Crypto-Ransomware: Your Worst Information Technology Disaster
Ransomware has become an escalating cyber-plague that presents an enterprise-level threat to any organization vulnerable to attack. Variants such as the CrySIS, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been circulating for many years and continue to cause destruction. More recent strains such as Ryuk and Hermes, along with new and as yet unnamed variants appearing daily, not only encrypt online data files but also corrupt most reachable system restore points and backups. Data synchronized to cloud environments can be encrypted as well. In a poorly designed environment this renders automatic restoration useless and effectively knocks the network back to square one.
Restoring online services and data after a crypto-ransomware attack becomes a race against the clock as the targeted business fights to stop lateral movement, eradicate the ransomware and resume mission-critical operations. Because ransomware needs time to spread laterally, attacks are often launched on weekends and at night, when a successful penetration typically takes longer to discover. This compounds the difficulty of quickly assembling and coordinating a knowledgeable mitigation team.
Progent offers an assortment of services for protecting enterprises against crypto-ransomware. These include staff training on recognizing and avoiding phishing attacks, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security appliances with AI capabilities that rapidly detect and quarantine zero-day attacks. Progent also provides expert ransomware recovery engineers with the track record and perseverance to rebuild a breached network as quickly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware attack, paying the ransom in cryptocurrency does not ensure that the distant criminals will respond with the keys needed to decrypt any of your data. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their data after sending the ransom, compounding their losses. The gamble is also very expensive: Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the average crypto-ransomware demand, which ZDNET puts at approximately $13,000. The other path is to rebuild the key parts of your IT environment. Without access to essential system backups, this requires a wide range of skills, top-notch team management, and the capability to work 24x7 until the job is done.
For two decades, Progent has provided expert IT services to businesses in Irving and throughout the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers holding high-level certifications in foundation technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's security consultants hold internationally recognized certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with accounting and ERP application software. This breadth of expertise lets Progent rapidly identify the essential systems, reorganize the surviving components of your network after a ransomware attack, and assemble them into a working whole.
Progent's security group uses best-of-breed project management systems to orchestrate the complex recovery process. Progent understands the importance of acting rapidly and in concert with the customer's management and IT staff to prioritize tasks and bring key systems back online as fast as possible.
Client Case Study: A Successful Crypto-Ransomware Incident Response
A client engaged Progent after their network was taken over by the Ryuk crypto-ransomware. Ryuk is thought to have been launched by North Korean state cybercriminals, possibly using algorithms leaked from the U.S. NSA. Ryuk targets specific businesses with little ability to sustain disruption and is among the most profitable strains of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing business headquartered in Chicago with about 500 employees. The Ryuk incident had shut down all company operations and manufacturing processes. Most of the client's backups had been online at the start of the attack and were destroyed. The client considered paying the ransom (in excess of $200K) and hoping for the best, but ultimately called Progent.
"I cannot speak enough about the care Progent gave us throughout the most stressful time of (our) business's survival. We would have had little choice but to pay the cyber criminals if not for the confidence the Progent team afforded us. The fact that you could get our e-mail system and important applications back into operation in under seven days was amazing. Every single person I worked with or communicated with at Progent was absolutely committed to getting our system up and worked 24/7 to bail us out."
Progent worked with the customer to rapidly identify and prioritize the key systems that had to be restored before business operations could resume:
- Active Directory
- Exchange Server
- MRP System
To begin, Progent followed industry best practices for ransomware containment by isolating the affected systems and removing the malware. Progent then started recovering Windows Active Directory, the core of any enterprise environment built on Microsoft technology: Microsoft Exchange cannot operate without Active Directory, and the customer's MRP applications ran on Microsoft SQL Server, which depends on Active Directory for authenticated access to its databases.
Within two days, Progent had restored Active Directory to its pre-intrusion state. Progent then rebuilt key servers and recovered their storage. The Exchange Server links and attributes were intact, which simplified rebuilding Exchange. Progent also located local OST files (Microsoft Outlook Offline Folder files) on various workstations and used them to recover mail data. A fairly recent offline backup of the customer's accounting software allowed these essential services to be returned to users. Although significant work remained to recover fully from the Ryuk virus, the most important systems were back quickly:
"For the most part, the production operation was never shut down and we made all customer shipments."
Throughout the next couple of weeks important milestones in the recovery process were accomplished in tight collaboration between Progent team members and the customer:
- In-house web sites were restored with no loss of information.
- The MailStore Exchange Server with over four million archived emails was restored to operation and made accessible to users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivables/Inventory modules were 100% functional.
- A new Palo Alto Networks 850 security appliance was brought online.
- Most of the user PCs were operational.
"A huge amount of what happened in the initial days is nearly entirely a blur for me, but our team will not soon forget the dedication all of the team put in to give us our company back. I have trusted Progent for at least 10 years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This situation was a Herculean accomplishment."
A likely enterprise-killing disaster was avoided through hard-working experts, a wide spectrum of IT skills, and tight teamwork. Although forensics later showed that the incident detailed here could have been blocked with current cyber security technology and best practices, staff training, and appropriate incident response procedures for backup and patch management, the reality remains that state-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and an ongoing threat. If you are hit by a ransomware incident, remember that Progent's team of experts has substantial experience in ransomware defense, removal, and file recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), I'm grateful for allowing me to get some sleep after we made it past the initial fire. Everyone did an impressive job, and if any of your guys are visiting the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this customer story, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
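The case above turned on one offline backup that the attack could not reach, and the conclusion lists backup procedures among the controls that would have blunted the incident. As an added example (not Progent's code or tooling), the PowerShell below builds a SHA-256 manifest of a backup set while it is known good and later verifies a restore candidate against it, reporting files that are missing, altered (as encrypted files would be) or unexpected. The manifest only proves anything if it is stored offline alongside the backup, out of reach of the same compromise; the file names and scratch folder below are constructed for the demonstration.

```powershell
# Added example, not Progent's code: hash manifest for a backup set, used to
# verify a restore candidate before it is trusted. Paths are constructed for the demo.

function New-BackupManifest {
    param(
        [Parameter(Mandatory)] [string] $SourceRoot,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $root = (Resolve-Path -LiteralPath $SourceRoot).Path
    Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length).TrimStart('\')
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Length       = $_.Length
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
}

function Test-BackupManifest {
    param(
        [Parameter(Mandatory)] [string] $RestoreRoot,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $root     = (Resolve-Path -LiteralPath $RestoreRoot).Path
    $expected = Import-Csv -LiteralPath $ManifestPath
    $result   = [ordered]@{ Verified = 0; Missing = @(); Mismatched = @(); Unexpected = @() }
    $seen     = @{}

    foreach ($entry in $expected) {
        $full = Join-Path $root $entry.RelativePath
        $seen[$entry.RelativePath.ToLowerInvariant()] = $true
        if (-not (Test-Path -LiteralPath $full -PathType Leaf)) {
            $result.Missing += $entry.RelativePath
            continue
        }
        # A hash mismatch means the file changed after the manifest was taken;
        # an encrypted copy of the file will always fail this comparison.
        $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        if ($hash -ne $entry.SHA256) { $result.Mismatched += $entry.RelativePath }
        else                         { $result.Verified++ }
    }

    # Files present in the restore candidate that the manifest never recorded.
    Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($root.Length).TrimStart('\')
        if (-not $seen.ContainsKey($rel.ToLowerInvariant())) { $result.Unexpected += $rel }
    }
    [pscustomobject]$result
}

# Constructed demonstration data in a scratch folder.
$work = Join-Path ([IO.Path]::GetTempPath()) ('manifest-demo-' + [guid]::NewGuid())
$src  = (New-Item -ItemType Directory -Path (Join-Path $work 'backup')).FullName
Set-Content -LiteralPath (Join-Path $src 'ledger.csv') -Value 'account,balance'
Set-Content -LiteralPath (Join-Path $src 'notes.txt')  -Value 'constructed sample text'
$manifest = Join-Path $work 'manifest.csv'
New-BackupManifest -SourceRoot $src -ManifestPath $manifest

# Alter one file after the manifest was taken, as a tampered or encrypted copy would be.
Set-Content -LiteralPath (Join-Path $src 'notes.txt') -Value 'changed after manifest'
Test-BackupManifest -RestoreRoot $src -ManifestPath $manifest | Format-List
Remove-Item -LiteralPath $work -Recurse -Force
```

Run the check on a restore candidate before reconnecting it to production: a non-zero Mismatched count means the copy was altered after the manifest was taken and should not be trusted, and a manifest that lived on the same online share as the backup gives no such assurance because it could have been altered alongside the data.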
Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Irving a variety of remote monitoring and security evaluation services to help you to minimize your vulnerability to crypto-ransomware. These services utilize next-generation artificial intelligence technology to uncover new strains of ransomware that are able to evade legacy signature-based anti-virus solutions.
For 24x7 Irving Crypto Recovery Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that uses next-generation behavioral machine-learning tools to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which easily get past traditional signature-matching AV tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a unified platform to manage the entire threat lifecycle, including filtering, infiltration detection, mitigation, cleanup, and post-attack forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
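Single-click rollback with VSS only works on a volume where shadow copies still exist. As an added example (not ProSight ASM's code), the PowerShell inventory below lists, per NTFS volume, how many shadow copies exist and how old the newest one is, so a defender can confirm that rollback is actually available before relying on it. The 24-hour freshness threshold is an assumption to be tuned to the local snapshot schedule.

```powershell
# Added example, not part of ProSight ASM: per-volume Volume Shadow Copy inventory.
# Requires an elevated session because Win32_ShadowCopy is only readable by administrators.

function Get-ShadowCopyStatus {
    param([int] $MaxAgeHours = 24)   # assumed threshold; align with the snapshot schedule

    $volumes = Get-CimInstance -ClassName Win32_Volume |
        Where-Object { $_.DriveLetter -and $_.FileSystem -eq 'NTFS' }
    $copies  = Get-CimInstance -ClassName Win32_ShadowCopy

    foreach ($vol in $volumes) {
        # Win32_ShadowCopy.VolumeName uses the same \\?\Volume{GUID}\ form as Win32_Volume.DeviceID
        $mine   = @($copies | Where-Object { $_.VolumeName -eq $vol.DeviceID })
        $newest = $mine | Sort-Object InstallDate -Descending | Select-Object -First 1
        $age    = if ($newest) { (Get-Date) - $newest.InstallDate } else { $null }

        [pscustomobject]@{
            Volume        = $vol.DriveLetter
            ShadowCopies  = $mine.Count
            NewestAt      = if ($newest) { $newest.InstallDate } else { $null }
            # Rollback is only realistic if a reasonably fresh snapshot exists.
            RollbackReady = ($null -ne $age) -and ($age.TotalHours -le $MaxAgeHours)
        }
    }
}

Get-ShadowCopyStatus | Format-Table -AutoSize
```

A volume that reports zero shadow copies where the schedule expects them deserves an alert on its own. Because shadow copies live on the same host as the data they protect, they complement rather than replace the offline backups the case study above relied on.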
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection services offer affordable multi-layer protection for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced machine learning to continuously monitor and respond to cyber threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, device management, and web filtering through cutting-edge tools incorporated within a single agent managed from a unified console. Progent's security and virtualization consultants can help you plan and implement a ProSight ESP deployment that meets your company's unique needs and helps you achieve and demonstrate compliance with legal and industry information security regulations. Progent will help you specify and implement the policies that ProSight ESP enforces, and Progent will monitor your IT environment and react to alerts that call for immediate action. Progent can also help your company install and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services provide small and medium-sized businesses a low-cost and fully managed service for reliable backup/disaster recovery (BDR). Available at a fixed monthly price, ProSight DPS automates your backup activities and allows rapid recovery of vital files, apps and virtual machines that have become unavailable or damaged as a result of hardware breakdowns, software bugs, natural disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, apps, system images, and Hyper-V and VMware images. Important data can be protected to the cloud, to an on-premises device, or to both. Progent's BDR specialists can provide world-class support to configure ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FERPA, PCI and Safe Harbor and, whenever necessary, can assist you in restoring your business-critical data. Find out more about ProSight DPS Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top information security vendors to provide web-based management and comprehensive protection for all your email traffic. The powerful structure of Progent's Email Guard managed service combines a Cloud Protection Layer with a local gateway appliance to offer advanced protection against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks most threats before they reach your network firewall. This reduces your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's onsite gateway device provides a deeper layer of analysis for incoming email. For outbound email, the onsite gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server in monitoring and safeguarding internal email traffic that stays inside your corporate firewall. For more details, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to map out, track, optimize and troubleshoot their networking hardware such as routers, switches, firewalls and access points, as well as servers, printers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch keeps infrastructure topology maps up to date, captures and displays the configuration information of almost all devices connected to your network, tracks performance, and sends notices when problems are discovered. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can cut hours off ordinary chores such as drawing network diagrams, reconfiguring your network, locating appliances that require critical updates, or resolving performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management technology to keep your IT system operating at peak levels by checking the health of the vital computers that drive your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your designated IT management staff and your Progent consultant so that potential problems can be addressed before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual host configured and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the applications. Because the system is virtualized, it can be ported easily to a different hosting environment without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is a cloud-based IT documentation management service that allows you to create, maintain, find and safeguard data about your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be alerted about impending expirations of SSL certificates or domains. By keeping your IT documentation current and organized, you can save up to half of the time wasted searching for critical information about your network. ProSight IT Asset Management includes a common location for holding and sharing all documents related to managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether you're planning enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require when you need it. Learn more about Progent's ProSight IT Asset Management service.