Crypto-Ransomware : Your Worst Information Technology Nightmare
Ransomware  Remediation ProfessionalsRansomware has become a too-frequent cyber pandemic that presents an extinction-level danger for businesses of all sizes vulnerable to an attack. Multiple generations of crypto-ransomware like the CrySIS, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for years and still inflict havoc. Newer variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, plus more as yet unnamed newcomers, not only encrypt online files but also infect any accessible system backup. Data replicated to the cloud can also be encrypted. In a poorly designed data protection solution, this can render automatic restoration impossible and effectively knocks the network back to zero.

Getting back applications and information after a ransomware event becomes a sprint against time as the targeted business fights to stop lateral movement and remove the ransomware and to resume mission-critical operations. Because ransomware requires time to move laterally, attacks are usually launched on weekends and holidays, when penetrations may take longer to discover. This compounds the difficulty of rapidly marshalling and coordinating a qualified mitigation team.

Progent offers a range of services for securing businesses from crypto-ransomware events. Among these are team member training to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of modern security solutions with machine learning capabilities to intelligently detect and extinguish day-zero cyber threats. Progent in addition can provide the services of experienced ransomware recovery engineers with the track record and commitment to rebuild a compromised system as rapidly as possible.

Progent's Ransomware Restoration Support Services
After a ransomware penetration, sending the ransom in Bitcoin cryptocurrency does not ensure that cyber hackers will respond with the needed codes to decipher all your files. Kaspersky estimated that 17% of ransomware victims never recovered their files after having paid the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is well higher than the usual ransomware demands, which ZDNET estimates to be around $13,000. The fallback is to piece back together the mission-critical components of your IT environment. Absent access to full system backups, this calls for a broad range of skill sets, top notch project management, and the capability to work non-stop until the recovery project is finished.

For two decades, Progent has provided certified expert Information Technology services for companies in Jersey City and throughout the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have earned high-level certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have earned internationally-recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise with accounting and ERP applications. This breadth of expertise provides Progent the ability to quickly understand necessary systems and consolidate the remaining pieces of your network environment after a ransomware penetration and assemble them into an operational network.

Progent's security group uses top notch project management applications to coordinate the complicated restoration process. Progent appreciates the urgency of working swiftly and in unison with a client's management and Information Technology resources to prioritize tasks and to put the most important systems back online as fast as humanly possible.

Client Story: A Successful Crypto-Ransomware Virus Response
A business engaged Progent after their company was brought down by Ryuk ransomware virus. Ryuk is believed to have been launched by North Korean government sponsored cybercriminals, suspected of adopting approaches leaked from the U.S. NSA organization. Ryuk goes after specific companies with little ability to sustain operational disruption and is one of the most lucrative instances of ransomware. High publicized organizations include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer headquartered in Chicago and has around 500 employees. The Ryuk attack had frozen all company operations and manufacturing processes. The majority of the client's backups had been on-line at the time of the attack and were destroyed. The client was actively seeking loans for paying the ransom (in excess of two hundred thousand dollars) and praying for the best, but in the end brought in Progent.


"I canít thank you enough in regards to the help Progent provided us throughout the most critical time of (our) companyís survival. We would have paid the hackers behind this attack except for the confidence the Progent team provided us. That you were able to get our e-mail system and critical servers back on-line quicker than five days was amazing. Each consultant I worked with or messaged at Progent was laser focused on getting our company operational and was working all day and night to bail us out."

Progent worked together with the customer to rapidly determine and assign priority to the essential systems that had to be recovered to make it possible to continue business functions:

  • Active Directory
  • Email
  • MRP System
To start, Progent adhered to AV/Malware Processes incident response best practices by stopping the spread and cleaning up infected systems. Progent then began the steps of bringing back online Windows Active Directory, the heart of enterprise environments built upon Microsoft Windows technology. Exchange email will not function without AD, and the businessesí financials and MRP system utilized Microsoft SQL Server, which needs Active Directory services for access to the information.

Within two days, Progent was able to rebuild Active Directory to its pre-virus state. Progent then charged ahead with rebuilding and hard drive recovery of key applications. All Microsoft Exchange Server data and attributes were usable, which greatly helped the restore of Exchange. Progent was also able to collect non-encrypted OST files (Outlook Email Offline Data Files) on user desktop computers and laptops to recover mail messages. A not too old off-line backup of the client's accounting systems made it possible to restore these required applications back available to users. Although a large amount of work still had to be done to recover totally from the Ryuk damage, core systems were returned to operations quickly:


"For the most part, the production operation did not miss a beat and we produced all customer shipments."

During the following month key milestones in the recovery process were made through close cooperation between Progent team members and the client:

  • Internal web sites were brought back up with no loss of data.
  • The MailStore Server with over four million historical emails was brought on-line and accessible to users.
  • CRM/Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory modules were completely restored.
  • A new Palo Alto 850 security appliance was set up and programmed.
  • 90% of the desktop computers were fully operational.

"Much of what was accomplished in the initial days is mostly a blur for me, but my management will not soon forget the commitment each and every one of your team accomplished to give us our company back. Iíve been working with Progent for the past ten years, maybe more, and every time I needed help Progent has come through and delivered. This event was no exception but maybe more Herculean."

Conclusion
A probable enterprise-killing disaster was averted with dedicated experts, a wide range of subject matter expertise, and close collaboration. Although in retrospect the ransomware attack detailed here could have been stopped with up-to-date cyber security solutions and NIST Cybersecurity Framework best practices, user and IT administrator training, and appropriate security procedures for data backup and proper patching controls, the reality remains that state-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and will continue. If you do fall victim to a ransomware penetration, remember that Progent's roster of experts has a proven track record in crypto-ransomware virus blocking, mitigation, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for letting me get some sleep after we got past the initial push. Everyone did an incredible effort, and if anyone that helped is in the Chicago area, a great meal is my treat!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Jersey City a range of remote monitoring and security assessment services to help you to reduce the threat from ransomware. These services include modern AI technology to uncover new strains of ransomware that are able to evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that utilizes next generation behavior-based machine learning tools to guard physical and virtual endpoint devices against new malware assaults such as ransomware and email phishing, which routinely get by traditional signature-based AV tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a single platform to address the complete threat lifecycle including filtering, detection, containment, cleanup, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services offer affordable in-depth security for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and reacting to security threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alarms, device control, and web filtering via cutting-edge tools packaged within one agent managed from a unified control. Progent's security and virtualization consultants can assist your business to plan and implement a ProSight ESP deployment that addresses your company's unique needs and that allows you achieve and demonstrate compliance with legal and industry information security regulations. Progent will assist you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require immediate attention. Progent can also help you to install and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and medium-sized businesses an affordable and fully managed solution for secure backup/disaster recovery (BDR). Available at a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup activities and enables rapid recovery of vital files, apps and virtual machines that have become lost or damaged due to hardware breakdowns, software bugs, natural disasters, human mistakes, or malicious attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to a local device, or to both. Progent's cloud backup consultants can provide world-class support to set up ProSight DPS to be compliant with government and industry regulatory requirements such as HIPAA, FIRPA, and PCI and, when needed, can assist you to restore your business-critical information. Read more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security vendors to deliver web-based control and comprehensive protection for your email traffic. The powerful structure of Email Guard integrates a Cloud Protection Layer with a local gateway appliance to offer complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's cloud filter serves as a preliminary barricade and blocks most threats from reaching your security perimeter. This decreases your vulnerability to inbound threats and saves network bandwidth and storage space. Email Guard's on-premises gateway device provides a further level of inspection for incoming email. For outgoing email, the on-premises security gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to track and safeguard internal email that stays inside your security perimeter. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to map out, track, optimize and debug their connectivity hardware such as routers, firewalls, and load balancers as well as servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology maps are always current, captures and displays the configuration information of virtually all devices on your network, monitors performance, and generates alerts when potential issues are discovered. By automating tedious management processes, WAN Watch can cut hours off common tasks like network mapping, reconfiguring your network, finding appliances that need important updates, or resolving performance issues. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system running efficiently by checking the state of vital computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your specified IT management staff and your Progent engineering consultant so all looming issues can be resolved before they can impact your network. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and managed by Progent's network support experts. With the ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the applications. Since the environment is virtualized, it can be ported easily to a different hardware environment without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and safeguard data about your network infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or domains. By updating and organizing your IT infrastructure documentation, you can eliminate as much as half of time wasted looking for critical information about your network. ProSight IT Asset Management features a centralized location for holding and sharing all documents required for managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether youíre making enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you require as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.
For 24-7 Jersey City Crypto Remediation Support Services, reach out to Progent at 800-993-9400 or go to Contact Progent.