Crypto-Ransomware: Your Worst IT Nightmare
Crypto-Ransomware has become an escalating cyberplague that poses an existential threat to businesses poorly prepared for an assault. Versions of ransomware like the Dharma, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for years and still cause damage. Recent strains of crypto-ransomware such as Ryuk and Hermes, along with more unnamed malware, not only encrypt on-line critical data but also infect any system backup they can reach. Data synchronized to off-site disaster recovery sites can also be corrupted. In a poorly architected system, this can make any restoration useless and basically sets the network back to zero.

Retrieving programs and information following a ransomware outage becomes a sprint against the clock as the targeted business fights to contain and eradicate the ransomware and to resume mission-critical activity. Because ransomware needs time to spread, attacks are usually launched on weekends and holidays, when successful attacks typically take longer to recognize. This compounds the difficulty of rapidly assembling and coordinating an experienced mitigation team.

Progent makes available a range of support services for securing enterprises from crypto-ransomware penetrations. These include team training to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of next-generation security gateways with artificial intelligence capabilities to quickly identify and suppress new cyber attacks. Progent also can provide the services of veteran ransomware recovery consultants with the talent and perseverance to rebuild a compromised system as rapidly as possible.

Progent's Ransomware Restoration Help
After a ransomware attack, paying the ransom in cryptocurrency does not provide any assurance that the criminal gang will respond with the codes needed to decrypt all your information. Kaspersky Labs determined that 17% of ransomware victims never recovered their files even after having paid the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly above the typical ransomware demand, which ZDNet puts at about $13,000 on average. The other path is to re-install the essential elements of your IT environment. Without access to full data backups, this requires a broad range of skills, well-coordinated project management, and the capability to work non-stop until the job is over.

For decades, Progent has provided certified expert Information Technology services for businesses in Centennial and throughout the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have attained top certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have garnered internationally-renowned certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of expertise affords Progent the skills to efficiently identify necessary systems and integrate the remaining components of your network environment after a ransomware attack and rebuild them into an operational system.

Progent's recovery team uses state-of-the-art project management systems to orchestrate the sophisticated restoration process. Progent knows the urgency of working rapidly and in unison with a customer's management and IT team members to prioritize tasks and to put the most important applications back online as soon as humanly possible.

Client Story: A Successful Ransomware Attack Response
A business engaged Progent after their organization was penetrated by Ryuk ransomware. Ryuk is thought to have been launched by North Korean state-sponsored cybercriminals, possibly using approaches leaked from the U.S. NSA. Ryuk seeks out specific companies with limited room for operational disruption and is one of the most profitable examples of ransomware malware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing business headquartered in the Chicago metro area with about 500 employees. The Ryuk event had brought down all company operations and manufacturing capabilities. The majority of the client's data backups had been directly accessible at the start of the attack and were damaged. The client considered paying the ransom demand (more than $200K) and hoping for the best, but ultimately brought in Progent.


"I cannot say enough in regards to the care Progent provided us throughout the most critical period of (our) company's survival. We would have paid the hackers behind this attack if it wasn't for the confidence the Progent team provided us. The fact that you could get our messaging and critical servers back on-line quicker than one week was earth shattering. Every single staff member I interacted with or e-mailed at Progent was laser focused on getting us operational and was working day and night to bail us out."

Progent worked with the customer to quickly assess and assign priority to the essential systems that needed to be recovered to make it possible to restart company functions:

  • Active Directory (AD)
  • Exchange Server
  • Accounting and Manufacturing Software

To start, Progent followed anti-virus/malware incident mitigation best practices by stopping the spread and clearing infected systems. Progent then initiated the work of restoring Microsoft Active Directory, the heart of enterprise systems built upon Microsoft technology. Exchange email will not work without Active Directory, and the client's financials and MRP applications leveraged Microsoft SQL Server, which relies on Active Directory to authorize access to the data.

In less than 48 hours, Progent was able to restore Active Directory services to their pre-penetration state. Progent then charged ahead with setup and storage recovery of essential applications. All Exchange Server schema and configuration information was intact, which facilitated the rebuild of Exchange. Progent was able to locate local OST data files (Microsoft Outlook Offline Folder Files) on user desktop computers in order to recover mail information. A recent off-line backup of the customer's financials/MRP software made it possible to return these essential applications to service. Although major work remained to recover completely from the Ryuk event, the most important services were recovered quickly:
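The recovery order described above, with Active Directory as the gate for Exchange and SQL-backed applications and locally cached OST files as a mail recovery source, is shown below as an added PowerShell example. It is not Progent's script and not part of the original case study; it assumes a domain-joined Windows workstation, administrator rights, and a hypothetical report path `$ReportPath`, and the outbreak start time is a constructed placeholder.

```powershell
# Added example (not Progent's code): gate on Active Directory health, then
# inventory Outlook OST files on a workstation for mail recovery.
# Assumptions: run elevated on a domain-joined workstation; only built-in
# cmdlets are used so no RSAT modules are required.

param(
    [string]$ReportPath = "$env:TEMP\ost-inventory.csv"   # hypothetical output location
)

# Step 1: verify the machine's secure channel to the domain. Exchange and
# SQL Server recovery both depend on AD being back, so stop here if it is not.
$adHealthy = $false
try {
    $adHealthy = Test-ComputerSecureChannel -ErrorAction Stop
} catch {
    Write-Warning "Secure channel test failed: $($_.Exception.Message)"
}
if (-not $adHealthy) {
    Write-Warning "Active Directory not reachable; restore AD before Exchange/SQL work."
}

# Step 2: locate OST files under every local user profile. Outlook's default
# cache location is %LOCALAPPDATA%\Microsoft\Outlook, but the whole profile is
# searched in case a custom location was configured.
$profiles  = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue
$inventory = foreach ($p in $profiles) {
    Get-ChildItem -Path $p.FullName -Filter '*.ost' -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # A SHA-256 hash lets the recovery team prove a copied OST matches
            # the original; a locked file (Outlook still open) yields no hash.
            $hash = $null
            try { $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash } catch { }
            [pscustomobject]@{
                Computer      = $env:COMPUTERNAME
                Profile       = $p.Name
                Path          = $_.FullName
                SizeMB        = [math]::Round($_.Length / 1MB, 1)
                LastWriteTime = $_.LastWriteTime
                SHA256        = $hash
            }
        }
}

# Step 3: write a CSV that can be merged across workstations, and flag any OST
# written after the outbreak began so it is inspected before being trusted.
$outbreakStart = Get-Date '2019-01-01'   # constructed placeholder: use the incident's real start time
$inventory | Export-Csv -Path $ReportPath -NoTypeInformation
$inventory | Where-Object { $_.LastWriteTime -gt $outbreakStart } |
    ForEach-Object { Write-Warning "OST modified after outbreak start, inspect before use: $($_.Path)" }

Write-Host "AD secure channel OK: $adHealthy; found $(@($inventory).Count) OST file(s); report: $ReportPath"
```

Run it once per workstation and merge the CSV files; the hash column gives the recovery team a record that the OST copied to the rebuilt Exchange environment is byte-for-byte the file found on the desktop.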


"For the most part, the production operation did not miss a beat and we made all customer sales."

Over the next few weeks important milestones in the recovery project were made in close cooperation between Progent consultants and the customer:

  • In-house web applications were brought back up without losing any data.
  • The MailStore email archive, holding more than four million archived Exchange messages, was restored to operation and made accessible to users.
  • CRM/Orders/Invoicing/AP/AR/Inventory Control modules were 100% operational.
  • A new Palo Alto 850 security appliance was brought online.
  • Most of the user PCs were functioning as before the incident.

"A huge amount of what happened in the early hours is mostly a blur for me, but my management will not soon forget the care each of you put in to give us our business back. I've trusted Progent for at least 10 years, possibly more, and each time Progent has impressed me and delivered. This situation was a stunning achievement."

Conclusion
A likely business-killing disaster was averted with hard-working professionals, a wide spectrum of knowledge, and close collaboration. Forensics showed that the crypto-ransomware penetration detailed here could have been blocked with up-to-date security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator education, and appropriate procedures for protecting information and keeping systems current with security patches. The reality, however, is that state-sponsored cybercriminals from Russia, China and elsewhere are relentless and are not going away. If you do get hit by a crypto-ransomware incursion, feel confident that Progent's team of professionals has extensive experience in ransomware defense, mitigation, and file disaster recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for letting me get some sleep after we got over the initial fire. All of you did an impressive effort, and if any of your team is around the Chicago area, a great meal is my treat!"

To review or download a PDF version of this case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Centennial a portfolio of online monitoring and security assessment services to help you to minimize the threat from ransomware. These services incorporate next-generation machine learning technology to detect zero-day variants of crypto-ransomware that are able to get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes next-generation behavioral machine learning tools to defend physical and virtual endpoints against new malware assaults like ransomware and email phishing, which easily evade legacy signature-matching anti-virus tools. ProSight ASM protects local and cloud resources and offers a unified platform to automate the entire threat lifecycle, including filtering, detection, containment, cleanup, and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and reaction to security threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge technologies packaged within a single agent accessible from a single console. Progent's security and virtualization experts can help your business to plan and implement a ProSight ESP deployment that addresses your organization's unique requirements and that allows you to achieve and demonstrate compliance with government and industry data protection regulations. Progent will assist you to specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require immediate attention. Progent can also assist you to install and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations an affordable end-to-end service for secure backup and disaster recovery. Available at a low monthly price, ProSight DPS automates your backup processes and enables rapid recovery of critical files, apps and virtual machines that have become unavailable or damaged as a result of component breakdowns, software bugs, disasters, human mistakes, or malware attacks like ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to an on-premises storage device, or mirrored to both. Progent's BDR consultants can deliver advanced support to set up ProSight DPS to be compliant with government and industry regulatory standards like HIPAA, FERPA, and PCI and, when needed, can help you to restore your business-critical information. Read more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading data security vendors to provide centralized management and comprehensive security for all your email traffic. The hybrid architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local security gateway appliance to offer complete defense against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of unwanted email from reaching your network firewall. This decreases your exposure to inbound threats and conserves system bandwidth and storage. Email Guard's onsite gateway appliance provides a further level of analysis for incoming email. For outbound email, the onsite security gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email that originates and ends within your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller organizations to map, monitor, enhance and troubleshoot their connectivity hardware such as routers, firewalls, and load balancers, plus servers, printers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that network diagrams are kept updated, copies and displays the configuration information of almost all devices connected to your network, monitors performance, and sends alerts when issues are detected. By automating time-consuming management activities, WAN Watch can knock hours off common chores such as network mapping, expanding your network, finding appliances that require important software patches, or resolving performance problems. Find out more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system operating efficiently by checking the state of the critical computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your designated IT management staff and your Progent consultant so any potential problems can be resolved before they disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a secure Tier III data center on a fast virtual machine host configured and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the apps. Because the environment is virtualized, it can be moved easily to a different hardware solution without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and protect data about your IT infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be alerted about impending expirations of SSL certificates or domains. By updating and organizing your IT infrastructure documentation, you can eliminate up to half of the time spent searching for critical information about your IT network. ProSight IT Asset Management features a common repository for holding and sharing all documents required for managing your business network, like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether you're making improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you require when you need it. Find out more about ProSight IT Asset Management service.

For 24-7 Centennial Crypto-Ransomware Recovery Support Services, call Progent at 800-993-9400 or go to Contact Progent.