Crypto-Ransomware : Your Feared Information Technology Disaster
Ransomware  Recovery ConsultantsCrypto-Ransomware has become an escalating cyberplague that presents an existential threat for organizations vulnerable to an attack. Multiple generations of crypto-ransomware such as Reveton, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for a long time and still cause harm. Recent strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Egregor, along with frequent unnamed viruses, not only do encryption of on-line data but also infect many accessible system restores and backups. Files replicated to cloud environments can also be corrupted. In a poorly architected system, this can make any restore operations impossible and basically sets the network back to zero.

Getting back online applications and information following a ransomware event becomes a race against time as the targeted business struggles to contain the damage and clear the crypto-ransomware and to resume mission-critical operations. Since ransomware needs time to move laterally, assaults are usually sprung during nights and weekends, when successful attacks tend to take longer to identify. This compounds the difficulty of quickly assembling and organizing a qualified mitigation team.

Progent offers a variety of solutions for securing businesses from ransomware attacks. Among these are team member education to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of modern security gateways with artificial intelligence capabilities to automatically discover and disable new cyber threats. Progent in addition offers the assistance of experienced crypto-ransomware recovery engineers with the skills and perseverance to restore a compromised system as urgently as possible.

Progent's Ransomware Restoration Help
After a ransomware penetration, paying the ransom in cryptocurrency does not ensure that distant criminals will provide the codes to unencrypt any of your information. Kaspersky ascertained that seventeen percent of crypto-ransomware victims never restored their files after having paid the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is significantly above the typical crypto-ransomware demands, which ZDNET averages to be in the range of $13,000. The other path is to piece back together the essential parts of your IT environment. Absent the availability of full system backups, this requires a wide complement of IT skills, professional team management, and the capability to work non-stop until the job is complete.

For two decades, Progent has offered expert IT services for businesses in Madison and throughout the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have attained top industry certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally-renowned certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise with financial systems and ERP applications. This breadth of experience affords Progent the ability to quickly determine critical systems and re-organize the remaining components of your computer network environment after a ransomware event and assemble them into a functioning network.

Progent's security team deploys state-of-the-art project management systems to coordinate the complex recovery process. Progent knows the urgency of acting rapidly and in unison with a client's management and IT staff to prioritize tasks and to put essential systems back on-line as soon as humanly possible.

Customer Case Study: A Successful Crypto-Ransomware Penetration Restoration
A small business sought out Progent after their company was attacked by Ryuk ransomware. Ryuk is thought to have been created by Northern Korean state sponsored hackers, suspected of adopting techniques leaked from the United States National Security Agency. Ryuk targets specific businesses with little tolerance for operational disruption and is among the most profitable versions of ransomware viruses. High publicized targets include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer headquartered in the Chicago metro area and has about 500 staff members. The Ryuk penetration had paralyzed all essential operations and manufacturing capabilities. Most of the client's backups had been on-line at the time of the intrusion and were eventually encrypted. The client was actively seeking loans for paying the ransom demand (in excess of $200K) and wishfully thinking for the best, but ultimately reached out to Progent.


"I cannot speak enough about the care Progent provided us throughout the most critical period of (our) businesses life. We may have had to pay the cyber criminals behind the attack if it wasnít for the confidence the Progent group gave us. That you were able to get our e-mail system and key applications back on-line faster than a week was something I thought impossible. Each expert I spoke to or texted at Progent was urgently focused on getting us back online and was working day and night on our behalf."

Progent worked hand in hand the client to quickly identify and prioritize the most important areas that had to be restored to make it possible to resume departmental operations:

  • Active Directory (AD)
  • Email
  • Financials/MRP
To begin, Progent followed AV/Malware Processes penetration mitigation best practices by stopping lateral movement and disinfecting systems. Progent then began the process of restoring Microsoft Active Directory, the key technology of enterprise environments built upon Microsoft technology. Exchange messaging will not operate without AD, and the client's MRP applications used Microsoft SQL Server, which needs Active Directory services for authentication to the data.

In less than 2 days, Progent was able to recover Active Directory to its pre-intrusion state. Progent then helped perform rebuilding and hard drive recovery on the most important applications. All Microsoft Exchange Server ties and configuration information were intact, which accelerated the restore of Exchange. Progent was also able to collect intact OST files (Outlook Email Off-Line Data Files) on various PCs to recover email messages. A recent off-line backup of the businesses accounting systems made it possible to restore these required applications back servicing users. Although a lot of work remained to recover completely from the Ryuk damage, the most important services were restored rapidly:


"For the most part, the production operation survived unscathed and we delivered all customer sales."

Over the following few weeks key milestones in the restoration process were achieved in tight collaboration between Progent engineers and the client:

  • Self-hosted web applications were brought back up without losing any data.
  • The MailStore Microsoft Exchange Server with over 4 million archived messages was spun up and accessible to users.
  • CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory Control capabilities were completely restored.
  • A new Palo Alto 850 firewall was brought online.
  • Ninety percent of the user desktops were fully operational.

"A huge amount of what happened in the early hours is mostly a blur for me, but my team will not forget the care each and every one of the team put in to help get our business back. I have been working together with Progent for the past ten years, maybe more, and each time I needed help Progent has impressed me and delivered. This situation was a Herculean accomplishment."

Conclusion
A possible company-ending catastrophe was dodged due to results-oriented professionals, a broad spectrum of subject matter expertise, and close collaboration. Although in hindsight the crypto-ransomware virus penetration detailed here could have been shut down with advanced security technology solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator education, and well designed incident response procedures for information backup and applying software patches, the reality remains that state-sponsored hackers from Russia, China and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's roster of experts has substantial experience in ransomware virus defense, remediation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were involved), thank you for making it so I could get some sleep after we made it past the initial push. Everyone did an amazing effort, and if any of your team is visiting the Chicago area, dinner is on me!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Madison a range of online monitoring and security assessment services to help you to minimize the threat from ransomware. These services include next-generation AI capability to uncover new strains of crypto-ransomware that can evade traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates next generation behavior machine learning tools to defend physical and virtual endpoints against modern malware assaults like ransomware and email phishing, which routinely evade legacy signature-matching anti-virus tools. ProSight ASM protects local and cloud-based resources and provides a unified platform to manage the entire malware attack progression including blocking, detection, containment, cleanup, and post-attack forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services deliver ultra-affordable multi-layer protection for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device management, and web filtering via cutting-edge technologies incorporated within one agent accessible from a single console. Progent's data protection and virtualization consultants can assist you to design and configure a ProSight ESP deployment that addresses your company's unique needs and that allows you achieve and demonstrate compliance with legal and industry data security standards. Progent will help you define and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that require immediate attention. Progent can also help you to install and test a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business quickly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized organizations an affordable end-to-end service for reliable backup/disaster recovery (BDR). For a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup activities and allows rapid recovery of vital files, applications and virtual machines that have become unavailable or corrupted as a result of hardware breakdowns, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to a local device, or mirrored to both. Progent's backup and recovery consultants can provide advanced expertise to configure ProSight DPS to be compliant with government and industry regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can help you to recover your critical data. Learn more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading data security companies to deliver centralized control and world-class security for your inbound and outbound email. The hybrid structure of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises security gateway device to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's cloud filter acts as a first line of defense and blocks most unwanted email from making it to your network firewall. This reduces your exposure to external threats and saves network bandwidth and storage space. Email Guard's onsite security gateway appliance adds a deeper layer of analysis for incoming email. For outbound email, the on-premises gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to track and safeguard internal email that stays within your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progentís ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to map out, track, enhance and troubleshoot their connectivity appliances like switches, firewalls, and load balancers plus servers, printers, client computers and other devices. Incorporating cutting-edge RMM technology, WAN Watch makes sure that infrastructure topology diagrams are kept current, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and generates notices when potential issues are detected. By automating time-consuming management processes, ProSight WAN Watch can knock hours off common chores like network mapping, expanding your network, locating devices that need important software patches, or isolating performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management techniques to help keep your IT system running at peak levels by checking the state of critical assets that drive your business network. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your designated IT management personnel and your Progent engineering consultant so all potential problems can be resolved before they can impact productivity. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the apps. Because the environment is virtualized, it can be moved easily to an alternate hardware solution without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and protect information related to your network infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSLs or warranties. By updating and organizing your network documentation, you can save up to 50% of time wasted searching for critical information about your network. ProSight IT Asset Management includes a common location for storing and collaborating on all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether youíre making enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you need when you need it. Read more about ProSight IT Asset Management service.
For Madison 24/7/365 CryptoLocker Remediation Consultants, call Progent at 800-993-9400 or go to Contact Progent.