Crypto-Ransomware: Your Worst Information Technology Disaster
Crypto-ransomware has become a frequent and well-funded threat that can be existential for an organization that is not prepared for it. Older families such as CrySIS, Fusob, Bad Rabbit, SamSam and MongoLock have been in the wild for years and still cause damage. Newer families like Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nefilim, plus a steady stream of unnamed newcomers, not only encrypt online data but also encrypt or delete any backups they can reach with the credentials they have stolen. Files synced to cloud storage can be ransomed as well, because the sync client faithfully uploads the encrypted versions. In a vulnerable environment this makes automated restoration hopeless and effectively sets the entire system back to square one; the only backups that reliably survive are those that are offline or immutable and cannot be written to from the compromised network.
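The point above is that any backup target writable from the compromised network is a backup target ransomware can destroy. The following PowerShell script is an added example (it is not Progent's code and does not come from the case study): run it as an ordinary domain user or a workstation administrator, the contexts in which ransomware normally executes, and any target it reports as writable is exposed. The share and folder names are placeholders, not real paths.

```powershell
# Added example, not from Progent: probe backup targets for write access from the
# security context ransomware would run in. A target that accepts the test write
# can be encrypted or wiped by ransomware running under this account.
# The targets below are placeholders; replace them with your real repositories.

$BackupTargets = @(
    '\\backup01\veeam',   # placeholder UNC share
    '\\nas\backups',      # placeholder UNC share
    'E:\Backups'          # placeholder local disk
)

function Test-BackupExposure {
    param([string]$Target)
    # Unique probe name so a stale file from an earlier run cannot cause a false result
    $probe = Join-Path $Target ("exposure-probe-{0}.tmp" -f [guid]::NewGuid())
    $result = [pscustomobject]@{ Target = $Target; Reachable = $false; Writable = $false; Error = $null }
    try {
        if (-not (Test-Path -LiteralPath $Target)) { return $result }
        $result.Reachable = $true
        [System.IO.File]::WriteAllText($probe, 'probe')   # throws if the ACL denies write
        Remove-Item -LiteralPath $probe -Force
        $result.Writable = $true
    } catch [System.UnauthorizedAccessException] {
        $result.Writable = $false                          # denied: this is what you want
    } catch {
        $result.Error = $_.Exception.Message               # other failure: investigate
    }
    return $result
}

$BackupTargets | ForEach-Object { Test-BackupExposure $_ } | Format-Table -AutoSize
```

Run it from several vantage points (a user workstation, a server, the backup server itself). Only the backup service account should be able to write to the repository, and ideally the repository is offline, immutable or on a separate credential domain, so that even the backup server being compromised does not expose it.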

Recovering applications and data after a ransomware outage is a race against time: the victim must stop the spread, eradicate the ransomware and restore business-critical services, all at once. Because ransomware needs time to propagate, attackers frequently trigger encryption at night or on weekends, when it takes longer for anyone to notice. This compounds the difficulty of rapidly assembling and coordinating a qualified response team.

Progent provides an assortment of services for protecting enterprises from ransomware attacks. These include user training to recognize and not fall victim to phishing, ProSight Active Security Monitoring (ASM) for behavior-based endpoint protection, and installation of next-generation security gateways with machine-learning capabilities to identify and block zero-day threats. Progent also provides seasoned ransomware recovery consultants with the skills and commitment to rebuild a breached environment as quickly as possible.

Progent's Ransomware Restoration Help
Following a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminals will respond with keys that decrypt any of your data. Kaspersky found that 17 percent of crypto-ransomware victims never recovered their data after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical crypto-ransomware demand, which ZDNet estimated at approximately $13,000. The alternative is to rebuild the essential parts of your IT environment from scratch. Without complete, uncompromised backups, this requires a broad range of skills, professional project management, and the capacity to work around the clock until the job is done.

For two decades, Progent has provided professional IT services to companies in Southlake and throughout the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants with high-level industry certifications in leading technologies from Microsoft, Cisco and VMware and in major Linux distributions. Progent's security consultants hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC and GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of expertise lets Progent quickly understand the systems that matter, salvage the surviving pieces of your IT environment after a ransomware event, and reassemble them into an operational network.

Progent's security group uses professional project management tools to coordinate the complex recovery process. Progent understands the importance of working swiftly and in concert with a client's management and IT staff to prioritize tasks and get critical services back online as soon as possible.

Client Case Study: A Successful Crypto-Ransomware Penetration Response
A customer contacted Progent after their network was attacked by the Ryuk ransomware. Ryuk was initially linked to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later analysis attributed it to a Russian-speaking criminal group. Ryuk targets organizations with little tolerance for operational disruption and is among the most lucrative ransomware families. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing business based in Chicago with around 500 employees. The Ryuk intrusion had halted all business operations and manufacturing processes. Most of the client's backups had been online and reachable from the compromised network at the time of the intrusion and were encrypted along with everything else. The client was preparing to pay the ransom (more than $200,000) and hope for the best, but ultimately called Progent.


"I cannot thank you enough for the expertise Progent provided us during the most critical period of (our) business's life. We had little choice but to pay the cyber criminals behind the attack except for the confidence the Progent experts gave us. The fact that you could get our e-mail and key applications back on-line in less than a week was amazing. Each expert I spoke to or texted at Progent was urgently focused on getting our company operational and was working 24 by 7 to bail us out."

Progent worked hand in hand with the client to quickly assess and prioritize the key systems that had to be recovered before business operations could resume:

  • Active Directory (AD)
  • Email
  • Financials/MRP
To begin, Progent followed incident-response best practice by isolating infected systems from the network and cleaning them before anything was restored. Progent then started recovering Active Directory, the foundation of any enterprise environment built on Microsoft technology: Exchange Server will not function without AD, and the business's financials and MRP software ran on Microsoft SQL Server, which relied on AD for authentication and authorization to the databases.

Within 48 hours, Progent had rebuilt Active Directory to its pre-attack state. Progent then completed reinstallation and disk recovery of the most important applications. All Exchange schema extensions and attributes were intact in AD, which greatly simplified the Exchange restore. Progent was able to locate unencrypted OST files (Outlook Offline Folder files, the local cache of each user's mailbox) on workstations and laptops and used them to recover email; each OST holds only the mail that had synced to that machine before the attack, so the recovered mailboxes were as current as the last successful sync. A reasonably recent offline backup of the customer's accounting systems made it possible to bring those applications back to users. Although a great deal of work remained to recover fully from the Ryuk event, critical services were restored quickly:
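Locating usable OST files across a fleet is a triage task worth scripting. The PowerShell below is an added example (not Progent's code and not part of the case study) that sweeps the default Outlook profile locations on a workstation and reports which Outlook data files still begin with the "!BDN" signature that every PST/OST file carries; an encrypted copy will not. The profile root is an assumption (the default Outlook layout), and the wildcard `*.ost*` also catches files to which ransomware has appended its own extension. Run it on each machine, or wrap it in `Invoke-Command` to run it remotely.

```powershell
# Added example, not from Progent: find Outlook OST/PST files and check whether each
# one is still intact (starts with the "!BDN" PST/OST header) or has been encrypted.
# Assumption: Outlook data files live under the default profile root below.

$Roots = @("$env:SystemDrive\Users")          # assumption: default profile root
$Magic = [byte[]](0x21, 0x42, 0x44, 0x4E)     # "!BDN", the PST/OST file signature

function Test-OutlookDataFile {
    param([string]$Path)
    try {
        # Share ReadWrite so a file Outlook has open for writing can still be read
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try {
            $buf = New-Object byte[] 4
            $n = $fs.Read($buf, 0, 4)
        } finally { $fs.Dispose() }
    } catch {
        return $null        # locked exclusively or unreadable: retry with Outlook closed
    }
    if ($n -lt 4) { return $false }
    for ($i = 0; $i -lt 4; $i++) {
        if ($buf[$i] -ne $Magic[$i]) { return $false }   # header gone: encrypted or damaged
    }
    return $true
}

$results = Get-ChildItem -Path $Roots -Recurse -Include *.ost*, *.pst* -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Path      = $_.FullName
            SizeMB    = [math]::Round($_.Length / 1MB, 1)
            LastWrite = $_.LastWriteTime
            Intact    = Test-OutlookDataFile $_.FullName
        }
    }

# Intact = True are candidates for mailbox recovery; LastWrite tells you how current each is
$results | Sort-Object Intact, LastWrite -Descending | Format-Table -AutoSize
```

Copy the intact files off the workstation before doing anything else on it, because a still-running ransomware process can encrypt them later, and note that an OST cannot be opened directly in a new profile; recovery means importing it (or converting it to a PST) once a mailbox exists for the user again.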


"For the most part, the production operation showed little impact and we did not miss any customer shipments."

Over the following month, key milestones in the recovery project were reached in close collaboration between Progent consultants and the client:

  • Internal web applications were brought back up without losing any information.
  • The MailStore email archive for Exchange, holding more than 4 million archived messages, was brought back online and made available to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory functions were 100 percent functional.
  • A new Palo Alto Networks PA-850 firewall was deployed.
  • Ninety percent of the user desktops were operational.

"A huge amount of what occurred that first week is mostly a blur for me, but we will not forget the countless hours all of you put in to help get our company back. I have trusted Progent for at least 10 years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This event was no exception but maybe more Herculean."

Conclusion
A probable business catastrophe was averted by hard-working professionals, a wide spectrum of IT skills, and tight teamwork. In hindsight, the ransomware incident described here could have been prevented with modern security technology and best practices, user education, and well-thought-out procedures for data protection and patching; nevertheless, the reality remains that state-sponsored and criminal attackers from Russia, North Korea and elsewhere are tireless and pose an ongoing threat. If you do fall victim to ransomware, remember that Progent's team has proven experience in ransomware prevention, containment and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were involved), thanks very much for allowing me to get rested after we made it past the initial fire. All of you did an impressive job, and if any of your guys are in the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Southlake a portfolio of remote monitoring and security assessment services designed to minimize the threat from crypto-ransomware. These services incorporate next-generation machine learning to detect new variants of crypto-ransomware that evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that uses next-generation behavior-based machine learning to defend physical and virtual endpoints against new malware attacks such as ransomware and fileless exploits, which routinely evade traditional signature-based anti-virus products. ProSight ASM protects on-premises and cloud-based resources and offers a unified platform covering the entire attack progression: prevention, detection, containment, remediation, and post-attack forensics. Key features include one-click rollback using the Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Note that VSS rollback depends on shadow copies surviving the attack; many ransomware families delete them (for example with vssadmin delete shadows) before encrypting, so the endpoint agent must block that step for rollback to remain an option. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer affordable, in-depth protection for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP uses adaptive security and machine learning to continuously monitor and respond to security threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device control, and web filtering through technologies incorporated in a single agent managed from a unified console. Progent's security and virtualization experts can help your business plan and configure a ProSight ESP deployment that addresses your organization's specific needs and that allows you to achieve and demonstrate compliance with government and industry information security regulations. Progent will help you define and implement the policies that ProSight ESP enforces, and Progent will monitor your network and respond to alarms that require urgent action. Progent can also help your company install and test a backup and restore system such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and medium-sized organizations a low-cost, fully managed solution for secure backup and disaster recovery (BDR). Available at a low monthly rate, ProSight DPS automates your backup jobs and allows fast restoration of critical data, applications and VMs that have been lost or corrupted by hardware failure, software faults, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can back up, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on a local device, or both. Progent's backup and recovery specialists can set up ProSight DPS to comply with regulatory standards such as HIPAA, FERPA, PCI and Safe Harbor and, whenever necessary, can help you restore your business-critical data. Find out more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of top information security companies to provide web-based management and world-class security for your inbound and outbound email. The hybrid architecture of Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway appliance to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The cloud filter serves as a preliminary barricade and blocks most threats from making it to your network firewall. This reduces your exposure to inbound threats and conserves system bandwidth and storage space. Email Guard's onsite security gateway appliance provides a further layer of inspection for incoming email. For outbound email, the onsite gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to track and safeguard internal email that originates and ends inside your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to map, monitor, optimize and troubleshoot their connectivity hardware such as switches, firewalls and access points, plus servers, endpoints and other networked devices. Built on Remote Monitoring and Management (RMM) technology, ProSight WAN Watch keeps infrastructure topology diagrams current, backs up and displays the configuration of virtually every device connected to your network, tracks performance, and sends alerts when problems are detected. By automating tedious network management tasks, ProSight WAN Watch can save hours on common chores such as drawing network diagrams, reconfiguring your network, finding devices that need critical updates, or isolating performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses remote monitoring and management (RMM) techniques to keep your IT system running at peak levels by checking the health of the critical assets that power your information system. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT personnel and your Progent consultant so that looming problems can be resolved before they disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-sized organization can have its key servers and applications hosted in a protected, fault-tolerant data center on a fast virtual host configured and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved easily to an alternate hardware platform without a time-consuming and difficult reconfiguration. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and safeguard information about your IT infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or warranties. By keeping your IT infrastructure documentation current, you can eliminate up to half the time spent searching for vital information about your network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all the documents required to manage your network infrastructure, such as standard operating procedures (SOPs) and how-to guides. ProSight IT Asset Management also offers a high level of automation for gathering and correlating IT data. Whether you're making enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need the instant you need it. Find out more about the ProSight IT Asset Management service.
For 24-7 Southlake CryptoLocker Cleanup Experts, contact Progent at 800-993-9400 or go to Contact Progent.