Crypto-Ransomware : Your Worst IT Nightmare
Ransomware Remediation Consultants

Crypto-ransomware has become an escalating cyber pandemic that poses an existential threat to organizations poorly prepared for an attack. Different versions of ransomware like the Dharma, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for a long time and still inflict damage. Recent versions of ransomware such as Ryuk and Hermes, as well as new and as yet unnamed malware that appears daily, not only encrypt on-line critical data but also infect all configured system protection mechanisms. Information synchronized to the cloud can also be ransomed. In a vulnerable environment, this can make automatic recovery hopeless and effectively knocks the datacenter back to zero.

Recovering services and information following a crypto-ransomware event becomes a race against time as the targeted business struggles to contain the damage, clean up the ransomware, and restore enterprise-critical activity. Because crypto-ransomware takes time to move laterally, assaults are often launched on weekends and holidays, when successful attacks typically take longer to discover. This multiplies the difficulty of quickly marshalling and organizing a knowledgeable mitigation team.

Progent provides a variety of services for protecting businesses from ransomware attacks. These include staff education to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of the latest generation of security gateways with artificial intelligence technology to automatically discover and suppress zero-day threats. Progent also can provide the services of veteran ransomware recovery professionals with the talent and perseverance to restore a compromised network as soon as possible.

Progent's Crypto-Ransomware Recovery Help
Following a ransomware event, paying the ransom in Bitcoin does not guarantee that criminal gangs will return the keys needed to decrypt any or all of your information. Kaspersky ascertained that seventeen percent of crypto-ransomware victims never restored their data even after having paid the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNet estimates at around $13,000. The fallback is to set up from scratch the critical parts of your Information Technology environment. Absent the availability of essential data backups, this requires a wide range of IT skills, well-coordinated project management, and the willingness to work continuously until the job is complete.

For decades, Progent has offered certified expert Information Technology services for companies in Rockville and across the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have attained advanced industry certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have earned internationally-renowned industry certifications including CISM, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent also has experience in financial systems and ERP application software. This breadth of expertise affords Progent the ability to rapidly understand important systems and organize the remaining pieces of your computer network environment following a crypto-ransomware penetration and rebuild them into an operational network.

Progent's security group uses best-of-breed project management tools to coordinate the complex restoration process. Progent appreciates the urgency of working swiftly and in concert with a customer's management and IT resources to prioritize tasks and to put the most important systems back on line as fast as humanly possible.

Business Case Study: A Successful Ransomware Virus Recovery
A customer hired Progent after their organization was penetrated by Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state criminal gangs, possibly adopting techniques leaked from America's NSA organization. Ryuk seeks specific organizations with little or no tolerance for disruption and is one of the most profitable incarnations of ransomware viruses. Well-known targets include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturer based in Chicago and has about 500 employees. The Ryuk penetration had disabled all business operations and manufacturing capabilities. The majority of the client's backups had been on-line at the time of the attack and were destroyed. The client was pursuing financing for paying the ransom (in excess of $200K) and hoping for the best, but in the end engaged Progent.


"I cannot tell you enough in regards to the expertise Progent gave us throughout the most stressful time of (our) company's existence. We most likely would have paid the criminal gangs except for the confidence the Progent experts provided us. The fact that you were able to get our messaging and important applications back on-line faster than one week was something I thought impossible. Each consultant I worked with or communicated with at Progent was totally committed on getting us operational and was working non-stop to bail us out."

Progent worked with the customer to quickly assess and prioritize the critical systems that needed to be addressed to make it possible to continue departmental operations:

  • Microsoft Active Directory
  • Microsoft Exchange Email
  • Accounting/MRP

To get going, Progent adhered to ransomware incident mitigation industry best practices by stopping lateral movement and cleaning systems of viruses. Progent then initiated the task of rebuilding Windows Active Directory, the foundation of enterprise networks built on Microsoft technology. Microsoft Exchange messaging will not work without Windows AD, and the customer's accounting and MRP software used Microsoft SQL Server, which depends on Active Directory for authentication to the database.

In less than two days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then accomplished setup and storage recovery of the most important applications. All Exchange Server schema and attributes were intact, which accelerated the restore of Exchange. Progent was also able to collect intact OST data files (Outlook Email Offline Folder Files) on user desktop computers to recover email messages. A reasonably recent off-line backup of the business's manufacturing software made it possible to bring these essential applications back online. Although a large amount of work was left to recover fully from the Ryuk virus, core systems were recovered rapidly:


"For the most part, the assembly line operation survived unscathed and we produced all customer shipments."

Over the following couple of weeks important milestones in the restoration process were achieved in tight collaboration between Progent team members and the customer:

  • In-house web applications were brought back up without losing any information.
  • The MailStore Exchange Server containing more than 4 million historical emails was spun up and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory functions were fully operational.
  • A new Palo Alto Networks 850 firewall was set up.
  • Ninety percent of the user workstations were functioning as before the incident.

"A huge amount of what transpired in the initial days is mostly a fog for me, but I will not forget the urgency each and every one of your team put in to help get our company back. I have entrusted Progent for the past 10 years, maybe more, and each time Progent has outperformed my expectations and delivered. This situation was no exception but maybe more Herculean."

Conclusion
A possible enterprise-killing catastrophe was dodged with top-tier professionals, a wide array of knowledge, and tight collaboration. Forensics completed afterwards showed that the crypto-ransomware attack described here could have been prevented with advanced security technology solutions and best practices, staff training, and well thought out incident response procedures for information protection and applying software patches. The fact remains, however, that government-sponsored hackers from Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by a crypto-ransomware incursion, remember that Progent's team of professionals has a proven track record in ransomware virus blocking, remediation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thanks very much for making it so I could get some sleep after we made it through the most critical parts. All of you did an amazing job, and if any of your team is visiting the Chicago area, dinner is on me!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Rockville a range of remote monitoring and security assessment services to assist you to minimize the threat from ransomware. These services utilize modern machine learning capability to detect new variants of ransomware that can get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates next generation behavior-based machine learning tools to guard physical and virtual endpoints against new malware assaults like ransomware and email phishing, which easily escape legacy signature-based AV products. ProSight Active Security Monitoring safeguards local and cloud resources and provides a unified platform to address the entire malware attack progression including protection, infiltration detection, mitigation, cleanup, and post-attack forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable in-depth security for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and reacting to security assaults from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, device management, and web filtering through leading-edge technologies incorporated within a single agent managed from a unified console. Progent's data protection and virtualization experts can help you to design and configure a ProSight ESP environment that addresses your organization's unique needs and that allows you achieve and demonstrate compliance with government and industry information protection standards. Progent will assist you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for immediate action. Progent's consultants can also assist you to install and test a backup and restore system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and mid-sized businesses a low cost and fully managed service for reliable backup/disaster recovery (BDR). Available at a fixed monthly price, ProSight DPS automates and monitors your backup processes and allows rapid restoration of critical data, applications and virtual machines that have become lost or corrupted as a result of component breakdowns, software bugs, natural disasters, human mistakes, or malicious attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to a local storage device, or mirrored to both. Progent's BDR consultants can provide advanced support to set up ProSight Data Protection Services to be compliant with regulatory standards like HIPAA, FERPA, and PCI and, whenever needed, can assist you to recover your critical data. Find out more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top data security companies to deliver centralized management and comprehensive protection for your inbound and outbound email. The hybrid structure of Email Guard managed service integrates a Cloud Protection Layer with a local gateway appliance to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's cloud filter acts as a first line of defense and blocks most unwanted email from making it to your network firewall. This reduces your exposure to external attacks and saves network bandwidth and storage space. Email Guard's on-premises gateway appliance adds a deeper level of inspection for inbound email. For outgoing email, the local gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to map out, track, reconfigure and troubleshoot their connectivity appliances like routers, firewalls, and load balancers as well as servers, client computers and other networked devices. Incorporating state-of-the-art RMM technology, WAN Watch ensures that network diagrams are always current, captures and displays the configuration of almost all devices connected to your network, tracks performance, and sends alerts when potential issues are discovered. By automating time-consuming network management activities, WAN Watch can knock hours off ordinary chores like making network diagrams, expanding your network, finding appliances that require important updates, or isolating performance problems. Learn more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management techniques to keep your network running at peak levels by checking the state of vital assets that power your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your specified IT management personnel and your Progent consultant so any looming problems can be addressed before they can impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's network support experts. With the ProSight Virtual Hosting service model, the client owns the data, the OS platforms, and the applications. Because the system is virtualized, it can be moved easily to a different hardware solution without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and safeguard information related to your IT infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or domain registrations. By updating and organizing your IT documentation, you can save up to 50% of the time wasted searching for critical information about your network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents required for managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether you're planning improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you require as soon as you need it. Learn more about ProSight IT Asset Management service.

For Rockville 24-Hour Crypto Repair Experts, call Progent at 800-993-9400 or go to Contact Progent.