Crypto-Ransomware : Your Feared IT Nightmare
Ransomware  Recovery ExpertsRansomware has become a modern cyberplague that represents an enterprise-level danger for businesses of all sizes unprepared for an assault. Different iterations of ransomware like the Reveton, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been around for a long time and continue to inflict harm. The latest strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Egregor, plus more unnamed viruses, not only do encryption of online critical data but also infect most configured system restores and backups. Information synched to cloud environments can also be encrypted. In a vulnerable system, this can make any recovery useless and basically knocks the network back to zero.

Getting back on-line services and data following a ransomware intrusion becomes a race against time as the targeted organization struggles to contain and cleanup the ransomware and to restore enterprise-critical activity. Because ransomware takes time to spread, attacks are often sprung on weekends, when successful penetrations tend to take longer to discover. This compounds the difficulty of quickly mobilizing and coordinating a qualified mitigation team.

Progent provides an assortment of help services for protecting businesses from crypto-ransomware penetrations. These include staff training to help identify and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of the latest generation security solutions with AI technology to quickly detect and suppress zero-day cyber attacks. Progent also provides the services of experienced ransomware recovery engineers with the talent and commitment to reconstruct a compromised network as urgently as possible.

Progent's Ransomware Recovery Support Services
Following a crypto-ransomware attack, sending the ransom demands in cryptocurrency does not ensure that merciless criminals will return the needed keys to unencrypt any of your files. Kaspersky estimated that 17% of crypto-ransomware victims never restored their files even after having paid the ransom, resulting in additional losses. The risk is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well above the usual ransomware demands, which ZDNET determined to be approximately $13,000. The fallback is to piece back together the mission-critical elements of your Information Technology environment. Without the availability of full information backups, this requires a wide range of skill sets, top notch project management, and the willingness to work continuously until the job is done.

For twenty years, Progent has made available expert Information Technology services for businesses in Seattle and throughout the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have earned advanced certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally-recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has experience in accounting and ERP software solutions. This breadth of expertise affords Progent the ability to quickly ascertain critical systems and re-organize the surviving components of your computer network environment following a ransomware event and rebuild them into an operational network.

Progent's recovery team has powerful project management systems to coordinate the complex restoration process. Progent knows the urgency of acting swiftly and in unison with a client's management and Information Technology staff to prioritize tasks and to get critical systems back on line as soon as possible.

Case Study: A Successful Ransomware Penetration Recovery
A small business engaged Progent after their organization was crashed by Ryuk crypto-ransomware. Ryuk is believed to have been launched by North Korean government sponsored cybercriminals, suspected of adopting strategies exposed from Americaís NSA organization. Ryuk seeks specific businesses with limited tolerance for operational disruption and is among the most lucrative instances of ransomware. High publicized organizations include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer based in the Chicago metro area with around 500 staff members. The Ryuk intrusion had shut down all essential operations and manufacturing processes. The majority of the client's backups had been online at the start of the attack and were destroyed. The client was taking steps for paying the ransom (exceeding two hundred thousand dollars) and praying for the best, but in the end reached out to Progent.


"I canít say enough about the help Progent gave us throughout the most stressful time of (our) businesses survival. We most likely would have paid the cyber criminals if not for the confidence the Progent experts gave us. That you could get our e-mail system and production applications back online quicker than five days was incredible. Every single expert I worked with or messaged at Progent was totally committed on getting us back online and was working day and night on our behalf."

Progent worked with the client to rapidly determine and assign priority to the mission critical areas that had to be addressed to make it possible to restart company operations:

  • Active Directory
  • Microsoft Exchange Email
  • Financials/MRP
To begin, Progent followed ransomware event response industry best practices by isolating and clearing infected systems. Progent then initiated the process of restoring Microsoft AD, the key technology of enterprise environments built upon Microsoft technology. Microsoft Exchange Server messaging will not work without AD, and the customerís accounting and MRP applications leveraged SQL Server, which depends on Active Directory services for authentication to the data.

In less than 2 days, Progent was able to recover Active Directory services to its pre-penetration state. Progent then charged ahead with setup and hard drive recovery of needed systems. All Exchange Server ties and attributes were intact, which accelerated the rebuild of Exchange. Progent was able to locate non-encrypted OST data files (Outlook Offline Data Files) on team desktop computers in order to recover mail data. A not too old off-line backup of the businesses financials/ERP systems made it possible to recover these essential services back online. Although a lot of work was left to recover fully from the Ryuk damage, core systems were returned to operations quickly:


"For the most part, the assembly line operation showed little impact and we made all customer orders."

Throughout the following couple of weeks important milestones in the recovery project were made in close collaboration between Progent team members and the client:

  • Self-hosted web sites were restored without losing any data.
  • The MailStore Microsoft Exchange Server exceeding four million historical messages was brought on-line and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control modules were fully restored.
  • A new Palo Alto Networks 850 firewall was installed and configured.
  • Ninety percent of the user desktops and notebooks were back into operation.

"A lot of what transpired in the early hours is nearly entirely a haze for me, but my management will not soon forget the commitment all of you accomplished to give us our company back. I have entrusted Progent for at least 10 years, maybe more, and each time Progent has shined and delivered as promised. This situation was a life saver."

Conclusion
A probable business-killing catastrophe was evaded with top-tier experts, a broad array of subject matter expertise, and tight collaboration. Although in hindsight the ransomware incident described here would have been identified and disabled with modern cyber security solutions and NIST Cybersecurity Framework best practices, user and IT administrator education, and well thought out security procedures for information protection and proper patching controls, the fact remains that government-sponsored hackers from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware incident, remember that Progent's roster of professionals has proven experience in ransomware virus blocking, removal, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were helping), thanks very much for allowing me to get some sleep after we made it past the initial fire. Everyone did an incredible job, and if any of your team is in the Chicago area, dinner is on me!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Seattle a portfolio of online monitoring and security assessment services designed to help you to reduce the threat from ransomware. These services incorporate next-generation artificial intelligence capability to detect new strains of ransomware that are able to escape detection by traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates next generation behavior-based analysis tools to guard physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which routinely escape legacy signature-based anti-virus products. ProSight Active Security Monitoring protects local and cloud-based resources and provides a single platform to address the complete malware attack progression including blocking, detection, containment, remediation, and post-attack forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer economical in-depth security for physical servers and VMs, workstations, mobile devices, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and reacting to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge technologies incorporated within one agent accessible from a unified control. Progent's data protection and virtualization consultants can help your business to design and configure a ProSight ESP deployment that addresses your organization's specific needs and that allows you prove compliance with government and industry data security regulations. Progent will assist you specify and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that call for urgent action. Progent can also help you to install and test a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business rapidly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized organizations a low cost end-to-end solution for secure backup/disaster recovery (BDR). For a fixed monthly price, ProSight DPS automates your backup activities and allows rapid recovery of critical files, apps and VMs that have become unavailable or damaged as a result of hardware breakdowns, software glitches, disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware images/. Important data can be backed up on the cloud, to an on-promises storage device, or mirrored to both. Progent's backup and recovery consultants can provide advanced support to set up ProSight DPS to be compliant with government and industry regulatory requirements such as HIPAA, FIRPA, PCI and Safe Harbor and, whenever needed, can help you to recover your business-critical information. Learn more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading data security vendors to deliver centralized control and world-class security for your email traffic. The powerful structure of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises gateway device to provide advanced protection against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's Cloud Protection Layer acts as a preliminary barricade and blocks most unwanted email from reaching your security perimeter. This reduces your exposure to external attacks and conserves system bandwidth and storage space. Email Guard's on-premises gateway appliance adds a further level of analysis for inbound email. For outgoing email, the onsite security gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to track and protect internal email that originates and ends within your security perimeter. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to diagram, track, optimize and debug their networking hardware like switches, firewalls, and wireless controllers plus servers, endpoints and other devices. Using state-of-the-art RMM technology, ProSight WAN Watch makes sure that infrastructure topology maps are always updated, copies and manages the configuration of virtually all devices connected to your network, monitors performance, and generates alerts when problems are discovered. By automating tedious network management processes, WAN Watch can knock hours off common tasks such as making network diagrams, reconfiguring your network, finding appliances that require important software patches, or resolving performance problems. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring service that incorporates advanced remote monitoring and management technology to keep your IT system running at peak levels by tracking the health of critical assets that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your designated IT personnel and your assigned Progent consultant so any potential problems can be resolved before they can impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure fault tolerant data center on a high-performance virtual machine host set up and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the apps. Since the environment is virtualized, it can be ported easily to an alternate hosting environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not tied one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and safeguard information about your IT infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSL certificates or warranties. By updating and organizing your IT documentation, you can save as much as 50% of time thrown away looking for critical information about your IT network. ProSight IT Asset Management includes a common location for storing and collaborating on all documents required for managing your business network like recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether youíre making improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you require when you need it. Read more about Progent's ProSight IT Asset Management service.
For Seattle 24-Hour Crypto-Ransomware Remediation Help, reach out to Progent at 800-462-8800 or go to Contact Progent.