Crypto-Ransomware: Your Worst IT Disaster
Crypto-Ransomware Remediation Professionals
Crypto-Ransomware has become a modern cyber pandemic that represents an existential danger for businesses unprepared for an attack. Earlier families such as CryptoLocker, WannaCry, Locky, NotPetya and MongoLock have been around for years and continue to inflict havoc. Modern strains such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch and Nefilim, plus others not yet named, not only encrypt on-line information but also defeat most commonly configured protection mechanisms, including shadow copies and any backup that is reachable from the compromised network. Data replicated to off-site disaster recovery sites can also be rendered useless, because replication faithfully copies the encrypted files. In a poorly architected system this can make automated recovery impossible and effectively sets the datacenter back to zero.

Getting programs and data back on-line after a crypto-ransomware outage becomes a race against time as the targeted organization tries to contain and clean up the infection and to restore business-critical activity. Because ransomware needs time to spread across a network, attacks are frequently launched on weekends, when a successful penetration tends to take longer to uncover. This multiplies the difficulty of quickly assembling and coordinating a qualified mitigation team.

Progent offers a range of services for protecting businesses from crypto-ransomware attacks. These include staff education to help recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and installation of next-generation security solutions with machine-learning capabilities to rapidly detect and stop zero-day threats. Progent also provides seasoned ransomware recovery engineers with the skills and perseverance to rebuild a compromised environment as rapidly as possible.

Progent's Ransomware Recovery Help
Following a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the attackers will hand over the keys to decrypt any of your files. Kaspersky Lab estimated that seventeen percent of ransomware victims never recovered their data after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000 at the exchange rates of the time), well above the typical ransomware demand, which ZDNet put at around $13,000. The alternative is to piece the key elements of your IT environment back together. Without access to complete system backups, this requires a wide range of skills, professional project management, and the ability to work non-stop until the job is done.

For two decades, Progent has provided professional Information Technology services for companies in Kansas City and across the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who hold high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of experience gives Progent the ability to understand the systems involved, integrate the surviving pieces of your network after a crypto-ransomware attack, and configure them into a functioning environment.

Progent's recovery group uses top-notch project management tools to orchestrate the complicated restoration process. Progent knows the importance of acting rapidly and in unison with a customer's management and Information Technology staff to prioritize tasks and to put critical applications back on line as soon as humanly possible.

Customer Case Study: A Successful Ransomware Attack Restoration
A business hired Progent after its network was attacked by the Ryuk ransomware. Ryuk was initially attributed to North Korean state actors because it shares code with the earlier Hermes ransomware; later analysis attributes it to a Russian-speaking criminal group that typically gains its initial foothold through commodity botnet infections. Ryuk targets specific organizations with little or no tolerance for operational disruption and is one of the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and Tribune Publishing, whose papers include the Chicago Tribune. Progent's customer is a single-location manufacturing company in the Chicago area with about 500 employees. The Ryuk attack had frozen all essential business operations and manufacturing processes. Most of the client's backups had been reachable from the compromised network at the start of the intrusion and were destroyed. The client was arranging financing to pay the ransom (over $200,000) and hoping for the best, but in the end brought in Progent.
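The point that backups reachable from the compromised network were destroyed is the one practitioners should take away. Ryuk and many other families run a short, recognisable sequence of commands just before encrypting: deleting Volume Shadow Copies, shrinking shadow storage, deleting the Windows backup catalog, and disabling boot recovery. Those commands are visible in process-creation telemetry (Sysmon Event ID 1 or Security event 4688) minutes before files start to change, which is the window in which containment is still cheap. The following Python is an added example, not Progent's code or tooling, that scans process-creation events rendered in a simplified one-line format (a constructed format, as is the sample log) and flags hosts running more than one of these pre-encryption commands:

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Commands that many ransomware families (Ryuk among them) run just before
# encrypting, to make shadow-copy rollback and Windows backup/recovery unusable.
# Assumption: this list is illustrative, not a complete signature set.
PRE_ENCRYPTION_PATTERNS = {
    "vss_delete_shadows":      re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "vss_resize_storage":      re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    "wmic_shadowcopy_delete":  re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    "wbadmin_delete_catalog":  re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    "bcdedit_disable_recovery": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
}

# Simplified one-line rendering of a Windows process-creation event
# (Sysmon Event ID 1 / Security 4688). Constructed format for this example.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'event=ProcessCreate\s+cmd="(?P<cmd>.*)"$'
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    rule: str
    cmd: str


def parse_line(line: str):
    """Return the fields of one process-creation line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(log_text: str) -> list:
    """Flag every process-creation event whose command line matches a pre-encryption pattern."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        for rule, pattern in PRE_ENCRYPTION_PATTERNS.items():
            if pattern.search(ev["cmd"]):
                findings.append(Finding(ev["ts"], ev["host"], ev["user"], rule, ev["cmd"]))
    return findings


def hosts_at_risk(findings, min_rules: int = 2) -> dict:
    """Group findings by host. A host hitting several distinct rules in one log is
    treated as preparing to encrypt, whereas a single hit may be an admin's routine work."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.rule)
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_rules}


# Constructed sample log: a legitimate backup job, one host running the full
# Ryuk-style sequence, a routine shadow-storage resize, and one unrelated line.
SAMPLE_LOG = """\
2020-03-14T02:11:05Z host=FILESRV01 user=CORP\\svc_backup event=ProcessCreate cmd="wbadmin.exe start backup -backupTarget:E: -include:C:"
2020-03-14T02:13:40Z host=DC01 user=CORP\\Administrator event=ProcessCreate cmd="cmd.exe /c vssadmin.exe Delete Shadows /all /quiet"
2020-03-14T02:13:41Z host=DC01 user=CORP\\Administrator event=ProcessCreate cmd="vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"
2020-03-14T02:13:42Z host=DC01 user=CORP\\Administrator event=ProcessCreate cmd="bcdedit.exe /set {default} recoveryenabled No"
2020-03-14T02:13:43Z host=DC01 user=CORP\\Administrator event=ProcessCreate cmd="wbadmin.exe DELETE CATALOG -quiet"
2020-03-14T09:05:12Z host=WS-ACCT07 user=CORP\\jsmith event=ProcessCreate cmd="vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=20GB"
not a process event line
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts} {f.host} {f.user} {f.rule}: {f.cmd}")
    print("hosts at risk:", hosts_at_risk(found))
```

In the sample, DC01 trips four distinct rules within seconds and is reported, while the workstation that merely resized shadow storage is not. In a real deployment the same logic sits in the SIEM or EDR rule set, and the response to a hit is to isolate the host and, above all, to confirm that the backup targets are not reachable with the credentials that host holds.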


"I cannot speak enough in regards to the care Progent provided us during the most critical time of (our) company's survival. We most likely would have paid the Hackers if not for the confidence the Progent experts afforded us. The fact that you could get our messaging and key servers back online in less than five days was amazing. Each expert I worked with or communicated with at Progent was urgently focused on getting our company operational and was working all day and night to bail us out."

Progent worked together with the customer to rapidly assess and prioritize the most important elements that needed to be addressed to make it possible to resume company functions:

  • Active Directory
  • Microsoft Exchange
  • Accounting and Manufacturing Software
To begin, Progent followed industry best practice for malware incident response by containing the spread and then removing the malware from affected systems. Progent then set about bringing Windows Active Directory back online, since it is the heart of any environment built on Microsoft Windows Server. Microsoft Exchange cannot operate without Active Directory, and the client's MRP applications ran on SQL Server, which relied on Active Directory for Windows authentication to the databases.

In less than 48 hours, Progent was able to restore Active Directory to its pre-attack state. Progent then began rebuilding the mission-critical servers and recovering their storage. All Exchange data and attributes were intact, which accelerated the restoration of Exchange. Progent was also able to collect intact OST files (Outlook Offline Data Files) from user PCs to recover mail messages. A fairly recent offline backup of the customer's financials/ERP software made it possible to bring those essential applications back online. Although much work remained to recover completely from the Ryuk attack, the most important services were restored quickly:


"For the most part, the production manufacturing operation did not miss a beat and we made all customer shipments."

Over the following month key milestones in the recovery process were achieved through tight cooperation between Progent consultants and the customer:

  • In-house web applications were brought back up without loss of data.
  • The MailStore email archive server, holding more than four million archived messages, was brought back up and made accessible to users.
  • CRM, product ordering, invoicing, accounts payable, accounts receivable and inventory control functions were fully operational.
  • A new Palo Alto Networks PA-850 firewall was brought on-line.
  • Ninety percent of user PCs were back in staff use.

"Much of what went on during the initial response is nearly entirely a haze for me, but we will not soon forget the countless hours each and every one of your team accomplished to help get our business back. I've been working with Progent for at least 10 years, possibly more, and each time Progent has come through and delivered as promised. This situation was a Herculean accomplishment."

Conclusion
A probable business-ending catastrophe was averted through dedicated professionals, a wide range of IT skills, and close teamwork. In hindsight, the incident described here should have been detected and prevented with modern security tooling, the NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user training, and sound procedures for data protection and timely security patching. The reality, however, is that well-resourced attackers, whether state-sponsored groups or organized criminal gangs, are tireless and will keep coming. If you do fall victim to a ransomware incursion, remember that Progent's roster of professionals has proven experience in ransomware prevention, cleanup, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were helping), thank you for allowing me to get rested after we made it through the most critical parts. All of you did an incredible job, and if any of your team is visiting the Chicago area, dinner is on me!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Kansas City a portfolio of remote monitoring and security assessment services designed to help you minimize the threat from crypto-ransomware. These services use modern machine-learning capabilities to detect zero-day strains of ransomware that can escape detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates cutting-edge behavior-based analysis to guard physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely get past traditional signature-based anti-virus tools. ProSight ASM safeguards local and cloud-based resources and offers a single platform to address the complete threat lifecycle including protection, intrusion detection, mitigation, remediation, and post-attack forensics. Key features include single-click rollback using the Windows Volume Shadow Copy Service (which depends on the attack being stopped before it deletes the shadow copies, as most ransomware families attempt to do) and real-time network-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection services deliver affordable in-depth security for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and respond to attacks from all vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint management, and web filtering via leading-edge tools incorporated within a single agent managed from a unified console. Progent's security and virtualization experts can help you design and configure a ProSight ESP deployment that meets your company's unique requirements and helps you demonstrate compliance with government and industry information protection regulations. Progent will help you define and implement the security policies that ProSight ESP enforces, and Progent will monitor your network and respond to alerts that require urgent action. Progent's consultants can also help your company install and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business rapidly after a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and medium-sized organizations an affordable end-to-end solution for secure backup and disaster recovery (BDR). For a low monthly rate, ProSight Data Protection Services automates and monitors your backup processes and enables fast recovery of critical files, applications and virtual machines that have become unavailable or corrupted as a result of hardware failures, software faults, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on an on-premises device, or both. Progent's BDR specialists can provide world-class support to set up ProSight DPS to comply with government and industry regulatory requirements such as HIPAA, FINRA, and PCI and, when needed, can help you restore your critical data. Find out more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of top data security companies to provide web-based management and comprehensive protection for all your inbound and outbound email. The architecture of Progent's Email Guard combines cloud-based filtering with a local security gateway appliance to provide defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. Email Guard's cloud filter acts as a first line of defense and keeps most threats from reaching your security perimeter. This reduces your exposure to inbound threats and saves network bandwidth and storage space. Email Guard's on-premises gateway appliance adds a deeper layer of inspection for inbound email. For outbound email, the onsite gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also assist Microsoft Exchange Server in monitoring and safeguarding internal email that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller organizations to diagram, track, tune and troubleshoot their networking appliances such as switches, firewalls, and wireless controllers, plus servers, printers, client computers and other devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch keeps infrastructure topology diagrams current, captures and manages the configuration of almost all devices on your network, tracks performance, and generates alerts when potential issues are discovered. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can knock hours off routine chores such as network mapping, expanding your network, finding appliances that require critical software patches, or identifying the cause of performance problems. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) technology to help keep your network operating efficiently by tracking the state of the vital assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your designated IT management personnel and your Progent consultant so that looming issues can be addressed before they affect your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected, fault-tolerant data center on a fast virtual host configured and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the applications. Because the system is virtualized, it can be moved quickly to an alternate hosting environment without a time-consuming and technically risky reconfiguration. With ProSight Virtual Hosting, you are not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and safeguard information about your network infrastructure, procedures, applications, and services. You can instantly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or domains. By cleaning up and managing your IT documentation, you can save as much as half of the time wasted searching for critical information about your network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents required for managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether you're planning enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.
For Kansas City 24-7 CryptoLocker Remediation Help, contact Progent at 800-993-9400 or go to Contact Progent.