Crypto-Ransomware: Your Worst Information Technology Catastrophe
Crypto-Ransomware Remediation Experts

Ransomware has become a modern cyber pandemic that presents an extinction-level threat for businesses of all sizes that are poorly prepared for an attack. Earlier iterations of ransomware such as Dharma, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been out in the wild for many years and still cause destruction. Recent strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, as well as frequent as-yet-unnamed newcomers, not only encrypt online data files but also infiltrate any system backups they can reach. Information synced to cloud environments can also be rendered useless. In a poorly designed environment, this can make any recovery hopeless and knocks the network back to square one.

Restoring services and data following a ransomware attack becomes a sprint against the clock as the victim struggles to stop lateral movement, eradicate the crypto-ransomware, and restore enterprise-critical activity. Because ransomware requires time to spread, intrusions are often launched at night, when they are likely to go unnoticed for longer. This compounds the difficulty of quickly mobilizing and orchestrating a capable mitigation team.

Progent offers a range of support services for securing organizations against ransomware events. These include team member education to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of the latest generation of security appliances with artificial intelligence technology to automatically detect and suppress zero-day threats. Progent also offers the services of veteran crypto-ransomware recovery engineers with the talent and commitment to restore a compromised network as quickly as possible.

Progent's Crypto-Ransomware Restoration Help
After a ransomware penetration, paying the ransom in cryptocurrency does not guarantee that the criminal gang will hand over the keys to decrypt any of your data. Kaspersky estimated that seventeen percent of ransomware victims never restored their files after having paid the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000), far higher than the average ransomware demand, which ZDNET determined to be around $13,000. The other path is to piece back together the key components of your IT environment. Without essential information backups, this requires a broad complement of IT skills, well-coordinated project management, and the willingness to work continuously until the job is done.

For two decades, Progent has provided expert IT services for businesses in St. Louis and across the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have been awarded advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has experience with accounting and ERP software solutions. This breadth of experience gives Progent the capability to rapidly identify critical systems after a ransomware attack, re-organize the remaining pieces of your network, and assemble them into an operational network.

Progent's recovery team uses state-of-the-art project management systems to coordinate the complicated recovery process. Progent understands the urgency of acting quickly and works with a client's management and IT team members to prioritize tasks and get critical applications back online as fast as humanly possible.

Business Case Study: A Successful Ransomware Attack Response
A customer escalated to Progent after their organization was penetrated by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean state criminal gangs, suspected of adopting techniques leaked from the United States NSA. Ryuk targets specific companies with little room for disruption and is among the most lucrative instances of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer located in Chicago with about 500 staff members. The Ryuk penetration had brought down all business operations and manufacturing capabilities. Most of the client's system backups had been online at the time of the attack and were eventually encrypted. The client was taking steps to pay the ransom (in excess of $200,000) and hoping for good luck, but ultimately engaged Progent.


"I can't thank you enough for the help Progent provided us during the most fearful time of (our) business's life. We would have paid the Hackers if not for the confidence the Progent team gave us. That you were able to get our messaging and production servers back into operation in less than one week was beyond my wildest dreams. Each person I spoke to or texted at Progent was urgently focused on getting us back online and was working all day and night to bail us out."

Progent worked together with the client to quickly identify and assign priority to the critical systems that needed to be addressed to make it possible to resume company operations:

  • Windows Active Directory
  • E-Mail
  • MRP System
To begin, Progent followed industry best practices for malware incident response by stopping lateral movement and cleaning up compromised systems. Progent then began restoring Active Directory, the foundation of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not function without Active Directory, and the client's MRP applications used SQL Server, which depends on Windows AD for security authorization to the database.

In less than 48 hours, Progent was able to recover Active Directory services to their pre-attack state. Progent then assisted with rebuilding essential servers and recovering their hard drives. All Microsoft Exchange Server ties and configuration information were intact, which accelerated the restoration of Exchange. Progent was able to locate intact OST files (Outlook offline data files) on user workstations and laptops and recover mail messages from them. A recent offline backup of the business's accounting/ERP software made it possible to bring these vital services back online for users. Although significant work remained to recover fully from the Ryuk virus, core services were restored rapidly:
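The recovery sequence above hinges on finding artifacts that escaped encryption: intact OST files on workstations and an offline ERP backup. The following Python script is an added example, not Progent's tooling or anything from the case study. It triages candidate files by a known file signature (the "!BDN" header that Outlook OST/PST files begin with), byte entropy, and modification time relative to an assumed attack start time, so a responder can sort a pile of copied files into what is worth restoring from. The file names, entropy threshold, attack timestamp and sample corpus are all constructed for the demonstration.

```python
"""
Triage of candidate recovery artifacts after a ransomware incident.

Added illustration (not Progent's tooling). Assumes the responder knows the
approximate time encryption began (``attack_time``) and has copied candidate
files (OST files from workstations, images from offline media) to one place.
Verdicts:
  "intact"    - known signature present, ordinary entropy, modified before the attack
  "encrypted" - signature missing and near-random content, or modified after the attack
  "unknown"   - no signature rule matched and entropy is inconclusive
"""
import math
import os
import tempfile
from datetime import datetime, timezone

# Leading bytes of file types a responder is likely to meet. "!BDN" is the
# header of Outlook PST/OST files; the others are common containers.
SIGNATURES = {
    b"!BDN": "outlook-ost/pst",
    b"PK\x03\x04": "zip-container",
    b"%PDF": "pdf",
}

# Ciphertext has ~8 bits of entropy per byte; mailbox and backup data sit well
# below that. The threshold is an assumption chosen for this example.
HIGH_ENTROPY_BITS = 7.5
SAMPLE_BYTES = 64 * 1024


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_file(path: str, attack_time: datetime) -> dict:
    """Return a triage record for one candidate file."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
    sig = next((name for magic, name in SIGNATURES.items() if head.startswith(magic)), None)
    entropy = shannon_entropy(head)

    if mtime >= attack_time:
        verdict = "encrypted"   # written during or after the attack window: untrusted
    elif sig is not None:
        verdict = "intact"
    elif entropy >= HIGH_ENTROPY_BITS:
        verdict = "encrypted"   # timestamp looks fine but the bytes are ciphertext-like
    else:
        verdict = "unknown"
    return {"path": path, "signature": sig, "entropy": round(entropy, 2),
            "mtime": mtime.isoformat(), "verdict": verdict}


def triage(paths, attack_time: datetime):
    """Classify each file and return the intact candidates first."""
    records = [classify_file(p, attack_time) for p in paths]
    order = {"intact": 0, "unknown": 1, "encrypted": 2}
    return sorted(records, key=lambda r: order[r["verdict"]])


def build_demo_corpus(directory: str, attack_time: datetime):
    """Write three constructed sample files and return their paths (demo only)."""
    before = attack_time.timestamp() - 86400   # one day before the attack
    after = attack_time.timestamp() + 3600     # one hour after it started

    good = os.path.join(directory, "user1.ost")            # intact OST-like file
    with open(good, "wb") as fh:
        fh.write(b"!BDN" + b"mailbox record " * 2000)
    os.utime(good, (before, before))

    scrambled = os.path.join(directory, "user2.ost.locked")  # stands in for ciphertext;
    with open(scrambled, "wb") as fh:                        # pre-attack mtime kept on
        fh.write(os.urandom(SAMPLE_BYTES))                   # purpose so entropy must catch it
    os.utime(scrambled, (before, before))

    late = os.path.join(directory, "backup.zip")           # valid header, but post-attack
    with open(late, "wb") as fh:
        fh.write(b"PK\x03\x04" + b"archive data " * 2000)
    os.utime(late, (after, after))
    return [good, scrambled, late]


def run_demo():
    attack_time = datetime(2024, 1, 1, 2, 0, tzinfo=timezone.utc)  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_demo_corpus(tmp, attack_time), attack_time)


if __name__ == "__main__":
    for rec in run_demo():
        print(f'{rec["verdict"]:9} entropy={rec["entropy"]:5} sig={rec["signature"]} {rec["path"]}')
```

The timestamp rule and the entropy rule are deliberately independent: a file written after the attack started is distrusted even if its header looks valid, and a file whose bytes are ciphertext-like is distrusted even if its timestamp looks pre-attack. Only files passing both checks are queued for restore first.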


"For the most part, the production line operation was never shut down and we made all customer sales."

During the following few weeks key milestones in the recovery project were made through tight cooperation between Progent team members and the client:

  • Internal web applications were brought back up without losing any data.
  • The MailStore server for Exchange, holding more than four million historical emails, was brought online and made accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory functions were 100% functional.
  • A new Palo Alto 850 firewall was installed and configured.
  • Ninety percent of the desktops and laptops were back into operation.

"So much of what went on in the initial days is nearly entirely a blur for me, but we will not forget the countless hours all of your team put in to give us our company back. I've utilized Progent for the past ten years, possibly more, and every time Progent has shined and delivered. This situation was a stunning achievement."

Conclusion
A probable business disaster was averted through the efforts of top-tier professionals, a wide array of subject matter expertise, and tight collaboration. Although forensics showed that the ransomware attack described here should have been identified and blocked by up-to-date security technology, ISO/IEC 27001 best practices, staff training, well thought out data protection procedures, and timely security patching, the fact remains that government-sponsored hackers from China, North Korea and elsewhere are tireless and an ongoing threat. If you do get hit by a ransomware virus, be confident that Progent's roster of professionals has substantial experience in ransomware defense, removal, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were contributing), thanks very much for letting me get rested after we got over the initial fire. Everyone did a fabulous job, and if anyone is around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer story, see Progent's Ryuk Virus Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Available from Progent
Progent offers companies in St. Louis a range of online monitoring and security evaluation services designed to minimize your exposure to crypto-ransomware. These services use next-generation AI technology to detect new variants of ransomware that escape detection by legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes cutting edge behavior-based machine learning tools to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely evade legacy signature-matching anti-virus tools. ProSight Active Security Monitoring protects local and cloud-based resources and provides a single platform to address the entire threat progression including protection, infiltration detection, mitigation, cleanup, and forensics. Top capabilities include one-click rollback with Windows VSS and automatic network-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable in-depth protection for physical servers and VMs, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and response to security attacks from all vectors. ProSight ESP delivers firewall protection, intrusion alarms, endpoint control, and web filtering through cutting-edge technologies packaged within one agent managed from a single console. Progent's data protection and virtualization experts can help your business plan and implement a ProSight ESP deployment that addresses your company's specific needs and allows you to demonstrate compliance with legal and industry information security standards. Progent will assist you in specifying and implementing the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for urgent action. Progent can also assist your company to install and test a backup and disaster recovery solution like ProSight Data Protection Services so you can recover rapidly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has partnered with leading backup technology providers to create ProSight Data Protection Services, a family of subscription-based management outsourcing plans that deliver backup-as-a-service. ProSight DPS services automate and track your data backup processes and enable transparent backup and rapid recovery of important files/folders, apps, system images, plus VMs. ProSight DPS lets you protect against data loss resulting from equipment breakdown, natural calamities, fire, malware like ransomware, user error, ill-intentioned employees, or software glitches. Managed backup services in the ProSight Data Protection Services portfolio include ProSight Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can assist you to determine which of these managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading data security companies to provide web-based control and comprehensive protection for all your email traffic. The Email Guard managed service combines a Cloud Protection Layer with a local gateway appliance to offer complete protection against spam, viruses, Denial of Service attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's cloud filter acts as a preliminary barricade and blocks the vast majority of threats before they reach your security perimeter. This reduces your exposure to inbound threats and saves system bandwidth and storage. Email Guard's onsite gateway appliance adds a further layer of inspection for incoming email. For outbound email, the onsite gateway provides AV and anti-spam protection, DLP, and email encryption. The local gateway can also assist Exchange Server to track and safeguard internal email that originates and ends within your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller businesses to diagram, monitor, reconfigure and debug their connectivity appliances like switches, firewalls, and access points plus servers, printers, client computers and other devices. Using cutting-edge RMM technology, WAN Watch makes sure that infrastructure topology maps are kept updated, captures and displays the configuration information of almost all devices connected to your network, tracks performance, and generates alerts when issues are detected. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can knock hours off ordinary chores such as network mapping, reconfiguring your network, finding appliances that require important software patches, or isolating performance problems. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management techniques to help keep your network running at peak levels by checking the state of the vital assets that power your business network. When ProSight LAN Watch detects a problem, an alert is sent immediately to your specified IT management personnel and your Progent engineering consultant so any potential problems can be addressed before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host set up and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the applications. Because the system is virtualized, it can be moved easily to a different hardware environment without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, find and protect data related to your network infrastructure, processes, applications, and services. You can quickly locate passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can save up to half the time wasted searching for vital information about your IT network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents related to managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're planning enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need the instant you need it. Read more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection service that utilizes next-generation behavior-based analysis tools to defend endpoint devices and physical and virtual servers against modern malware attacks such as ransomware and email phishing, which routinely get by traditional signature-based AV tools. Progent Active Security Monitoring services safeguard local and cloud-based resources and provide a single platform to automate the complete malware attack progression including blocking, detection, containment, cleanup, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against new threats. Read more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Call Center: Call Center Managed Services
    Progent's Call Center managed services permit your IT staff to outsource Support Desk services to Progent or split responsibilities for Service Desk support transparently between your in-house network support staff and Progent's nationwide roster of IT support technicians, engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a transparent supplement to your in-house IT support team. Client access to the Service Desk, delivery of support, escalation, ticket generation and updates, efficiency metrics, and maintenance of the support database are cohesive whether incidents are taken care of by your corporate network support group, by Progent's team, or a mix of the two. Read more about Progent's outsourced/shared Call Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management offer businesses of any size a flexible and cost-effective solution for assessing, validating, scheduling, applying, and tracking updates to your dynamic IT system. Besides maximizing the security and functionality of your computer network, Progent's software/firmware update management services permit your IT team to focus on line-of-business projects and activities that deliver maximum business value from your network. Learn more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo MFA services utilize Cisco's Duo cloud technology to protect against stolen passwords by using two-factor authentication. Duo enables one-tap identity confirmation on Apple iOS, Android, and other out-of-band devices. With 2FA, when you sign into a secured online account and give your password, you are asked to verify your identity on a device that only you have and that uses a different ("out-of-band") network channel. A broad selection of out-of-band devices can be used for this added means of identity validation, such as a smartphone or watch, a hardware or software token, or a landline phone. You can register several verification devices. For details about Duo two-factor identity authentication services, go to Cisco Duo MFA two-factor authentication services for access security.

For St. Louis 24-7 Ransomware Cleanup Services, reach out to Progent at 800-462-8800 or go to Contact Progent.