Crypto-Ransomware : Your Crippling IT Catastrophe
Ransomware Remediation Experts
Ransomware has become an all-too-frequent cyber pandemic that represents an existential danger for businesses poorly prepared for an attack. Multiple generations of ransomware like the CrySIS, WannaCry, Locky, SamSam and MongoLock cryptoworms have been replicating for many years and still inflict damage. Recent strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, plus additional unnamed malware, not only encrypt online information but also infect any accessible system backups. Files replicated to the cloud can also be ransomed. In a poorly designed environment, this can render automated restore operations impossible and basically sets the datacenter back to square one.

Recovering services and information following a ransomware attack becomes a sprint against time as the targeted business struggles to contain and eradicate the malware and to resume mission-critical operations. Because ransomware takes time to spread, attacks are often launched on weekends and at night, when they are likely to take longer to detect. This compounds the difficulty of quickly marshalling and organizing a knowledgeable mitigation team.

Progent offers an assortment of solutions for securing organizations against ransomware penetrations. These include team member training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of next-generation security solutions with machine learning technology to automatically identify and suppress new cyber threats. Progent can also provide the services of experienced ransomware recovery professionals with the talent and perseverance to reconstruct a breached network as rapidly as possible.

Progent's Crypto-Ransomware Recovery Support Services
Following a ransomware event, paying the ransom in cryptocurrency does not guarantee that criminal gangs will return the keys needed to decrypt any of your information. Kaspersky Labs determined that seventeen percent of crypto-ransomware victims never recovered their files even after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far above the typical ransomware demand, which ZDNET determined to be approximately $13,000. The alternative is to re-install the essential elements of your Information Technology environment. Without access to full data backups, this calls for a broad complement of skill sets, well-coordinated team management, and the ability to work non-stop until the recovery project is done.

For decades, Progent has provided professional IT services for companies in Skokie and throughout the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have attained advanced industry certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have earned internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of expertise provides Progent the capability to quickly understand necessary systems and integrate the surviving components of your Information Technology system after a ransomware attack and rebuild them into an operational system.

Progent's ransomware group uses powerful project management systems to coordinate the sophisticated recovery process. Progent appreciates the importance of acting rapidly and in concert with a customer's management and Information Technology resources to prioritize tasks and to put key applications back on-line as soon as possible.

Customer Story: A Successful Ransomware Penetration Recovery
A customer sought out Progent after their organization was taken over by Ryuk crypto-ransomware. Ryuk is thought to have been deployed by North Korean government-sponsored criminal gangs, suspected of using techniques leaked from the United States National Security Agency. Ryuk attacks specific organizations with little ability to sustain operational disruption and is among the most profitable examples of ransomware malware. Major targets have included Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing company headquartered in Chicago with about 500 workers. The Ryuk penetration had disabled all essential operations and manufacturing capabilities. Most of the client's information backups had been on-line at the time of the intrusion and were encrypted. The client was evaluating paying the ransom (more than $200K) and hoping for the best, but ultimately reached out to Progent.


"I can't tell you enough about the support Progent provided us throughout the most stressful time of (our) company's life. We had little choice but to pay the cybercriminals except for the confidence the Progent experts afforded us. That you were able to get our e-mail system and key applications back sooner than five days was amazing. Each person I worked with or e-mailed at Progent was amazingly focused on getting us back online and was working 24/7 on our behalf."

Progent worked hand in hand with the client to rapidly understand and prioritize the key systems that had to be addressed to make it possible to resume departmental functions:

  • Active Directory
  • Email
  • Accounting/MRP
To begin, Progent adhered to anti-virus incident response industry best practices by halting the spread and cleaning up infected systems. Progent then initiated the work of recovering Windows Active Directory, the core of enterprise networks built on Microsoft technology. Exchange messaging will not operate without Windows AD, and the client's MRP applications used Microsoft SQL Server, which relies on Windows AD to authorize access to the databases.

In less than 2 days, Progent was able to re-build Windows Active Directory to its pre-intrusion state. Progent then initiated setup and storage recovery of the needed applications. All Exchange Server ties and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to collect intact OST files (Outlook offline data files) from team desktop computers to recover mail data. A fairly recent off-line backup of the business's accounting software made it possible to bring these vital applications back online. Although significant work still had to be done to recover totally from the Ryuk virus, critical systems were restored quickly:


"For the most part, the manufacturing operation did not miss a beat and we made all customer deliverables."

During the following month critical milestones in the restoration project were completed through tight collaboration between Progent consultants and the customer:

  • Self-hosted web applications were restored without losing any information.
  • The MailStore archive server for Microsoft Exchange, holding more than 4 million archived emails, was spun up and made accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory functions were 100 percent restored.
  • A new Palo Alto Networks 850 security appliance was set up and programmed.
  • Nearly all of the user workstations were fully operational.

"So much of what was accomplished those first few days is mostly a fog for me, but I will not soon forget the care all of you accomplished to help get our business back. I have trusted Progent for the past ten years, possibly more, and each time Progent has outperformed my expectations and delivered. This time was a life saver."

Conclusion
A likely business-killing disaster was averted by top-tier experts, a wide spectrum of technical expertise, and close collaboration. In retrospect, the ransomware incident described here should have been identified and prevented with modern security technology, security best practices, user training, and properly executed procedures for backup and patching. The fact remains, however, that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware incursion, you can be confident that Progent's roster of professionals has proven experience in crypto-ransomware blocking, removal, and data recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thanks very much for making it so I could get some sleep after we got past the initial fire. All of you did an incredible job, and if any of your team is visiting the Chicago area, dinner is on me!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Skokie a range of remote monitoring and security evaluation services designed to help you to reduce your vulnerability to ransomware. These services utilize next-generation AI technology to uncover new strains of ransomware that can get past legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that utilizes next generation behavior-based machine learning tools to defend physical and virtual endpoints against new malware assaults like ransomware and email phishing, which easily get by legacy signature-based anti-virus products. ProSight ASM safeguards local and cloud-based resources and provides a unified platform to address the entire malware attack progression including blocking, identification, mitigation, remediation, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable in-depth security for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and response to cyber threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, device control, and web filtering through cutting-edge tools packaged within one agent managed from a unified console. Progent's security and virtualization consultants can help you design and configure a ProSight ESP deployment that addresses your organization's specific requirements and that allows you to achieve and demonstrate compliance with government and industry information security standards. Progent will assist you in defining and configuring the policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that require immediate action. Progent can also assist your company to install and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business quickly after a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and medium-sized businesses a low-cost end-to-end service for reliable backup and disaster recovery. Available at a fixed monthly cost, ProSight DPS automates your backup activities and allows fast recovery of critical files, apps and VMs that have become lost or corrupted due to component breakdowns, software glitches, natural disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Critical data can be protected in the cloud, on an on-premises device, or mirrored to both. Progent's BDR consultants can provide advanced support to set up ProSight DPS to comply with government and industry regulatory standards such as HIPAA, FIRPA, PCI and Safe Harbor and, when necessary, can help you to restore your business-critical information. Read more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading information security vendors to deliver centralized control and world-class protection for your inbound and outbound email. The layered structure of Email Guard combines cloud-based filtering with a local security gateway device to provide complete defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne malware. The Cloud Protection Layer serves as a preliminary barricade and keeps the vast majority of unwanted email from ever reaching your network firewall. This reduces your exposure to external threats and saves network bandwidth and storage space. Email Guard's on-premises security gateway device provides a deeper layer of analysis for inbound email. For outbound email, the onsite gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server in monitoring and protecting internal email that originates and ends inside your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to map out, track, enhance and troubleshoot their connectivity hardware like routers and switches, firewalls, and wireless controllers plus servers, printers, client computers and other networked devices. Using cutting-edge RMM technology, WAN Watch makes sure that network diagrams are always current, captures and manages the configuration of virtually all devices on your network, tracks performance, and sends alerts when problems are discovered. By automating complex network management processes, ProSight WAN Watch can knock hours off common tasks such as network mapping, reconfiguring your network, locating devices that require critical software patches, or identifying the cause of performance problems. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to help keep your network operating at peak levels by tracking the state of critical assets that power your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your specified IT personnel and your Progent consultant so that any potential problems can be resolved before they can impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and managed by Progent's IT support experts. With the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be moved easily to an alternate hosting solution without requiring a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and protect information about your IT infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and organizing your IT documentation, you can eliminate up to 50% of the time wasted searching for vital information about your IT network. ProSight IT Asset Management features a common location for holding and sharing all documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're making enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you require when you need it. Find out more about Progent's ProSight IT Asset Management service.

For Skokie 24/7/365 Ransomware Remediation Help, contact Progent at 800-462-8800 or go to Contact Progent.