Crypto-Ransomware : Your Worst Information Technology Nightmare
Crypto-Ransomware Remediation Consultants

Ransomware has become an escalating cyber pandemic that poses an enterprise-level danger to any organization exposed to an attack. Multiple generations of ransomware such as Reveton, WannaCry, Locky, NotPetya and MongoLock have been circulating for years and still cause harm. Newer crypto-ransomware variants such as Ryuk (which shares code with the earlier Hermes ransomware), along with a steady stream of unnamed strains, not only encrypt critical on-line data but also seek out and destroy any restore points and backups that are reachable from the compromised systems. Replication to off-site disaster recovery sites can then faithfully copy the encrypted files over the good ones. In a poorly designed environment this makes automated restore hopeless and effectively knocks the datacenter back to zero.

Restoring applications and data after a crypto-ransomware intrusion becomes a race against the clock as the targeted business tries to contain the damage, eradicate the ransomware, and resume business-critical operations. Because encrypting a large file estate takes time, attacks are often launched at night or over a weekend, when a successful attack can run for hours before anyone notices. This compounds the difficulty of quickly mobilizing and coordinating a knowledgeable mitigation team.
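The pattern described above (one process renaming files in bulk to a single new extension, typically outside business hours) can be picked up from file-server audit events well before every share is encrypted. The script below is an added Python example written for this page; it is not code from Progent or any of its products. The key=value event format, the host, user and process names, and the `.locked` extension are constructed placeholders rather than indicators of any specific ransomware family, and the business-hours window is assumed to be 06:00 to 20:00 in the time zone of the timestamps.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# One audit event per line in a constructed key=value format (assumption: a real
# deployment would feed this from file-server object-access auditing or an EDR).
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) "
    r"op=(?P<op>\S+) path=(?P<path>\S+)(?: newpath=(?P<newpath>\S+))?$"
)


def parse_event(line):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return e


def ext_of(path):
    """Lower-cased final extension of a Windows/UNC path, '' if there is none."""
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def is_off_hours(ts, day_start=6, day_end=20):
    """Assumed business hours are 06:00-20:00 in the log's time zone."""
    return ts.hour < day_start or ts.hour >= day_end


def detect_encryption_bursts(lines, window_seconds=60, min_renames=20, max_distinct_ext=2):
    """Flag (host, user, process) tuples that rename at least min_renames files to a
    different extension inside a sliding window, using at most max_distinct_ext target
    extensions. Bulk renames to one extension are the signature of an encryptor; ordinary
    users rename a few files, and Office temp-file saves keep the extension unchanged."""
    events = sorted((e for e in map(parse_event, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # key -> (timestamp, new extension) inside the window
    total = defaultdict(int)      # key -> extension-changing renames seen so far
    alerts = {}
    for e in events:
        if e["op"] != "RENAME" or not e["newpath"]:
            continue
        new_ext = ext_of(e["newpath"])
        if new_ext == ext_of(e["path"]):
            continue                              # same extension: not an encryptor's rename
        key = (e["host"], e["user"], e["proc"])
        total[key] += 1
        q = recent[key]
        q.append((e["ts"], new_ext))
        while e["ts"] - q[0][0] > timedelta(seconds=window_seconds):
            q.popleft()                           # drop events that fell out of the window
        exts = {x for _, x in q}
        if len(q) < min_renames or len(exts) > max_distinct_ext:
            continue
        a = alerts.setdefault(key, {"host": key[0], "user": key[1], "process": key[2],
                                    "first_seen": q[0][0], "extensions": set(),
                                    "off_hours": False})
        a["last_seen"] = e["ts"]
        a["renames"] = total[key]
        a["extensions"] |= exts
        a["off_hours"] = a["off_hours"] or is_off_hours(e["ts"])
    return list(alerts.values())


def build_sample_events():
    """Constructed sample log: daytime Office activity, then a night-time burst."""
    day = [
        "2019-03-17T14:02:11Z host=FS01 user=CORP\\jdoe proc=WINWORD.EXE op=WRITE path=\\\\FS01\\Finance\\memo.docx",
        "2019-03-17T14:05:40Z host=FS01 user=CORP\\jdoe proc=EXCEL.EXE op=WRITE path=\\\\FS01\\Finance\\Q1.xlsx",
        "2019-03-17T14:06:02Z host=FS01 user=CORP\\jdoe proc=EXCEL.EXE op=RENAME path=\\\\FS01\\Finance\\~tmp1.xlsx newpath=\\\\FS01\\Finance\\Q1.xlsx",
        "2019-03-17T15:30:19Z host=FS01 user=CORP\\jdoe proc=EXPLORER.EXE op=RENAME path=\\\\FS01\\Finance\\notes.txt newpath=\\\\FS01\\Finance\\notes.md",
    ]
    # Night burst: a process run from a temp directory under the same account renames
    # one file per second, always to the same new extension (placeholder names).
    start = datetime(2019, 3, 18, 2, 13, 5, tzinfo=timezone.utc)
    night = []
    for i in range(25):
        ts = (start + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        src = f"\\\\FS01\\Finance\\doc{i:03d}.{'docx' if i % 2 else 'xlsx'}"
        night.append(f"{ts} host=FS01 user=CORP\\jdoe proc=C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe "
                     f"op=RENAME path={src} newpath={src}.locked")
    return day + night


if __name__ == "__main__":
    for a in detect_encryption_bursts(build_sample_events()):
        print(f"ALERT {a['host']} {a['user']} {a['process']}: {a['renames']} renames to "
              f"{sorted(a['extensions'])} between {a['first_seen']:%H:%M:%S} and "
              f"{a['last_seen']:%H:%M:%S}, off-hours={a['off_hours']}")
```

The thresholds are deliberately conservative: twenty extension-changing renames by one process inside a minute is far above what a person or an Office application produces, so the check stays quiet during the day and fires within the first minute of the night-time burst. In practice the alert would feed an automated response (disable the account, isolate the host, snapshot the share) rather than a morning report.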

Progent offers a range of services for protecting businesses from crypto-ransomware attacks. These include end-user training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for endpoint protection and remote monitoring and management, and deployment of next-generation security gateways with machine-learning capabilities that automatically detect and quarantine zero-day threats. Progent also offers the assistance of veteran crypto-ransomware recovery professionals with the skill and commitment to rebuild a compromised environment as urgently as possible.

Progent's Ransomware Recovery Support Services
After a crypto-ransomware attack, paying the ransom in cryptocurrency does not guarantee that the attackers will provide the keys to decrypt any of your data. Kaspersky Labs determined that seventeen percent of crypto-ransomware victims never recovered their files even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at around $13,000. The other path is to rebuild the critical elements of your IT environment from scratch. Without usable backups, this requires a broad complement of IT skills, professional project management, and the capacity to work around the clock until the job is done.

For two decades, Progent has provided expert IT services to businesses in Durham and throughout the US and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold high-level certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security engineers hold internationally recognized certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise in accounting and ERP application software. This breadth of experience lets Progent quickly understand critical systems, salvage the surviving pieces of your IT environment after a ransomware attack, and reassemble them into a working system.

Progent's ransomware recovery team uses project management tools to coordinate the complex restoration process. Progent understands the importance of working quickly and closely with a client's management and IT staff to prioritize tasks and bring key services back on-line as soon as possible.

Customer Case Study: A Successful Ryuk Ransomware Recovery
A business escalated to Progent after its network was penetrated by Ryuk ransomware. Ryuk was at first attributed to North Korean state-sponsored hackers because it shares code with the earlier Hermes ransomware; later analysis linked it to a Russian-speaking criminal group. Ryuk is deployed selectively against organizations with little tolerance for operational disruption and is among the most profitable ransomware families. Publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing company in the Chicago area with about 500 employees. The Ryuk intrusion had halted all company operations and production. Most of the client's backups were directly accessible from the network at the time of the attack and were destroyed. The client was arranging financing to pay the ransom (more than $200,000) and hoping for the best, but in the end called Progent instead.


"I can't thank you enough for the support Progent gave us during the most critical period of (our) business's life. We may have had to pay the cyber criminals behind the attack if not for the confidence the Progent experts provided us. That you could get our messaging and essential applications back on-line in less than five days was amazing. Each consultant I got help from or messaged at Progent was urgently focused on getting my company operational and was working all day and night on our behalf."

Progent worked with the customer to rapidly assess and prioritize the key areas that had to be addressed in order to restart departmental operations:

  • Active Directory (AD)
  • Electronic Messaging
  • Financials/MRP

To begin, Progent followed malware incident response best practice: isolating affected systems to halt lateral movement and cleaning infected hosts. Progent then started rebuilding Windows Active Directory, the core technology of enterprise environments built on Microsoft Windows. Microsoft Exchange will not function without AD, and the client's financials and MRP applications ran on Microsoft SQL Server, which relied on AD (Windows authentication) to control access to the data.

In less than 48 hours, Progent rebuilt Active Directory to its pre-intrusion state. Progent then began rebuilding critical systems and recovering their storage. All Exchange data and configuration information were intact, which simplified the Exchange rebuild. Progent was also able to collect unencrypted OST files (Outlook Offline Folder Files) from user desktops to recover mail messages. A reasonably recent off-line backup of the customer's financials/MRP systems made it possible to bring these essential applications back into service. Although substantial work remained to recover fully from Ryuk, core systems were restored quickly:


"For the most part, the production operation survived unscathed and we produced all customer sales."

Over the following month, key milestones in the restoration project were reached in close cooperation between Progent engineers and the customer:

  • Self-hosted web applications were restored without data loss.
  • The MailStore archive of Exchange mail, holding more than four million historical messages, was brought back on-line and made accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivable (AR)/Inventory Control capabilities were fully recovered.
  • A new Palo Alto PA-850 firewall was deployed.
  • Nearly all user workstations were back in operation.

"A huge amount of what went on that first week is mostly a fog for me, but I will not forget the care each and every one of you accomplished to help get our business back. I've been working with Progent for the past ten years, possibly more, and every time Progent has impressed me and delivered as promised. This event was a Herculean accomplishment."

Conclusion
A likely business-ending disaster was averted by results-oriented professionals, a broad range of subject matter expertise, and close collaboration. In retrospect, the crypto-ransomware attack described here should have been detected and stopped by current security technology, security best practices, user education, disciplined backup and patching procedures, and a tested incident response plan. The fact remains that state-sponsored and criminal attackers operating from Russia, China, North Korea and elsewhere are relentless and will keep trying. If you do fall victim to a ransomware attack, remember that Progent's roster of professionals has a proven track record in ransomware prevention, remediation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for letting me get some sleep after we made it over the first week. Everyone did an impressive effort, and if anyone is around the Chicago area, a great meal is my treat!"

To review or download a PDF version of this case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Durham a portfolio of remote monitoring and security assessment services designed to help you minimize the threat from crypto-ransomware. These services incorporate next-generation machine-learning capabilities to detect zero-day ransomware variants that evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that uses behavior-based machine learning to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely evade traditional signature-matching anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and offers a unified platform to address the complete malware attack progression including filtering, identification, mitigation, remediation, and post-attack forensics. Key features include one-click rollback with Windows VSS and automatic system-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer protection for physical servers and VMs, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and response to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint management, and web filtering through tools incorporated within a single agent and managed from a single console. Progent's data protection and virtualization experts can help your business plan and implement a ProSight ESP deployment that meets your company's specific requirements and that allows you to demonstrate compliance with legal and industry information security standards. Progent will help you specify and configure the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require immediate attention. Progent's consultants can also help your company set up and test a backup and restore system such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and mid-sized organizations with a low-cost end-to-end solution for secure backup and disaster recovery (BDR). Available at a fixed monthly price, ProSight Data Protection Services automates and monitors your backup activities and allows rapid restoration of critical data, applications and virtual machines that have been lost or corrupted as a result of component failures, software bugs, disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware images. Important data can be protected in the cloud, on a local storage device, or mirrored to both. Progent's backup and recovery consultants can deliver world-class expertise to set up ProSight DPS to comply with regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can help you recover your business-critical data. Read more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top information security companies to provide centralized management and comprehensive protection for your inbound and outbound email. The hybrid architecture of Progent's Email Guard combines cloud-based filtering with a local gateway device to offer advanced protection against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of unwanted email from reaching your network firewall. This reduces your exposure to external threats and conserves network bandwidth and storage space. Email Guard's on-site security gateway appliance adds a deeper layer of inspection for inbound email. For outbound email, the local security gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server monitor and protect internal email that stays inside your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller organizations to map, track, optimize and troubleshoot their networking hardware such as switches, firewalls, and wireless controllers as well as servers, client computers and other devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch ensures that network maps are always current, captures and displays the configuration of almost every device on your network, monitors performance, and sends alerts when issues are discovered. By automating time-consuming management and troubleshooting processes, WAN Watch can knock hours off ordinary tasks such as drawing network diagrams, expanding your network, finding devices that need critical software patches, or resolving performance problems. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to keep your network running efficiently by checking the state of the vital computers that power your business network. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your designated IT management staff and your Progent consultant so that looming problems can be addressed before they disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual host configured and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the apps. Because the system is virtualized, it can be ported easily to a different hosting environment without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is an IT infrastructure documentation management service that allows you to capture, update, find and protect data about your IT infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be warned automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your network documentation, you can recover as much as 50% of the time wasted hunting for vital information about your IT network. ProSight IT Asset Management provides a centralized location for storing and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether you're planning enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.

For 24/7/365 crypto-ransomware recovery consulting in Durham, call Progent at 800-993-9400 or go to Contact Progent.