Crypto-Ransomware : Your Feared IT Nightmare
Ransomware Recovery Professionals
Ransomware has become a modern cyber-plague that poses an extinction-level threat to businesses of any size vulnerable to attack. Ransomware families such as Dharma, WannaCry, Locky, NotPetya and the MongoLock cryptoworm have been in the wild for many years and still wreak havoc. Newer families such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, along with a steady stream of as yet unnamed newcomers, not only encrypt online data files but also encrypt most reachable system backups. Data synchronized to off-site disaster recovery sites can be encrypted as well. In a vulnerable environment this can make automated restoration hopeless and effectively set the datacenter back to square one.

Restoring applications and data after a ransomware intrusion becomes a race against the clock as the targeted business fights to stop lateral movement, remove the malware, and resume business-critical operations. Because ransomware needs time to move laterally, attacks are frequently launched on weekends and at night, when a successful penetration often takes longer to discover. This compounds the difficulty of rapidly assembling and organizing a capable mitigation team.

Progent offers a range of services for protecting businesses from ransomware attacks. These include staff education to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security solutions with AI capabilities that quickly discover and disable zero-day threats. Progent also offers the services of experienced ransomware recovery professionals with the track record and perseverance to redeploy a breached environment as rapidly as possible.

Progent's Ransomware Recovery Help
After a ransomware penetration, paying the ransom in Bitcoin does not ensure that the criminal gang will return the keys needed to decrypt any or all of your data. Kaspersky Labs found that 17% of crypto-ransomware victims never recovered their files after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000), far above the typical crypto-ransomware demand, which ZDNET put at approximately $13,000. The alternative is to piece the essential elements of your IT environment back together. Without complete backups available, this calls for a wide range of IT skills, professional project management, and the capacity to work around the clock until the job is done.

For two decades, Progent has provided certified expert IT services for businesses in Indianapolis and throughout the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who hold top certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts hold internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise with accounting and ERP application software. This breadth of experience allows Progent to knowledgeably identify critical systems after a crypto-ransomware attack and reassemble the surviving pieces of your network into an operational system.

Progent's ransomware recovery team uses top-notch project management systems to coordinate the complicated restoration process. Progent knows the importance of working quickly and in concert with a client's management and IT staff to prioritize tasks and get the most important services back online as fast as possible.

Business Case Study: A Successful Ransomware Virus Response
A customer hired Progent after their network was attacked by Ryuk crypto-ransomware. Ryuk is believed to have been launched by North Korean state-backed criminal gangs, suspected of using technology leaked from the U.S. NSA. Ryuk targets specific businesses with little tolerance for disruption and is one of the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing company based in the Chicago metro area with about 500 employees. The Ryuk intrusion had frozen all business operations and manufacturing capabilities. Most of the client's backups had been online at the time of the attack and were encrypted. The client considered paying the ransom (more than $200K) and hoping for the best, but ultimately engaged Progent.


"I cannot speak enough in regards to the help Progent provided us during the most fearful period of (our) business's life. We most likely would have paid the cybercriminals if not for the confidence the Progent experts gave us. That you could get our e-mail system and production servers back into operation sooner than seven days was something I thought impossible. Each consultant I got help from or e-mailed at Progent was laser focused on getting us restored and was working 24 by 7 on our behalf."

Progent worked hand in hand with the customer to rapidly assess and prioritize the most important elements that had to be restored in order to continue company operations:

  • Microsoft Active Directory
  • Microsoft Exchange Email
  • Accounting/MRP
To start, Progent followed industry best practices for malware incident response by stopping lateral movement and cleaning up infected systems. Progent then began rebuilding Microsoft Active Directory (AD), the core of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange Server email will not operate without AD, and the business's financials and MRP applications relied on SQL Server, which depends on Windows AD for authentication to the data.

In less than two days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then charged ahead with rebuilding and storage recovery on mission-critical systems. All Exchange ties and attributes were intact, which greatly helped the rebuild of Exchange. Progent was also able to locate non-encrypted OST data files (Microsoft Outlook Offline Data Files) on user desktop computers in order to recover email. A recent offline backup of the business's accounting/ERP software made it possible to bring these required applications back online. Although major work remained to recover fully from the Ryuk event, critical systems were recovered rapidly:
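The OST recovery step above (locating non-encrypted Outlook Offline Data Files on user desktops) is the kind of task a recovery team scripts rather than performs by hand. The following is an added example, not Progent's tooling or anything from the case study. It assumes a profile root to scan and relies on the fact that Outlook PST/OST files begin with the four-byte signature `!BDN`, so a file whose header no longer matches has been overwritten or encrypted in place. The name test is deliberately loose so that files a ransomware family renamed with an extra extension (the constructed sample uses `.locked` purely as an illustration) are still listed, and flagged as damaged. The sample tree is constructed inside a temporary directory; no real mailbox data is involved.

```python
"""Inventory Outlook OST files under a profile root and flag those that no
longer carry the Outlook signature (added illustration, not Progent's code)."""
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Outlook PST/OST files start with the four-byte signature "!BDN".
OST_MAGIC = b"!BDN"


@dataclass
class OstRecord:
    path: str
    size: int
    intact: bool  # True when the file still starts with the Outlook signature


def inspect_ost(path: Path) -> OstRecord:
    """Read only the first four bytes: a file the ransomware overwrote or
    encrypted in place will no longer begin with the Outlook signature."""
    with open(path, "rb") as fh:
        header = fh.read(len(OST_MAGIC))
    return OstRecord(str(path), path.stat().st_size, header == OST_MAGIC)


def find_ost_files(root: Path) -> list[OstRecord]:
    """Walk a profile or drive root. The name test is loose (".ost" anywhere in
    the name) so renamed files are still listed; intact files sort first."""
    records = [inspect_ost(p) for p in root.rglob("*")
               if p.is_file() and ".ost" in p.name.lower()]
    return sorted(records, key=lambda r: (not r.intact, r.path))


def recoverable(records: list[OstRecord]) -> list[OstRecord]:
    """The subset worth copying off the workstation for mailbox recovery."""
    return [r for r in records if r.intact]


def build_demo_tree(root: Path) -> None:
    """Constructed sample data (hypothetical users, hypothetical domain):
    one intact OST, one encrypted in place, one renamed by the malware."""
    good = root / "alice" / "Outlook" / "alice@example.test.ost"
    good.parent.mkdir(parents=True)
    good.write_bytes(OST_MAGIC + b"\x00" * 60)

    damaged = root / "bob" / "Outlook" / "bob@example.test.ost"
    damaged.parent.mkdir(parents=True)
    damaged.write_bytes(b"\xff" * 64)  # header destroyed by in-place encryption

    renamed = root / "carol" / "Outlook" / "carol@example.test.ost.locked"
    renamed.parent.mkdir(parents=True)
    renamed.write_bytes(b"\xff" * 64)  # renamed and encrypted


def demo() -> list[OstRecord]:
    """Run the inventory over the constructed tree and return the records."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return find_ost_files(root)


if __name__ == "__main__":
    # Point find_ost_files at a real profile root (e.g. C:\Users) in practice.
    for rec in demo():
        print("INTACT " if rec.intact else "DAMAGED", rec.size, rec.path)
```

Sorting intact files first gives the recovery team an immediate list of what to copy off each workstation before anything else is touched; damaged entries are still listed so nothing is silently skipped.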


"For the most part, the production manufacturing operation was never shut down and we did not miss any customer orders."

During the following month, critical milestones in the restoration process were reached through close collaboration between Progent engineers and the customer:

  • In-house web sites were brought back up with no loss of information.
  • The MailStore Exchange Server with over 4 million historical emails was brought on-line and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/AR/Inventory capabilities were completely recovered.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Most desktops and laptops were back in use by staff.

"Much of what happened in the initial days is nearly entirely a blur for me, but my management will not soon forget the dedication each of your team accomplished to help get our business back. I have utilized Progent for the past 10 years, possibly more, and every time I needed help Progent has impressed me and delivered as promised. This time was a Herculean accomplishment."

Conclusion
A potential business extinction catastrophe was avoided through dedicated professionals, a wide array of knowledge, and tight collaboration. Although in a post mortem the crypto-ransomware penetration detailed here would have been shut down by current cybersecurity technology and ISO/IEC 27001 best practices, user and IT administrator training, and well-designed procedures for data backup and software patching, the reality is that state-sponsored cyber criminals from China, North Korea and elsewhere are relentless and will keep trying. If you do fall victim to crypto-ransomware, you can be confident that Progent's team of professionals has a proven track record in ransomware defense, removal, and information systems recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for allowing me to get rested after we got over the initial fire. Everyone made an impressive effort, and if any of your guys are around the Chicago area, a great meal is my treat!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Indianapolis a variety of remote monitoring and security assessment services designed to help you reduce your exposure to ransomware. These services use modern machine learning to uncover new ransomware variants that evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that utilizes cutting edge behavior-based analysis technology to guard physical and virtual endpoints against modern malware assaults like ransomware and file-less exploits, which routinely evade legacy signature-matching AV products. ProSight ASM safeguards on-premises and cloud-based resources and offers a single platform to address the entire malware attack lifecycle including protection, infiltration detection, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer affordable multi-layer security for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning to continuously monitor and react to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, penetration alerts, endpoint management, and web filtering through cutting-edge tools incorporated within a single agent managed from a single console. Progent's data protection and virtualization consultants can help your business design and configure a ProSight ESP deployment that meets your company's specific requirements and allows you to achieve and demonstrate compliance with government and industry data security standards. Progent will assist you in specifying and implementing the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that require urgent action. Progent's consultants can also help your company set up and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business quickly after a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and mid-sized businesses an affordable end-to-end service for reliable backup and disaster recovery. Available at a low monthly price, ProSight DPS automates your backup processes and allows rapid recovery of critical data, apps and VMs that have become unavailable or corrupted as a result of component breakdowns, software glitches, disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Critical data can be protected in the cloud, on an on-premises storage device, or mirrored to both. Progent's backup and recovery consultants can deliver advanced support to set up ProSight DPS to comply with regulatory standards like HIPAA, FERPA, and PCI and, when needed, can help you recover your critical information. Learn more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top information security vendors to provide web-based control and world-class protection for your inbound and outbound email. The powerful structure of Email Guard combines a Cloud Protection Layer with a local gateway appliance to provide advanced protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-based threats. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks the vast majority of threats from reaching your security perimeter. This decreases your exposure to inbound threats and conserves network bandwidth and storage space. Email Guard's on-premises security gateway device provides a deeper layer of inspection for inbound email. For outbound email, the onsite security gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also help Exchange Server to monitor and protect internal email that stays within your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to map, track, enhance and troubleshoot their networking hardware like routers, firewalls, and load balancers plus servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology diagrams are always current, copies and manages the configuration of virtually all devices on your network, monitors performance, and sends alerts when potential issues are discovered. By automating complex management and troubleshooting activities, ProSight WAN Watch can cut hours off common chores such as network mapping, reconfiguring your network, locating devices that require important updates, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management techniques to help keep your IT system operating efficiently by tracking the state of the critical assets that drive your information system. When ProSight LAN Watch detects a problem, an alert is sent immediately to your designated IT staff and your Progent consultant so potential problems can be addressed before they impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a protected Tier III data center on a fast virtual host set up and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the apps. Since the system is virtualized, it can be moved immediately to a different hardware environment without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and safeguard data about your IT infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your IT documentation, you can save as much as half of the time wasted searching for critical information about your IT network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents related to managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're planning improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need the instant you need it. Find out more about ProSight IT Asset Management service.

For Indianapolis 24x7x365 Ransomware Removal Consultants, contact Progent at 800-993-9400 or go to Contact Progent.