Crypto-Ransomware : Your Worst IT Catastrophe
Ransomware has become an all-too-frequent cyber pandemic that represents an existential danger for businesses unprepared for an attack. Different versions of ransomware like the Reveton, WannaCry, Locky, SamSam and MongoLock cryptoworms have been circulating for years and continue to inflict destruction. Modern variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Nephilim, plus additional as yet unnamed newcomers, not only encrypt on-line critical data but also infiltrate all configured system backups. Files replicated to off-site disaster recovery sites can also be rendered useless. In a vulnerable environment, this can make automated restore operations hopeless and effectively set the entire system back to zero.
Retrieving programs and data following a crypto-ransomware attack becomes a sprint against time as the victim tries its best to stop the spread, remove the ransomware, and restore mission-critical activity. Because ransomware requires time to move laterally, assaults are frequently launched during nights and weekends, when penetrations are likely to take longer to identify. This multiplies the difficulty of promptly mobilizing and orchestrating a capable mitigation team.
Progent offers a range of solutions for protecting enterprises from crypto-ransomware events. Among these are team training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of next-generation security solutions with artificial intelligence technology to intelligently identify and extinguish zero-day cyber attacks. Progent also offers the assistance of experienced ransomware recovery professionals with the skills and perseverance to rebuild a compromised environment as quickly as possible.
Progent's Ransomware Recovery Help
Soon after a ransomware penetration, even paying the ransom in cryptocurrency provides no assurance that the criminal gangs will respond with the keys to decrypt any or all of your information. Kaspersky Labs determined that seventeen percent of ransomware victims never restored their data after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is greatly above the typical ransomware demand, which ZDNET estimates to be around $13,000. The alternative is to set up the vital parts of your IT environment from scratch. Without essential system backups, this requires a wide range of skill sets, top-notch team management, and the capability to work continuously until the recovery project is finished.
For decades, Progent has provided professional IT services for businesses in Skokie and across the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have been awarded advanced certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have earned internationally-recognized industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience with accounting and ERP software solutions. This breadth of experience gives Progent the skills to efficiently identify important systems, re-organize the remaining pieces of your computer network after a ransomware event, and assemble them into a functioning network.
Progent's recovery team has best-of-breed project management systems to orchestrate the complicated recovery process. Progent knows the importance of acting rapidly and together with a client's management and Information Technology resources to prioritize tasks and to get the most important systems back online as soon as possible.
Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A client contacted Progent after their organization was attacked by Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean government sponsored criminal gangs, suspected of using algorithms leaked from the U.S. National Security Agency. Ryuk targets specific businesses with limited tolerance for disruption and is one of the most profitable examples of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in the Chicago metro area with around 500 employees. The Ryuk attack had brought down all essential operations and manufacturing processes. Most of the client's system backups had been directly accessible at the start of the intrusion and were eventually encrypted. The client was evaluating paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately reached out to Progent.
"I can't tell you enough about the support Progent provided us during the most critical time of (our) company's life. We most likely would have paid the Hackers if it wasn't for the confidence the Progent group gave us. That you could get our e-mail and essential servers back on-line faster than five days was amazing. Every single expert I talked with or e-mailed at Progent was absolutely committed to getting us restored and was working at all hours on our behalf."
Progent worked together with the customer to rapidly assess and prioritize the essential applications that had to be recovered to make it possible to resume departmental operations:
To begin, Progent followed industry best practices for AV/malware incident mitigation by isolating systems and cleaning them of malware. Progent then initiated the work of rebuilding Active Directory, the heart of enterprise environments built on Microsoft Windows Server technology. Exchange email will not operate without Active Directory, and the customer's financials and MRP applications relied on Microsoft SQL Server, which needs Active Directory services for authentication to the database.
- Microsoft Active Directory
In less than 2 days, Progent was able to rebuild Active Directory services to their pre-penetration state. Progent then helped perform setup and hard drive recovery on critical applications. All Microsoft Exchange Server data and attributes were intact, which facilitated the rebuild of Exchange. Progent was able to collect non-encrypted OST files (Outlook offline folder files) from team desktop computers to recover email information. A fairly recent off-line backup of the customer's accounting/MRP software allowed these essential programs to be restored and made available to users again. Although a lot of work remained to recover fully from the Ryuk event, core services were returned to operation quickly:
"For the most part, the production manufacturing operation showed little impact and we produced all customer shipments."
During the next couple of weeks critical milestones in the restoration process were completed in tight cooperation between Progent engineers and the customer:
- Self-hosted web sites were restored with no loss of data.
- The MailStore archive for Microsoft Exchange Server, holding more than four million archived messages, was brought on-line and made accessible to users.
- CRM/Product Ordering/Invoicing/AP/AR/Inventory functions were completely restored.
- A new Palo Alto Networks 850 security appliance was set up and programmed.
- Most of the user workstations were fully operational.
"So much of what happened those first few days is mostly a haze for me, but my management will not forget the care all of you accomplished to help get our company back. I've entrusted Progent for the past 10 years, possibly more, and every time I needed help Progent has come through and delivered as promised. This time was the most impressive ever."
A potentially enterprise-killing catastrophe was averted by results-oriented experts, a wide array of technical expertise, and tight collaboration. Although in hindsight the ransomware attack described here could have been identified and disabled with advanced security technology and best practices, team education, and properly executed procedures for data backup and software patching, the reality remains that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a crypto-ransomware incident, be confident that Progent's roster of professionals has proven experience in ransomware blocking, mitigation, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were involved), thank you for allowing me to get rested after we made it over the initial fire. Everyone did a fabulous effort, and if anyone is in the Chicago area, dinner is on me!"
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers companies in Skokie a range of remote monitoring and security evaluation services to help you to reduce the threat from ransomware. These services utilize next-generation machine learning capability to detect new variants of crypto-ransomware that can evade legacy signature-based security solutions.
For Skokie 24-Hour Ransomware Recovery Consultants, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection service that utilizes cutting edge behavior machine learning tools to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and file-less exploits, which easily evade traditional signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a single platform to address the complete threat progression including blocking, infiltration detection, containment, remediation, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection managed services offer ultra-affordable multi-layer protection for physical and virtual servers, workstations, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and responding to cyber assaults from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge technologies packaged within one agent managed from a unified console. Progent's security and virtualization consultants can assist you to design and implement a ProSight ESP deployment that meets your company's specific needs and that helps you demonstrate compliance with legal and industry information security regulations. Progent will help you define and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that require immediate attention. Progent can also help your company to set up and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services provide small and medium-sized businesses an affordable end-to-end service for secure backup/disaster recovery (BDR). Available at a fixed monthly cost, ProSight DPS automates your backup activities and enables fast recovery of critical data, applications and virtual machines that have become unavailable or corrupted as a result of component breakdowns, software bugs, disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware images. Important data can be backed up to the cloud, to a local device, or to both. Progent's backup and recovery specialists can deliver world-class support to configure ProSight DPS to be compliant with regulatory requirements such as HIPAA, FINRA, and PCI and, when needed, can assist you to restore your business-critical data. Find out more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the technology of top data security vendors to provide web-based management and comprehensive protection for your email traffic. The hybrid structure of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway appliance to offer advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's cloud filter acts as a preliminary barricade and keeps the vast majority of unwanted email from making it to your network firewall. This reduces your exposure to inbound attacks and conserves network bandwidth and storage. Email Guard's onsite security gateway appliance provides a deeper layer of analysis for inbound email. For outbound email, the on-premises gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also assist Exchange Server to monitor and safeguard internal email that stays within your security perimeter. For more information, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized organizations to map, track, reconfigure and troubleshoot their connectivity appliances like routers, firewalls, and access points as well as servers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are always current, captures and displays the configuration of virtually all devices on your network, monitors performance, and generates alerts when potential issues are detected. By automating tedious management and troubleshooting activities, WAN Watch can knock hours off common tasks such as making network diagrams, expanding your network, finding appliances that require critical updates, or resolving performance problems. Learn more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management techniques to help keep your IT system running at peak levels by checking the health of the critical computers that power your information system. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your specified IT management staff and your assigned Progent engineering consultant so that any looming problems can be addressed before they can impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be ported easily to a different hosting environment without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and safeguard data about your network infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates or domains. By updating and managing your network documentation, you can save up to 50% of the time spent trying to find critical information about your IT network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents related to managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're planning improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you need as soon as you need it. Read more about ProSight IT Asset Management service.