Ransomware Prevention and Remediation Solutions

Crypto-Ransomware : Your Crippling Information Technology Catastrophe
Ransomware has become an escalating cyberplague that presents an existential danger for organizations poorly prepared for an assault. Different versions of ransomware such as CryptoLocker, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for many years and continue to inflict harm. Newer versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, plus frequent as yet unnamed newcomers, not only encrypt on-line information but also infect most available system backup. Files synchronized to the cloud can also be corrupted. In a vulnerable system, it can render any restoration useless and basically sets the entire system back to square one.

Restoring programs and information following a ransomware intrusion becomes a race against time as the targeted organization tries its best to stop the spread and remove the ransomware and to resume enterprise-critical operations. Because ransomware needs time to replicate, assaults are usually sprung during nights and weekends, when successful penetrations are likely to take more time to identify. This compounds the difficulty of quickly mobilizing and orchestrating an experienced mitigation team.

Progent provides a variety of solutions for protecting enterprises from crypto-ransomware events. Among these are user education to help identify and avoid phishing scams, ProSight Active Security Monitoring for endpoint detection and response utilizing SentinelOne's behavior-based cyberthreat defense to detect and quarantine day-zero malware attacks. Progent also provides the assistance of experienced ransomware recovery professionals with the track record and commitment to reconstruct a compromised network as rapidly as possible.

Progent's Ransomware Restoration Support Services
Following a ransomware penetration, sending the ransom in Bitcoin cryptocurrency does not ensure that cyber criminals will provide the needed keys to unencrypt any of your files. Kaspersky Labs ascertained that seventeen percent of ransomware victims never recovered their files after having paid the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is well above the average ransomware demands, which ZDNET determined to be in the range of $13,000 for smaller businesses. The fallback is to re-install the essential elements of your Information Technology environment. Without access to complete information backups, this requires a wide complement of skills, well-coordinated project management, and the ability to work non-stop until the recovery project is over.

For twenty years, Progent has made available expert Information Technology services for companies throughout the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have attained advanced industry certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have garnered internationally-renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in accounting and ERP applications. This breadth of expertise provides Progent the skills to efficiently determine necessary systems and re-organize the surviving components of your network environment after a ransomware attack and assemble them into an operational system.

Progent's security group utilizes top notch project management applications to coordinate the complicated restoration process. Progent knows the urgency of working swiftly and together with a client's management and Information Technology resources to assign priority to tasks and to put key services back online as soon as possible.

Case Study: A Successful Ransomware Virus Response
A customer contacted Progent after their network system was penetrated by the Ryuk ransomware virus. Ryuk is generally considered to have been developed by Northern Korean state sponsored criminal gangs, possibly adopting approaches leaked from the U.S. National Security Agency. Ryuk targets specific organizations with limited ability to sustain disruption and is among the most lucrative instances of ransomware malware. Headline organizations include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in Chicago and has around 500 workers. The Ryuk attack had frozen all essential operations and manufacturing processes. The majority of the client's backups had been directly accessible at the start of the intrusion and were eventually encrypted. The client was actively seeking loans for paying the ransom demand (more than $200,000) and praying for the best, but ultimately called Progent.

Progent worked hand in hand the customer to quickly get our arms around and assign priority to the key services that had to be addressed in order to continue departmental functions:

• Microsoft Active Directory
• Microsoft Exchange
• Accounting/MRP

In less than 48 hours, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then performed setup and storage recovery of critical systems. All Microsoft Exchange Server ties and configuration information were usable, which accelerated the restore of Exchange. Progent was able to locate local OST data files (Outlook Offline Data Files) on team PCs and laptops in order to recover mail information. A recent off-line backup of the customer's accounting software made it possible to return these required programs back on-line. Although a large amount of work remained to recover totally from the Ryuk event, the most important services were restored quickly:

Over the next month key milestones in the restoration project were accomplished in close cooperation between Progent engineers and the client:

• Internal web applications were restored with no loss of information.
• The MailStore Server containing more than four million historical messages was brought online and available for users.
• CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory modules were completely operational.
• A new Palo Alto 850 firewall was installed and configured.
• Most of the user desktops were operational.

Conclusion
A possible business catastrophe was averted through the efforts of results-oriented professionals, a broad spectrum of IT skills, and tight collaboration. Although in post mortem the crypto-ransomware penetration described here would have been identified and blocked with modern cyber security solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team training, and properly executed security procedures for backup and proper patching controls, the reality is that government-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and will continue. If you do fall victim to a crypto-ransomware virus, remember that Progent's roster of professionals has extensive experience in ransomware virus defense, remediation, and file recovery.

Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Contact Progent for Crypto-Ransomware Removal Expertise
For 24/7 crypto-ransomware recovery services, call Progent at 800-462-8800 or go to Contact Progent.