Crypto-Ransomware : Your Worst IT Catastrophe
Ransomware has become an all-too-frequent cyber plague that presents an extinction-level danger for businesses of any size that are poorly prepared for an attack. Multiple generations of ransomware such as CrySIS, CryptoWall, Locky and the MongoLock database-extortion campaigns have been running rampant for years and still cause damage. Recent crypto-ransomware families such as Ryuk and its predecessor Hermes, along with a steady stream of unnamed newcomers, not only encrypt online data files but also destroy every system restore point, shadow copy and backup they can reach. Files replicated to cloud storage can be rendered useless as well, because the sync client faithfully uploads the encrypted versions over the good ones. In a poorly architected environment this makes automated recovery impossible and effectively knocks the datacenter back to zero.
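The destruction of restore points and backups described above is not subtle on a host: Ryuk and many other families run a short script before encrypting that deletes Volume Shadow Copies, shrinks shadow storage, disables Windows recovery and wipes backup catalogs. The script below is an added example (not code from the original page or from any Progent product) that scans process-creation events for that sequence and escalates a host only when several distinct techniques appear together, which separates the pre-encryption signature from a backup agent doing routine maintenance. The pipe-separated log format and the sample lines are constructed for this example; in practice the input would be an export of Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled.

```python
"""Flag the backup-destruction commands that ransomware runs before encrypting.

Added example, not code from the original page or from Progent's products.
Assumed input: one process-creation event per line, pipe-separated as
time|host|user|parent_image|command_line. The sample lines are constructed.
"""
import re
from collections import defaultdict

# (technique name, regex over the full command line, base severity)
PATTERNS = [
    ("vss_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I), "high"),
    ("vss_resize_storage",  # shrinking storage silently evicts old shadows
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I), "medium"),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I), "high"),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I), "high"),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I), "medium"),
    ("wbadmin_delete_backups",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)\b", re.I), "high"),
]

# Constructed sample: one workstation running a Ryuk-style sequence at 2 a.m.,
# and a file server where a backup agent legitimately manages shadow storage.
SAMPLE_LOG = """\
2019-12-14T02:13:41Z|WS-ACCT07|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|vssadmin.exe Delete Shadows /all /quiet
2019-12-14T02:13:41Z|WS-ACCT07|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
2019-12-14T02:13:42Z|WS-ACCT07|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|bcdedit /set {default} recoveryenabled No
2019-12-14T02:13:42Z|WS-ACCT07|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
2019-12-13T18:02:10Z|SRV-FILE01|CORP\\backupsvc|C:\\Windows\\explorer.exe|vssadmin.exe list shadows /for=D:
2019-12-13T18:05:33Z|SRV-FILE01|CORP\\backupsvc|C:\\Program Files\\BackupAgent\\agent.exe|vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=20%
"""


def parse_line(line):
    """Split one pipe-separated event; the command line may itself contain '|'."""
    time, host, user, parent, cmdline = line.rstrip("\r\n").split("|", 4)
    return {"time": time, "host": host, "user": user, "parent": parent, "cmdline": cmdline}


def match_patterns(cmdline):
    """Return [(technique, severity), ...] for every pattern the command line hits."""
    return [(name, sev) for name, rx, sev in PATTERNS if rx.search(cmdline)]


def scan(lines):
    """Return (findings_by_host, verdict_by_host).

    A single hit can be routine administration (a backup agent resizing shadow
    storage), so a host is escalated to 'critical' only when it shows two or
    more distinct techniques: that combination is the pre-encryption signature.
    """
    findings = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        for technique, severity in match_patterns(ev["cmdline"]):
            findings[ev["host"]].append({
                "time": ev["time"], "user": ev["user"], "parent": ev["parent"],
                "technique": technique, "severity": severity,
            })
    verdicts = {}
    for host, items in findings.items():
        techniques = {f["technique"] for f in items}
        verdicts[host] = "critical" if len(techniques) >= 2 else items[0]["severity"]
    return dict(findings), verdicts


if __name__ == "__main__":
    found, verdicts = scan(SAMPLE_LOG.splitlines())
    for host, verdict in sorted(verdicts.items()):
        print(f"{host}: {verdict.upper()}")
        for f in found[host]:
            print(f"  {f['time']} {f['user']} via {f['parent']}: {f['technique']}")
```

Run against the sample, the workstation comes back CRITICAL (four techniques inside two seconds from a cmd.exe parent) while the file server is only MEDIUM for a lone shadow-storage resize. Any "critical" verdict is a signal to isolate the host immediately, because encryption normally starts seconds after this script finishes; it is also the reason shadow-copy based rollback cannot be the only recovery plan, and why offline backups matter.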
Restoring applications and data after a crypto-ransomware outage becomes a race against the clock as the targeted business tries to contain the damage, eradicate the ransomware and resume business-critical operations. Because ransomware needs time to spread, attacks are frequently launched at night or on weekends, when a successful intrusion typically takes longer to detect. This compounds the difficulty of quickly assembling and coordinating a capable response team.
Progent offers a range of services for protecting organizations from ransomware events. Among these are user education to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of latest-generation security solutions that use machine learning to detect and disable zero-day attacks quickly. Progent also offers the assistance of veteran ransomware recovery engineers with the skills and perseverance to rebuild a breached system as quickly as possible.
Progent's Ransomware Recovery Help
Paying a ransom in cryptocurrency soon after a crypto-ransomware attack provides no assurance that the remote criminals will hand over the keys to decrypt any of your data. Kaspersky found that seventeen percent of crypto-ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive: Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet estimated at about $13,000. The alternative is to rebuild the mission-critical components of your IT environment. Without usable backups of essential data, this requires a wide range of skills, first-rate team management, and the willingness to work around the clock until the job is done.
For decades, Progent has offered professional IT services to companies in Springfield and throughout the US and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who hold top certifications in key technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cyber security engineers have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise in financial management and ERP applications. This breadth of experience lets Progent quickly understand key systems, organize the surviving components of your network after a ransomware penetration, and rebuild them into a functioning system.
Progent's recovery team uses state-of-the-art project management systems to orchestrate the complex recovery process. Progent understands the importance of working rapidly and in concert with a customer's management and IT staff to prioritize tasks and bring key applications back online as fast as possible.
Customer Story: A Successful Recovery from a Ransomware Penetration
A client engaged Progent after their network was attacked by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later analysis attributed its operation to a Russian-speaking criminal group. Ryuk's operators target specific companies with limited tolerance for operational disruption, and it is among the most profitable strains of crypto-ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing business in the Chicago metro area with around 500 staff. The Ryuk attack had halted all business operations and manufacturing. Most of the client's backups had been online at the time of the attack and were destroyed. The client was preparing to pay the ransom (more than $200,000) and hope for the best, but instead reached out to Progent.
"I can't speak enough about the help Progent provided us throughout the most stressful time of (our) business's existence. We most likely would have paid the cyber criminals behind the attack if not for the confidence the Progent group gave us. The fact that you could get our e-mail system and critical servers back sooner than seven days was something I thought impossible. Each expert I interacted with or e-mailed at Progent was urgently focused on getting us back on-line and was working 24 by 7 to bail us out."
Progent worked with the customer to quickly understand and prioritize the key services that had to be recovered for company operations to continue:
- Windows Active Directory
- Exchange Server
First, Progent followed malware incident-containment best practices: isolating infected systems to stop the spread, then removing the malware. Progent then began restoring Active Directory, the foundation of enterprise environments built on Microsoft technology. Microsoft Exchange messaging will not function without Active Directory, and the customer's financial and MRP systems ran on SQL Server, which relied on Active Directory to authenticate access to the databases.
Within two days, Progent restored Active Directory services to their pre-attack state. Progent then completed setup and storage recovery on key systems. All Exchange Server schema and configuration information was intact, which greatly simplified the Exchange restore. Progent was also able to collect intact Outlook offline data (OST) files from staff workstations to recover mailbox contents. A recent offline backup of the business's accounting/ERP systems made it possible to bring these essential applications back to users. Although significant work remained to recover completely from the Ryuk event, essential systems were back quickly:
"For the most part, the manufacturing operation showed little impact and we delivered all customer deliverables."
Throughout the following couple of weeks important milestones in the restoration project were completed in tight collaboration between Progent consultants and the client:
- Self-hosted web sites were returned to operation without losing any information.
- The MailStore email archive server, holding more than 4 million archived Exchange messages, was brought back up and made accessible to users.
- CRM/Orders/Invoices/AP/AR/Inventory Control modules were 100 percent operational.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Most user workstations were back in service.
"Much of what happened in the early hours is mostly a fog for me, but my team will not soon forget the dedication each and every one of your team put in to give us our business back. I've utilized Progent for the past ten years, maybe more, and each time Progent has outperformed my expectations and delivered as promised. This time was the most impressive ever."
A probable enterprise-killing catastrophe was averted thanks to top-tier experts, a wide range of technical expertise, and tight teamwork. Post-incident analysis showed that the attack described here would have been detected and stopped by current security technology, ISO/IEC 27001-aligned controls, staff training, well-designed incident response procedures, offline backups and proper patch management. The reality, however, is that state-sponsored and criminal cyber gangs operating from Russia, China and elsewhere are tireless and remain an ongoing threat. If you are hit by a ransomware intrusion, you can be confident that Progent's team has proven experience in ransomware defense, cleanup, and information systems recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), I'm grateful for making it so I could get some sleep after we got past the initial push. All of you did an incredible effort, and if any of your team is visiting the Chicago area, dinner is on me!"
To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Springfield a portfolio of remote monitoring and security assessment services designed to help you to reduce the threat from crypto-ransomware. These services incorporate next-generation artificial intelligence technology to detect new strains of ransomware that are able to evade traditional signature-based security products.
For Springfield 24x7 Crypto-Ransomware Recovery Support Services, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates next-generation behavior-based machine learning technology to defend physical and virtual endpoints against modern malware such as ransomware and fileless exploits, which easily evade legacy signature-based AV products. ProSight ASM safeguards local and cloud-based resources and offers a unified platform to manage the complete malware attack progression including filtering, identification, mitigation, cleanup, and post-attack forensics. Top features include single-click rollback using the Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Note that VSS-based rollback only helps if the shadow copies survive: ransomware such as Ryuk deletes them before encrypting, so detection has to fire before that step, and offline backups remain essential. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services offer economical in-depth protection for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis to continuously monitor and respond to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge technologies packaged in one agent managed from a single console. Progent's data protection and virtualization experts can help your business plan and implement a ProSight ESP environment that addresses your company's unique needs and lets you achieve and demonstrate compliance with government and industry information protection regulations. Progent will help you define and implement the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for urgent attention. Progent can also help you set up and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and medium-sized businesses a low-cost end-to-end service for secure backup and disaster recovery. For a low monthly rate, ProSight Data Protection Services automates and monitors your backup processes and enables rapid recovery of vital data, applications and virtual machines that have become unavailable or damaged as a result of component failures, software glitches, disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to a local device, or mirrored to both. Progent's backup and recovery specialists can provide world-class expertise to configure ProSight DPS to comply with regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can help you restore your business-critical information. Learn more about ProSight DPS Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading data security companies to deliver web-based management and world-class security for all your email traffic. The architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway appliance to provide layered defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks, and other email-borne threats. Email Guard's Cloud Protection Layer serves as the first line of defense and keeps most threats from reaching your network firewall. This reduces your exposure to external attacks and saves bandwidth and storage space. Email Guard's onsite security gateway provides a deeper layer of inspection for incoming email. For outbound email, the on-premises gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also work with Exchange Server to monitor and safeguard internal email that originates and terminates inside your corporate firewall. For more details, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to map, track, reconfigure and troubleshoot their networking hardware such as routers, switches, firewalls, and wireless controllers, plus servers, client computers and other devices. Built on cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch keeps infrastructure topology maps up to date, captures and displays the configuration of almost all devices on your network, tracks performance, and sends notices when potential issues are detected. By automating time-consuming management activities, WAN Watch can cut hours off common chores such as producing network diagrams, expanding your network, finding devices that require important software patches, or resolving performance issues. Find out more about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management technology to keep your network operating at peak levels by checking the health of the vital assets that power your information system. When ProSight LAN Watch detects a problem, an alert is sent automatically to your designated IT management personnel and your Progent consultant so that looming issues can be addressed before they disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host set up and managed by Progent's network support experts. Under the ProSight Virtual Hosting model, the client owns the data, the operating system software, and the applications. Since the environment is virtualized, it can be moved easily to an alternate hardware solution without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and protect data about your IT infrastructure, procedures, business applications, and services. You can quickly find passwords or serial numbers and be alerted about impending expirations of TLS/SSL certificates or domains. By cleaning up and organizing your network documentation, you can eliminate as much as half of the time spent looking for vital information about your network. ProSight IT Asset Management provides a common location for storing and collaborating on all documents related to managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're planning enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you require when you need it. Read more about Progent's ProSight IT Asset Management service.