Crypto-Ransomware : Your Crippling IT Disaster
Crypto-ransomware has become a too-frequent cyberplague that represents an enterprise-level danger for organizations vulnerable to an assault. Different iterations of ransomware like the CrySIS, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for a long time and continue to cause harm. Modern variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Nephilim, along with more as yet unnamed malware, not only encrypt online files but also attack most configured system protection mechanisms. Information synchronized to cloud environments can also be ransomed. In a vulnerable system, this can make automatic restoration impossible and basically knocks the entire system back to square one.

Retrieving applications and information after a ransomware intrusion becomes a race against the clock as the victim tries its best to contain and eradicate the virus and to resume enterprise-critical operations. Since ransomware takes time to replicate, penetrations are often sprung during nights and weekends, when successful penetrations tend to take longer to uncover. This compounds the difficulty of quickly mobilizing and coordinating a capable response team.

Progent offers an assortment of help services for protecting enterprises from ransomware penetrations. Among these are staff training to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of next-generation security appliances with machine learning capabilities to intelligently identify and suppress zero-day cyber attacks. Progent also offers the assistance of expert ransomware recovery consultants with the skills and commitment to rebuild a compromised system as rapidly as possible.

Progent's Ransomware Restoration Services
Subsequent to a ransomware penetration, sending the ransom in cryptocurrency does not guarantee that merciless criminals will provide the keys needed to decrypt any of your data. Kaspersky Labs estimated that 17% of ransomware victims never recovered their information after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is far higher than the usual crypto-ransomware demand, which ZDNET determined to be approximately $13,000. The alternative is to piece back together the critical elements of your IT environment. Absent the availability of complete system backups, this calls for a broad complement of skill sets, professional project management, and the capability to work non-stop until the job is done.

For twenty years, Progent has made available expert Information Technology services for businesses in Lima and across the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have been awarded high-level industry certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have garnered internationally-renowned industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience in financial systems and ERP software solutions. This breadth of experience gives Progent the ability to efficiently identify critical systems, organize the remaining pieces of your network environment after a ransomware attack, and rebuild them into a functioning network.

Progent's ransomware team uses best-of-breed project management tools to orchestrate the complicated recovery process. Progent understands the urgency of working rapidly and in concert with a customer's management and Information Technology staff to prioritize tasks and to put key applications back on-line as soon as possible.

Client Case Study: A Successful Crypto-Ransomware Virus Restoration
A small business engaged Progent after their company was attacked by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state-sponsored hackers, possibly adopting techniques leaked from the United States National Security Agency. Ryuk targets specific companies with little or no ability to sustain disruption and is among the most profitable incarnations of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in the Chicago metro area with about 500 workers. The Ryuk event had paralyzed all company operations and manufacturing capabilities. The majority of the client's information backups had been on-line at the time of the intrusion and were eventually encrypted. The client was evaluating paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately reached out to Progent.


"I cannot thank you enough in regards to the support Progent provided us during the most stressful time of (our) company's survival. We may have had to pay the hackers behind this attack except for the confidence the Progent experts afforded us. The fact that you could get our messaging and critical servers back online sooner than 1 week was earth shattering. Each expert I talked with or texted at Progent was amazingly focused on getting our system up and was working at all hours to bail us out."

Progent worked with the client to rapidly identify and prioritize the mission-critical elements that needed to be recovered in order to resume business functions:

  • Microsoft Active Directory
  • Electronic Messaging
  • Accounting/MRP
To start, Progent followed industry best practices for malware incident response by stopping the spread and performing virus removal steps. Progent then began the steps of bringing Active Directory back online, the foundation of enterprise networks built on Microsoft Windows Server. Microsoft Exchange Server email will not operate without Active Directory, and the business's financial and MRP software utilized Microsoft SQL Server, which depends on Active Directory for authorizing access to the databases.

In less than two days, Progent was able to restore Active Directory services to their pre-virus state. Progent then performed reinstallations and hard drive recovery of needed systems. All Exchange schema and attributes were intact, which facilitated the rebuild of Exchange. Progent was able to locate intact OST files (Outlook Offline Folder Files) on user desktop computers and laptops to recover mail data. A recent off-line backup of the business's manufacturing systems made it possible to restore these essential applications to users. Although major work still had to be done to recover completely from the Ryuk event, core systems were recovered quickly:


"For the most part, the production operation ran fairly normal throughout and we delivered all customer orders."

Throughout the following month critical milestones in the restoration project were accomplished through tight collaboration between Progent consultants and the customer:

  • Self-hosted web applications were restored without losing any data.
  • The MailStore Microsoft Exchange Server containing more than four million historical messages was spun up and available for users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory capabilities were completely restored.
  • A new Palo Alto 850 security appliance was set up.
  • 90% of the user desktops were being used by staff.

"Much of what went on in the initial days is mostly a haze for me, but my management will not forget the dedication each of your team put in to help get our company back. I have trusted Progent for the past ten years, possibly more, and each time I needed help Progent has come through and delivered. This time was a stunning achievement."

Conclusion
A likely business extinction disaster was averted due to results-oriented experts, a wide array of subject matter expertise, and close collaboration. Although in post mortem the crypto-ransomware penetration described here could have been blocked with up-to-date security systems and NIST Cybersecurity Framework best practices, user education, and properly executed incident response procedures for information backup and keeping systems up to date with security patches, the fact is that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware penetration, feel confident that Progent's roster of professionals has substantial experience in crypto-ransomware virus blocking, mitigation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were helping), I'm grateful for making it so I could get rested after we got through the most critical parts. Everyone did a fabulous job, and if anyone that helped is around the Chicago area, a great meal is on me!"

To read or download a PDF version of this case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Lima a range of remote monitoring and security assessment services designed to help you to reduce the threat from crypto-ransomware. These services incorporate modern AI technology to uncover new strains of crypto-ransomware that can escape detection by traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates next-generation behavioral machine learning tools to guard physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which easily escape legacy signature-based AV products. ProSight ASM protects local and cloud resources and offers a unified platform to manage the entire malware attack progression including blocking, identification, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer economical multi-layer security for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP provides two-way firewall protection, penetration alarms, device management, and web filtering through leading-edge technologies packaged within one agent accessible from a single console. Progent's data protection and virtualization consultants can help you to design and configure a ProSight ESP environment that addresses your company's unique needs and that allows you to achieve and demonstrate compliance with legal and industry data security regulations. Progent will assist you to define and configure the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require immediate attention. Progent's consultants can also help your company to set up and verify a backup and restore solution like ProSight Data Protection Services so you can recover quickly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and mid-sized organizations an affordable and fully managed service for reliable backup/disaster recovery (BDR). For a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup activities and enables fast recovery of critical files, applications and VMs that have become unavailable or damaged as a result of component breakdowns, software bugs, disasters, human mistakes, or malware attacks like ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images. Critical data can be protected in the cloud, on an on-premises device, or both. Progent's cloud backup consultants can provide world-class expertise to set up ProSight Data Protection Services to be compliant with government and industry regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can assist you to restore your critical information. Read more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading information security vendors to deliver web-based control and comprehensive security for your email traffic. The hybrid structure of Progent's Email Guard managed service combines cloud-based filtering with an on-premises gateway appliance to offer complete protection against spam, viruses, Denial of Service attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps most threats from reaching your security perimeter. This decreases your vulnerability to external attacks and conserves network bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a further layer of analysis for inbound email. For outgoing email, the on-premises gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The onsite security gateway can also assist Exchange Server to track and protect internal email that stays within your security perimeter. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to map, monitor, reconfigure and troubleshoot their connectivity hardware such as routers and switches, firewalls, and load balancers as well as servers, endpoints and other devices. Using cutting-edge RMM technology, WAN Watch makes sure that infrastructure topology diagrams are kept current, copies and manages the configuration of almost all devices on your network, monitors performance, and sends notices when problems are discovered. By automating time-consuming network management processes, WAN Watch can knock hours off ordinary chores like network mapping, reconfiguring your network, locating appliances that require important software patches, or resolving performance issues. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to keep your network operating efficiently by tracking the health of the vital computers that drive your business network. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT personnel and your assigned Progent consultant so that any potential issues can be resolved before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual host configured and managed by Progent's IT support experts. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the applications. Since the environment is virtualized, it can be ported immediately to a different hosting solution without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and protect information related to your network infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be warned about impending expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can save as much as half of the time spent trying to find critical information about your network. ProSight IT Asset Management features a common location for storing and sharing all documents related to managing your business network, like recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT information. Whether you're planning enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.
For Lima 24-7 Crypto Remediation Consultants, contact Progent at 800-993-9400 or go to Contact Progent.