Crypto-Ransomware : Your Worst Information Technology Nightmare
Ransomware  Remediation ExpertsCrypto-Ransomware has become a too-frequent cyber pandemic that represents an existential danger for organizations poorly prepared for an attack. Multiple generations of ransomware like the Reveton, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for years and continue to inflict havoc. The latest versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, along with additional unnamed newcomers, not only encrypt on-line data but also infiltrate any available system protection. Data synched to the cloud can also be ransomed. In a poorly architected environment, this can render any restore operations impossible and basically knocks the entire system back to square one.

Getting back services and data following a ransomware outage becomes a race against the clock as the targeted business struggles to stop lateral movement and remove the ransomware and to resume mission-critical activity. Because ransomware takes time to spread, penetrations are frequently launched at night, when successful attacks typically take more time to recognize. This compounds the difficulty of promptly assembling and orchestrating an experienced response team.

Progent has an assortment of solutions for protecting enterprises from ransomware attacks. These include staff training to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of the latest generation security solutions with machine learning technology to automatically detect and disable new threats. Progent also can provide the services of veteran ransomware recovery consultants with the talent and perseverance to reconstruct a breached network as soon as possible.

Progent's Ransomware Recovery Services
After a ransomware penetration, sending the ransom demands in cryptocurrency does not ensure that criminal gangs will respond with the needed codes to decipher any of your files. Kaspersky Labs determined that seventeen percent of ransomware victims never restored their files even after having sent off the ransom, resulting in increased losses. The risk is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the average ransomware demands, which ZDNET estimates to be approximately $13,000. The other path is to setup from scratch the essential components of your IT environment. Without the availability of full data backups, this calls for a wide complement of skill sets, top notch team management, and the capability to work non-stop until the job is completed.

For twenty years, Progent has made available certified expert Information Technology services for businesses in Edmonton and throughout the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have earned top industry certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have garnered internationally-recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent also has expertise with financial management and ERP applications. This breadth of experience provides Progent the capability to quickly identify critical systems and integrate the surviving components of your IT environment following a ransomware event and configure them into an operational system.

Progent's ransomware team uses best of breed project management tools to orchestrate the sophisticated recovery process. Progent appreciates the urgency of acting quickly and in concert with a customerís management and IT resources to prioritize tasks and to put the most important services back on line as fast as humanly possible.

Client Story: A Successful Crypto-Ransomware Intrusion Response
A client hired Progent after their organization was crashed by Ryuk ransomware. Ryuk is thought to have been developed by North Korean government sponsored cybercriminals, suspected of adopting strategies exposed from the United States NSA organization. Ryuk targets specific organizations with little or no room for disruption and is one of the most profitable iterations of ransomware malware. High publicized targets include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in Chicago and has about 500 workers. The Ryuk attack had frozen all essential operations and manufacturing processes. Most of the client's data protection had been on-line at the beginning of the intrusion and were damaged. The client was pursuing financing for paying the ransom (exceeding $200,000) and praying for good luck, but in the end called Progent.


"I canít tell you enough about the support Progent provided us throughout the most fearful period of (our) companyís survival. We would have paid the cyber criminals except for the confidence the Progent team afforded us. The fact that you could get our e-mail system and critical applications back on-line sooner than five days was something I thought impossible. Each staff member I interacted with or communicated with at Progent was amazingly focused on getting our company operational and was working at all hours to bail us out."

Progent worked hand in hand the customer to quickly determine and prioritize the mission critical services that had to be recovered in order to resume company operations:

  • Active Directory (AD)
  • Microsoft Exchange Email
  • Accounting/MRP
To begin, Progent followed Anti-virus event mitigation industry best practices by isolating and removing active viruses. Progent then began the work of rebuilding Windows Active Directory, the heart of enterprise systems built upon Microsoft Windows Server technology. Microsoft Exchange email will not work without Active Directory, and the client's MRP software used SQL Server, which requires Active Directory for authentication to the data.

Within two days, Progent was able to recover Active Directory services to its pre-attack state. Progent then assisted with setup and hard drive recovery of needed systems. All Microsoft Exchange Server schema and attributes were usable, which greatly helped the restore of Exchange. Progent was also able to locate non-encrypted OST data files (Microsoft Outlook Off-Line Data Files) on team workstations in order to recover email information. A recent off-line backup of the customerís manufacturing systems made it possible to restore these vital programs back on-line. Although major work needed to be completed to recover totally from the Ryuk attack, critical systems were recovered quickly:


"For the most part, the production operation survived unscathed and we made all customer shipments."

Throughout the following few weeks important milestones in the restoration project were completed in tight cooperation between Progent engineers and the customer:

  • Internal web applications were returned to operation without losing any data.
  • The MailStore Server exceeding four million historical emails was brought online and available for users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control functions were 100% restored.
  • A new Palo Alto 850 security appliance was set up.
  • Most of the desktops and laptops were operational.

"So much of what went on during the initial response is nearly entirely a haze for me, but we will not soon forget the dedication each and every one of you accomplished to help get our business back. Iíve trusted Progent for the past 10 years, possibly more, and every time I needed help Progent has come through and delivered as promised. This event was the most impressive ever."

Conclusion
A likely business catastrophe was averted by hard-working experts, a wide range of technical expertise, and close teamwork. Although upon completion of forensics the ransomware penetration detailed here could have been blocked with modern cyber security systems and ISO/IEC 27001 best practices, user and IT administrator training, and appropriate security procedures for data backup and applying software patches, the reality remains that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a ransomware penetration, remember that Progent's roster of experts has proven experience in crypto-ransomware virus defense, removal, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were contributing), Iím grateful for letting me get rested after we made it over the most critical parts. Everyone did an fabulous job, and if any of your team is in the Chicago area, a great meal is my treat!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Edmonton a variety of online monitoring and security assessment services to assist you to reduce the threat from ransomware. These services incorporate next-generation artificial intelligence capability to uncover new strains of crypto-ransomware that can escape detection by legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates cutting edge behavior-based analysis tools to defend physical and virtual endpoints against new malware assaults like ransomware and email phishing, which easily evade legacy signature-matching anti-virus products. ProSight ASM protects local and cloud resources and offers a single platform to manage the entire malware attack lifecycle including blocking, identification, containment, cleanup, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer security for physical and virtual servers, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and responding to cyber assaults from all vectors. ProSight ESP provides two-way firewall protection, penetration alerts, device control, and web filtering via cutting-edge technologies packaged within one agent accessible from a single control. Progent's security and virtualization consultants can assist your business to plan and configure a ProSight ESP environment that addresses your organization's specific requirements and that allows you achieve and demonstrate compliance with legal and industry information protection standards. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for urgent attention. Progent's consultants can also help your company to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized organizations an affordable end-to-end service for secure backup/disaster recovery (BDR). Available at a fixed monthly price, ProSight Data Protection Services automates your backup activities and enables fast restoration of vital files, applications and VMs that have become lost or damaged as a result of hardware failures, software glitches, disasters, human error, or malicious attacks like ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware images/. Important data can be backed up on the cloud, to a local device, or mirrored to both. Progent's cloud backup consultants can provide world-class expertise to set up ProSight Data Protection Services to be compliant with government and industry regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can assist you to restore your critical data. Find out more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of leading information security vendors to provide centralized control and world-class protection for all your email traffic. The hybrid structure of Email Guard integrates cloud-based filtering with an on-premises security gateway appliance to provide advanced defense against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-based malware. The Cloud Protection Layer serves as a preliminary barricade and blocks most unwanted email from reaching your security perimeter. This decreases your vulnerability to external threats and conserves network bandwidth and storage. Email Guard's onsite security gateway device provides a further level of inspection for inbound email. For outbound email, the onsite gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Exchange Server to track and safeguard internal email traffic that originates and ends inside your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to diagram, monitor, optimize and debug their networking appliances like switches, firewalls, and wireless controllers plus servers, printers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that network diagrams are always current, copies and displays the configuration information of almost all devices connected to your network, tracks performance, and sends notices when issues are detected. By automating tedious management activities, WAN Watch can knock hours off ordinary chores like network mapping, reconfiguring your network, finding appliances that require critical updates, or identifying the cause of performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that uses advanced remote monitoring and management technology to keep your network running at peak levels by tracking the health of critical computers that drive your information system. When ProSight LAN Watch detects a problem, an alarm is sent immediately to your designated IT management staff and your assigned Progent engineering consultant so that all looming problems can be resolved before they can impact your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual host configured and managed by Progent's IT support experts. With Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the applications. Since the environment is virtualized, it can be moved immediately to an alternate hosting environment without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not tied a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard information about your IT infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates ,domains or warranties. By updating and organizing your IT documentation, you can eliminate as much as 50% of time spent searching for critical information about your network. ProSight IT Asset Management includes a common location for storing and sharing all documents required for managing your business network such as standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether youíre making improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you need when you need it. Read more about ProSight IT Asset Management service.
For Edmonton 24x7x365 Crypto-Ransomware Repair Help, contact Progent at 800-993-9400 or go to Contact Progent.