Crypto-Ransomware : Your Crippling Information Technology Catastrophe
Ransomware Recovery Experts

Ransomware has become a too-frequent cyber pandemic that represents an enterprise-level threat for businesses of all sizes vulnerable to an attack. Versions of ransomware such as the CryptoLocker, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been running rampant for years and still inflict havoc. Recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit or Nephilim, as well as frequent as-yet-unnamed viruses, not only encrypt online files but also infiltrate any system backups they can reach. Files replicated to the cloud can also be encrypted. In a poorly designed environment, this can render every recovery point useless and effectively reset the network to zero.

Bringing applications and data back on-line following a ransomware attack becomes a race against the clock as the victim tries its best to contain the damage, eradicate the ransomware, and resume mission-critical activity. Since ransomware requires time to spread, attacks are usually launched on weekends, when they are likely to take longer to uncover. This multiplies the difficulty of rapidly assembling and orchestrating a capable mitigation team.

Progent provides a range of services for protecting enterprises from ransomware events. These include user education to help identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of modern security solutions with machine learning capabilities to intelligently discover and suppress new cyber threats. Progent in addition offers the services of expert ransomware recovery consultants with the talent and commitment to re-deploy a compromised network as rapidly as possible.

Progent's Ransomware Restoration Support Services
After a ransomware event, paying the ransom demand in cryptocurrency does not guarantee that distant criminals will provide the codes needed to decrypt any or all of your data. Kaspersky estimated that 17% of ransomware victims never restored their information even after having paid the ransom, resulting in additional losses. Paying is also costly in itself. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far higher than the typical crypto-ransomware demand, which ZDNET estimates to average approximately $13,000. The other path is to re-install the essential parts of your Information Technology environment. Without complete data backups, this requires a wide complement of IT skills, top notch project management, and the capability to work non-stop until the task is over.

For decades, Progent has offered certified expert IT services for companies in Raleigh and throughout the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have earned high-level certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have earned internationally-recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications). Progent in addition has experience in accounting and ERP application software. This breadth of experience gives Progent the ability to knowledgably ascertain necessary systems and integrate the remaining parts of your network environment following a ransomware penetration and configure them into a functioning network.

Progent's recovery group utilizes top notch project management tools to orchestrate the complicated recovery process. Progent appreciates the urgency of working quickly and together with a customer's management and Information Technology staff to prioritize tasks and to put critical systems back on-line as fast as humanly possible.

Customer Case Study: A Successful Crypto-Ransomware Attack Response
A small business escalated to Progent after their network was attacked by the Ryuk ransomware. Ryuk is thought to have been created by North Korean government-sponsored cybercriminals, possibly adopting techniques leaked from America's NSA. Ryuk targets specific businesses with limited ability to sustain disruption and is among the most profitable instances of ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing business headquartered in Chicago with about 500 staff members. The Ryuk penetration had shut down all company operations and manufacturing capabilities. The majority of the client's system backups had been online at the beginning of the attack and were eventually encrypted. The client was evaluating paying the ransom (more than $200,000) and hoping for good luck, but in the end reached out to Progent.


"I cannot tell you enough about the help Progent gave us throughout the most fearful time of (our) company's existence. We most likely would have paid the cyber criminals behind the attack except for the confidence the Progent team gave us. That you could get our messaging and key servers back on-line in less than five days was earth shattering. Each staff member I got help from or texted at Progent was absolutely committed to getting us working again and was working at breakneck pace to bail us out."

Progent worked hand in hand with the client to quickly assess and assign priority to the key services that needed to be addressed in order to continue company functions:

  • Active Directory (AD)
  • Electronic Mail
  • MRP System

To begin, Progent followed ransomware penetration response best practices by isolating and disinfecting systems. Progent then began the steps of restoring Windows Active Directory, the foundation of enterprise environments built upon Microsoft Windows Server technology. Microsoft Exchange Server email will not function without Windows AD, and the business's MRP system used Microsoft SQL Server, which requires Active Directory services for authentication to the database.

Within 48 hours, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then charged ahead with reinstallations and hard drive recovery of mission-critical systems. All Microsoft Exchange Server data and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was able to assemble non-encrypted OST files (Outlook Off-Line Folder Files) from various workstations to recover email information. A relatively recent offline backup of the customer's financials/ERP systems made it possible to bring these required applications back on-line. Although a large amount of work still had to be done to recover fully from the Ryuk event, essential systems were restored rapidly:


"For the most part, the manufacturing operation survived unscathed and we produced all customer sales."

Over the following few weeks critical milestones in the recovery process were achieved through tight cooperation between Progent engineers and the customer:

  • Self-hosted web sites were brought back up with no loss of information.
  • The MailStore Server containing more than 4 million archived messages was restored to operations and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control modules were fully functional.
  • A new Palo Alto 850 firewall was deployed.
  • Most of the desktop computers were being used by staff.

"So much of what transpired that first week is mostly a haze for me, but my management will not soon forget the urgency all of the team put in to give us our business back. I've utilized Progent for the past ten years, possibly more, and every time Progent has come through and delivered. This time was a life saver."

Conclusion
A probable business-ending catastrophe was avoided through the efforts of results-oriented professionals, a wide spectrum of knowledge, and tight collaboration. In hindsight, the crypto-ransomware penetration described here could have been stopped by advanced cyber security solutions, adherence to NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and properly executed procedures for backup and for keeping systems current with security patches. Nevertheless, the reality remains that state-sponsored cyber criminals from Russia, China and elsewhere are relentless and will continue. If you do fall victim to a crypto-ransomware incident, feel confident that Progent's roster of professionals has substantial experience in ransomware virus blocking, remediation, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thank you for letting me get some sleep after we got through the initial fire. All of you did an impressive effort, and if anyone that helped is in the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Raleigh a portfolio of online monitoring and security assessment services to help you to minimize the threat from ransomware. These services include next-generation artificial intelligence technology to uncover new variants of crypto-ransomware that are able to escape detection by legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates next generation behavior analysis technology to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and file-less exploits, which easily escape legacy signature-matching AV tools. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a single platform to address the entire malware attack lifecycle including blocking, detection, containment, remediation, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver affordable in-depth security for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and responding to security threats from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, device management, and web filtering through leading-edge technologies packaged within a single agent accessible from a unified console. Progent's data protection and virtualization consultants can help you to plan and implement a ProSight ESP environment that meets your company's specific needs and that allows you to prove compliance with legal and industry information protection standards. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that call for immediate attention. Progent's consultants can also assist your company to set up and test a backup and restore solution such as ProSight Data Protection Services so you can recover quickly from a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized businesses a low cost end-to-end solution for reliable backup/disaster recovery. Available at a fixed monthly price, ProSight DPS automates your backup processes and enables fast recovery of critical data, apps and VMs that have become unavailable or damaged as a result of component breakdowns, software bugs, disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware images. Important data can be protected in the cloud, on an on-premises device, or both. Progent's BDR consultants can deliver world-class expertise to set up ProSight DPS to be compliant with regulatory requirements such as HIPAA, FERPA, and PCI and, when necessary, can assist you to recover your business-critical data. Find out more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top data security companies to provide web-based control and comprehensive protection for all your email traffic. The hybrid structure of Progent's Email Guard managed service combines cloud-based filtering with a local security gateway device to provide complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks, and other email-based threats. The Cloud Protection Layer serves as a preliminary barricade and blocks most threats from reaching your security perimeter. This decreases your exposure to external attacks and conserves system bandwidth and storage space. Email Guard's onsite gateway device adds a deeper level of analysis for inbound email. For outgoing email, the on-premises security gateway offers AV and anti-spam protection, DLP, and email encryption. The local security gateway can also assist Microsoft Exchange Server to track and safeguard internal email that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to diagram, monitor, optimize and troubleshoot their connectivity hardware such as switches, firewalls, and wireless controllers as well as servers, printers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network maps are always current, captures and manages the configuration information of almost all devices on your network, tracks performance, and sends alerts when issues are detected. By automating complex management and troubleshooting processes, ProSight WAN Watch can cut hours off common chores such as network mapping, reconfiguring your network, locating devices that need important updates, or resolving performance issues. Find out more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your IT system running efficiently by checking the health of the vital computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted immediately to your specified IT management personnel and your assigned Progent consultant so that potential issues can be resolved before they impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure, fault-tolerant data center on a fast virtual host set up and managed by Progent's network support experts. With Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the applications. Because the system is virtualized, it can be ported easily to a different hosting solution without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and protect information about your network infrastructure, processes, business apps, and services. You can instantly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or warranties. By updating and managing your IT infrastructure documentation, you can eliminate as much as 50% of the time wasted looking for vital information about your network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether you're planning improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

For 24/7 Raleigh Ransomware Recovery Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.