Crypto-Ransomware : Your Crippling Information Technology Nightmare
Ransomware  Remediation ConsultantsRansomware has become a too-frequent cyberplague that presents an enterprise-level danger for businesses of all sizes unprepared for an assault. Multiple generations of ransomware like the Reveton, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for years and still cause damage. Recent versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, as well as daily unnamed malware, not only encrypt online critical data but also infect most accessible system protection. Files synchronized to the cloud can also be corrupted. In a vulnerable environment, it can make any restore operations impossible and effectively sets the entire system back to zero.

Recovering programs and data after a ransomware event becomes a race against time as the targeted organization fights to stop lateral movement and clear the ransomware and to restore mission-critical activity. Since crypto-ransomware requires time to move laterally, penetrations are often launched during nights and weekends, when successful attacks are likely to take more time to notice. This multiplies the difficulty of promptly marshalling and orchestrating an experienced mitigation team.

Progent offers a range of support services for protecting enterprises from ransomware events. Among these are team member training to become familiar with and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of next-generation security appliances with artificial intelligence capabilities to quickly detect and suppress day-zero cyber threats. Progent in addition can provide the assistance of expert ransomware recovery professionals with the talent and commitment to restore a compromised environment as soon as possible.

Progent's Ransomware Recovery Services
After a ransomware event, even paying the ransom in Bitcoin cryptocurrency does not guarantee that criminal gangs will provide the needed codes to unencrypt any or all of your data. Kaspersky ascertained that 17% of crypto-ransomware victims never restored their files after having sent off the ransom, resulting in additional losses. The risk is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the average ransomware demands, which ZDNET determined to be around $13,000. The alternative is to setup from scratch the critical elements of your IT environment. Absent access to essential information backups, this calls for a wide range of IT skills, top notch project management, and the willingness to work non-stop until the job is complete.

For two decades, Progent has provided expert IT services for businesses in Downers Grove and across the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have attained top certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have garnered internationally-recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications). Progent in addition has expertise with financial systems and ERP application software. This breadth of experience affords Progent the skills to knowledgably determine critical systems and re-organize the remaining parts of your IT system after a ransomware event and assemble them into an operational network.

Progent's ransomware team of experts utilizes best of breed project management systems to orchestrate the complicated recovery process. Progent understands the importance of working rapidly and in unison with a customerís management and Information Technology team members to assign priority to tasks and to put essential systems back on line as soon as possible.

Case Study: A Successful Crypto-Ransomware Attack Response
A client engaged Progent after their network was crashed by Ryuk ransomware. Ryuk is thought to have been created by Northern Korean state cybercriminals, suspected of adopting technology leaked from the United States NSA organization. Ryuk seeks specific companies with little or no ability to sustain operational disruption and is one of the most lucrative iterations of ransomware malware. High publicized targets include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in Chicago and has about 500 workers. The Ryuk penetration had brought down all business operations and manufacturing capabilities. The majority of the client's system backups had been online at the start of the intrusion and were eventually encrypted. The client considered paying the ransom demand (more than $200K) and hoping for good luck, but in the end utilized Progent.


"I cannot tell you enough in regards to the care Progent provided us during the most critical period of (our) companyís existence. We would have paid the hackers behind this attack if it wasnít for the confidence the Progent team afforded us. The fact that you could get our e-mail and key applications back quicker than 1 week was beyond my wildest dreams. Every single expert I got help from or communicated with at Progent was laser focused on getting us operational and was working non-stop on our behalf."

Progent worked with the customer to rapidly determine and assign priority to the critical areas that had to be addressed to make it possible to continue business functions:

  • Windows Active Directory
  • Microsoft Exchange Email
  • Accounting/MRP
To start, Progent adhered to ransomware penetration mitigation industry best practices by halting lateral movement and performing virus removal steps. Progent then began the task of bringing back online Active Directory, the heart of enterprise environments built upon Microsoft technology. Microsoft Exchange Server email will not function without Windows AD, and the customerís MRP applications utilized Microsoft SQL Server, which needs Windows AD for security authorization to the data.

In less than 48 hours, Progent was able to restore Active Directory to its pre-attack state. Progent then helped perform setup and storage recovery on the most important applications. All Exchange Server schema and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was able to find intact OST files (Microsoft Outlook Off-Line Folder Files) on staff PCs and laptops to recover mail data. A not too old off-line backup of the customerís accounting/ERP systems made them able to return these essential applications back servicing users. Although major work was left to recover completely from the Ryuk attack, critical services were recovered rapidly:


"For the most part, the assembly line operation did not miss a beat and we did not miss any customer shipments."

Over the next month important milestones in the restoration process were achieved through close collaboration between Progent consultants and the client:

  • Internal web sites were brought back up without losing any information.
  • The MailStore Microsoft Exchange Server containing more than 4 million historical messages was restored to operations and available for users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory modules were 100 percent operational.
  • A new Palo Alto 850 security appliance was installed.
  • Most of the user PCs were fully operational.

"A lot of what happened that first week is mostly a blur for me, but we will not forget the commitment each of the team accomplished to help get our company back. I have entrusted Progent for the past ten years, maybe more, and each time Progent has outperformed my expectations and delivered as promised. This time was no exception but maybe more Herculean."

Conclusion
A potential business disaster was avoided with dedicated professionals, a broad spectrum of technical expertise, and tight collaboration. Although in hindsight the crypto-ransomware incident detailed here should have been shut down with advanced cyber security solutions and best practices, staff training, and well designed incident response procedures for data backup and proper patching controls, the reality is that government-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware attack, feel confident that Progent's roster of experts has proven experience in ransomware virus defense, mitigation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were helping), Iím grateful for letting me get rested after we made it through the first week. Everyone did an fabulous job, and if any of your guys is around the Chicago area, dinner is on me!"

To review or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Downers Grove a portfolio of online monitoring and security evaluation services designed to assist you to reduce your vulnerability to crypto-ransomware. These services include next-generation AI technology to detect zero-day strains of ransomware that are able to escape detection by legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes next generation behavior machine learning technology to guard physical and virtual endpoint devices against new malware assaults such as ransomware and email phishing, which routinely evade legacy signature-matching AV tools. ProSight Active Security Monitoring protects local and cloud-based resources and provides a unified platform to automate the entire threat lifecycle including filtering, identification, containment, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services deliver ultra-affordable multi-layer protection for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and responding to cyber assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alerts, device control, and web filtering through cutting-edge tools incorporated within one agent accessible from a single control. Progent's security and virtualization experts can assist your business to design and implement a ProSight ESP environment that addresses your company's unique requirements and that helps you prove compliance with legal and industry data protection standards. Progent will assist you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require immediate attention. Progent can also assist your company to install and verify a backup and disaster recovery system like ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and mid-sized organizations a low cost end-to-end service for secure backup/disaster recovery (BDR). For a fixed monthly cost, ProSight DPS automates your backup activities and enables fast restoration of vital data, applications and virtual machines that have become unavailable or damaged due to hardware failures, software glitches, natural disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware images/. Critical data can be protected on the cloud, to a local storage device, or mirrored to both. Progent's backup and recovery specialists can deliver world-class expertise to set up ProSight Data Protection Services to be compliant with government and industry regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can assist you to recover your critical information. Learn more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of top information security vendors to provide centralized management and comprehensive security for all your email traffic. The hybrid structure of Email Guard managed service combines a Cloud Protection Layer with a local gateway device to offer complete defense against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and blocks most unwanted email from making it to your security perimeter. This reduces your exposure to inbound attacks and conserves network bandwidth and storage space. Email Guard's onsite gateway appliance provides a further layer of inspection for incoming email. For outgoing email, the on-premises gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that stays inside your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller businesses to map, track, reconfigure and troubleshoot their connectivity hardware such as switches, firewalls, and load balancers as well as servers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology maps are always updated, copies and manages the configuration information of almost all devices on your network, monitors performance, and generates notices when problems are detected. By automating tedious management activities, WAN Watch can knock hours off common tasks like making network diagrams, reconfiguring your network, locating appliances that require critical software patches, or resolving performance problems. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) technology to help keep your network running at peak levels by checking the health of vital computers that drive your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your designated IT management staff and your Progent consultant so any potential issues can be resolved before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host configured and maintained by Progent's network support experts. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the apps. Since the system is virtualized, it can be moved immediately to a different hosting solution without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, find and protect data about your network infrastructure, processes, applications, and services. You can quickly locate passwords or IP addresses and be alerted about upcoming expirations of SSLs ,domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can save as much as half of time wasted looking for vital information about your IT network. ProSight IT Asset Management includes a common location for storing and sharing all documents related to managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether youíre making improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.
For 24-Hour Downers Grove Crypto-Ransomware Remediation Consulting, call Progent at 800-993-9400 or go to Contact Progent.