Crypto-Ransomware : Your Feared IT Nightmare
Ransomware Remediation Experts
Ransomware has become a modern cyber pandemic that poses an existential threat to businesses poorly prepared for an assault. Versions of ransomware such as Dharma, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for many years and still inflict damage. More recent versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, plus more unnamed malware, not only encrypt on-line data files but also infect any available system protection mechanisms. Files synchronized to the cloud can also be corrupted. In a poorly designed system, this can render automated recovery impossible and essentially knocks the datacenter back to zero.

Retrieving programs and information following a ransomware intrusion becomes a race against time as the targeted organization struggles to stop lateral movement, remove the virus, and resume enterprise-critical operations. Because ransomware needs time to move laterally, intrusions are usually launched at night or on weekends, when a successful attack often takes longer to notice. This compounds the difficulty of promptly marshalling and orchestrating a qualified mitigation team.

Progent offers a variety of solutions for securing enterprises from ransomware penetrations. These include team member education to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of the latest generation security appliances with artificial intelligence technology to quickly identify and suppress new cyber attacks. Progent also provides the services of veteran crypto-ransomware recovery consultants with the track record and commitment to restore a breached network as soon as possible.

Progent's Ransomware Restoration Help
Subsequent to a ransomware event, paying the ransom demanded in Bitcoin cryptocurrency does not ensure that merciless criminals will respond with the keys to decrypt any of your data. Kaspersky determined that 17% of ransomware victims never recovered their data after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the usual ransomware demand, which ZDNET estimates to be around $13,000. The fallback is to piece back together the key parts of your Information Technology environment. Absent full information backups, this calls for a wide complement of skill sets, well-coordinated project management, and the ability to work 24x7 until the task is finished.

For twenty years, Progent has provided expert IT services for businesses in Edison and across the US and has achieved Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have been awarded top industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have earned internationally-renowned certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience in accounting and ERP software solutions. This breadth of experience gives Progent the capability to quickly identify necessary systems, organize the remaining parts of your network environment following a ransomware event, and configure them into a functioning system.

Progent's ransomware team deploys best-of-breed project management tools to coordinate the complicated recovery process. Progent knows the urgency of acting rapidly and in unison with a customer's management and IT team members to prioritize tasks and to get key services back on-line as fast as possible.

Case Study: A Successful Crypto-Ransomware Incident Recovery
A small business engaged Progent after their organization was attacked by the Ryuk crypto-ransomware. Ryuk is thought to have been launched by North Korean state hackers, suspected of using approaches exposed from the United States National Security Agency. Ryuk goes after specific organizations with little tolerance for operational disruption and is one of the most lucrative versions of ransomware malware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in Chicago with around 500 workers. The Ryuk event had paralyzed all business operations and manufacturing capabilities. Most of the client's system backups had been directly accessible at the time of the attack and were damaged. The client was actively seeking loans to pay the ransom (more than two hundred thousand dollars) and praying for good luck, but in the end engaged Progent.


"I can't speak enough in regards to the help Progent provided us throughout the most stressful period of (our) business's life. We most likely would have paid the hackers behind this attack if not for the confidence the Progent team provided us. That you were able to get our e-mail system and critical applications back online faster than five days was incredible. Each staff member I interacted with or messaged at Progent was urgently focused on getting us working again and was working 24/7 to bail us out."

Progent worked together with the client to quickly determine and prioritize the critical areas that needed to be restored in order to restart company functions:

  • Microsoft Active Directory
  • Electronic Mail
  • Accounting/MRP

To get going, Progent adhered to industry best practices for malware incident response by stopping lateral movement and clearing infected systems. Progent then began the task of restoring Microsoft AD, the heart of enterprise environments built upon Microsoft Windows Server technology. Exchange email will not function without Windows AD, and the business's financials and MRP software used Microsoft SQL, which depends on Windows AD for access to the database.

Within two days, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then accomplished reinstallations and hard drive recovery on key applications. All Exchange Server schema and configuration information was intact, which accelerated the rebuild of Exchange. Progent was also able to assemble intact OST files (Outlook Off-Line Folder Files) on various workstations in order to recover email messages. A recent off-line backup of the business's accounting/ERP systems made it possible to bring these vital services back online for users. Although a large amount of work remained to recover totally from the Ryuk damage, the most important services were recovered rapidly:


"For the most part, the production operation survived unscathed and we made all customer sales."

During the next few weeks critical milestones in the recovery process were achieved in tight cooperation between Progent team members and the customer:

  • Self-hosted web applications were brought back up with no loss of data.
  • The MailStore Microsoft Exchange Server with over four million archived messages was brought on-line and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory functions were fully recovered.
  • A new Palo Alto Networks 850 firewall was deployed.
  • Most of the desktops and laptops were functioning as before the incident.

"So much of what occurred those first few days is nearly entirely a haze for me, but I will not soon forget the commitment each of the team put in to help get our business back. I've utilized Progent for the past 10 years, possibly more, and each time Progent has outperformed my expectations and delivered. This situation was no exception but maybe more Herculean."

Conclusion
A probable company-ending catastrophe was averted through the efforts of top-tier professionals, a broad range of IT skills, and tight teamwork. Although in retrospect the ransomware incident detailed here should have been shut down with modern security solutions and ISO/IEC 27001 best practices, team training, and appropriate incident response procedures for information backup and proper patching controls, the reality remains that government-sponsored hackers from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware virus, feel confident that Progent's team of experts has a proven track record in crypto-ransomware virus blocking, remediation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were helping), I'm grateful for allowing me to get some sleep after we got past the initial fire. Everyone did a fabulous job, and if anyone is visiting the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Edison a variety of online monitoring and security evaluation services designed to help you to reduce your vulnerability to crypto-ransomware. These services include next-generation AI capability to uncover zero-day variants of crypto-ransomware that can get past legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes cutting edge behavior-based machine learning technology to defend physical and virtual endpoints against modern malware assaults like ransomware and file-less exploits, which routinely escape traditional signature-matching AV products. ProSight ASM safeguards local and cloud resources and offers a unified platform to automate the complete malware attack lifecycle including blocking, detection, containment, remediation, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services offer ultra-affordable multi-layer protection for physical servers and VMs, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and responding to cyber assaults from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device control, and web filtering through cutting-edge technologies incorporated within a single agent accessible from a unified console. Progent's data protection and virtualization experts can help you to plan and configure a ProSight ESP environment that meets your company's unique needs and that helps you prove compliance with legal and industry data security standards. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that require immediate attention. Progent's consultants can also assist your company to set up and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations an affordable and fully managed service for reliable backup/disaster recovery (BDR). Available at a low monthly cost, ProSight DPS automates and monitors your backup activities and allows fast restoration of critical files, applications and VMs that have become lost or damaged due to component breakdowns, software bugs, disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to a local device, or to both. Progent's cloud backup specialists can provide advanced expertise to configure ProSight DPS to comply with government and industry regulatory requirements like HIPAA, FIRPA, PCI and Safe Harbor and, whenever needed, can assist you to restore your business-critical information. Learn more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top information security companies to provide centralized control and world-class protection for your inbound and outbound email. The powerful architecture of Email Guard combines cloud-based filtering with an on-premises security gateway appliance to provide advanced defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The cloud filter serves as a preliminary barricade and keeps the vast majority of unwanted email from reaching your security perimeter. This decreases your vulnerability to inbound threats and conserves network bandwidth and storage. Email Guard's onsite gateway appliance provides a further level of analysis for inbound email. For outbound email, the local gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also assist Exchange Server to track and safeguard internal email traffic that stays inside your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller organizations to map out, monitor, enhance and troubleshoot their connectivity appliances such as routers, firewalls, and wireless controllers plus servers, printers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology diagrams are kept updated, captures and displays the configuration information of almost all devices connected to your network, tracks performance, and sends notices when problems are discovered. By automating complex management activities, WAN Watch can cut hours off ordinary chores such as making network diagrams, expanding your network, finding appliances that need important software patches, or resolving performance issues. Learn more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management technology to help keep your IT system running at peak levels by checking the health of the vital assets that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted immediately to your specified IT management personnel and your assigned Progent consultant so all looming problems can be addressed before they can impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual machine host configured and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the applications. Since the system is virtualized, it can be ported easily to a different hardware environment without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and protect data related to your network infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or warranties. By updating and organizing your network documentation, you can save up to 50% of the time wasted looking for critical information about your network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents required for managing your business network, like recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're planning enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you need the instant you need it. Read more about ProSight IT Asset Management service.

For Edison 24/7 Crypto Cleanup Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.