Crypto-Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become a too-frequent cyber pandemic that represents an extinction-level danger for organizations poorly prepared for an attack. Multiple generations of crypto-ransomware such as Reveton, CryptoWall, Locky, NotPetya and MongoLock have been circulating for years and still cause harm. Recent strains such as Hermes and its successor Ryuk, as well as additional as yet unnamed variants, not only encrypt on-line data but also deliberately attack the configured system protection mechanisms, such as volume shadow copies and any backup volumes reachable from the compromised hosts. Information synchronized to cloud storage can also be rendered useless, because file synchronization faithfully replicates the encrypted copies. In a vulnerable data protection design this defeats automated restore operations and effectively knocks the network back to zero.

Getting programs and information back online after a ransomware event becomes a sprint against time as the targeted business fights to stop the spread, clean up the malware and resume business-critical activity. Because ransomware takes time to spread, attacks are often triggered during weekends and nights, when the intrusion may take longer to uncover. This compounds the difficulty of quickly marshalling and organizing a capable response team.

Progent provides an assortment of support services for protecting enterprises from ransomware penetrations. These include team member training to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of next-generation security solutions with behavioral and machine-learning detection to identify and suppress zero-day threats. Progent can also provide experienced ransomware recovery professionals with the skill and perseverance to rebuild a compromised network as urgently as possible.

Progent's Ransomware Restoration Help
After a ransomware attack, even paying the ransom in cryptocurrency does not ensure that the criminals will provide working decryption keys for any or all of your data. Kaspersky estimated that 17% of ransomware victims never recovered their data after sending off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms frequently range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), well above the usual ransomware demand, which ZDNet put at around $13,000. The fallback is to rebuild the essential parts of your Information Technology environment. Without full, uninfected system backups, this calls for a broad complement of IT skills, well-coordinated project management, and the willingness to work non-stop until the task is over.

For decades, Progent has provided professional Information Technology services for businesses in Madison and across the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who hold advanced certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts hold internationally recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC (see Progent's certifications). Progent also has expertise with financial management and ERP application software. This breadth of experience gives Progent the capability to efficiently identify the important systems, organize the surviving parts of your network environment after a ransomware attack, and assemble them into a functioning network.

Progent's ransomware group uses top notch project management tools to coordinate the complex recovery process. Progent understands the urgency of acting swiftly and in concert with a client's management and IT staff to assign priority to tasks and to put the most important applications back on line as fast as humanly possible.

Client Case Study: A Successful Crypto-Ransomware Penetration Recovery
A business contacted Progent after their network was penetrated by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored hackers because it shares code with the earlier Hermes ransomware, but later analysis attributes it to a Russian-speaking criminal group that typically gains its initial foothold through TrickBot or Emotet infections. Ryuk targets specific businesses with little or no tolerance for disruption and is among the most lucrative examples of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer headquartered in the Chicago metro area with around 500 workers. The Ryuk intrusion had paralyzed all business operations and manufacturing processes. The majority of the client's backups had been on-line at the start of the attack and were destroyed. The client was actively seeking loans to pay the ransom demand (more than $200K) and hoping for the best, but ultimately engaged Progent.


"I cannot speak enough in regards to the help Progent provided us during the most stressful time of (our) company's life. We most likely would have paid the cybercriminals except for the confidence the Progent group provided us. That you could get our e-mail system and key servers back online faster than a week was something I thought impossible. Each person I got help from or communicated with at Progent was totally committed on getting us operational and was working at all hours to bail us out."

Progent worked with the client to quickly identify and prioritize the key areas that had to be addressed in order to continue company operations:

  • Active Directory (AD)
  • Email
  • Accounting/MRP
To start, Progent followed incident response best practices by isolating affected hosts to stop lateral movement and cleaning up infected systems. Progent then began restoring Microsoft Active Directory, the foundation of enterprise environments built on Microsoft Windows technology. Microsoft Exchange messaging will not function without Active Directory, and the customer's financials and MRP applications used Microsoft SQL Server, which relied on Active Directory (Windows authentication) to authorize access to the databases.

Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then completed reinstallations and hard drive recovery of essential applications. All Exchange Server schema and configuration information was usable, which facilitated the restore of Exchange. Progent was able to collect intact OST files (Outlook Offline Data Files) from user workstations and laptops to recover mail data. A reasonably recent offline backup of the client's financials/ERP software made it possible to bring these vital services back on-line. Although a lot of work remained to recover fully from the Ryuk event, essential systems were returned to operation quickly:
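The OST collection step above depends on telling which Outlook data files on the workstations are still intact and which were overwritten by the ransomware. The following script is an added illustration, not part of Progent's case study or tooling: it walks a directory tree, checks each candidate file for the "!BDN" header signature that Microsoft's MS-PST specification defines for PST/OST files, reads the format version word, and flags headerless files whose content is near-random as probable encrypted copies. The file names and contents in build_sample_tree() are constructed for the demonstration; the 7.5 bits-per-byte entropy threshold is an assumption chosen to separate encrypted data from ordinary mailbox content.

```python
"""Triage Outlook data files (.ost/.pst) found on workstations after a
ransomware event. Intact files keep the MS-PST header signature and can be
collected for mailbox recovery; encrypted copies lose it and look random."""
import math
import random
import struct
import tempfile
from pathlib import Path

PST_MAGIC = b"!BDN"   # dwMagic at offset 0 of every PST/OST file (MS-PST spec)
WVER_OFFSET = 10      # wVer: 14/15 = ANSI format, 23 and above = Unicode format
SAMPLE_BYTES = 4096   # only the head of each file is read
ENTROPY_LIMIT = 7.5   # assumed cut-off: above this the sample looks encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_outlook_file(path: Path) -> dict:
    """Return a triage record for one candidate file."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    record = {"path": str(path), "size": path.stat().st_size,
              "entropy": round(shannon_entropy(head), 2)}
    if len(head) >= WVER_OFFSET + 2 and head[:4] == PST_MAGIC:
        wver = struct.unpack_from("<H", head, WVER_OFFSET)[0]
        record.update(status="intact",
                      format="ANSI" if wver in (14, 15) else "Unicode")
    elif record["entropy"] > ENTROPY_LIMIT:
        # Header gone and the content is near-random: consistent with encryption.
        record.update(status="likely-encrypted")
    else:
        record.update(status="corrupt-or-unknown")
    return record


def triage_tree(root: Path) -> list:
    """Classify every file whose name contains .ost or .pst anywhere, so copies
    renamed with an appended ransomware extension are still picked up."""
    hits = []
    for p in root.rglob("*"):
        name = p.name.lower()
        if p.is_file() and (".ost" in name or ".pst" in name):
            hits.append(classify_outlook_file(p))
    return sorted(hits, key=lambda r: r["path"])


def build_sample_tree(root: Path) -> None:
    """Constructed sample data (not real user files):
    - alice.ost       : valid Unicode-format header followed by low-entropy filler
    - bob.ost.locked  : deterministic pseudo-random bytes standing in for an encrypted copy
    - carol.pst       : a short zero-filled stub with no header"""
    (root / "alice").mkdir()
    header = PST_MAGIC + b"\x00" * 4 + b"SM" + struct.pack("<H", 23) + b"\x00" * 4
    (root / "alice" / "alice.ost").write_bytes(header + b"\x00" * 4080)
    (root / "bob").mkdir()
    (root / "bob" / "bob.ost.locked").write_bytes(random.Random(7).randbytes(SAMPLE_BYTES))
    (root / "carol.pst").write_bytes(b"\x00" * 256)


def demo() -> dict:
    """Build the sample tree in a fresh temp directory and return name -> status."""
    root = Path(tempfile.mkdtemp(prefix="ost-triage-"))
    build_sample_tree(root)
    return {Path(r["path"]).name: r["status"] for r in triage_tree(root)}


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:18} {name}")
```

Run it against a copied-off workstation image or a mounted share rather than the live machine, and treat "intact" as "worth collecting", not "clean": the header check proves the file was not encrypted, not that the workstation it came from is free of the malware that encrypted its neighbours.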


"For the most part, the production line operation ran fairly normal throughout and we did not miss any customer sales."

Over the following month, key milestones in the restoration project were reached through close cooperation between Progent team members and the client:

  • Internal web sites were returned to operation without losing any information.
  • The MailStore email archive of more than four million historical messages was brought online and made available to users.
  • CRM/Product Ordering/Invoicing/AP/Accounts Receivables/Inventory Control functions were completely restored.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • Most of the user desktops and notebooks were functioning as before the incident.

"A huge amount of what happened that first week is nearly entirely a haze for me, but we will not forget the commitment each and every one of your team accomplished to help get our business back. I've been working together with Progent for at least 10 years, possibly more, and every time I needed help Progent has come through and delivered. This situation was no exception but maybe more Herculean."

Conclusion
A likely enterprise-killing disaster was averted with top-tier professionals, a wide range of IT skills, and tight collaboration. In hindsight the crypto-ransomware incident described here could have been detected and blocked with modern security tooling and ISO/IEC 27001 best practices, team education, and well thought out incident response procedures covering offline or otherwise isolated backups and keeping systems up to date with security patches. The reality, however, is that state-sponsored and criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and will keep trying. If you do fall victim to a ransomware incursion, be assured that Progent's roster of professionals has proven experience in ransomware blocking, mitigation, and data disaster recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for making it so I could get rested after we got past the first week. Everyone did an impressive effort, and if anyone that helped is visiting the Chicago area, a great meal is on me!"

To review or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Madison a portfolio of remote monitoring and security evaluation services to help you reduce your exposure to crypto-ransomware. These services use next-generation behavioral and machine-learning detection to uncover zero-day variants of ransomware that get past traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that uses next-generation behavior analysis technology to defend physical and virtual endpoints against new malware attacks like ransomware and email phishing, which easily escape legacy signature-matching AV tools. ProSight Active Security Monitoring protects local and cloud-based resources and offers a unified platform to address the complete threat lifecycle including blocking, identification, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback based on Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Note that rollback from shadow copies only works if the attack is stopped before the malware deletes them, which many ransomware families attempt as an early step, so shadow copies complement but do not replace an isolated backup. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver economical multi-layer security for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and react to cyber threats from all vectors. ProSight ESP delivers firewall protection, penetration alerts, device management, and web filtering through cutting-edge technologies incorporated within one agent accessible from a unified console. Progent's data protection and virtualization experts can help you plan and implement a ProSight ESP deployment that meets your organization's unique requirements and that allows you to demonstrate compliance with legal and industry data protection standards. Progent will help you define and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for immediate action. Progent's consultants can also help you set up and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and mid-sized organizations a low-cost, fully managed service for secure backup and disaster recovery. For a low monthly rate, ProSight DPS automates and monitors your backup activities and allows fast restoration of critical files, applications and VMs that have become unavailable or corrupted as a result of component failures, software bugs, natural disasters, human error, or malware attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images. Important data can be protected in the cloud, to a local storage device, or mirrored to both; a copy that the compromised hosts cannot overwrite is what makes recovery from ransomware possible. Progent's cloud backup specialists can provide world-class expertise to configure ProSight DPS to comply with regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can assist you to recover your critical data. Learn more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading data security vendors to provide web-based management and comprehensive security for your email traffic. The layered structure of Email Guard integrates cloud-based filtering with an on-premises gateway appliance to provide advanced protection against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of unwanted email before it reaches your security perimeter. This reduces your exposure to inbound attacks and saves network bandwidth and storage space. Email Guard's on-premises gateway appliance adds a deeper layer of analysis for inbound email. For outbound email, the on-premises gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Exchange Server monitor and protect internal email traffic that originates and ends within your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to map out, monitor, enhance and troubleshoot their networking appliances such as routers, switches, firewalls, and load balancers, plus servers, printers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network diagrams are always up to date, captures and manages the configuration information of almost all devices connected to your network, tracks performance, and sends alerts when potential issues are detected. By automating tedious management processes, ProSight WAN Watch can cut hours off ordinary tasks like making network diagrams, expanding your network, locating devices that require critical software patches, or isolating performance issues. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management technology to help keep your IT system operating efficiently by checking the state of the vital computers that power your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your designated IT management personnel and your assigned Progent consultant so potential issues can be resolved before they impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual machine host set up and managed by Progent's network support experts. Under the ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the applications. Because the system is virtualized, it can be ported easily to an alternate hosting environment without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, find and safeguard data related to your network infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be alerted about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate up to half of the time spent searching for vital information about your IT network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents required for managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether you're making enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need the instant you need it. Find out more about ProSight IT Asset Management service.
For 24/7 Madison Ransomware Cleanup Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.