Crypto-Ransomware : Your Worst IT Catastrophe
Crypto-Ransomware  Remediation ProfessionalsRansomware has become a modern cyberplague that poses an enterprise-level threat for businesses unprepared for an attack. Different versions of ransomware such as CryptoLocker, WannaCry, Locky, Syskey and MongoLock cryptoworms have been out in the wild for many years and continue to inflict harm. Newer variants of crypto-ransomware like Ryuk and Hermes, as well as daily as yet unnamed newcomers, not only encrypt on-line critical data but also infiltrate many configured system protection mechanisms. Information synchronized to off-site disaster recovery sites can also be corrupted. In a poorly designed environment, it can render automatic recovery hopeless and effectively sets the network back to zero.

Restoring services and data after a ransomware attack becomes a race against the clock as the targeted organization tries its best to contain and eradicate the virus and to restore enterprise-critical activity. Due to the fact that ransomware takes time to replicate, attacks are usually sprung on weekends, when penetrations typically take longer to detect. This compounds the difficulty of promptly marshalling and orchestrating a knowledgeable mitigation team.

Progent has an assortment of help services for protecting businesses from crypto-ransomware penetrations. These include user training to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of the latest generation security gateways with artificial intelligence capabilities to rapidly discover and suppress new threats. Progent also can provide the assistance of expert ransomware recovery consultants with the track record and commitment to reconstruct a compromised system as urgently as possible.

Progent's Ransomware Restoration Help
Subsequent to a ransomware event, sending the ransom demands in cryptocurrency does not ensure that cyber hackers will provide the keys to decipher any or all of your data. Kaspersky Labs estimated that 17% of ransomware victims never recovered their data even after having sent off the ransom, resulting in additional losses. The risk is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is well above the average crypto-ransomware demands, which ZDNET averages to be approximately $13,000. The other path is to re-install the key components of your Information Technology environment. Absent the availability of full information backups, this requires a broad complement of skills, top notch project management, and the ability to work non-stop until the task is over.

For two decades, Progent has made available certified expert Information Technology services for businesses in Chesapeake and throughout the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have earned high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have earned internationally-recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise with accounting and ERP application software. This breadth of expertise provides Progent the capability to rapidly determine necessary systems and re-organize the remaining parts of your computer network environment after a ransomware attack and rebuild them into a functioning network.

Progent's security team utilizes powerful project management tools to coordinate the complex restoration process. Progent understands the urgency of acting swiftly and in concert with a customerís management and IT staff to prioritize tasks and to put essential services back on-line as fast as humanly possible.

Client Case Study: A Successful Ransomware Virus Recovery
A small business contacted Progent after their organization was brought down by Ryuk ransomware. Ryuk is believed to have been created by Northern Korean state sponsored hackers, possibly using techniques leaked from the U.S. National Security Agency. Ryuk seeks specific organizations with little or no tolerance for disruption and is one of the most profitable examples of crypto-ransomware. High publicized organizations include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturer based in the Chicago metro area and has about 500 workers. The Ryuk intrusion had paralyzed all essential operations and manufacturing processes. The majority of the client's system backups had been directly accessible at the beginning of the intrusion and were encrypted. The client considered paying the ransom (exceeding two hundred thousand dollars) and hoping for the best, but in the end brought in Progent.


"I canít thank you enough about the support Progent gave us throughout the most fearful period of (our) businesses survival. We would have paid the cyber criminals behind the attack if it wasnít for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail system and essential applications back online faster than 1 week was incredible. Every single expert I worked with or messaged at Progent was urgently focused on getting our system up and was working at all hours on our behalf."

Progent worked with the customer to quickly assess and assign priority to the key areas that needed to be restored to make it possible to restart company functions:

  • Windows Active Directory
  • Microsoft Exchange Server
  • Accounting and Manufacturing Software
To begin, Progent followed Anti-virus event response best practices by isolating and cleaning systems of viruses. Progent then initiated the process of recovering Active Directory, the foundation of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange Server email will not operate without Windows AD, and the businessesí MRP software leveraged Microsoft SQL Server, which requires Active Directory for authentication to the data.

In less than 48 hours, Progent was able to restore Active Directory services to its pre-virus state. Progent then assisted with reinstallations and storage recovery of critical servers. All Exchange ties and configuration information were intact, which accelerated the rebuild of Exchange. Progent was able to collect intact OST files (Outlook Email Off-Line Folder Files) on staff PCs to recover email information. A recent off-line backup of the businesses financials/MRP systems made them able to restore these required programs back available to users. Although major work remained to recover fully from the Ryuk damage, the most important services were returned to operations quickly:


"For the most part, the manufacturing operation did not miss a beat and we made all customer sales."

During the following few weeks key milestones in the restoration process were accomplished in close cooperation between Progent engineers and the client:

  • Internal web sites were returned to operation without losing any data.
  • The MailStore Exchange Server with over 4 million historical messages was brought on-line and accessible to users.
  • CRM/Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory capabilities were fully operational.
  • A new Palo Alto 850 firewall was set up and programmed.
  • 90% of the user desktops were operational.

"So much of what was accomplished in the early hours is nearly entirely a fog for me, but my team will not soon forget the commitment all of you put in to help get our company back. I have entrusted Progent for the past ten years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This time was a life saver."

Conclusion
A likely business catastrophe was averted due to results-oriented experts, a broad spectrum of subject matter expertise, and close collaboration. Although upon completion of forensics the crypto-ransomware attack detailed here could have been identified and stopped with advanced cyber security technology solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, and properly executed incident response procedures for backup and keeping systems up to date with security patches, the reality is that state-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incident, remember that Progent's team of professionals has substantial experience in ransomware virus defense, remediation, and file recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), Iím grateful for letting me get some sleep after we made it over the initial fire. Everyone did an fabulous job, and if any of your guys is around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Chesapeake a portfolio of online monitoring and security evaluation services designed to assist you to reduce your vulnerability to ransomware. These services include modern machine learning technology to detect new strains of ransomware that can evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates next generation behavior analysis tools to guard physical and virtual endpoint devices against new malware assaults like ransomware and file-less exploits, which routinely evade traditional signature-based anti-virus tools. ProSight ASM safeguards on-premises and cloud resources and provides a unified platform to automate the complete malware attack lifecycle including filtering, detection, mitigation, cleanup, and post-attack forensics. Key features include one-click rollback using Windows VSS and automatic system-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection services offer affordable multi-layer security for physical servers and VMs, desktops, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and responding to cyber assaults from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, device management, and web filtering through cutting-edge technologies incorporated within one agent managed from a unified console. Progent's data protection and virtualization consultants can help you to design and configure a ProSight ESP environment that addresses your company's specific requirements and that helps you demonstrate compliance with legal and industry information protection regulations. Progent will help you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require urgent action. Progent can also assist your company to install and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover rapidly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations an affordable and fully managed service for secure backup/disaster recovery (BDR). For a fixed monthly cost, ProSight DPS automates and monitors your backup processes and allows fast restoration of critical data, apps and VMs that have become lost or damaged due to hardware failures, software bugs, natural disasters, human mistakes, or malicious attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to a local storage device, or to both. Progent's BDR consultants can provide advanced expertise to set up ProSight DPS to to comply with government and industry regulatory standards such as HIPAA, FINRA, and PCI and, whenever needed, can help you to recover your business-critical information. Find out more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading data security vendors to deliver centralized management and world-class security for all your email traffic. The powerful structure of Email Guard managed service combines cloud-based filtering with a local gateway device to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's cloud filter serves as a first line of defense and blocks the vast majority of threats from making it to your network firewall. This decreases your vulnerability to external attacks and conserves system bandwidth and storage. Email Guard's onsite security gateway appliance adds a further layer of inspection for inbound email. For outbound email, the onsite gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Exchange Server to monitor and protect internal email that stays inside your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, track, optimize and debug their networking appliances such as routers and switches, firewalls, and load balancers plus servers, endpoints and other devices. Incorporating state-of-the-art RMM technology, WAN Watch ensures that network diagrams are kept updated, copies and manages the configuration of almost all devices connected to your network, tracks performance, and sends notices when problems are discovered. By automating complex management processes, WAN Watch can cut hours off ordinary chores like making network diagrams, expanding your network, locating devices that need important software patches, or resolving performance issues. Find out more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to keep your IT system operating at peak levels by tracking the state of vital computers that power your information system. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your specified IT management personnel and your assigned Progent engineering consultant so all potential issues can be addressed before they have a chance to disrupt productivity. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual host set up and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be ported easily to an alternate hosting solution without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and safeguard information about your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be alerted about impending expirations of SSLs or warranties. By cleaning up and managing your network documentation, you can eliminate up to 50% of time spent looking for critical information about your IT network. ProSight IT Asset Management features a common location for holding and sharing all documents required for managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether youíre planning improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.
For Chesapeake 24-Hour Ransomware Removal Experts, call Progent at 800-993-9400 or go to Contact Progent.