Crypto-Ransomware : Your Feared IT Catastrophe
Ransomware Recovery Professionals

Crypto-ransomware has become a modern cyber pandemic that presents an existential threat to businesses unprepared for an assault. Older families of crypto-ransomware such as Dharma, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for a long time and still inflict harm. Recent variants like Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit or Nefilim, along with a stream of as yet unnamed newcomers, not only encrypt online information but also attack whatever system protections they can reach. Data synchronized to cloud environments can also be ransomed. In a poorly architected system this can render automatic restoration hopeless and knocks the network back to square one.

Bringing programs and data back online after a crypto-ransomware outage becomes a sprint against the clock as the victim tries to contain and clean up the ransomware and resume business-critical activity. Because crypto-ransomware requires time to move laterally, assaults are frequently launched during nights and weekends, when a successful penetration often takes longer to uncover. This compounds the difficulty of rapidly assembling and coordinating a capable mitigation team.

Progent provides an assortment of services for protecting organizations from ransomware penetrations. These include team training to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of modern security appliances with artificial intelligence capabilities to intelligently discover and extinguish zero-day threats. Progent in addition provides the assistance of veteran crypto-ransomware recovery professionals with the talent and commitment to reconstruct a compromised system as soon as possible.

Progent's Crypto-Ransomware Restoration Services
After a ransomware event, paying the ransom demanded in cryptocurrency does not provide any assurance that the cyber criminals will respond with the keys needed to decrypt any or all of your data. Kaspersky Labs estimated that 17% of crypto-ransomware victims never restored their data even after having paid the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above the typical crypto-ransomware demand, which ZDNET averages to be around $13,000. The alternative is to set up the critical elements of your IT environment from scratch. Without complete system backups, this requires a wide range of IT skills, professional project management, and the willingness to work non-stop until the recovery project is complete.

For twenty years, Progent has offered certified expert IT services for businesses in Cincinnati and throughout the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have attained top industry certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have garnered internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of expertise gives Progent the capability to knowledgeably identify the necessary systems, organize the remaining components of your Information Technology environment following a ransomware penetration, and rebuild them into an operational network.

Progent's security group utilizes state-of-the-art project management systems to orchestrate the complex recovery process. Progent appreciates the importance of acting rapidly and in unison with a client's management and Information Technology team members to assign priority to tasks and to get key services back on line as soon as humanly possible.

Customer Case Study: A Successful Ransomware Virus Recovery
A business sought out Progent after their network was brought down by Ryuk ransomware. Ryuk is believed to have been created by North Korean state hackers, possibly adopting approaches exposed from the United States National Security Agency. Ryuk goes after specific companies with little tolerance for operational disruption and is among the most lucrative incarnations of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in the Chicago metro area with around 500 employees. The Ryuk event had disabled all essential operations and manufacturing capabilities. Most of the client's backups had been online at the beginning of the attack and were encrypted. The client was evaluating paying the ransom (more than $200,000) and praying for the best, but in the end brought in Progent.


"I cannot thank you enough for the care Progent provided us during the most critical time of (our) business's survival. We may have had to pay the criminal gangs except for the confidence the Progent team afforded us. That you were able to get our e-mail system and key servers back online in less than 1 week was earth shattering. Each consultant I got help from or communicated with at Progent was hell bent on getting us restored and was working 24/7 to bail us out."

Progent worked hand in hand with the customer to quickly determine and prioritize the mission-critical services that had to be addressed to make it possible to restart business functions:

  • Windows Active Directory
  • Electronic Mail
  • Accounting/MRP

To start, Progent adhered to ransomware penetration response best practices by stopping the spread and removing active malware. Progent then began restoring Active Directory, the core of enterprise environments built upon Microsoft Windows Server technology. Microsoft Exchange messaging will not operate without Windows AD, and the client's accounting and MRP applications used Microsoft SQL Server, which also depends on Windows AD for access to the data.

Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then assisted with rebuilding and hard drive recovery of key servers. All Microsoft Exchange Server schema and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to find intact OST files (Outlook Offline Data Files) on staff desktop computers and laptops to recover email data. A fairly recent offline backup of the customer's financials/MRP software made it possible to return these required applications to users. Although a lot of work remained to recover completely from the Ryuk damage, critical services were returned to operation quickly:


"For the most part, the manufacturing operation survived unscathed and we did not miss any customer sales."

During the following month critical milestones in the restoration process were accomplished through tight cooperation between Progent engineers and the client:

  • Internal web sites were returned to operation with no loss of data.
  • The MailStore Server containing more than 4 million archived emails was restored to operations and available for users.
  • CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory modules were fully restored.
  • A new Palo Alto Networks 850 firewall was installed and configured.
  • Nearly all of the user desktops and notebooks were fully operational.

"A lot of what transpired in the early hours is nearly entirely a haze for me, but we will not soon forget the dedication all of you put in to give us our company back. I've been working with Progent for the past ten years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This situation was a stunning achievement."

Conclusion
A possible company-ending catastrophe was evaded with results-oriented professionals, a wide array of IT skills, and tight collaboration. In hindsight, the ransomware penetration described here would have been identified and stopped by modern cyber security solutions, ISO/IEC 27001 best practices, staff education, and properly executed procedures for backup and patching. Nevertheless, government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware attack, remember that Progent's team of experts has a proven track record in ransomware defense, remediation, and information systems recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thanks very much for letting me get some sleep after we made it over the initial fire. All of you did a fabulous job, and if any of your guys are in the Chicago area, dinner is on me!"

To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Cincinnati a range of online monitoring and security evaluation services to help you to minimize the threat from ransomware. These services include next-generation AI technology to detect zero-day variants of crypto-ransomware that can get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes cutting-edge behavior-based machine learning to defend physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which routinely escape legacy signature-based AV tools. ProSight Active Security Monitoring protects local and cloud-based resources and provides a unified platform to automate the complete threat progression including protection, identification, containment, cleanup, and forensics. Top features include single-click rollback with Windows VSS and automatic system-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable in-depth security for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and response to cyber assaults from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint control, and web filtering through cutting-edge tools incorporated within one agent managed from a single console. Progent's security and virtualization experts can assist you to plan and configure a ProSight ESP deployment that meets your company's specific requirements and that allows you to demonstrate compliance with government and industry information security standards. Progent will help you define and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that require urgent attention. Progent can also help you to set up and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized organizations a low-cost end-to-end service for reliable backup and disaster recovery. Available at a low monthly price, ProSight Data Protection Services automates your backup processes and enables rapid restoration of vital data, apps and virtual machines that have become unavailable or damaged due to component breakdowns, software glitches, disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to a local device, or mirrored to both. Progent's backup and recovery consultants can deliver advanced expertise to set up ProSight Data Protection Services to comply with regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, when needed, can assist you to restore your critical information. Learn more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading information security vendors to provide centralized control and comprehensive protection for your email traffic. The hybrid structure of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises security gateway device to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne threats. The Cloud Protection Layer acts as a first line of defense and keeps most threats from reaching your security perimeter. This reduces your vulnerability to inbound threats and conserves system bandwidth and storage space. Email Guard's on-premises security gateway device adds a further layer of analysis for inbound email. For outgoing email, the local security gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also help Exchange Server to monitor and protect internal email traffic that stays within your security perimeter. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to diagram, track, enhance and troubleshoot their networking appliances such as routers, switches, firewalls, and access points as well as servers, endpoints and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch makes sure that network maps are kept up to date, captures and displays the configuration information of almost all devices connected to your network, tracks performance, and generates alerts when issues are detected. By automating tedious management and troubleshooting activities, ProSight WAN Watch can cut hours off ordinary chores like network mapping, reconfiguring your network, locating devices that need critical software patches, or identifying the cause of performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management techniques to help keep your network running at peak levels by tracking the state of the vital assets that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your specified IT management staff and your assigned Progent consultant so that potential problems can be addressed before they disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected fault tolerant data center on a fast virtual machine host set up and managed by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be ported immediately to an alternate hosting environment without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and safeguard information related to your IT infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or domains. By updating and managing your IT infrastructure documentation, you can save up to half of the time spent searching for critical information about your network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether you're making improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you require as soon as you need it. Learn more about ProSight IT Asset Management service.

For 24-Hour Cincinnati Crypto Recovery Services, reach out to Progent at 800-993-9400 or go to Contact Progent.