Crypto-Ransomware : Your Worst IT Disaster
Crypto-ransomware has become a modern cyberplague that poses an extinction-level danger for organizations poorly prepared for an attack. Strains such as Reveton, WannaCry, Locky, Syskey and MongoLock have been around for years and continue to inflict havoc. Newer families such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with as-yet-unnamed malware, not only encrypt critical online data but also encrypt or delete every backup that is reachable from the compromised network. Data synchronized to off-site disaster recovery sites can be ransomed as well. With a vulnerable data protection design, this renders automated recovery hopeless and effectively knocks the network back to square one.

Getting programs and data back online after a crypto-ransomware outage becomes a sprint against the clock as the victim tries to contain and eradicate the malware and restore business-critical activity. Because encrypting an entire network takes time, attacks are usually triggered at night, when they take longer to detect and fewer staff are on hand. This compounds the difficulty of rapidly marshalling and organizing an experienced response team.
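The overnight head start described above is shortest when the precursor commands that almost every ransomware crew runs before encrypting (deleting Volume Shadow Copies, wiping the Windows backup catalog, disabling startup repair) are caught in process-creation telemetry. The following detection logic is an added example written for this page, not Progent's code or part of any ProSight service; it runs over a constructed sample of process-creation events whose field names (ts, host, user, image, cmdline) are assumed to mirror a Sysmon Event ID 1 or Security 4688 export and would need mapping to your own SIEM's schema. It also shows why the VSS-based rollback offered by endpoint products (described later on this page) has a caveat: the snapshots are usually the first thing the attacker destroys.

```python
"""Flag ransomware precursor commands in Windows process-creation logs.

Added example, not Progent's code. Field names (ts, host, user, image,
cmdline) are assumed to mirror a Sysmon Event ID 1 / Security 4688 export;
adjust them to your own SIEM's schema.
"""
import json
import re
from collections import Counter
from datetime import datetime

# Well-documented ransomware precursors: each disables a recovery path a
# defender would otherwise rely on (VSS snapshots, the Windows backup
# catalog, automatic startup repair). Matched case-insensitively.
PRECURSOR_RULES = {
    "vss_shadow_delete": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "vss_storage_resize": re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I),
    "wmic_shadow_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "ps_shadowcopy_delete": re.compile(r"win32_shadowcopy.*\bdelete\b", re.I),
    "wbadmin_catalog_delete": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
    "bcdedit_recovery_off": re.compile(
        r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
}

# Resizing shadow storage is also something administrators do to free disk,
# so on its own it is treated as lower confidence than outright deletion.
LOW_CONFIDENCE_RULES = {"vss_storage_resize"}
SEVERITY_LEVELS = ["medium", "high", "critical"]

# Constructed sample events (not from a real incident). Timestamps are UTC.
SAMPLE_EVENTS = r"""
{"ts": "2020-11-06T09:00:00Z", "host": "MFG-WS22", "user": "CORP\\jsmith", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe C:\\Users\\jsmith\\notes.txt"}
{"ts": "2020-11-06T10:15:00Z", "host": "MFG-BK01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=20GB"}
{"ts": "2020-11-06T14:30:00Z", "host": "MFG-WS22", "user": "CORP\\jsmith", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe list shadows"}
{"ts": "2020-11-07T02:13:05Z", "host": "MFG-FS01", "user": "CORP\\jsmith", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"}
{"ts": "2020-11-07T02:13:06Z", "host": "MFG-FS01", "user": "CORP\\jsmith", "image": "C:\\Windows\\System32\\wbem\\wmic.exe", "cmdline": "wmic.exe shadowcopy delete"}
{"ts": "2020-11-07T02:13:08Z", "host": "MFG-FS01", "user": "CORP\\jsmith", "image": "C:\\Windows\\System32\\bcdedit.exe", "cmdline": "bcdedit.exe /set {default} recoveryenabled no"}
{"ts": "2020-11-07T02:13:09Z", "host": "MFG-FS01", "user": "CORP\\jsmith", "image": "C:\\Windows\\System32\\wbadmin.exe", "cmdline": "wbadmin.exe delete catalog -quiet"}
"""


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def match_rules(cmdline):
    """Names of every precursor rule the command line triggers, in rule order."""
    return [name for name, rx in PRECURSOR_RULES.items() if rx.search(cmdline)]


def is_off_hours(ts, start=22, end=6):
    """True between 22:00 and 06:00 UTC, when staffed detection is slowest."""
    hour = datetime.fromisoformat(ts.replace("Z", "+00:00")).hour
    return hour >= start or hour < end


def severity_for(hits, off_hours):
    """Deletion-class hits start at 'high'; resize-only starts at 'medium';
    an off-hours timestamp bumps either one level."""
    level = 0 if set(hits) <= LOW_CONFIDENCE_RULES else 1
    if off_hours:
        level += 1
    return SEVERITY_LEVELS[level]


def detect(text):
    """Return one alert per event whose command line matches a precursor rule."""
    alerts = []
    for ev in parse_events(text):
        hits = match_rules(ev.get("cmdline", ""))
        if not hits:
            continue
        off = is_off_hours(ev["ts"])
        alerts.append({
            "ts": ev["ts"], "host": ev["host"], "user": ev["user"],
            "rules": hits, "off_hours": off,
            "severity": severity_for(hits, off),
        })
    return alerts


def hosts_with_precursors(alerts):
    """Alerts per host: a burst on one host is the typical prelude to the encryptor."""
    return Counter(a["host"] for a in alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["ts"]} {a["severity"]:8} {a["host"]} {a["user"]} {",".join(a["rules"])}')
    print(dict(hosts_with_precursors(found)))
```

On the sample, the business-hours shadow-storage resize by the backup service account surfaces as a medium alert worth a glance, while the four commands run on MFG-FS01 at 02:13 UTC come out as critical; a rule like this paging the on-call at that point is the difference between losing one file server and losing the domain.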

Progent offers a variety of services for protecting businesses from crypto-ransomware events. These include staff training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of modern security appliances that use machine learning to automatically identify and quarantine zero-day threats. Progent also provides experienced ransomware recovery engineers with the skill and perseverance to rebuild a breached network as quickly as possible.

Progent's Ransomware Recovery Services
After a ransomware event, paying the demand in cryptocurrency provides no assurance that the remote criminals will respond with the keys to decrypt any or all of your data. Kaspersky Labs found that seventeen percent of ransomware victims never recovered their data even after paying the ransom, adding to their losses. Paying is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNET estimated at around $13,000. The alternative is to rebuild the mission-critical components of your IT environment from scratch. Without access to complete backups, this calls for a wide range of IT skills, professional project management, and the ability to work non-stop until the job is done.

For twenty years, Progent has provided certified expert IT services for businesses in Lima and throughout the U.S. and has achieved Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who hold top industry certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security engineers hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has experience with financial management and ERP software. This breadth of expertise lets Progent efficiently identify critical systems, consolidate the surviving parts of your network after a ransomware event, and configure them into an operational network.

Progent's ransomware team uses state-of-the-art project management tools to orchestrate the complex recovery process. Progent understands the urgency of acting swiftly, in concert with a client's management and IT staff, to prioritize tasks and bring the most important systems back online as fast as possible.

Case Study: A Successful Crypto-Ransomware Attack Response
A client contacted Progent after their organization was taken over by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, but subsequent analysis attributes it to a Russian-speaking criminal group. Ryuk intrusions typically begin with a commodity trojan such as Emotet or TrickBot, followed by hands-on-keyboard lateral movement before the encryptor is deployed across the domain. Ryuk targets organizations with little capacity to tolerate disruption and is one of the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer in Chicago with around 500 employees. The Ryuk intrusion had halted all business operations and manufacturing processes. Most of the client's backups were online and reachable from the compromised network at the time of the intrusion, and they were eventually encrypted along with production data. The client was preparing to pay the ransom (more than $200,000) and hoping for the best, but ultimately engaged Progent.


"I cannot thank you enough in regards to the expertise Progent provided us throughout the most stressful period of (our) company's survival. We would have had little choice but to pay the cyber criminals behind the attack if it wasn't for the confidence the Progent experts afforded us. The fact that you could get our messaging and production applications back in less than 1 week was beyond my wildest dreams. Each staff member I worked with or messaged at Progent was amazingly focused on getting us restored and was working all day and night on our behalf."

Progent worked together with the customer to quickly identify and assign priority to the critical elements that needed to be recovered to make it possible to resume company operations:

  • Active Directory (AD)
  • Exchange Server
  • Accounting and Manufacturing Software
To start, Progent followed ransomware containment best practices by halting lateral movement and cleaning infected systems. Progent then began restoring Active Directory, the core of any enterprise environment built on Windows Server. Exchange Server will not run without AD, and the customer's MRP system ran on Microsoft SQL Server, which relied on Windows (Active Directory) authentication to authorize access to its data.

Within 48 hours, Progent had recovered Active Directory to its pre-attack state. Progent then rebuilt and restored the storage of the most important applications. Because Exchange Server keeps its configuration in Active Directory, all Exchange configuration and relationships were intact once AD was back, which greatly simplified the Exchange restore. Progent was also able to harvest local OST files (Outlook offline data files) from staff PCs and laptops to recover mailbox contents. A recent offline backup of the client's manufacturing software made it possible to bring that essential service back to users. Although a great deal of work remained to recover fully from Ryuk, essential systems were restored rapidly:


"For the most part, the production manufacturing operation survived unscathed and we delivered all customer shipments."

Throughout the next few weeks important milestones in the recovery project were completed through tight collaboration between Progent consultants and the customer:

  • In-house web applications were returned to operation with no loss of information.
  • The MailStore email archive holding more than 4 million archived Exchange messages was brought online and made accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivable (AR)/Inventory functions were 100 percent restored.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • 90% of user desktops and notebooks were back in use by staff.

"A lot of what occurred in the initial days is mostly a blur for me, but I will not soon forget the commitment all of you put in to give us our business back. I've been working with Progent for at least 10 years, maybe more, and each time I needed help Progent has come through and delivered as promised. This time was a life saver."

Conclusion
A potential business-ending catastrophe was averted by results-oriented professionals, a wide array of subject-matter expertise, and close teamwork. In hindsight, the incident described here should have been detected and contained by modern security tooling, ISO/IEC 27001 best practices, user training, and sound procedures for backup, security patching and incident response; the reality, however, is that state-sponsored and criminal groups in Russia, North Korea and elsewhere are relentless and will keep trying. If you are hit by a crypto-ransomware intrusion, remember that Progent's team has proven experience in ransomware defense, removal, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for making it so I could get rested after we got over the most critical parts. All of you did a fabulous job, and if anyone that helped is in the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer story, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Lima a range of remote monitoring and security assessment services to help reduce the threat from ransomware. These services include behavior-based machine learning technology to uncover zero-day strains of ransomware that evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses behavior-based machine learning to defend physical and virtual endpoints against modern malware such as ransomware and phishing payloads, which routinely get past legacy signature-matching AV tools. ProSight ASM protects local and cloud resources and offers a unified platform to manage the complete threat lifecycle: blocking, intrusion detection, mitigation, cleanup, and post-attack forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and automatic network-wide immunization against newly seen threats. One caveat a practitioner should keep in mind: most ransomware families delete shadow copies (typically with vssadmin, wmic or PowerShell) before they start encrypting, so snapshot-based rollback only works if the endpoint agent blocks that deletion or the snapshots otherwise survive; treat VSS rollback as a convenience, not a substitute for offline backups. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver affordable multi-layer protection for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and behavior analysis for round-the-clock monitoring of and response to attacks from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device management, and web filtering through a single agent managed from a single console. Progent's security and virtualization experts can help you plan and configure a ProSight ESP deployment that meets your organization's specific needs and that helps you achieve and demonstrate compliance with government and industry information security standards. Progent will help you specify and implement the policies that ProSight ESP enforces, and Progent will monitor your network and respond to alerts that call for urgent action. Progent can also help you install and verify a backup and restore solution such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and medium-sized businesses a low-cost, end-to-end solution for reliable backup and disaster recovery (BDR). Available at a low monthly rate, ProSight Data Protection Services automates your backup processes and enables rapid restoration of vital data, applications and virtual machines that have been lost or corrupted by hardware failures, software bugs, disasters, human error, or malware such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to an on-premises device, or mirrored to both. Progent's BDR consultants can help you set up ProSight Data Protection Services to comply with regulatory standards such as HIPAA, FINRA, and PCI and, when necessary, can assist you in restoring your business-critical data. Read more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that builds on the infrastructure of leading information security vendors to deliver centralized management and strong security for all your inbound and outbound email. The hybrid architecture of the Email Guard managed service combines a Cloud Protection Layer with a local security gateway appliance to provide defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as the first line of defense and blocks most threats before they reach your network firewall, reducing your exposure to external threats and saving bandwidth and storage. Email Guard's on-premises security gateway appliance adds a deeper layer of analysis for incoming email. For outgoing email, the on-premises gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Microsoft Exchange Server monitor and protect internal email that never leaves your security perimeter. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map, monitor, enhance and debug their connectivity appliances like routers, firewalls, and wireless controllers as well as servers, printers, client computers and other devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that network maps are always updated, captures and manages the configuration of virtually all devices on your network, monitors performance, and generates alerts when potential issues are detected. By automating complex management activities, WAN Watch can knock hours off ordinary chores like network mapping, expanding your network, finding devices that need critical software patches, or isolating performance issues. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to keep your IT system running at peak levels by checking the health of the critical computers that drive your information system. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your designated IT management personnel and your assigned Progent consultant so any looming problems can be addressed before they can impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual machine host configured and maintained by Progent's network support professionals. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system, and the applications. Because the environment is virtualized, it can be moved quickly to different hardware without a lengthy and difficult reinstallation, so you are not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and protect information related to your IT infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can save up to half of the time wasted looking for vital information about your IT network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents related to managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're planning improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you require as soon as you need it. Learn more about ProSight IT Asset Management service.
For 24x7 Lima Crypto Remediation Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.