Ransomware : Your Crippling Information Technology Disaster
Ransomware  Recovery ProfessionalsRansomware has become a modern cyber pandemic that poses an enterprise-level threat for businesses vulnerable to an assault. Versions of ransomware such as Reveton, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for a long time and still inflict havoc. More recent strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, plus more as yet unnamed viruses, not only do encryption of on-line data but also infiltrate all available system backup. Information synchronized to off-site disaster recovery sites can also be encrypted. In a poorly designed system, it can render any recovery impossible and effectively knocks the entire system back to zero.

Restoring services and information after a crypto-ransomware attack becomes a sprint against time as the targeted business fights to contain and clear the ransomware and to resume business-critical operations. Since crypto-ransomware needs time to replicate, penetrations are frequently launched during nights and weekends, when successful attacks are likely to take longer to notice. This multiplies the difficulty of promptly marshalling and organizing a knowledgeable mitigation team.

Progent makes available a variety of services for securing enterprises from crypto-ransomware attacks. Among these are user education to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of the latest generation security appliances with AI technology to quickly discover and quarantine day-zero threats. Progent in addition provides the services of experienced crypto-ransomware recovery consultants with the skills and commitment to reconstruct a breached environment as rapidly as possible.

Progent's Ransomware Recovery Services
Following a crypto-ransomware penetration, even paying the ransom in Bitcoin cryptocurrency does not ensure that merciless criminals will respond with the needed keys to unencrypt any of your data. Kaspersky ascertained that 17% of ransomware victims never recovered their files even after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is greatly above the usual ransomware demands, which ZDNET averages to be approximately $13,000. The other path is to re-install the vital components of your IT environment. Without the availability of essential system backups, this calls for a broad complement of skill sets, professional team management, and the willingness to work continuously until the recovery project is completed.

For twenty years, Progent has made available expert IT services for businesses in Buffalo and across the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have attained advanced certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have earned internationally-renowned industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has expertise with financial systems and ERP application software. This breadth of experience provides Progent the skills to efficiently identify critical systems and re-organize the remaining components of your computer network system after a crypto-ransomware attack and configure them into an operational system.

Progent's security group uses state-of-the-art project management systems to coordinate the complicated recovery process. Progent appreciates the urgency of working quickly and together with a customerís management and IT team members to assign priority to tasks and to get critical applications back online as fast as humanly possible.

Client Story: A Successful Crypto-Ransomware Intrusion Recovery
A business escalated to Progent after their company was attacked by Ryuk ransomware. Ryuk is generally considered to have been launched by Northern Korean state sponsored hackers, suspected of using technology leaked from the United States NSA organization. Ryuk goes after specific organizations with limited room for operational disruption and is one of the most lucrative iterations of crypto-ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing company located in Chicago with about 500 workers. The Ryuk penetration had paralyzed all business operations and manufacturing capabilities. The majority of the client's information backups had been directly accessible at the beginning of the attack and were damaged. The client was pursuing financing for paying the ransom demand (exceeding $200,000) and wishfully thinking for good luck, but in the end engaged Progent.


"I cannot speak enough about the care Progent gave us during the most critical time of (our) companyís life. We would have paid the Hackers except for the confidence the Progent team gave us. That you could get our messaging and essential servers back quicker than one week was earth shattering. Every single consultant I spoke to or communicated with at Progent was totally committed on getting us back online and was working all day and night to bail us out."

Progent worked with the customer to quickly understand and prioritize the critical services that needed to be restored in order to continue business functions:

  • Active Directory (AD)
  • Microsoft Exchange Server
  • Accounting/MRP
To get going, Progent followed ransomware incident response best practices by isolating and performing virus removal steps. Progent then started the work of restoring Microsoft AD, the key technology of enterprise networks built upon Microsoft technology. Exchange messaging will not work without Active Directory, and the businessesí accounting and MRP software leveraged Microsoft SQL Server, which needs Windows AD for authentication to the databases.

In less than 2 days, Progent was able to restore Active Directory to its pre-attack state. Progent then charged ahead with reinstallations and hard drive recovery of essential servers. All Exchange schema and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was also able to find non-encrypted OST data files (Outlook Email Offline Folder Files) on team PCs and laptops in order to recover email data. A recent off-line backup of the businesses accounting software made them able to restore these vital services back servicing users. Although a lot of work remained to recover completely from the Ryuk virus, essential systems were recovered quickly:


"For the most part, the production manufacturing operation showed little impact and we produced all customer sales."

Throughout the next couple of weeks important milestones in the restoration project were completed through tight cooperation between Progent consultants and the client:

  • In-house web applications were brought back up without losing any data.
  • The MailStore Exchange Server exceeding four million historical messages was brought on-line and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control modules were completely recovered.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Most of the user desktops were fully operational.

"A huge amount of what transpired in the early hours is nearly entirely a fog for me, but my team will not soon forget the commitment all of the team put in to help get our business back. I have been working with Progent for the past ten years, maybe more, and every time Progent has shined and delivered. This event was a life saver."

Conclusion
A probable business extinction catastrophe was averted due to hard-working professionals, a wide array of knowledge, and tight collaboration. Although in retrospect the crypto-ransomware penetration detailed here could have been identified and stopped with current cyber security technology and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, and appropriate security procedures for backup and applying software patches, the reality remains that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a crypto-ransomware incursion, remember that Progent's roster of experts has substantial experience in ransomware virus blocking, mitigation, and file restoration.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thanks very much for letting me get some sleep after we got through the initial fire. Everyone did an amazing effort, and if anyone is in the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Buffalo a variety of online monitoring and security assessment services designed to assist you to minimize the threat from ransomware. These services utilize modern machine learning technology to detect new variants of crypto-ransomware that can get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates cutting edge behavior-based analysis tools to defend physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which easily get by legacy signature-based AV products. ProSight ASM safeguards local and cloud-based resources and offers a unified platform to manage the complete malware attack progression including blocking, detection, mitigation, cleanup, and forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services offer economical in-depth protection for physical and virtual servers, workstations, mobile devices, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device management, and web filtering through leading-edge tools incorporated within one agent accessible from a single console. Progent's security and virtualization experts can help you to design and implement a ProSight ESP environment that meets your company's unique requirements and that allows you demonstrate compliance with government and industry information protection regulations. Progent will help you specify and configure policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that require immediate attention. Progent can also help you to install and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized businesses an affordable end-to-end service for reliable backup/disaster recovery (BDR). For a low monthly cost, ProSight DPS automates and monitors your backup activities and allows rapid recovery of critical data, apps and virtual machines that have become lost or damaged due to component failures, software bugs, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images/. Critical data can be protected on the cloud, to a local storage device, or to both. Progent's BDR consultants can deliver advanced expertise to set up ProSight DPS to to comply with regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, when needed, can assist you to restore your business-critical information. Read more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading data security companies to provide web-based management and world-class security for your inbound and outbound email. The powerful architecture of Email Guard managed service combines a Cloud Protection Layer with a local security gateway device to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne malware. The Cloud Protection Layer acts as a first line of defense and keeps most unwanted email from reaching your network firewall. This decreases your vulnerability to inbound threats and saves system bandwidth and storage space. Email Guard's onsite gateway appliance adds a further layer of analysis for incoming email. For outgoing email, the on-premises gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also help Exchange Server to track and safeguard internal email that stays within your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to map out, monitor, reconfigure and debug their connectivity hardware such as routers and switches, firewalls, and load balancers as well as servers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology maps are always updated, copies and manages the configuration of virtually all devices connected to your network, monitors performance, and sends notices when problems are discovered. By automating tedious management and troubleshooting processes, ProSight WAN Watch can cut hours off common chores such as making network diagrams, reconfiguring your network, finding appliances that require critical updates, or isolating performance problems. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates advanced remote monitoring and management techniques to keep your network operating efficiently by tracking the health of critical assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your specified IT personnel and your assigned Progent engineering consultant so that any looming issues can be resolved before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's network support experts. Under the ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the apps. Since the environment is virtualized, it can be ported easily to an alternate hosting environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and protect information about your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSLs or domains. By cleaning up and managing your IT documentation, you can save up to half of time spent looking for vital information about your network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents related to managing your business network like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether youíre making improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you require when you need it. Read more about ProSight IT Asset Management service.
For Buffalo 24/7 Crypto Recovery Consultants, call Progent at 800-993-9400 or go to Contact Progent.