Crypto-Ransomware : Your Feared Information Technology Catastrophe
Ransomware Recovery Professionals
Ransomware has become an escalating cyber pandemic that poses an extinction-level threat for organizations vulnerable to an attack. Multiple generations of crypto-ransomware such as CryptoLocker, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for a long time and still inflict harm. The latest variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, plus frequent unnamed newcomers, not only encrypt on-line files but also infiltrate most reachable system backups. Files synched to off-site disaster recovery sites can also be ransomed. In a poorly architected data protection solution, this can make automatic recovery hopeless and effectively sets the datacenter back to zero.

Getting programs and data back on-line after a ransomware attack becomes a sprint against time as the targeted organization struggles to contain the damage, eradicate the crypto-ransomware, and restore mission-critical operations. Because crypto-ransomware takes time to move laterally, attacks are usually sprung on weekends and at night, when they may take longer to uncover. This multiplies the difficulty of promptly assembling and coordinating a qualified mitigation team.

Progent offers a variety of services for securing enterprises against ransomware attacks. Among these are staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of modern security appliances with artificial intelligence capabilities to automatically detect and disable new threats. Progent can also provide the services of veteran ransomware recovery professionals with the talent and perseverance to restore a breached system as rapidly as possible.

Progent's Ransomware Restoration Support Services
After a ransomware attack, sending the ransom in cryptocurrency provides no assurance that distant criminals will hand over the keys needed to decrypt all your information. Kaspersky ascertained that seventeen percent of ransomware victims never restored their files even after paying the ransom, resulting in increased losses. Paying is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the usual crypto-ransomware demand, which ZDNET determined to be approximately $13,000. The other path is to re-install the vital elements of your IT environment. Without full data backups, this calls for a broad range of skills, professional team management, and the willingness to work 24x7 until the recovery project is over.

For two decades, Progent has offered professional Information Technology services for companies in Albuquerque and across the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have attained high-level industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have earned internationally-recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial management and ERP applications. This breadth of experience gives Progent the capability to rapidly identify critical systems, organize the remaining components of your Information Technology environment following a ransomware event, and assemble them into a functioning network.

Progent's recovery group uses state-of-the-art project management systems to orchestrate the complex recovery process. Progent appreciates the importance of working swiftly and in unison with a client's management and IT team members to assign priority to tasks and to get the most important systems back on line as fast as possible.

Client Story: A Successful Crypto-Ransomware Virus Response
A business hired Progent after its network was penetrated by the Ryuk ransomware virus. Ryuk is thought to have been launched by North Korean state-sponsored hackers, suspected of adopting technology leaked from the United States National Security Agency. Ryuk goes after specific companies with little room for operational disruption and is one of the most lucrative examples of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in the Chicago metro area with around 500 workers. The Ryuk attack had shut down all essential operations and manufacturing capabilities. Most of the client's backups were directly accessible from the network at the start of the attack and were eventually encrypted. The client was pursuing financing to pay the ransom (more than two hundred thousand dollars) and hoping for good luck, but in the end engaged Progent.


"I cannot speak enough in regards to the help Progent gave us during the most stressful time of (our) company's survival. We would have paid the criminal gangs except for the confidence the Progent experts afforded us. The fact that you could get our e-mail system and production applications back on-line in less than five days was something I thought impossible. Every single consultant I talked with or texted at Progent was totally committed to getting us back online and was working at breakneck pace to bail us out."

Progent worked hand in hand with the client to quickly assess and prioritize the essential applications that had to be restored before departmental operations could resume:

  • Active Directory
  • Email
  • MRP System

To start, Progent followed industry best practices for malware incident containment by isolating and cleaning up compromised systems. Progent then began the work of restoring Microsoft Active Directory, the core of enterprise networks built on Microsoft technology. Microsoft Exchange Server email will not operate without Active Directory, and the business's MRP software used SQL Server, which relies on Active Directory to authorize access to the database.

Within 48 hours, Progent was able to rebuild Windows Active Directory to its pre-virus state. Progent then helped rebuild essential systems and recover their storage. The Exchange Server schema extensions and attributes held in Active Directory were intact, which greatly simplified the restore of Exchange. Progent was also able to collect intact OST data files (Microsoft Outlook Off-Line Folder Files) from various workstations in order to recover mail data. A recent offline backup of the client's accounting/MRP systems made it possible to bring these vital services back to users. Although a lot of work remained to recover totally from the Ryuk damage, critical systems were returned to operation rapidly:


"For the most part, the manufacturing operation was never shut down and we delivered all customer sales."
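The mail recovery described above depended on telling which workstation OST files were still intact and which had been overwritten by the ransomware. The following Python script is an added illustration of that triage step; it is not Progent's tooling and the client environment is not available, so it builds its own constructed sample directory. It relies on two facts that need no Outlook installation: a PST/OST file begins with the documented signature bytes "!BDN", and a real mailbox header is structured data whose Shannon entropy sits well below the near-8-bits-per-byte of ciphertext. The entropy threshold of 7.0 and the 4 KiB sample size are assumptions chosen for the example.

```python
"""Triage .ost/.pst mailbox files after a ransomware event (added illustration, not Progent's code).

Two checks that need no Outlook:
  1. The first four bytes of a PST/OST file are the signature b"!BDN";
     a file that was encrypted in place no longer carries it.
  2. Shannon entropy of the leading 4 KiB: a genuine OST header is structured,
     so its entropy is far below the ~8 bits/byte of ciphertext.
A file that passes both is a candidate for mailbox recovery; anything else is
left for forensic review rather than opened on a clean workstation.
"""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

PST_SIGNATURE = b"!BDN"   # documented PST/OST header magic
SAMPLE_BYTES = 4096       # assumption: how much of the file head to inspect
ENTROPY_LIMIT = 7.0       # assumption: bits/byte above which we treat the head as ciphertext


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for an empty or constant buffer)."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def classify_mailbox_file(path: Path) -> str:
    """Return 'intact', 'suspect-encrypted', or 'unreadable' for one file."""
    try:
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)
    except OSError:
        return "unreadable"
    if head.startswith(PST_SIGNATURE) and shannon_entropy(head) < ENTROPY_LIMIT:
        return "intact"
    return "suspect-encrypted"


def triage_directory(root: Path) -> dict:
    """Walk root and classify every .ost/.pst file; returns {relative path: verdict}."""
    results = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in (".ost", ".pst"):
            results[str(p.relative_to(root))] = classify_mailbox_file(p)
    return results


def _pseudo_random_bytes(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler (stand-in for ciphertext) from a SHA-256 chain."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


def build_sample_tree() -> Path:
    """Create a constructed sample directory: one intact-looking OST, one ransomed OST, one stray file."""
    root = Path(tempfile.mkdtemp(prefix="ost_triage_"))
    # Constructed stand-in for an intact file: real signature, then structured low-entropy header bytes.
    intact = PST_SIGNATURE + bytes(range(32)) * 4 + b"\x00" * (SAMPLE_BYTES - 4 - 128)
    (root / "alice.ost").write_bytes(intact)
    # Constructed stand-in for a ransomed file: signature gone, contents indistinguishable from random.
    (root / "bob.ost").write_bytes(_pseudo_random_bytes(SAMPLE_BYTES, b"constructed-sample"))
    (root / "notes.txt").write_bytes(b"not a mailbox")   # ignored: wrong extension
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for name, verdict in triage_directory(sample_root).items():
        print(f"{verdict:18} {name}")
```

Run against a mounted copy of a workstation's profile directory, the script produces a list of candidate files to hand to the mailbox-recovery step; a "suspect-encrypted" verdict is a reason to preserve the file for forensics, not to delete it, since a partially written or renamed file may still hold recoverable data for a specialist.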

During the next couple of weeks, important milestones in the recovery project were completed in close cooperation between Progent engineers and the customer:

  • Self-hosted web applications were restored without losing any data.
  • The MailStore archive server, holding more than four million archived emails, was spun up and made available to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivable (AR)/Inventory capabilities were completely recovered.
  • A new Palo Alto Networks 850 firewall was set up.
  • 90% of the desktops and laptops were back in operation.

"So much of what transpired in the initial days is nearly entirely a fog for me, but my team will not forget the dedication all of your team put in to give us our company back. I've been working with Progent for at least 10 years, maybe more, and each time Progent has impressed me and delivered as promised. This time was a life saver."

Conclusion
A potential business catastrophe was avoided by hard-working professionals, a broad range of technical expertise, and tight teamwork. In hindsight, the crypto-ransomware attack detailed here should have been identified and stopped by up-to-date security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, and well thought out incident response procedures covering data backup and timely security patching. The fact remains, however, that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and will continue. If you do get hit by a ransomware virus, you can be confident that Progent's roster of experts has substantial experience in crypto-ransomware defense, remediation, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were contributing), I'm grateful for making it so I could get some sleep after we got over the initial fire. All of you did an incredible job, and if anyone is in the Chicago area, dinner is on me!"

To read or download a PDF version of this ransomware incident report, see Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Albuquerque a portfolio of remote monitoring and security assessment services designed to help you reduce the threat from crypto-ransomware. These services use modern machine learning capabilities to uncover new variants of crypto-ransomware that can get past legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that incorporates next generation behavior-based machine learning technology to defend physical and virtual endpoints against new malware attacks like ransomware and email phishing, which routinely get by traditional signature-matching anti-virus products. ProSight Active Security Monitoring protects local and cloud-based resources and offers a single platform to address the complete threat lifecycle including protection, detection, containment, cleanup, and post-attack forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer affordable multi-layer protection for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics to continuously monitor and react to cyber assaults from all attack vectors. ProSight ESP offers firewall protection, penetration alerts, device control, and web filtering via cutting-edge tools incorporated within a single agent accessible from a single console. Progent's security and virtualization experts can help you design and configure a ProSight ESP environment that addresses your organization's unique requirements and that allows you to achieve and demonstrate compliance with government and industry data security regulations. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent attention. Progent can also assist your company to install and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and medium-sized businesses a low cost and fully managed solution for secure backup/disaster recovery. For a fixed monthly rate, ProSight Data Protection Services automates your backup processes and enables fast restoration of critical data, apps and virtual machines that have become unavailable or corrupted as a result of component failures, software bugs, disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on a local storage device, or both. Progent's BDR consultants can deliver advanced support to configure ProSight DPS to comply with regulatory standards such as HIPAA, FIRPA, and PCI and, whenever necessary, can assist you to restore your critical information. Read more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading information security companies to provide web-based management and world-class protection for all your email traffic. The powerful architecture of Progent's Email Guard integrates a Cloud Protection Layer with a local security gateway device to provide complete protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The Cloud Protection Layer acts as a preliminary barricade and keeps most unwanted email from reaching your security perimeter. This decreases your exposure to external attacks and saves network bandwidth and storage space. Email Guard's onsite security gateway device adds a deeper level of analysis for inbound email. For outgoing email, the on-premises security gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also assist Exchange Server to track and protect internal email that originates and ends inside your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to diagram, monitor, enhance and debug their connectivity hardware such as routers and switches, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network diagrams are always current, copies and displays the configuration information of virtually all devices connected to your network, monitors performance, and generates alerts when problems are detected. By automating time-consuming management activities, WAN Watch can cut hours off common chores such as network mapping, reconfiguring your network, finding devices that require critical software patches, or resolving performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to keep your network operating efficiently by checking the health of the vital assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your specified IT personnel and your Progent consultant so that any potential issues can be addressed before they disrupt productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure fault tolerant data center on a high-performance virtual host configured and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the apps. Because the environment is virtualized, it can be moved easily to a different hosting environment without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and protect data about your IT infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSL certificates, domains or warranties. By updating and organizing your network documentation, you can save as much as half of the time spent looking for vital information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents required for managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether you're planning improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need the instant you need it. Read more about ProSight IT Asset Management service.

For 24-7 Albuquerque Crypto-Ransomware Repair Consulting, call Progent at 800-993-9400 or go to Contact Progent.