Crypto-Ransomware : Your Worst Information Technology Disaster
Ransomware  Recovery ConsultantsRansomware has become a too-frequent cyberplague that poses an enterprise-level danger for businesses vulnerable to an assault. Multiple generations of crypto-ransomware such as CryptoLocker, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been around for many years and continue to inflict harm. The latest strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, plus daily as yet unnamed viruses, not only encrypt on-line critical data but also infect all available system backups. Files replicated to off-site disaster recovery sites can also be ransomed. In a poorly architected system, it can render automatic restoration hopeless and basically knocks the datacenter back to square one.

Restoring applications and data after a ransomware outage becomes a race against time as the victim struggles to stop the spread and remove the virus and to resume mission-critical operations. Since ransomware takes time to replicate, assaults are often launched on weekends and holidays, when penetrations in many cases take more time to recognize. This compounds the difficulty of rapidly mobilizing and coordinating a capable mitigation team.

Progent provides a variety of support services for securing organizations from ransomware penetrations. These include team training to become familiar with and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of the latest generation security gateways with artificial intelligence capabilities to quickly discover and quarantine new cyber threats. Progent also offers the assistance of experienced ransomware recovery consultants with the track record and commitment to reconstruct a breached system as urgently as possible.

Progent's Crypto-Ransomware Recovery Services
Subsequent to a ransomware attack, sending the ransom demands in cryptocurrency does not ensure that distant criminals will provide the needed codes to decipher any of your files. Kaspersky Labs ascertained that 17% of ransomware victims never restored their files even after having sent off the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is significantly higher than the average crypto-ransomware demands, which ZDNET averages to be approximately $13,000. The alternative is to piece back together the essential components of your IT environment. Absent access to complete system backups, this calls for a broad range of skill sets, professional project management, and the capability to work 24x7 until the recovery project is completed.

For decades, Progent has offered expert Information Technology services for businesses in Harrisburg and throughout the U.S. and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have attained high-level industry certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have garnered internationally-renowned certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent also has experience in financial systems and ERP applications. This breadth of experience provides Progent the skills to efficiently understand critical systems and re-organize the remaining parts of your Information Technology environment after a ransomware event and configure them into a functioning network.

Progent's ransomware team of experts deploys best of breed project management applications to coordinate the complicated recovery process. Progent appreciates the urgency of acting rapidly and together with a client's management and IT staff to prioritize tasks and to put the most important systems back online as fast as possible.

Customer Case Study: A Successful Ransomware Intrusion Recovery
A client contacted Progent after their network system was crashed by Ryuk ransomware virus. Ryuk is thought to have been developed by Northern Korean state sponsored criminal gangs, suspected of adopting technology leaked from the United States National Security Agency. Ryuk attacks specific companies with little room for operational disruption and is among the most profitable incarnations of ransomware. High publicized targets include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in Chicago with about 500 staff members. The Ryuk event had shut down all company operations and manufacturing processes. Most of the client's data backups had been directly accessible at the beginning of the attack and were encrypted. The client was evaluating paying the ransom (in excess of $200,000) and praying for good luck, but ultimately utilized Progent.


"I canít thank you enough about the care Progent provided us throughout the most fearful period of (our) businesses survival. We most likely would have paid the criminal gangs if not for the confidence the Progent group gave us. The fact that you could get our e-mail and critical servers back online quicker than five days was incredible. Every single consultant I got help from or e-mailed at Progent was amazingly focused on getting us operational and was working 24/7 to bail us out."

Progent worked hand in hand the customer to rapidly get our arms around and assign priority to the key services that needed to be restored to make it possible to restart company operations:

  • Windows Active Directory
  • Exchange Server
  • Accounting and Manufacturing Software
To start, Progent adhered to Anti-virus event response best practices by stopping lateral movement and cleaning systems of viruses. Progent then began the work of restoring Microsoft Active Directory, the key technology of enterprise environments built on Microsoft Windows Server technology. Exchange email will not work without Windows AD, and the businessesí MRP system utilized SQL Server, which needs Windows AD for authentication to the databases.

In less than 48 hours, Progent was able to recover Active Directory to its pre-intrusion state. Progent then completed reinstallations and storage recovery of essential applications. All Exchange Server ties and configuration information were intact, which greatly helped the restore of Exchange. Progent was also able to locate non-encrypted OST files (Outlook Off-Line Folder Files) on user workstations to recover mail information. A recent offline backup of the client's accounting/MRP systems made it possible to return these required programs back available to users. Although significant work still had to be done to recover completely from the Ryuk event, essential services were returned to operations quickly:


"For the most part, the production manufacturing operation ran fairly normal throughout and we made all customer shipments."

Throughout the next couple of weeks critical milestones in the restoration project were made through tight collaboration between Progent team members and the client:

  • In-house web applications were restored without losing any information.
  • The MailStore Exchange Server containing more than 4 million historical messages was brought on-line and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory functions were 100% operational.
  • A new Palo Alto 850 security appliance was set up and programmed.
  • Most of the user desktops were operational.

"So much of what happened those first few days is nearly entirely a blur for me, but my management will not soon forget the commitment each and every one of your team accomplished to give us our company back. Iíve been working together with Progent for at least 10 years, maybe more, and every time I needed help Progent has come through and delivered. This event was no exception but maybe more Herculean."

Conclusion
A likely business-ending disaster was avoided with dedicated experts, a broad array of IT skills, and tight teamwork. Although in post mortem the ransomware virus penetration detailed here would have been shut down with up-to-date security technology and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, and well designed incident response procedures for backup and proper patching controls, the reality is that state-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware attack, feel confident that Progent's roster of experts has substantial experience in ransomware virus blocking, mitigation, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were involved), thank you for letting me get some sleep after we got past the most critical parts. Everyone did an impressive effort, and if any of your team is in the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Harrisburg a variety of remote monitoring and security assessment services to help you to reduce your vulnerability to ransomware. These services incorporate next-generation AI technology to detect new variants of ransomware that can evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates cutting edge behavior-based machine learning technology to guard physical and virtual endpoints against new malware attacks like ransomware and email phishing, which easily escape traditional signature-based anti-virus tools. ProSight ASM safeguards local and cloud resources and provides a single platform to address the entire threat lifecycle including blocking, identification, containment, cleanup, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable in-depth protection for physical and virtual servers, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and reacting to security threats from all vectors. ProSight ESP offers firewall protection, penetration alarms, endpoint management, and web filtering via cutting-edge technologies incorporated within a single agent accessible from a single console. Progent's data protection and virtualization consultants can help you to plan and configure a ProSight ESP deployment that meets your company's unique needs and that allows you achieve and demonstrate compliance with government and industry information protection regulations. Progent will help you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for immediate action. Progent's consultants can also assist you to install and test a backup and disaster recovery system like ProSight Data Protection Services so you can recover quickly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and medium-sized businesses an affordable end-to-end solution for reliable backup/disaster recovery (BDR). For a fixed monthly price, ProSight Data Protection Services automates and monitors your backup activities and allows fast restoration of vital files, apps and virtual machines that have become lost or corrupted as a result of component breakdowns, software bugs, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images/. Critical data can be protected on the cloud, to a local storage device, or mirrored to both. Progent's cloud backup specialists can deliver world-class support to configure ProSight DPS to to comply with government and industry regulatory requirements like HIPAA, FINRA, and PCI and, when necessary, can assist you to restore your critical information. Find out more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of top data security companies to provide web-based control and comprehensive security for all your email traffic. The powerful architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with a local gateway appliance to offer advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps most unwanted email from making it to your security perimeter. This reduces your vulnerability to external attacks and saves network bandwidth and storage space. Email Guard's onsite security gateway appliance adds a deeper layer of inspection for inbound email. For outbound email, the on-premises security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also assist Exchange Server to monitor and protect internal email that originates and ends within your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, monitor, optimize and debug their connectivity appliances such as routers, firewalls, and wireless controllers plus servers, printers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that network maps are kept updated, captures and manages the configuration of almost all devices on your network, tracks performance, and sends notices when issues are discovered. By automating complex network management activities, WAN Watch can knock hours off common tasks such as making network diagrams, reconfiguring your network, finding devices that require important software patches, or resolving performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to keep your network running at peak levels by checking the health of critical computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your specified IT staff and your assigned Progent consultant so that all looming issues can be addressed before they can impact your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host configured and managed by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the applications. Because the system is virtualized, it can be ported immediately to an alternate hardware environment without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and protect data related to your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be alerted about impending expirations of SSL certificates ,domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can save up to half of time thrown away searching for vital information about your IT network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents required for managing your business network such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether youíre making enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Read more about ProSight IT Asset Management service.
For Harrisburg 24x7 CryptoLocker Remediation Help, call Progent at 800-993-9400 or go to Contact Progent.