Crypto-Ransomware : Your Crippling Information Technology Disaster
Ransomware has become a modern cyber pandemic that represents an extinction-level danger for businesses of all sizes vulnerable to an assault. Different iterations of crypto-ransomware like the CrySIS, Fusob, Locky, Syskey and MongoLock cryptoworms have been circulating for many years and continue to inflict harm. Recent variants of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit or Egregor, along with new as yet unnamed strains appearing daily, not only encrypt on-line files but also corrupt any reachable system restore points and backups. Data replicated to the cloud can also be ransomed. In a poorly architected environment, this can render any restore operation impossible and effectively knocks the datacenter back to square one.
Recovering services and data after a ransomware attack becomes a sprint against the clock as the targeted business tries its best to contain the damage, clean up the ransomware and resume enterprise-critical activity. Because ransomware requires time to move laterally, intrusions are often launched on weekends and holidays, when they typically take longer to discover. This compounds the difficulty of quickly marshalling and orchestrating a knowledgeable mitigation team.
Progent has a range of support services for securing organizations from crypto-ransomware events. These include staff training to recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of next-generation security gateways with artificial intelligence technology to quickly detect and quarantine zero-day cyber attacks. Progent in addition provides the services of veteran ransomware recovery professionals with the skills and perseverance to re-deploy a compromised network as rapidly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware attack, even paying the ransom demand in cryptocurrency does not ensure that cyber criminals will provide the keys to decrypt any or all of your files. Kaspersky determined that 17% of crypto-ransomware victims never recovered their files even after having sent off the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the typical ransomware demand, which ZDNET estimates to be approximately $13,000. The fallback is to piece back together the vital components of your IT environment. Without the availability of complete data backups, this requires a broad range of skill sets, professional project management, and the ability to work non-stop until the job is complete.
For two decades, Progent has offered expert Information Technology services for companies in Durham and throughout the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have earned advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have garnered internationally-recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has experience in financial systems and ERP software solutions. This breadth of experience gives Progent the ability to quickly identify necessary systems and integrate the surviving components of your Information Technology environment after a crypto-ransomware attack and rebuild them into an operational network.
Progent's ransomware group has top-notch project management tools to coordinate the sophisticated restoration process. Progent understands the urgency of working swiftly and in unison with a client's management and Information Technology resources to assign priority to tasks and to get the most important systems back on-line as fast as humanly possible.
Customer Story: A Successful Ransomware Virus Response
A customer hired Progent after their network was taken over by Ryuk crypto-ransomware. Ryuk is generally considered to have been developed by North Korean government-sponsored hackers, suspected of adopting technology leaked from America's National Security Agency. Ryuk targets specific businesses with little or no tolerance for operational disruption and is one of the most lucrative instances of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business based in Chicago with around 500 staff members. The Ryuk intrusion had shut down all essential operations and manufacturing processes. The majority of the client's backups had been directly accessible from the network at the start of the attack and were damaged. The client was evaluating paying the ransom demand (more than $200,000) and praying for good luck, but in the end called Progent.
"I cannot tell you enough about the help Progent gave us during the most critical time of (our) company's life. We would have paid the Hackers if not for the confidence the Progent group provided us. The fact that you were able to get our e-mail system and key applications back online faster than seven days was beyond my wildest dreams. Each consultant I got help from or texted at Progent was urgently focused on getting us back online and was working day and night to bail us out."
Progent worked with the client to quickly identify and prioritize the key systems that had to be restored before departmental operations could restart:
- Microsoft Active Directory
- Exchange Server
- MRP System
To begin, Progent followed incident response industry best practices by containing the spread and cleaning up infected systems. Progent then began the work of rebuilding Active Directory, the core of enterprise systems built upon Microsoft Windows Server technology. Exchange messaging will not operate without Active Directory, and the client's accounting and MRP software relied on SQL Server, which needs Active Directory to authenticate access to the data.
In less than two days, Progent was able to restore Active Directory to its pre-intrusion state. Progent then assisted with reinstallations and storage recovery on critical servers. All Microsoft Exchange Server schema and attributes were usable, which accelerated the rebuild of Exchange. Progent was also able to collect local OST files (Outlook offline data files) from team workstations and laptops in order to recover email messages. A relatively recent offline backup of the customer's accounting software made it possible to bring these vital applications back online. Although major work remained to recover fully from the Ryuk attack, essential services were restored rapidly:
"For the most part, the production line operation was never shut down and we made all customer shipments."
Over the following few weeks important milestones in the recovery process were completed in tight cooperation between Progent consultants and the customer:
- In-house web sites were brought back up without losing any data.
- The MailStore Server holding more than four million archived messages was brought on-line and made accessible to users.
- CRM/Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory modules were fully functional.
- A new Palo Alto 850 security appliance was installed and configured.
- Most of the desktop computers were back in use by staff.
"Much of what transpired that first week is mostly a blur for me, but I will not forget the dedication all of you accomplished to help get our company back. I have entrusted Progent for the past 10 years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This situation was a testament to your capabilities."
A likely business extinction disaster was averted with dedicated experts, a wide spectrum of knowledge, and tight teamwork. Although in the post-mortem the ransomware incident detailed here could have been stopped with current security technology and security best practices, user training, and well-designed procedures for data backup and applying software patches, the reality is that government-sponsored cybercriminals from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware incursion, feel confident that Progent's roster of experts has extensive experience in crypto-ransomware virus defense, cleanup, and file restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thanks very much for letting me get some sleep after we made it over the initial push. All of you did an incredible effort, and if any of your team is visiting the Chicago area, a great meal is the least I can do!"
To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Durham a range of remote monitoring and security evaluation services to help you minimize the threat from ransomware. These services incorporate next-generation AI capability to uncover zero-day strains of ransomware that can escape detection by legacy signature-based anti-virus solutions.
For 24/7/365 Durham Crypto Removal Help, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes next-generation behavior analysis tools to defend physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which easily evade traditional signature-matching AV tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a single platform to address the complete malware attack progression including blocking, detection, mitigation, remediation, and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer security for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and reacting to security threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device control, and web filtering via cutting-edge technologies incorporated within one agent managed from a single console. Progent's data protection and virtualization experts can assist your business to plan and implement a ProSight ESP environment that addresses your company's unique needs and that allows you to prove compliance with legal and industry information protection regulations. Progent will help you specify and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that require urgent action. Progent's consultants can also help you to install and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business quickly after a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
Progent has worked with leading backup technology providers to create ProSight Data Protection Services (DPS), a portfolio of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS services automate and monitor your backup operations and enable transparent backup and fast restoration of important files/folders, applications, system images, and Hyper-V and VMware virtual machines. ProSight DPS lets you protect against data loss resulting from equipment failures, natural calamities, fire, cyber attacks like ransomware, human mistakes, ill-intentioned insiders, or software bugs. Managed backup services in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to determine which of these fully managed services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the technology of top data security vendors to provide centralized management and comprehensive protection for your inbound and outbound email. The hybrid architecture of Email Guard integrates a Cloud Protection Layer with an on-premises gateway appliance to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne threats. The cloud filter serves as a preliminary barricade and keeps most threats from reaching your network firewall. This reduces your vulnerability to inbound threats and conserves system bandwidth and storage space. Email Guard's onsite gateway device adds a further layer of analysis for inbound email. For outbound email, the on-premises gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Microsoft Exchange Server to monitor and safeguard internal email that stays inside your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to diagram, track, optimize and debug their connectivity appliances such as switches, firewalls, and load balancers as well as servers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are always updated, captures and manages the configuration information of almost all devices connected to your network, tracks performance, and generates alerts when potential issues are detected. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can cut hours off ordinary tasks like making network diagrams, expanding your network, finding appliances that need critical updates, or isolating performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to keep your IT system operating efficiently by checking the health of the critical computers that power your business network. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your designated IT personnel and your Progent engineering consultant so that potential problems can be addressed before they impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual machine host set up and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the applications. Since the environment is virtualized, it can be ported immediately to a different hosting environment without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, find and protect information about your IT infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be alerted about impending expirations of SSL certificates or warranties. By cleaning up and managing your network documentation, you can save as much as 50% of the time wasted searching for critical information about your network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents related to managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're planning improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you need as soon as you need it. Read more about ProSight IT Asset Management service.