Crypto-Ransomware : Your Worst Information Technology Nightmare
Crypto-ransomware has become an escalating cyberplague that poses an existential danger to businesses unprepared for an attack. Ransomware strains such as Dharma, CryptoWall, Locky, SamSam and MongoLock have been around for a long time and still inflict damage. Recent variants like Ryuk and Hermes, plus daily unnamed newcomers, not only encrypt online data files but also attack every configured system protection mechanism they can reach. Data replicated to off-site disaster recovery sites can also be rendered useless. In a poorly designed environment, this can make any restoration impossible and effectively sets the network back to zero.
Bringing applications and data back online after a ransomware intrusion becomes a race against time as the victim struggles to stop lateral movement, clean up the ransomware, and resume business-critical activity. Because ransomware needs time to spread, attacks are frequently launched on weekends and holidays, when a successful penetration may take longer to notice. This compounds the difficulty of promptly mobilizing and organizing a knowledgeable mitigation team.
Progent has a variety of support services for protecting organizations from ransomware events. These include user training to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of the latest generation security appliances with machine learning technology to quickly identify and suppress new threats. Progent in addition offers the services of expert ransomware recovery consultants with the skills and commitment to reconstruct a breached network as quickly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware event, paying the ransom in cryptocurrency provides no assurance that merciless criminals will hand over the keys needed to decrypt all of your information. Kaspersky Labs found that 17% of crypto-ransomware victims never recovered their information even after paying the ransom, resulting in increased losses. Paying is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET estimates to be around $13,000. The alternative is to piece back together the critical parts of your IT environment. Without complete data backups, this requires a broad range of skills, well-coordinated project management, and the ability to work 24x7 until the recovery project is over.
For two decades, Progent has offered expert Information Technology services for companies in Omaha and throughout the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who hold advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers hold internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise with financial systems and ERP applications. This breadth of expertise gives Progent the capability to rapidly understand the necessary systems, integrate the surviving pieces of your network following a crypto-ransomware event, and configure them into an operational system.
Progent's recovery team uses top-notch project management tools to orchestrate the complicated restoration process. Progent understands the urgency of acting rapidly and in concert with a customer's management and IT staff to prioritize tasks and to put critical systems back online as soon as possible.
Business Case Study: A Successful Ransomware Incident Restoration
A customer hired Progent after their network was crippled by Ryuk ransomware. Ryuk is believed to have been developed by North Korean government-sponsored cybercriminals, suspected of using techniques exposed from America's National Security Agency. Ryuk targets specific companies with little ability to sustain disruption and is among the most profitable ransomware strains. Headline targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer based in Chicago with around 500 workers. The Ryuk event had paralyzed all company operations and manufacturing processes. Most of the client's system backups had been online at the start of the intrusion and were eventually encrypted. The client was actively seeking loans to pay the ransom demand (exceeding $200K) and hoping for the best, but in the end decided to use Progent.
"I can't thank you enough in regards to the expertise Progent provided us throughout the most fearful period of (our) business's survival. We would have paid the cyber criminals behind the attack if not for the confidence the Progent group provided us. That you could get our e-mail and essential servers back in less than one week was amazing. Each staff member I interacted with or texted at Progent was absolutely committed to getting us back online and was working at breakneck pace to bail us out."
Progent worked with the client to rapidly understand and prioritize the key areas that needed to be restored in order to resume departmental operations:
- Windows Active Directory
- Electronic Messaging
To begin, Progent followed industry best practices for anti-virus/malware incident mitigation by stopping lateral movement and performing malware removal steps. Progent then began restoring Microsoft Active Directory, the heart of enterprise networks built on Microsoft technology. Exchange email will not operate without Active Directory, and the business's MRP system used Microsoft SQL Server, which relies on Active Directory for authorization to its databases.
Within two days, Progent was able to rebuild Windows Active Directory to its pre-infection state. Progent then began setup and hard drive recovery on mission-critical servers. All Exchange Server links and configuration information were still usable, which greatly helped the rebuild of Exchange. Progent was able to gather unencrypted OST files (Outlook Offline Folder Files) from staff workstations and laptops to recover mail data. A fairly recent offline backup of the client's accounting systems allowed these vital applications to be restored to service. Although significant work still had to be done to recover fully from the Ryuk infection, core services were recovered quickly:
"For the most part, the assembly line operation ran fairly normally throughout and we delivered all customer deliverables."
During the next few weeks key milestones in the recovery project were accomplished through close cooperation between Progent consultants and the client:
- In-house web sites were brought back up without losing any information.
- The MailStore Server with over four million historical emails was restored to operations and accessible to users.
- CRM/Customer Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory Control capabilities were 100% restored.
- A new Palo Alto 850 firewall was deployed.
- Ninety percent of the desktops and laptops were back in operation.
"Much of what occurred in the early hours is nearly entirely a blur for me, but our team will not forget the countless hours each and every one of your team put in to help get our company back. I have been working with Progent for the past ten years, possibly more, and each time Progent has come through and delivered as promised. This time was the most impressive ever."
A probable enterprise-killing catastrophe was averted through results-oriented experts, a wide spectrum of subject matter expertise, and tight teamwork. In the post mortem, the crypto-ransomware penetration described here could have been prevented with up-to-date cybersecurity technology and NIST Cybersecurity Framework best practices, user education, well-designed incident response procedures for data protection, and proper patching controls. The reality, however, is that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware incursion, be confident that Progent's roster of experts has substantial experience in crypto-ransomware blocking, mitigation, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thank you for making it so I could get rested after we made it past the initial push. All of you did an amazing job, and if anyone is around the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this customer case study, see Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Omaha a range of online monitoring and security assessment services to help you reduce the threat from crypto-ransomware. These services use modern AI capabilities to uncover new variants of crypto-ransomware that can escape detection by traditional signature-based security solutions.
For 24x7 Omaha Crypto Remediation Services, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates cutting-edge behavior-based machine learning tools to guard physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which routinely evade traditional signature-matching AV tools. ProSight ASM safeguards local and cloud-based resources and provides a single platform to automate the complete threat lifecycle, including filtering, identification, containment, cleanup, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
ProSight Enhanced Security Protection (ESP) services offer ultra-affordable multi-layer protection for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and response to security threats from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device control, and web filtering through cutting-edge technologies incorporated within a single agent managed from a unified console. Progent's security and virtualization consultants can help you design and implement a ProSight ESP environment that meets your company's specific requirements and that allows you to achieve and demonstrate compliance with legal and industry information security regulations. Progent will help you specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for urgent action. Progent's consultants can also help your company set up and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services provide small and medium-sized businesses a low-cost, fully managed service for secure backup and disaster recovery. Available at a low monthly cost, ProSight DPS automates and monitors your backup activities and allows rapid recovery of critical data, applications and VMs that have become unavailable or damaged as a result of hardware breakdowns, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware images. Important data can be protected in the cloud, to a local device, or to both. Progent's backup and recovery specialists can provide advanced support to set up ProSight DPS to comply with government and industry regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can help you restore your critical data. Find out more about ProSight DPS Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top data security vendors to deliver web-based control and comprehensive security for all your email traffic. The layered architecture of the Email Guard managed service combines cloud-based filtering with an on-premises gateway appliance to provide advanced protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer serves as a first barrier and keeps the vast majority of threats from reaching your network firewall. This decreases your exposure to inbound threats and conserves network bandwidth and storage space. Email Guard's onsite security gateway appliance adds a further layer of analysis for incoming email. For outbound email, the on-premises security gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Microsoft Exchange Server track and safeguard internal email that stays inside your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to map out, track, optimize and troubleshoot their connectivity hardware like routers, firewalls, and access points as well as servers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always current, captures and manages the configuration of almost all devices connected to your network, tracks performance, and generates alerts when problems are discovered. By automating time-consuming network management activities, ProSight WAN Watch can cut hours off common tasks like making network diagrams, expanding your network, locating devices that need critical updates, or resolving performance bottlenecks. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management techniques to keep your network operating at peak levels by tracking the health of the critical computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your designated IT personnel and your assigned Progent consultant so that looming problems can be resolved before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected Tier III data center on a high-performance virtual host configured and maintained by Progent's network support experts. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the applications. Because the environment is virtualized, it can be ported easily to a different hosting environment without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and protect information about your network infrastructure, procedures, applications, and services. You can instantly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can save as much as 50% of the time wasted trying to find critical information about your network. ProSight IT Asset Management features a centralized location for holding and sharing all documents related to managing your network infrastructure, like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether you're making improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.