Crypto-Ransomware : Your Worst IT Disaster
Ransomware  Remediation ProfessionalsCrypto-Ransomware has become an escalating cyber pandemic that represents an extinction-level danger for businesses vulnerable to an attack. Versions of ransomware like the Reveton, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been out in the wild for a long time and still cause destruction. Modern versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, along with frequent unnamed viruses, not only do encryption of on-line files but also infect most available system protection mechanisms. Data synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly architected system, this can make automatic restore operations useless and effectively sets the network back to zero.

Recovering services and data after a ransomware attack becomes a sprint against the clock as the targeted business fights to stop lateral movement and eradicate the ransomware and to restore mission-critical activity. Because ransomware needs time to move laterally, penetrations are often launched during nights and weekends, when successful penetrations typically take longer to detect. This compounds the difficulty of quickly marshalling and organizing a qualified mitigation team.

Progent offers a range of help services for protecting organizations from ransomware penetrations. These include team education to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of the latest generation security solutions with AI capabilities to automatically discover and extinguish zero-day threats. Progent also offers the services of experienced ransomware recovery engineers with the skills and commitment to restore a breached system as urgently as possible.

Progent's Ransomware Restoration Services
Subsequent to a ransomware attack, even paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that criminal gangs will return the keys to decipher any or all of your files. Kaspersky determined that 17% of crypto-ransomware victims never restored their files even after having sent off the ransom, resulting in increased losses. The risk is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is greatly higher than the usual ransomware demands, which ZDNET estimates to be in the range of $13,000. The other path is to piece back together the key elements of your Information Technology environment. Without access to full data backups, this calls for a broad complement of IT skills, professional project management, and the ability to work continuously until the task is done.

For twenty years, Progent has made available certified expert Information Technology services for companies in Minneapolis and across the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have attained advanced certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have earned internationally-renowned certifications including CISA, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise with financial management and ERP software solutions. This breadth of experience gives Progent the ability to efficiently determine critical systems and re-organize the remaining components of your network system after a ransomware attack and configure them into an operational system.

Progent's ransomware team of experts deploys state-of-the-art project management applications to orchestrate the complex restoration process. Progent understands the urgency of working quickly and in unison with a client's management and Information Technology team members to assign priority to tasks and to get critical systems back on line as soon as humanly possible.

Business Case Study: A Successful Ransomware Intrusion Recovery
A business sought out Progent after their network was brought down by Ryuk crypto-ransomware. Ryuk is thought to have been launched by North Korean government sponsored cybercriminals, possibly adopting techniques exposed from Americaís NSA organization. Ryuk goes after specific businesses with little room for operational disruption and is one of the most lucrative versions of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company based in Chicago with about 500 employees. The Ryuk attack had paralyzed all business operations and manufacturing capabilities. Most of the client's data backups had been on-line at the start of the intrusion and were encrypted. The client considered paying the ransom demand (more than two hundred thousand dollars) and hoping for good luck, but ultimately called Progent.


"I cannot tell you enough in regards to the help Progent provided us throughout the most critical time of (our) companyís survival. We would have paid the cybercriminals except for the confidence the Progent experts gave us. That you could get our e-mail and essential applications back into operation faster than one week was incredible. Every single person I interacted with or communicated with at Progent was urgently focused on getting us restored and was working 24 by 7 to bail us out."

Progent worked with the customer to quickly get our arms around and assign priority to the key applications that had to be addressed in order to restart departmental functions:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • MRP System
To get going, Progent followed ransomware event response industry best practices by halting lateral movement and disinfecting systems. Progent then started the steps of recovering Windows Active Directory, the heart of enterprise networks built upon Microsoft Windows technology. Microsoft Exchange email will not function without Windows AD, and the customerís MRP software leveraged SQL Server, which needs Windows AD for security authorization to the databases.

Within two days, Progent was able to rebuild Active Directory to its pre-penetration state. Progent then initiated setup and storage recovery on mission critical servers. All Microsoft Exchange Server schema and configuration information were usable, which greatly helped the restore of Exchange. Progent was also able to find intact OST files (Microsoft Outlook Offline Data Files) on user PCs in order to recover mail information. A not too old off-line backup of the businesses financials/MRP systems made it possible to recover these essential services back online for users. Although a large amount of work needed to be completed to recover completely from the Ryuk damage, the most important systems were recovered rapidly:


"For the most part, the production operation was never shut down and we did not miss any customer orders."

Over the next few weeks important milestones in the restoration project were made in tight collaboration between Progent engineers and the client:

  • Self-hosted web applications were brought back up with no loss of data.
  • The MailStore Microsoft Exchange Server exceeding 4 million archived emails was spun up and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables/Inventory Control capabilities were completely operational.
  • A new Palo Alto 850 firewall was deployed.
  • Most of the user workstations were functioning as before the incident.

"So much of what occurred during the initial response is mostly a haze for me, but my management will not soon forget the commitment each of you accomplished to help get our company back. I have trusted Progent for the past 10 years, possibly more, and each time Progent has shined and delivered. This event was a life saver."

Conclusion
A probable business-ending disaster was avoided due to hard-working experts, a broad range of IT skills, and close collaboration. Although upon completion of forensics the ransomware penetration detailed here would have been shut down with advanced cyber security technology and ISO/IEC 27001 best practices, user and IT administrator training, and well designed incident response procedures for data backup and keeping systems up to date with security patches, the fact remains that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware penetration, feel confident that Progent's team of experts has a proven track record in ransomware virus blocking, removal, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for making it so I could get rested after we made it past the initial push. Everyone did an incredible job, and if anyone that helped is around the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer story, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Minneapolis a range of online monitoring and security assessment services designed to assist you to reduce your vulnerability to ransomware. These services include next-generation artificial intelligence capability to detect new strains of ransomware that are able to get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates next generation behavior analysis technology to guard physical and virtual endpoints against modern malware attacks like ransomware and file-less exploits, which routinely escape legacy signature-based anti-virus tools. ProSight ASM protects on-premises and cloud resources and provides a single platform to manage the entire threat lifecycle including blocking, identification, mitigation, cleanup, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer security for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and reacting to security threats from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge tools packaged within one agent managed from a single console. Progent's security and virtualization consultants can help you to plan and implement a ProSight ESP environment that meets your company's specific requirements and that allows you achieve and demonstrate compliance with legal and industry data protection regulations. Progent will help you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for urgent attention. Progent can also help you to set up and test a backup and restore solution like ProSight Data Protection Services so you can get back in business quickly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations a low cost end-to-end service for reliable backup/disaster recovery. Available at a fixed monthly rate, ProSight DPS automates your backup processes and allows rapid restoration of vital files, applications and VMs that have become lost or corrupted as a result of component breakdowns, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images/. Important data can be protected on the cloud, to an on-promises storage device, or to both. Progent's cloud backup consultants can deliver world-class expertise to set up ProSight DPS to to comply with government and industry regulatory requirements like HIPAA, FIRPA, and PCI and, when necessary, can help you to restore your critical data. Find out more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top data security companies to provide centralized control and comprehensive security for all your email traffic. The hybrid structure of Progent's Email Guard managed service integrates cloud-based filtering with a local gateway appliance to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of unwanted email from reaching your security perimeter. This decreases your exposure to inbound threats and saves system bandwidth and storage space. Email Guard's onsite security gateway device provides a further level of inspection for inbound email. For outbound email, the local security gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Exchange Server to monitor and protect internal email that stays within your security perimeter. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to map out, monitor, enhance and troubleshoot their networking appliances like routers, firewalls, and wireless controllers as well as servers, printers, endpoints and other devices. Using state-of-the-art RMM technology, WAN Watch ensures that infrastructure topology diagrams are always updated, copies and manages the configuration of virtually all devices connected to your network, tracks performance, and generates alerts when potential issues are detected. By automating complex network management activities, WAN Watch can knock hours off common chores such as making network diagrams, reconfiguring your network, locating devices that require important software patches, or resolving performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management techniques to help keep your network operating efficiently by tracking the state of critical computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alarm is transmitted immediately to your designated IT management staff and your Progent consultant so that all potential problems can be resolved before they can impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure fault tolerant data center on a high-performance virtual machine host set up and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the applications. Because the environment is virtualized, it can be ported easily to a different hosting solution without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and safeguard information related to your network infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be warned automatically about impending expirations of SSLs or warranties. By cleaning up and organizing your IT infrastructure documentation, you can save as much as 50% of time thrown away looking for critical information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether youíre planning improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you need when you need it. Read more about ProSight IT Asset Management service.
For 24x7x365 Minneapolis Crypto-Ransomware Remediation Support Services, contact Progent at 800-993-9400 or go to Contact Progent.