Crypto-Ransomware : Your Crippling IT Nightmare
Crypto-Ransomware  Recovery ConsultantsRansomware has become a too-frequent cyber pandemic that poses an existential threat for businesses of all sizes unprepared for an assault. Different versions of ransomware like the CrySIS, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for years and still cause havoc. The latest variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit or Egregor, plus daily unnamed newcomers, not only encrypt online information but also infiltrate most available system restores and backups. Information synched to off-site disaster recovery sites can also be ransomed. In a vulnerable environment, this can render automatic restoration impossible and effectively knocks the entire system back to square one.

Recovering services and data after a crypto-ransomware outage becomes a race against time as the targeted business fights to contain and cleanup the virus and to restore business-critical activity. Because ransomware needs time to move laterally, attacks are usually launched during nights and weekends, when penetrations typically take more time to uncover. This multiplies the difficulty of rapidly marshalling and orchestrating a qualified response team.

Progent provides an assortment of help services for securing businesses from ransomware penetrations. These include staff education to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of modern security gateways with AI capabilities to rapidly identify and suppress day-zero threats. Progent in addition offers the assistance of seasoned ransomware recovery consultants with the skills and commitment to restore a compromised network as urgently as possible.

Progent's Crypto-Ransomware Recovery Help
Subsequent to a ransomware event, sending the ransom in cryptocurrency does not ensure that distant criminals will respond with the codes to decipher any of your files. Kaspersky ascertained that seventeen percent of ransomware victims never recovered their files after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is well above the average ransomware demands, which ZDNET estimates to be approximately $13,000. The other path is to piece back together the key elements of your IT environment. Without the availability of essential information backups, this calls for a broad range of skill sets, top notch team management, and the willingness to work non-stop until the job is completed.

For twenty years, Progent has offered professional Information Technology services for companies in Lynnwood and throughout the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have earned high-level industry certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have earned internationally-recognized industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of expertise affords Progent the skills to rapidly ascertain important systems and integrate the remaining pieces of your network environment after a crypto-ransomware attack and rebuild them into an operational system.

Progent's recovery team uses top notch project management tools to coordinate the complicated recovery process. Progent appreciates the importance of working rapidly and in concert with a customerís management and IT staff to assign priority to tasks and to put key services back on line as soon as possible.

Client Story: A Successful Ransomware Penetration Restoration
A business contacted Progent after their company was penetrated by Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean government sponsored hackers, suspected of using techniques exposed from Americaís NSA organization. Ryuk goes after specific businesses with little or no ability to sustain disruption and is among the most lucrative iterations of ransomware viruses. Headline targets include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in Chicago with around 500 workers. The Ryuk attack had frozen all company operations and manufacturing processes. The majority of the client's information backups had been online at the time of the attack and were damaged. The client considered paying the ransom (more than $200,000) and hoping for the best, but ultimately called Progent.


"I cannot speak enough about the expertise Progent gave us during the most critical time of (our) businesses survival. We most likely would have paid the Hackers if not for the confidence the Progent group gave us. That you could get our messaging and critical applications back in less than five days was beyond my wildest dreams. Every single person I worked with or e-mailed at Progent was absolutely committed on getting us restored and was working 24 by 7 on our behalf."

Progent worked together with the customer to rapidly identify and prioritize the most important areas that needed to be recovered to make it possible to restart business functions:

  • Microsoft Active Directory
  • Electronic Messaging
  • Financials/MRP
To start, Progent followed Anti-virus event response industry best practices by stopping lateral movement and performing virus removal steps. Progent then started the work of recovering Microsoft Active Directory, the key technology of enterprise environments built on Microsoft technology. Microsoft Exchange Server email will not work without Windows AD, and the customerís financials and MRP software used Microsoft SQL Server, which needs Windows AD for authentication to the information.

Within 2 days, Progent was able to recover Windows Active Directory to its pre-virus state. Progent then helped perform reinstallations and storage recovery of needed applications. All Microsoft Exchange Server schema and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was also able to find local OST data files (Outlook Email Off-Line Data Files) on team desktop computers and laptops to recover email data. A recent offline backup of the businesses manufacturing systems made them able to recover these required applications back online. Although major work was left to recover fully from the Ryuk attack, core systems were restored rapidly:


"For the most part, the production operation ran fairly normal throughout and we produced all customer sales."

Throughout the following few weeks critical milestones in the recovery process were achieved through close cooperation between Progent engineers and the customer:

  • Internal web applications were restored with no loss of information.
  • The MailStore Microsoft Exchange Server containing more than four million historical messages was spun up and available for users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control capabilities were completely restored.
  • A new Palo Alto 850 security appliance was installed and configured.
  • 90% of the user workstations were fully operational.

"A lot of what was accomplished that first week is nearly entirely a fog for me, but my management will not forget the dedication each and every one of the team accomplished to help get our business back. Iíve been working with Progent for the past 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This situation was no exception but maybe more Herculean."

Conclusion
A probable business disaster was evaded by top-tier professionals, a wide array of technical expertise, and close collaboration. Although upon completion of forensics the crypto-ransomware virus incident described here would have been identified and prevented with up-to-date cyber security solutions and recognized best practices, user training, and well thought out security procedures for data protection and applying software patches, the fact is that government-sponsored hackers from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware incident, remember that Progent's roster of experts has extensive experience in crypto-ransomware virus blocking, cleanup, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thank you for letting me get rested after we got over the initial fire. All of you did an amazing job, and if any of your team is around the Chicago area, dinner is on me!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Lynnwood a portfolio of online monitoring and security assessment services designed to assist you to minimize the threat from ransomware. These services include modern AI technology to detect zero-day strains of ransomware that are able to get past traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates cutting edge behavior analysis tools to defend physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which routinely evade traditional signature-matching AV tools. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a single platform to automate the complete threat progression including protection, infiltration detection, mitigation, cleanup, and forensics. Top features include one-click rollback with Windows VSS and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable multi-layer security for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device management, and web filtering via leading-edge tools incorporated within one agent accessible from a unified console. Progent's data protection and virtualization consultants can assist your business to design and configure a ProSight ESP environment that addresses your organization's specific requirements and that helps you prove compliance with government and industry information protection standards. Progent will assist you specify and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that require urgent attention. Progent's consultants can also help you to install and verify a backup and restore system like ProSight Data Protection Services so you can get back in business rapidly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and mid-sized businesses an affordable end-to-end service for reliable backup/disaster recovery (BDR). For a low monthly rate, ProSight Data Protection Services automates your backup activities and enables rapid restoration of vital files, applications and VMs that have become lost or corrupted due to component breakdowns, software glitches, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware images/. Critical data can be backed up on the cloud, to a local storage device, or mirrored to both. Progent's backup and recovery consultants can deliver world-class support to configure ProSight DPS to be compliant with government and industry regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, when needed, can help you to restore your critical information. Find out more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of top data security vendors to provide web-based control and comprehensive security for all your email traffic. The hybrid architecture of Progent's Email Guard managed service integrates cloud-based filtering with a local gateway appliance to provide complete protection against spam, viruses, Dos Attacks, DHAs, and other email-based malware. The Cloud Protection Layer acts as a first line of defense and blocks most unwanted email from reaching your security perimeter. This decreases your vulnerability to inbound threats and conserves system bandwidth and storage space. Email Guard's on-premises security gateway device adds a further layer of inspection for incoming email. For outbound email, the onsite security gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Exchange Server to track and protect internal email that originates and ends within your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, track, enhance and troubleshoot their connectivity appliances like routers, firewalls, and load balancers plus servers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that network diagrams are kept updated, captures and manages the configuration of almost all devices on your network, tracks performance, and generates alerts when potential issues are detected. By automating time-consuming management processes, WAN Watch can knock hours off ordinary chores like making network diagrams, reconfiguring your network, finding devices that need important software patches, or isolating performance problems. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that incorporates advanced remote monitoring and management technology to keep your IT system operating efficiently by checking the health of critical computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your designated IT staff and your Progent consultant so that all potential problems can be resolved before they can impact your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected fault tolerant data center on a fast virtual host set up and managed by Progent's network support experts. With the ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the apps. Because the environment is virtualized, it can be ported easily to a different hardware environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not tied a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and protect data about your IT infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates ,domains or warranties. By updating and organizing your IT documentation, you can eliminate up to 50% of time spent searching for vital information about your network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents required for managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether youíre planning enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need the instant you need it. Read more about ProSight IT Asset Management service.
For Lynnwood 24-7 Crypto Recovery Consulting, call Progent at 800-993-9400 or go to Contact Progent.