Crypto-Ransomware : Your Worst Information Technology Nightmare
Ransomware Recovery Consultants
Ransomware has become an escalating cyber pandemic that poses an existential threat to businesses of all sizes that are unprepared for an assault. Multiple generations of ransomware such as the CryptoLocker, Fusob, Locky, Syskey and MongoLock cryptoworms have been circulating for a long time and still inflict harm. More recent crypto-ransomware such as Ryuk and Hermes, along with a steady stream of as yet unnamed newcomers, not only encrypts critical online data but also infects all configured system backups. Data replicated to the cloud can also be rendered useless. In a poorly designed system, this defeats automated recovery and effectively knocks the network back to zero.

Getting programs and information back after a crypto-ransomware event becomes a sprint against time as the victim tries to contain the damage, clear the crypto-ransomware, and restore enterprise-critical operations. Since ransomware needs time to spread, attacks are frequently launched at night, when they may take longer to discover. This compounds the difficulty of rapidly assembling and organizing a qualified response team.

Progent has a variety of solutions for protecting organizations from crypto-ransomware events. Among these are user training to recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security gateways with machine learning capabilities to rapidly detect and suppress zero-day cyber attacks. Progent can also provide the assistance of veteran crypto-ransomware recovery consultants with the talent and perseverance to reconstruct a compromised network as urgently as possible.

Progent's Crypto-Ransomware Restoration Help
Soon after a ransomware attack, even paying the ransom demand in Bitcoin cryptocurrency provides no assurance that the distant criminals will return the keys needed to decrypt any or all of your files. Kaspersky ascertained that 17% of ransomware victims never recovered their data after having paid the ransom, resulting in further losses. Paying is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNET determined to be in the range of $13,000. The fallback is to rebuild the mission-critical parts of your Information Technology environment. Without complete data backups, this requires a broad range of skill sets, professional team management, and the willingness to work 24x7 until the task is done.

For twenty years, Progent has offered certified expert Information Technology services for businesses in Lexington-Fayette and across the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have attained advanced certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have earned internationally renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has expertise with financial management and ERP applications. This breadth of expertise gives Progent the capability to efficiently identify critical systems, organize the surviving parts of your network environment after a ransomware penetration, and configure them into a functioning system.

Progent's recovery team of experts has powerful project management tools to orchestrate the sophisticated recovery process. Progent knows the importance of working quickly and in concert with a customer's management and IT staff to prioritize tasks and to get the most important applications back online as fast as possible.

Case Study: A Successful Crypto-Ransomware Attack Restoration
A customer contacted Progent after their network was brought down by Ryuk ransomware. Ryuk is believed to have been launched by North Korean state-sponsored criminal gangs, suspected of adopting technology leaked from America's National Security Agency. Ryuk goes after specific organizations with limited tolerance for disruption and is among the most profitable instances of ransomware malware. High-profile victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing business located in Chicago with around 500 employees. The Ryuk penetration had shut down all company operations and manufacturing processes. The majority of the client's data backups had been online at the time of the attack and were damaged. The client was pursuing financing to pay the ransom demand (in excess of $200K) and praying for the best, but in the end made the decision to use Progent.


"I can't speak enough in regards to the expertise Progent gave us during the most stressful time of (our) business's survival. We most likely would have paid the cyber criminals behind the attack except for the confidence the Progent experts gave us. The fact that you were able to get our e-mail and important servers back online quicker than a week was beyond my wildest dreams. Every single person I got help from or communicated with at Progent was absolutely committed on getting us working again and was working all day and night on our behalf."

Progent worked together with the customer to quickly determine and assign priority to the most important applications that needed to be recovered in order to restart company functions:

  • Microsoft Active Directory
  • Electronic Mail
  • Accounting and Manufacturing Software

To start, Progent followed ransomware penetration mitigation best practices by isolating and cleaning infected systems. Progent then began the task of rebuilding Active Directory, the core of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange email will not function without Windows AD, and the client's accounting and MRP applications relied on SQL Server, which in turn depends on Windows AD for authentication to the database.

In less than two days, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then rebuilt the most important servers and recovered their storage. All Exchange Server ties and attributes were intact, which accelerated the restoration of Exchange. Progent was also able to assemble intact OST files (Microsoft Outlook Off-Line Data Files) from staff PCs to recover email data. A fairly recent offline backup of the client's accounting/MRP systems made it possible to bring these required services back to users. Although major work still had to be done to recover completely from the Ryuk virus, essential systems were returned to operation rapidly:


"For the most part, the assembly line operation never missed a beat and we made all customer sales."

Over the next couple of weeks, key milestones in the recovery process were achieved in tight cooperation between Progent team members and the customer:

  • Internal web sites were returned to operation without losing any information.
  • The MailStore Microsoft Exchange Server with over four million archived messages was brought online and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory functions were 100 percent functional.
  • A new Palo Alto Networks 850 security appliance was deployed.
  • 90% of the user PCs were fully operational.

"A huge amount of what happened in the early hours is nearly entirely a blur for me, but our team will not forget the commitment each of you accomplished to give us our company back. I have utilized Progent for at least 10 years, possibly more, and each time I needed help Progent has come through and delivered as promised. This situation was a testament to your capabilities."

Conclusion
A likely business-ending catastrophe was avoided thanks to hard-working experts, a broad array of IT skills, and tight collaboration. In hindsight, the crypto-ransomware incident detailed here should have been stopped by modern cyber security solutions and best practices: user education, well-thought-out incident response procedures for data protection, and keeping systems up to date with security patches. The fact remains, however, that government-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and an ongoing threat. If you do get hit by a ransomware penetration, feel confident that Progent's team of experts has extensive experience in ransomware virus blocking, removal, and file recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thank you for letting me get some sleep after we got past the first week. All of you did an incredible effort, and if anyone is visiting the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Lexington-Fayette a range of online monitoring and security evaluation services to help you reduce your vulnerability to ransomware. These services include modern artificial intelligence technology to uncover zero-day variants of ransomware that are able to escape detection by legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates next-generation behavior-based machine learning tools to guard physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which routinely evade traditional signature-matching anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a unified platform to automate the entire malware attack lifecycle including blocking, detection, containment, cleanup, and forensics. Key features include single-click rollback with Windows VSS and automatic network-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer economical in-depth protection for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and responding to security threats from all vectors. ProSight ESP offers firewall protection, penetration alerts, device control, and web filtering through leading-edge tools incorporated within a single agent managed from a unified console. Progent's data protection and virtualization consultants can assist you to plan and configure a ProSight ESP deployment that addresses your organization's specific needs and that helps you achieve and demonstrate compliance with government and industry data protection regulations. Progent will assist you in defining and implementing the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for urgent action. Progent can also assist your company to set up and test a backup and restore system such as ProSight Data Protection Services so you can recover rapidly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and mid-sized businesses an affordable and fully managed service for secure backup/disaster recovery. For a fixed monthly price, ProSight Data Protection Services automates and monitors your backup activities and enables fast restoration of critical data, apps and VMs that have become unavailable or damaged due to hardware failures, software glitches, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, plus Hyper-V and VMware images. Critical data can be backed up to the cloud, to an on-premises storage device, or mirrored to both. Progent's cloud backup specialists can deliver advanced support to configure ProSight DPS to comply with regulatory standards like HIPAA, FERPA, PCI and Safe Harbor and, when necessary, can help you to restore your critical information. Learn more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security vendors to deliver web-based control and world-class security for your email traffic. The layered architecture of the Email Guard managed service integrates cloud-based filtering with an on-premises security gateway device to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks most threats before they reach your security perimeter. This reduces your exposure to inbound attacks and conserves network bandwidth and storage. Email Guard's on-premises security gateway appliance adds a further level of analysis for inbound email. For outgoing email, the onsite security gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite security gateway can also help Exchange Server to monitor and protect internal email that stays inside your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for smaller businesses to map out, track, reconfigure and debug their networking appliances such as routers, firewalls, and access points plus servers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that network maps are always current, captures and manages the configuration information of virtually all devices on your network, tracks performance, and sends alerts when potential issues are detected. By automating tedious network management activities, WAN Watch can knock hours off ordinary chores like network mapping, expanding your network, finding devices that require critical updates, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system running at peak levels by checking the state of vital assets that drive your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your designated IT management staff and your assigned Progent consultant so all looming issues can be addressed before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual host set up and maintained by Progent's network support experts. With the ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the apps. Because the system is virtualized, it can be ported immediately to an alternate hardware environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and safeguard data related to your network infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be warned about impending expirations of SSL certificates, domains or warranties. By updating and managing your network documentation, you can eliminate as much as 50% of the time wasted looking for critical information about your IT network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents required for managing your business network, like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT information. Whether you're planning improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.

For 24/7 Lexington-Fayette Crypto-Ransomware Remediation Help, call Progent at 800-993-9400 or go to Contact Progent.