Crypto-Ransomware : Your Worst Information Technology Catastrophe
Crypto-Ransomware  Recovery ProfessionalsRansomware has become a modern cyberplague that presents an enterprise-level danger for organizations vulnerable to an assault. Versions of ransomware such as CrySIS, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been out in the wild for a long time and continue to inflict havoc. The latest strains of crypto-ransomware like Ryuk and Hermes, plus more as yet unnamed malware, not only encrypt online information but also infiltrate all accessible system backup. Files synchronized to the cloud can also be rendered useless. In a poorly designed environment, this can make any recovery impossible and effectively knocks the network back to zero.

Getting back services and data following a ransomware event becomes a sprint against the clock as the targeted business struggles to contain the damage and eradicate the virus and to resume enterprise-critical activity. Because ransomware requires time to move laterally, penetrations are usually launched on weekends and holidays, when successful attacks tend to take longer to discover. This multiplies the difficulty of quickly assembling and coordinating a qualified mitigation team.

Progent makes available a variety of support services for securing enterprises from ransomware attacks. These include team training to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of next-generation security gateways with AI technology to rapidly detect and disable zero-day cyber threats. Progent in addition offers the services of expert ransomware recovery engineers with the talent and commitment to restore a compromised environment as rapidly as possible.

Progent's Crypto-Ransomware Restoration Services
Soon after a crypto-ransomware attack, even paying the ransom demands in Bitcoin cryptocurrency does not ensure that criminal gangs will provide the codes to decrypt any or all of your information. Kaspersky determined that seventeen percent of crypto-ransomware victims never recovered their data after having sent off the ransom, resulting in additional losses. The risk is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is significantly above the usual ransomware demands, which ZDNET determined to be in the range of $13,000. The fallback is to piece back together the critical components of your IT environment. Without the availability of complete data backups, this requires a broad range of skills, well-coordinated project management, and the ability to work continuously until the task is completed.

For decades, Progent has made available certified expert IT services for businesses in Montgomery and throughout the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have attained advanced certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have earned internationally-renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has expertise in financial management and ERP applications. This breadth of experience affords Progent the capability to quickly ascertain necessary systems and integrate the surviving pieces of your Information Technology system following a crypto-ransomware penetration and assemble them into an operational network.

Progent's recovery group has powerful project management applications to coordinate the complex restoration process. Progent appreciates the importance of working swiftly and in unison with a client's management and IT resources to prioritize tasks and to put essential systems back on-line as fast as humanly possible.

Client Story: A Successful Ransomware Intrusion Restoration
A client hired Progent after their organization was brought down by Ryuk ransomware. Ryuk is thought to have been deployed by North Korean government sponsored hackers, possibly using approaches exposed from Americaís NSA organization. Ryuk seeks specific organizations with limited ability to sustain disruption and is among the most lucrative examples of ransomware. Major organizations include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer based in Chicago with around 500 staff members. The Ryuk attack had disabled all essential operations and manufacturing capabilities. Most of the client's data backups had been on-line at the start of the attack and were encrypted. The client was pursuing financing for paying the ransom demand (more than $200,000) and hoping for good luck, but ultimately brought in Progent.


"I cannot speak enough in regards to the care Progent gave us during the most fearful time of (our) businesses existence. We may have had to pay the cyber criminals behind the attack if not for the confidence the Progent group provided us. That you could get our e-mail system and important applications back on-line in less than seven days was incredible. Each expert I talked with or communicated with at Progent was absolutely committed on getting us operational and was working day and night on our behalf."

Progent worked with the customer to quickly assess and assign priority to the mission critical areas that needed to be recovered in order to resume company functions:

  • Active Directory
  • Microsoft Exchange Server
  • Financials/MRP
To get going, Progent followed Anti-virus penetration response industry best practices by halting the spread and cleaning systems of viruses. Progent then started the steps of recovering Active Directory, the heart of enterprise environments built on Microsoft technology. Microsoft Exchange email will not function without AD, and the client's MRP system used Microsoft SQL, which depends on Windows AD for security authorization to the information.

Within 2 days, Progent was able to recover Windows Active Directory to its pre-intrusion state. Progent then initiated rebuilding and storage recovery of the most important systems. All Microsoft Exchange Server data and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to assemble non-encrypted OST data files (Outlook Email Off-Line Data Files) on various workstations in order to recover mail information. A not too old offline backup of the client's financials/ERP systems made them able to restore these essential services back available to users. Although a lot of work remained to recover fully from the Ryuk event, core systems were recovered quickly:


"For the most part, the manufacturing operation did not miss a beat and we made all customer shipments."

During the following few weeks critical milestones in the restoration process were made in tight collaboration between Progent consultants and the customer:

  • In-house web applications were restored with no loss of data.
  • The MailStore Server with over four million historical emails was spun up and available for users.
  • CRM/Orders/Invoicing/AP/Accounts Receivables/Inventory Control capabilities were completely restored.
  • A new Palo Alto 850 firewall was deployed.
  • 90% of the user desktops were functioning as before the incident.

"A huge amount of what was accomplished during the initial response is nearly entirely a fog for me, but my management will not forget the care each and every one of your team accomplished to help get our company back. Iíve utilized Progent for the past ten years, possibly more, and each time Progent has impressed me and delivered as promised. This event was a testament to your capabilities."

Conclusion
A possible company-ending disaster was dodged with hard-working experts, a wide range of subject matter expertise, and close collaboration. Although in hindsight the crypto-ransomware incident described here should have been identified and blocked with modern security technology and security best practices, team education, and well thought out security procedures for data protection and proper patching controls, the fact is that state-sponsored hackers from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incident, remember that Progent's roster of experts has a proven track record in ransomware virus blocking, remediation, and information systems recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thanks very much for letting me get some sleep after we made it through the first week. Everyone did an incredible job, and if anyone that helped is in the Chicago area, a great meal is on me!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Montgomery a range of online monitoring and security assessment services to assist you to reduce the threat from ransomware. These services utilize next-generation artificial intelligence capability to detect new variants of ransomware that are able to get past legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes cutting edge behavior-based machine learning technology to guard physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which routinely get by legacy signature-based AV products. ProSight Active Security Monitoring protects local and cloud-based resources and offers a single platform to address the complete threat lifecycle including filtering, identification, mitigation, cleanup, and post-attack forensics. Top features include single-click rollback using Windows VSS and automatic system-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable multi-layer security for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and responding to cyber assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, device management, and web filtering via cutting-edge technologies incorporated within one agent accessible from a single console. Progent's security and virtualization consultants can assist your business to plan and configure a ProSight ESP deployment that addresses your company's specific needs and that helps you achieve and demonstrate compliance with government and industry information security regulations. Progent will help you specify and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that call for immediate attention. Progent can also assist your company to install and test a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business rapidly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations an affordable and fully managed solution for reliable backup/disaster recovery. For a low monthly rate, ProSight Data Protection Services automates your backup processes and allows rapid recovery of critical data, applications and virtual machines that have become lost or damaged due to hardware failures, software bugs, disasters, human error, or malicious attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, plus Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to a local storage device, or mirrored to both. Progent's backup and recovery specialists can provide world-class support to set up ProSight DPS to to comply with government and industry regulatory standards like HIPAA, FIRPA, and PCI and, whenever necessary, can assist you to recover your business-critical data. Learn more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top data security vendors to deliver web-based control and world-class protection for your email traffic. The powerful structure of Progent's Email Guard managed service integrates cloud-based filtering with a local security gateway device to offer complete protection against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-borne threats. The cloud filter acts as a preliminary barricade and keeps most unwanted email from making it to your network firewall. This reduces your vulnerability to external attacks and saves system bandwidth and storage. Email Guard's on-premises security gateway device adds a further layer of analysis for inbound email. For outbound email, the onsite gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The on-premises gateway can also help Exchange Server to monitor and safeguard internal email traffic that stays inside your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized organizations to diagram, monitor, reconfigure and debug their networking hardware like switches, firewalls, and load balancers plus servers, client computers and other networked devices. Using cutting-edge RMM technology, WAN Watch ensures that infrastructure topology maps are always updated, captures and manages the configuration of almost all devices connected to your network, monitors performance, and generates alerts when issues are detected. By automating tedious network management processes, ProSight WAN Watch can knock hours off ordinary tasks such as making network diagrams, reconfiguring your network, finding devices that need important updates, or identifying the cause of performance issues. Find out more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management technology to help keep your IT system operating efficiently by tracking the health of vital computers that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is transmitted immediately to your designated IT management personnel and your assigned Progent engineering consultant so that all potential problems can be addressed before they can impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual host configured and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the applications. Because the system is virtualized, it can be moved immediately to a different hardware environment without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard information related to your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates ,domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate up to half of time thrown away trying to find critical information about your network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents related to managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether youíre planning enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you need when you need it. Find out more about Progent's ProSight IT Asset Management service.
For 24x7 Montgomery Crypto-Ransomware Cleanup Help, contact Progent at 800-993-9400 or go to Contact Progent.