Crypto-Ransomware: Your Feared IT Nightmare
Ransomware has become an escalating cyberplague that poses an extinction-level danger for businesses vulnerable to an assault. Versions of ransomware such as CryptoLocker, WannaCry, Locky, Syskey and MongoLock cryptoworms have been running rampant for many years and continue to inflict havoc. The latest variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, as well as additional as yet unnamed malware, not only encrypt online data files but also infiltrate every system backup they can reach. Files synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly designed environment, this can render automated restore operations hopeless and effectively knocks the entire system back to square one.

Recovering programs and data following a ransomware outage becomes a sprint against the clock as the victim tries its best to stop lateral movement, clear the ransomware and resume mission-critical activity. Since ransomware needs time to move laterally, assaults are often sprung during nights and weekends, when attacks typically take longer to notice. This compounds the difficulty of quickly assembling and organizing a knowledgeable mitigation team.

Progent offers an assortment of support services for securing businesses from crypto-ransomware events. These include user training to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of next-generation security gateways with machine learning technology to intelligently identify and extinguish zero-day cyber threats. Progent in addition provides the services of seasoned crypto-ransomware recovery engineers with the talent and perseverance to re-deploy a compromised system as rapidly as possible.

Progent's Ransomware Restoration Help
Following a ransomware event, even paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that cyber criminals will respond with the keys needed to decrypt all your data. Kaspersky estimated that 17% of crypto-ransomware victims never restored their files even after having sent off the ransom, resulting in increased losses. Paying is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above the typical crypto-ransomware demand, which ZDNET averages to be approximately $13,000. The alternative is to piece back together the critical elements of your IT environment. Without full system backups available, this calls for a wide range of IT skills, well-coordinated team management, and the capability to work continuously until the task is finished.

For decades, Progent has provided expert IT services for companies in Minneapolis and across the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have attained high-level industry certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of expertise provides Progent the capability to efficiently identify necessary systems and re-organize the remaining components of your computer network system after a crypto-ransomware event and rebuild them into a functioning network.

Progent's ransomware team of experts has powerful project management tools to orchestrate the sophisticated restoration process. Progent appreciates the urgency of acting quickly and in concert with a customer's management and Information Technology resources to prioritize tasks and to put critical applications back on-line as fast as humanly possible.

Client Story: A Successful Ransomware Intrusion Recovery
A small business escalated to Progent after their company was brought down by the Ryuk ransomware virus. Ryuk is thought to have been deployed by North Korean state-sponsored cybercriminals, possibly adopting algorithms leaked from the U.S. NSA. Ryuk targets specific organizations with little room for disruption and is one of the most lucrative examples of ransomware malware. Headline victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in the Chicago metro area with about 500 employees. The Ryuk penetration had disabled all essential operations and manufacturing processes. Most of the client's backups had been online at the start of the attack and were damaged. The client was actively seeking loans to pay the ransom (in excess of $200,000) and praying for the best, but ultimately brought in Progent.


"I cannot thank you enough for the support Progent provided us throughout the most stressful period of (our) business's existence. We may have had to pay the hackers behind this attack except for the confidence the Progent team provided us. That you could get our e-mail system and critical servers back on-line sooner than one week was incredible. Each staff member I got help from or communicated with at Progent was urgently focused on getting our company operational and was working day and night to bail us out."

Progent worked together with the customer to rapidly assess and prioritize the essential areas that had to be addressed to make it possible to resume departmental operations:

  • Microsoft Active Directory
  • Microsoft Exchange Email
  • Accounting/MRP

To start, Progent followed industry best practices for malware incident response by stopping lateral movement and cleaning up compromised systems. Progent then initiated the work of restoring Microsoft Active Directory, the foundation of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange email will not operate without AD, and the customer's financials and MRP software leveraged Microsoft SQL Server, which depends on Active Directory for access to the information.

In less than two days, Progent was able to restore Active Directory to its pre-virus state. Progent then initiated setup and storage recovery of the most important systems. All Exchange Server data and configuration information were usable, which accelerated the restore of Exchange. Progent was also able to collect intact OST files (Outlook Email Off-Line Folder Files) on team desktop computers to recover mail messages. A fairly recent offline backup of the client's accounting/ERP software made it possible to bring these vital applications back online. Although major work remained to recover completely from the Ryuk event, essential services were returned to operation quickly:


"For the most part, the production operation survived unscathed and we delivered all customer shipments."

During the following month critical milestones in the restoration project were completed in tight collaboration between Progent team members and the client:

  • In-house web applications were brought back up with no loss of information.
  • The MailStore Server containing more than 4 million historical messages was brought on-line and made accessible to users.
  • CRM/Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory capabilities were completely functional.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Most of the desktops and laptops were fully operational.

"So much of what went on that first week is mostly a blur for me, but our team will not soon forget the dedication all of the team accomplished to give us our business back. I have entrusted Progent for the past ten years, possibly more, and each time Progent has come through and delivered. This situation was the most impressive ever."

Conclusion
A likely company-ending catastrophe was avoided due to hard-working experts, a wide spectrum of IT skills, and tight collaboration. Forensics showed that the crypto-ransomware penetration detailed here could have been blocked with advanced cyber security technology, ISO/IEC 27001 best practices, user and IT administrator education, and well-designed procedures for data backup and software patching. The fact remains, however, that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and an ongoing threat. If you do get hit by a crypto-ransomware incident, feel confident that Progent's roster of professionals has proven experience in ransomware virus blocking, mitigation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were involved), thanks very much for making it so I could get some sleep after we got through the initial fire. All of you did a fabulous effort, and if any of you guys are visiting the Chicago area, dinner is my treat!"

To read or download a PDF version of this case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Minneapolis a portfolio of online monitoring and security assessment services designed to assist you to reduce your vulnerability to ransomware. These services incorporate modern artificial intelligence technology to detect new variants of crypto-ransomware that are able to get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes next-generation behavior-based machine learning tools to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely get by traditional signature-based anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a single platform to automate the entire malware attack lifecycle including protection, detection, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable in-depth security for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and responding to cyber assaults from all attack vectors. ProSight ESP provides firewall protection, penetration alarms, device control, and web filtering via cutting-edge tools packaged within one agent managed from a unified console. Progent's data protection and virtualization experts can assist your business to plan and implement a ProSight ESP deployment that addresses your organization's specific requirements and that helps you prove compliance with government and industry information security standards. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require urgent action. Progent's consultants can also assist your company to set up and verify a backup and restore solution like ProSight Data Protection Services so you can get back in business quickly from a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized businesses an affordable end-to-end solution for secure backup/disaster recovery. Available at a low monthly rate, ProSight DPS automates and monitors your backup activities and enables rapid recovery of critical data, applications and virtual machines that have become lost or damaged due to hardware breakdowns, software glitches, disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware images. Important data can be protected in the cloud, on an on-premises device, or mirrored to both. Progent's BDR specialists can provide world-class expertise to configure ProSight Data Protection Services to comply with regulatory requirements like HIPAA, FIRPA, and PCI and, whenever needed, can help you to recover your critical data. Learn more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading information security vendors to deliver centralized control and world-class security for your email traffic. The hybrid architecture of Progent's Email Guard integrates cloud-based filtering with a local gateway device to provide complete protection against spam, viruses, Denial of Service attacks, directory harvest attacks (DHAs), and other email-borne malware. The Cloud Protection Layer serves as a preliminary barricade and keeps most threats from reaching your security perimeter. This decreases your vulnerability to inbound attacks and saves system bandwidth and storage. Email Guard's on-premises security gateway device provides a further level of inspection for incoming email. For outgoing email, the on-premises gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to monitor and protect internal email traffic that originates and ends within your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to map out, monitor, enhance and troubleshoot their connectivity hardware such as routers, firewalls, and load balancers plus servers, printers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology diagrams are kept updated, copies and displays the configuration of almost all devices on your network, tracks performance, and generates alerts when problems are discovered. By automating complex management processes, ProSight WAN Watch can knock hours off ordinary tasks like network mapping, reconfiguring your network, locating appliances that need critical software patches, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management technology to keep your IT system running efficiently by checking the state of critical computers that drive your information system. When ProSight LAN Watch detects an issue, an alert is sent automatically to your specified IT management staff and your assigned Progent engineering consultant so that all looming problems can be addressed before they have a chance to impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected Tier III data center on a high-performance virtual host configured and maintained by Progent's network support professionals. With the ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be ported easily to an alternate hosting environment without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and safeguard information about your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can save up to 50% of time wasted looking for vital information about your IT network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents required for managing your network infrastructure such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether you're planning enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you require as soon as you need it. Read more about ProSight IT Asset Management service.

For Minneapolis 24-Hour CryptoLocker Recovery Services, call Progent at 800-993-9400 or go to Contact Progent.