Crypto-Ransomware : Your Worst IT Disaster
Crypto-Ransomware Remediation Consultants

Crypto-ransomware has become an all-too-frequent cyberplague that presents an enterprise-level threat to organizations poorly prepared for an attack. Long-running ransomware families such as CrySIS, Fusob, Locky, SamSam and MongoLock cryptoworms have been replicating for years and still cause havoc. More recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, along with as yet unnamed newcomers appearing daily, not only encrypt online files but also attack all configured system backups. Data synchronized to cloud environments can also be rendered useless. In a vulnerable environment, this makes automated restore operations impossible and effectively sets the entire system back to zero.

Restoring services and data after a ransomware intrusion becomes a race against time as the targeted business struggles to stop lateral movement, clean up the infection and restore business-critical activity. Because ransomware takes time to spread, attacks are frequently launched on weekends and at night, when a successful intrusion typically takes longer to notice. This multiplies the difficulty of promptly mobilizing and coordinating a knowledgeable response team.

Progent provides a variety of services for protecting businesses from ransomware attacks. Among these are user training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of the latest generation of AI-assisted security solutions from SentinelOne to detect and quarantine zero-day threats quickly. Progent can also provide seasoned crypto-ransomware recovery consultants with the skill and perseverance to rebuild a compromised system as urgently as possible.

Progent's Ransomware Restoration Services
After a crypto-ransomware attack, paying the ransom demanded in Bitcoin does not guarantee that merciless criminals will respond with the keys needed to decrypt all your files. Kaspersky determined that 17% of crypto-ransomware victims never recovered their files after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000), significantly higher than the typical ransomware demand, which ZDNET estimates at approximately $13,000. The alternative is to set up the essential elements of your IT environment from scratch. Without full data backups, this requires a wide complement of skills, top-notch project management, and the ability to work 24x7 until the recovery project is over.

For twenty years, Progent has provided certified expert Information Technology services to businesses in Vitória and across the United States and has achieved Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold high-level certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants hold internationally recognized industry certifications including CISA, CISSP, CRISC, and SANS GIAC (see Progent's certifications). Progent also has expertise in financial management and ERP application software. This breadth of experience gives Progent the ability to knowledgeably identify critical systems, reorganize the surviving parts of your network environment after a ransomware event, and configure them into an operational system.

Progent's ransomware team uses top-notch project management tools to orchestrate the complex recovery process. Progent understands the importance of working rapidly and in concert with a customer's management and IT staff to prioritize tasks and put the most important applications back online as fast as humanly possible.

Case Study: A Successful Ransomware Attack Restoration
A client contacted Progent after their network was penetrated by the Ryuk crypto-ransomware. Ryuk is generally considered to have been developed by North Korean state cybercriminals, suspected of adopting algorithms leaked from the US NSA. Ryuk targets specific organizations with limited tolerance for operational disruption and is among the most profitable ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company in the Chicago metro area with about 500 employees. The Ryuk attack had frozen all business operations and manufacturing processes. The majority of the client's data backups had been online at the time of the attack and were eventually encrypted. The client considered paying the ransom demand (exceeding $200,000) and hoping for the best, but ultimately engaged Progent.

"I can't thank you enough with regard to the support Progent gave us during the most critical time of (our) business's survival. We would have paid the cybercriminals except for the confidence the Progent group gave us. The fact that you were able to get our e-mail and important applications back into operation in less than five days was incredible. Each expert I talked with or e-mailed at Progent was laser focused on getting us working again and was working 24 by 7 to bail us out."

Progent worked with the client to quickly identify and prioritize the key areas that had to be recovered to restart company operations:

  • Windows Active Directory
  • Email
  • Accounting and Manufacturing Software

To begin, Progent followed industry best practices for malware incident response by halting lateral movement and disinfecting systems. Progent then began restoring Microsoft Active Directory, the foundation of enterprise networks built on Microsoft technology: Microsoft Exchange Server email will not work without AD, and the client's MRP system used Microsoft SQL Server, which relies on Windows AD to authenticate and authorize access to the databases.

In less than 2 days, Progent rebuilt Active Directory to its pre-attack state. Progent then performed setup and hard drive recovery on essential servers. All Exchange Server schema and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to locate local OST files (Outlook Offline Folder files) on staff workstations to recover mail data. A recent offline backup of the client's accounting systems made it possible to bring these essential applications back online for users. Although a large amount of work remained to recover fully from the Ryuk attack, the most important services were recovered quickly:

"For the most part, the production manufacturing operation was never shut down and we did not miss any customer sales."

Over the next month, important milestones in the recovery project were achieved through close cooperation between Progent consultants and the customer:

  • Self-hosted web sites were returned to operation with no loss of data.
  • The MailStore Server with over 4 million historical emails was restored to operation and made available to users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory functions were fully restored.
  • A new Palo Alto 850 firewall was set up.
  • 90% of the user workstations were fully operational.

"A lot of what occurred that first week is mostly a haze for me, but my team will not soon forget the dedication each and every one of the team accomplished to help get our business back. I've trusted Progent for the past 10 years, maybe more, and each time I needed help Progent has shined and delivered. This event was a life saver."

Conclusion
A potential business-killing disaster was averted thanks to hard-working experts, a wide spectrum of knowledge, and tight teamwork. In hindsight, the ransomware penetration described here could have been identified and stopped with current security solutions and ISO/IEC 27001 best practices, staff education, and well-designed procedures for data backup and for keeping systems current with security patches. Nevertheless, state-sponsored hackers from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you are hit by a ransomware attack, remember that Progent's roster of experts has proven experience in ransomware defense, removal, and information systems disaster recovery.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for letting me get some sleep after we made it through the initial push. All of you made an incredible effort, and if anyone that helped is around the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this case study, click: Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Vitória a variety of remote monitoring and security evaluation services to help you minimize your exposure to ransomware. These services incorporate modern machine learning technology to uncover new strains of ransomware that can evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's next-generation behavioral machine learning tools to defend physical and virtual endpoint devices against new malware attacks such as ransomware and fileless exploits, which easily evade legacy signature-matching AV products. ProSight ASM safeguards on-premises and cloud-based resources and provides a single platform to manage the complete threat lifecycle including blocking, infiltration detection, mitigation, cleanup, and post-attack forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection services offer affordable multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and responding to cyber threats from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, endpoint control, and web filtering via cutting-edge tools incorporated within one agent accessible from a unified console. Progent's data protection and virtualization experts can help you design and implement a ProSight ESP deployment that addresses your company's unique needs and that helps you achieve and demonstrate compliance with legal and industry data protection regulations. Progent will help you define and implement the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require urgent action. Progent can also help you install and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has worked with advanced backup/restore software providers to produce ProSight Data Protection Services (DPS), a portfolio of subscription-based management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS services manage and monitor your data backup processes and enable non-disruptive backup and fast recovery of critical files/folders, apps, system images, plus virtual machines. ProSight DPS lets your business recover from data loss resulting from hardware breakdown, natural disasters, fire, cyber attacks like ransomware, human error, malicious employees, or software bugs. Managed services available in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight DPS ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can assist you to determine which of these fully managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading information security companies to deliver centralized management and comprehensive security for all your inbound and outbound email. The architecture of the Email Guard managed service combines cloud-based filtering with a local security gateway appliance to provide advanced defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's cloud filter serves as a first line of defense and blocks the vast majority of threats before they reach your security perimeter. This decreases your exposure to inbound attacks and saves network bandwidth and storage space. Email Guard's on-premises gateway device adds a further level of inspection for inbound email. For outbound email, the on-premises security gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also assist Exchange Server to monitor and protect internal email traffic that originates and ends within your corporate firewall. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller organizations to map out, track, reconfigure and troubleshoot their networking appliances such as switches, firewalls, and load balancers as well as servers, printers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are always updated, captures and manages the configuration of virtually all devices on your network, monitors performance, and sends alerts when problems are discovered. By automating time-consuming management processes, ProSight WAN Watch can cut hours off common chores such as network mapping, reconfiguring your network, locating appliances that need important updates, or resolving performance issues. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system operating efficiently by tracking the health of vital assets that power your information system. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your specified IT management personnel and your assigned Progent consultant so that any looming issues can be addressed before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual host configured and maintained by Progent's network support experts. With the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the apps. Because the environment is virtualized, it can be moved immediately to a different hardware solution without requiring a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, you are not tied to one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and safeguard data related to your network infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By updating and managing your IT infrastructure documentation, you can save as much as 50% of the time spent looking for vital information about your network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents related to managing your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're making improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection managed service that utilizes cutting-edge behavior-based machine learning tools to defend endpoints, servers and VMs against new malware attacks such as ransomware and fileless exploits, which routinely evade legacy signature-matching AV products. Progent Active Security Monitoring services safeguard on-premises and cloud resources and provide a unified platform to address the complete threat lifecycle including blocking, identification, mitigation, remediation, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Read more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Call Desk: Support Desk Managed Services
    Progent's Call Center services allow your IT group to outsource Call Center services to Progent or divide responsibilities for support services transparently between your in-house network support resources and Progent's nationwide pool of certified IT support technicians, engineers and subject matter experts. Progent's Co-managed Service Desk offers a transparent extension of your core support resources. User interaction with the Help Desk, provision of support, issue escalation, ticket creation and tracking, performance measurement, and management of the support database are consistent regardless of whether incidents are taken care of by your corporate network support staff, by Progent's team, or by a combination. Find out more about Progent's outsourced/co-managed Service Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management offer businesses of all sizes a versatile and affordable alternative for assessing, validating, scheduling, applying, and tracking software and firmware updates to your ever-evolving IT network. In addition to maximizing the security and functionality of your computer environment, Progent's patch management services allow your in-house IT team to focus on line-of-business projects and activities that deliver maximum business value from your information network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication services incorporate Cisco's Duo technology to defend against password theft by using two-factor authentication. Duo enables single-tap identity verification with Apple iOS, Android, and other out-of-band devices. With 2FA, whenever you sign into a secured application and enter your password, you are asked to confirm who you are via a device that only you possess and that uses a different network channel. A broad selection of devices can be used as this added means of identity validation, including an iPhone, Android phone or wearable, a hardware or software token, a landline phone, and so on. You can register several verification devices. To find out more about Duo two-factor identity authentication services, visit Cisco Duo MFA two-factor authentication (2FA) services.

For Vitória 24/7 Crypto-Ransomware Remediation Support Services, contact Progent at 800-462-8800 or go to Contact Progent.