Crypto-Ransomware: Your Worst Information Technology Disaster
Crypto-ransomware has become an all-too-frequent cyber pandemic that presents an enterprise-level threat to any business vulnerable to attack. Versions of crypto-ransomware such as the Reveton, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been around for years and still cause harm. More recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, as well as additional unnamed newcomers, not only encrypt online data files but also reach most accessible system restores and backups. Files synchronized to the cloud can also be rendered useless. In a vulnerable system this can make any restore operation hopeless and effectively sets the entire environment back to zero.
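The paragraph above makes the point that backups which are reachable from the infected network get encrypted along with everything else. The following is an added example, not Progent's code or any product described on this page: it writes a hash manifest when a backup set is taken (the manifest is assumed to be stored somewhere the backup job and its credentials cannot write to) and later compares the backup tree against it, reporting files that were altered, removed or added, with a byte-entropy jump flagged as a hint that the new content looks encrypted. The sample files, the simulated intrusion and the 7.0 bits-per-byte threshold are constructed for the demonstration.

```python
"""Backup manifest integrity check (added example, not Progent's tooling).

A manifest of SHA-256 digests recorded at backup time and kept out of reach
of the backup job lets a later verification pass detect backup files that
ransomware has overwritten in place, deleted, or added.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

ENCRYPTED_ENTROPY_THRESHOLD = 7.0  # constructed threshold; ciphertext is close to 8.0 bits/byte


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def byte_entropy(path: str) -> float:
    """Shannon entropy of the file's bytes, in bits per byte (0.0 to 8.0)."""
    with open(path, "rb") as f:
        data = f.read()
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: str) -> dict:
    """Record digest and entropy for every file under root, keyed by relative path."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": sha256_file(full), "entropy": byte_entropy(full)}
    return manifest


def verify_manifest(root: str, manifest: dict) -> dict:
    """Compare the current backup tree against a stored manifest.

    Returns modified, missing and added relative paths. Modified entries carry
    the entropy before and after so encrypted-looking rewrites stand out.
    """
    current = build_manifest(root)
    report = {"modified": {}, "missing": [], "added": []}
    for rel, saved in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel]["sha256"] != saved["sha256"]:
            after = current[rel]["entropy"]
            report["modified"][rel] = {
                "entropy_before": saved["entropy"],
                "entropy_after": after,
                "looks_encrypted": after > ENCRYPTED_ENTROPY_THRESHOLD,
            }
    report["added"] = sorted(set(current) - set(manifest))
    return report


def demo() -> dict:
    """Constructed scenario: take a backup, then simulate ransomware overwriting
    one file with random bytes, deleting another and dropping a new file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "finance"))
        files = {  # constructed sample backup set
            "finance/ledger.csv": b"date,account,amount\n2020-01-01,cash,100\n" * 200,
            "finance/notes.txt": b"Quarter-end reconciliation checklist.\n" * 50,
            "readme.txt": b"Backup set, constructed sample\n",
        }
        for rel, content in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(content)
        manifest = build_manifest(root)  # would be stored off-line at backup time

        # Simulated intrusion: encrypt-in-place, delete, and add a file.
        with open(os.path.join(root, "finance/ledger.csv"), "wb") as f:
            f.write(os.urandom(len(files["finance/ledger.csv"])))
        os.remove(os.path.join(root, "finance/notes.txt"))
        with open(os.path.join(root, "finance/unexpected.txt"), "wb") as f:
            f.write(b"constructed placeholder for an unexpected new file\n")

        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the module prints one modified file flagged as encrypted-looking, one missing file and one added file. The manifest only helps if the backup process cannot rewrite it, which is the practical reason to keep at least one backup copy and its manifest offline or on write-once storage.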

Getting applications and data back online after a crypto-ransomware intrusion becomes a race against time as the targeted business tries to contain and remove the malware and resume enterprise-critical operations. Because ransomware needs time to spread, attacks are usually sprung on weekends, when successful penetrations often take longer to discover. This compounds the difficulty of promptly marshalling and orchestrating a knowledgeable mitigation team.

Progent provides an assortment of solutions for protecting enterprises from crypto-ransomware attacks. These include staff training to recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security gateways with machine learning capabilities to automatically discover and quarantine zero-day cyber attacks. Progent also provides the services of expert ransomware recovery consultants with the track record and perseverance to reconstruct a breached network as quickly as possible.

Progent's Crypto-Ransomware Restoration Help
Following a ransomware penetration, paying the ransom in cryptocurrency does not ensure that the criminal gang will respond with the keys needed to decrypt any or all of your data. Kaspersky Labs estimated that 17% of crypto-ransomware victims never restored their files even after paying the ransom, resulting in additional losses. The ransom itself is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the usual ransomware demand, which ZDNET estimates to be around $13,000. The other path is to piece back together the mission-critical elements of your Information Technology environment. Without access to full data backups, this calls for a wide range of skill sets, professional project management, and the ability to work continuously until the task is finished.

For two decades, Progent has offered certified expert Information Technology services for companies in Plano and throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have attained top industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience in financial management and ERP applications. This breadth of expertise gives Progent the skills to knowledgeably assess critical systems, consolidate the surviving components of your network following a ransomware event, and assemble them into an operational network.

Progent's security group has state-of-the-art project management tools to orchestrate the complicated recovery process. Progent knows the importance of working quickly and together with a client's management and Information Technology team members to prioritize tasks and to get the most important services back on-line as soon as possible.

Case Study: A Successful Crypto-Ransomware Incident Recovery
A client escalated to Progent after their network was taken over by the Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state criminal gangs, possibly adopting approaches leaked from the U.S. NSA. Ryuk targets specific businesses with little ability to sustain disruption and is among the most lucrative versions of ransomware. Headline victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business headquartered in the Chicago metro area with around 500 staff members. The Ryuk event had paralyzed all essential operations and manufacturing processes. Most of the client's data backups had been online at the time of the intrusion and were damaged. The client was evaluating paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.


"I cannot say enough about the expertise Progent provided us throughout the most critical period of (our) business's existence. We would have paid the hackers behind this attack if it wasn't for the confidence the Progent group afforded us. The fact that you were able to get our messaging and essential applications back online quicker than 1 week was incredible. Every single expert I spoke to or e-mailed at Progent was absolutely committed to getting our company operational and was working at all hours to bail us out."

Progent worked together with the client to quickly understand and prioritize the critical elements that had to be restored to make it possible to restart company functions:

  • Active Directory (AD)
  • E-Mail
  • Financials/MRP
To begin, Progent adhered to ransomware incident response industry best practices by stopping lateral movement and performing malware removal steps. Progent then started the task of rebuilding Windows Active Directory, the foundation of enterprise networks built on Microsoft Windows. Exchange email will not operate without AD, and the customer's financials and MRP applications used SQL Server, which depends on Active Directory for authorization of access to the data.

Within 2 days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then helped perform reinstallations and hard drive recovery on critical applications. All Exchange Server data and configuration information were usable, which greatly helped the restore of Exchange. Progent was also able to locate local OST data files (Microsoft Outlook Offline Folder Files) on staff PCs and laptops to recover mail data. A recent offline backup of the business's accounting systems made it possible to bring these vital programs back online for users. Although a large amount of work remained to recover completely from the Ryuk event, the most important services were recovered quickly:


"For the most part, the assembly line operation survived unscathed and we made all customer shipments."

Throughout the following month important milestones in the restoration process were achieved through close cooperation between Progent team members and the client:

  • Self-hosted web applications were restored with no loss of information.
  • The MailStore Exchange Server exceeding 4 million historical messages was brought on-line and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control modules were completely recovered.
  • A new Palo Alto 850 firewall was set up.
  • Most of the user PCs were back in operation.

"So much of what occurred those first few days is mostly a fog for me, but we will not soon forget the countless hours each of the team accomplished to help get our business back. I've been working together with Progent for the past ten years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This event was a stunning achievement."

Conclusion
A likely company-ending catastrophe was averted by hard-working experts, a wide array of technical expertise, and tight teamwork. In retrospect, the ransomware incident described here would have been identified and prevented with current security technology, NIST Cybersecurity Framework best practices, staff education, and properly executed procedures for data backup and for keeping systems current with security patches. Even so, state-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and will continue. If you do fall victim to ransomware, remember that Progent's team of professionals has a proven track record in crypto-ransomware defense, removal, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were involved), thanks very much for making it so I could get some sleep after we made it past the first week. Everyone did an amazing effort, and if any of your guys is around the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Plano a variety of online monitoring and security assessment services to help you to reduce your vulnerability to crypto-ransomware. These services utilize modern AI technology to uncover zero-day variants of ransomware that are able to evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that utilizes cutting-edge behavioral machine learning tools to guard physical and virtual endpoints against new malware assaults like ransomware and email phishing, which easily escape traditional signature-matching AV products. ProSight Active Security Monitoring safeguards local and cloud resources and offers a unified platform to manage the complete malware attack lifecycle including protection, identification, containment, remediation, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver ultra-affordable multi-layer security for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and reacting to cyber threats from all vectors. ProSight ESP provides firewall protection, penetration alarms, endpoint control, and web filtering through leading-edge technologies incorporated within a single agent managed from a single console. Progent's data protection and virtualization experts can assist your business to plan and configure a ProSight ESP deployment that meets your company's specific needs and that helps you demonstrate compliance with government and industry data protection standards. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for immediate attention. Progent's consultants can also help you to set up and test a backup and restore solution such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and medium-sized businesses an affordable end-to-end solution for secure backup and disaster recovery. Available at a fixed monthly rate, ProSight Data Protection Services automates your backup activities and enables rapid restoration of vital files, apps and VMs that have become unavailable or damaged as a result of component breakdowns, software bugs, natural disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images. Critical data can be protected in the cloud, on a local device, or both. Progent's backup and recovery consultants can deliver advanced support to configure ProSight Data Protection Services to comply with regulatory standards like HIPAA, FERPA, PCI and Safe Harbor and, whenever needed, can help you to recover your business-critical data. Learn more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading data security companies to provide centralized control and world-class protection for your inbound and outbound email. The powerful architecture of Progent's Email Guard integrates cloud-based filtering with a local gateway device to provide advanced defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. The Cloud Protection Layer serves as a preliminary barricade and keeps most threats from reaching your security perimeter. This reduces your exposure to inbound attacks and conserves system bandwidth and storage space. Email Guard's on-premises gateway appliance adds a further level of inspection for inbound email. For outbound email, the local gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that originates and ends inside your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller businesses to diagram, monitor, enhance and troubleshoot their networking hardware such as routers, firewalls, and access points as well as servers, printers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology diagrams are always updated, copies and manages the configuration of virtually all devices on your network, tracks performance, and sends notices when problems are detected. By automating tedious network management activities, WAN Watch can knock hours off common tasks like making network diagrams, expanding your network, finding devices that need important software patches, or isolating performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management techniques to keep your network running efficiently by tracking the health of critical assets that power your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your designated IT management staff and your assigned Progent engineering consultant so that any potential issues can be resolved before they can impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a secure Tier III data center on a fast virtual host set up and maintained by Progent's network support professionals. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be ported immediately to a different hardware solution without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and protect information about your IT infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or warranties. By updating and managing your IT documentation, you can save as much as 50% of the time wasted searching for critical information about your IT network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents required for managing your network infrastructure such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're making enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you require as soon as you need it. Learn more about ProSight IT Asset Management service.
For 24x7x365 Plano Ransomware Remediation Experts, reach out to Progent at 800-993-9400 or go to Contact Progent.