycle including protection, identification, mitigation, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows VSS and real-time system-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable multi-layer security for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and responding to cyber assaults from all vectors. ProSight ESP offers firewall protection, intrusion alerts, device control, and web filtering through cutting-edge technologies incorporated within a single agent accessible from a unified console. Progent's data protection and virtualization consultants can help you to design and implement a ProSight ESP deployment that addresses your company's unique needs and that helps you demonstrate compliance with government and industry information protection regulations. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require immediate action. Progent's consultants can also help your company to install and verify a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations a low-cost and fully managed solution for reliable backup/disaster recovery (BDR). Available at a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup processes and allows fast recovery of critical files, applications and VMs that have become unavailable or damaged due to hardware failures, software bugs, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware images. Critical data can be protected in the cloud, on a local storage device, or both. Progent's BDR specialists can deliver advanced expertise to configure ProSight Data Protection Services to be compliant with regulatory requirements such as HIPAA, FINRA, and PCI and, whenever necessary, can help you to recover your critical data. Read more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading data security vendors to deliver centralized control and comprehensive security for all your email traffic. The hybrid structure of Progent's Email Guard combines cloud-based filtering with an on-premises security gateway appliance to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The cloud filter serves as a preliminary barricade and blocks most unwanted email from reaching your security perimeter. This reduces your vulnerability to external attacks and saves system bandwidth and storage. Email Guard's on-premises security gateway appliance adds a deeper layer of inspection for incoming email. For outbound email, the onsite gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The on-premises gateway can also assist Exchange Server to monitor and safeguard internal email that originates and ends inside your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller businesses to map, track, optimize and troubleshoot their networking appliances such as routers, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology maps are always updated, copies and manages the configuration of almost all devices connected to your network, tracks performance, and generates alerts when potential issues are detected. By automating tedious management activities, ProSight WAN Watch can cut hours off common tasks such as network mapping, expanding your network, finding appliances that need important software patches, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management technology to help keep your IT system operating efficiently by checking the state of vital assets that power your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your designated IT management staff and your assigned Progent engineering consultant so that any potential issues can be addressed before they can impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual host set up and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the apps. Because the system is virtualized, it can be ported immediately to a different hosting environment without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and protect data related to your IT infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates or domains. By cleaning up and managing your IT documentation, you can save as much as half the time wasted searching for critical information about your network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents related to managing your network infrastructure, such as recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're planning improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you require the instant you need it. Learn more about ProSight IT Asset Management service.

For Colorado Springs 24/7 Crypto-Ransomware Remediation Experts, contact Progent at 800-462-8800 or go to Contact Progent.