Crypto-Ransomware : Your Crippling Information Technology Catastrophe
Ransomware has become an escalating cyber pandemic that poses an existential danger to businesses of all sizes. Families such as Reveton, WannaCry, Bad Rabbit and MongoLock, along with lock-out scams that abuse the Windows Syskey utility, have been circulating for years and still inflict harm; WannaCry and Bad Rabbit showed how a self-propagating strain can spread across a network in hours. More recent strains such as Ryuk (built on the earlier Hermes code base), along with newcomers that have not yet been named, not only encrypt on-line data but also attack the protection mechanisms a victim relies on for recovery: they delete Volume Shadow Copies, disable Windows recovery options, and seek out backup servers and on-line backup sets. Data synched to the cloud is not safe either, because the encrypted files are simply synchronized over the good copies. In a poorly architected environment this makes automated restore impossible and effectively knocks the datacenter back to square one.

Getting services and data back after a ransomware event becomes a race against the clock as the victim struggles to stop the spread, eradicate the ransomware, and resume business-critical operations. Because the encryption stage takes time to run across an environment, attackers typically trigger it late on a Friday or over a weekend or holiday, when a successful intrusion is likely to go unnoticed for longer. This compounds the difficulty of rapidly assembling and coordinating a qualified response team.
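As an added example (not part of Progent's page or its tooling), the following Python script shows the kind of detection logic a security operations team would run over Windows process-creation logs to catch the backup-destruction step described above, and tags any hit that lands on a weekend or outside an assumed business window. The log records, host names, user names and the 07:00-19:00 window are constructed for this example; the command patterns themselves are the documented pre-encryption commands used by Ryuk-style ransomware.

```python
"""Detect the backup-tampering commands that precede ransomware encryption.

Added example (not Progent's code). The records below are constructed for
this example; their fields mirror a Windows process-creation log (Security
event 4688 or Sysmon event 1) but no real log was used. The patterns are the
documented commands Ryuk-style ransomware runs to destroy local recovery
points, and each hit is also checked against an assumed business-hours window.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption for this example: local business hours are 07:00-19:00, Mon-Fri.
BUSINESS_START, BUSINESS_END = 7, 19

# Pre-encryption tampering commands seen in Ryuk and similar intrusions.
TAMPER_PATTERNS = {
    "vss_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "vss_resize": re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic_shadow_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "bcdedit_recovery_off": re.compile(
        r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "wbadmin_catalog_delete": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
}

# Constructed sample records: (timestamp, host, user, command line).
# 2019-06-15 is a Saturday; 2019-06-17 is a Monday.
SAMPLE_EVENTS = [
    ("2019-06-14T14:02:11", "WS-ACCT-07", "CORP\\jdoe",
     r'"C:\Windows\System32\notepad.exe" C:\Users\jdoe\notes.txt'),
    ("2019-06-15T02:41:57", "SRV-FILE-01", "CORP\\svc_backup",
     "vssadmin.exe delete shadows /all /quiet"),
    ("2019-06-15T02:42:03", "SRV-FILE-01", "CORP\\svc_backup",
     "wmic.exe shadowcopy delete"),
    ("2019-06-15T02:42:09", "SRV-FILE-01", "CORP\\svc_backup",
     "bcdedit.exe /set {default} recoveryenabled no"),
    ("2019-06-17T09:15:30", "SRV-BKP-01", "CORP\\backupadmin",
     "vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=40GB"),
]


def classify(cmdline: str) -> list[str]:
    """Return the names of every tampering pattern matched by one command line."""
    return [name for name, pat in TAMPER_PATTERNS.items() if pat.search(cmdline)]


def is_off_hours(ts: datetime) -> bool:
    """Weekend, or outside the assumed business window on a weekday."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def scan(events, burst_window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Score each matching event.

    medium   : a single tampering command during business hours
    high     : a tampering command off-hours
    critical : two or more distinct techniques on one host inside burst_window
    """
    hits = []
    for ts_str, host, user, cmd in events:
        techniques = classify(cmd)
        if not techniques:
            continue
        ts = datetime.fromisoformat(ts_str)
        hits.append({"ts": ts, "host": host, "user": user, "cmd": cmd,
                     "techniques": techniques,
                     "severity": "high" if is_off_hours(ts) else "medium"})

    # Escalate bursts: several distinct techniques on the same host in quick
    # succession is the signature of an automated pre-encryption script.
    by_host: dict[str, list[dict]] = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    for host_hits in by_host.values():
        host_hits.sort(key=lambda h: h["ts"])
        for i, first in enumerate(host_hits):
            window = [h for h in host_hits[i:] if h["ts"] - first["ts"] <= burst_window]
            if len({t for h in window for t in h["techniques"]}) >= 2:
                for h in window:
                    h["severity"] = "critical"
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f'{h["ts"]:%a %Y-%m-%d %H:%M} {h["severity"]:8} {h["host"]:12} '
              f'{",".join(h["techniques"])}: {h["cmd"]}')
```

Run as-is, the script flags the three Saturday-night commands on SRV-FILE-01 as critical and the Monday-morning shadow-storage resize as medium; in practice the resize by a backup administrator during the day is usually legitimate, which is why the burst and off-hours context matters more than any single command match.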

Progent offers a range of services for protecting organizations against ransomware: user education to recognize and avoid phishing lures, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of current-generation endpoint protection that uses behavioral analysis and machine learning to identify and stop zero-day threats automatically. Progent can also provide seasoned ransomware recovery consultants with the track record and persistence to rebuild a compromised environment as quickly as possible.

Progent's Crypto-Ransomware Recovery Support Services
Following a ransomware attack, paying the ransom (usually demanded in Bitcoin) does not guarantee that the criminals will hand over working decryption keys for all of your data. Kaspersky determined that 17% of ransomware victims never recovered their data after paying, compounding their losses. The gamble is also very costly: Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet estimated at around $13,000. The alternative is to rebuild the mission-critical elements of your IT environment. Without complete, uncompromised backups this requires a broad complement of skill sets, well-coordinated team management, and the ability to work 24x7 until the job is finished.

For decades, Progent has provided certified expert Information Technology services for companies in Lincoln and throughout the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have attained high-level certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have earned internationally-renowned industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has expertise in financial systems and ERP applications. This breadth of experience gives Progent the capability to quickly identify important systems and re-organize the remaining components of your Information Technology system following a ransomware attack and assemble them into a functioning network.

Progent's recovery team deploys best of breed project management applications to orchestrate the sophisticated recovery process. Progent understands the importance of acting quickly and together with a client's management and Information Technology staff to assign priority to tasks and to put the most important systems back on-line as soon as humanly possible.

Client Story: A Successful Ransomware Intrusion Response
A small business engaged Progent after being hit by Ryuk ransomware. Ryuk was initially attributed to North Korean state actors because it shares code with the earlier Hermes ransomware, but subsequent analysis tied it to a Russian-speaking criminal group; it is typically deployed by hand after an initial TrickBot or Emotet infection rather than by a self-spreading exploit. Ryuk targets specific organizations with little tolerance for operational disruption and is one of the most lucrative strains of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and Tribune Publishing, owner of the Chicago Tribune. Progent's client is a single-location manufacturing business headquartered in Chicago with around 500 workers. The Ryuk event had paralyzed all essential business and manufacturing processes. Most of the client's backups had been on-line at the time of the attack and were encrypted along with everything else. The client was actively seeking loans to pay the ransom (more than $200,000) and hoping for the best, but ultimately engaged Progent.


"I cannot tell you enough in regards to the expertise Progent provided us during the most critical period of (our) businesses survival. We most likely would have paid the Hackers if not for the confidence the Progent group provided us. The fact that you were able to get our e-mail system and essential servers back quicker than a week was earth shattering. Every single expert I worked with or texted at Progent was urgently focused on getting us operational and was working 24 by 7 to bail us out."

Progent worked with the client to rapidly determine and assign priority to the mission critical areas that needed to be addressed in order to resume business operations:

  • Active Directory (AD)
  • Microsoft Exchange
  • Accounting and Manufacturing Software
To start, Progent followed industry best practices for ransomware incident response: isolating affected systems to stop the spread and cleaning up infected hosts. Progent then began rebuilding Active Directory, the foundation of enterprise environments built on Microsoft technology. Microsoft Exchange Server will not function without Active Directory, and the customer's accounting and MRP system ran on Microsoft SQL Server, which relied on Active Directory (Windows authentication) to authorize access to the databases.

Within 48 hours, Progent had rebuilt Active Directory to its pre-attack state. Progent then carried out reinstallations and storage recovery on the most important servers. The Exchange-related objects and attributes in Active Directory were intact, which greatly simplified the rebuild of Exchange. Progent collected local OST files (Outlook Offline Data Files) from individual desktops to recover mail messages; an OST is a cached copy of the user's mailbox, so this recovers mail only for users who had been running Outlook in cached mode on a workstation that escaped encryption. A recent off-line backup of the client's accounting systems made it possible to bring those applications back on-line. Although much work remained to recover completely from the Ryuk event, critical systems were returned to operation quickly:


"For the most part, the manufacturing operation survived unscathed and we produced all customer orders."

Over the following month important milestones in the restoration project were completed through close cooperation between Progent team members and the client:

  • In-house web sites were restored without losing any data.
  • The MailStore Server with over four million historical emails was brought online and available for users.
  • CRM/Orders/Invoicing/AP/Accounts Receivables/Inventory Control modules were 100% restored.
  • A new Palo Alto Networks PA-850 security appliance was deployed.
  • Ninety percent of the user workstations were operational.

"A huge amount of what was accomplished those first few days is mostly a haze for me, but I will not soon forget the countless hours each of the team put in to help get our company back. I have been working together with Progent for the past ten years, possibly more, and every time I needed help Progent has come through and delivered as promised. This event was a stunning achievement."

Conclusion
A probable business-ending disaster was avoided through dedicated experts, a broad spectrum of knowledge, and tight teamwork. In retrospect, the ransomware intrusion described here could have been stopped, or at least contained, with current endpoint protection, user training, off-line or otherwise isolated backups, and disciplined patching; but the reality is that well-resourced criminal and state-linked groups operating from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware intrusion, remember that Progent's roster of experts has a proven track record in ransomware blocking, remediation, and data restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thanks very much for allowing me to get rested after we got past the first week. Everyone did an fabulous effort, and if any of your team is in the Chicago area, a great meal is my treat!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Lincoln a variety of remote monitoring and security evaluation services to help you minimize your exposure to ransomware. These services use behavior-based detection and machine learning to catch zero-day strains of ransomware that slip past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses behavior analysis to guard physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which routinely get past traditional signature-matching anti-virus tools. ProSight ASM safeguards on-premises and cloud-based resources and offers a single platform to address the entire malware attack lifecycle, including protection, detection, mitigation, cleanup, and forensics. Key features include single-click rollback using the Windows Volume Shadow Copy Service and automatic network-wide immunization against newly seen attacks. Note that rollback through shadow copies depends on those copies surviving the attack, which is precisely why most ransomware deletes them before it starts encrypting; the protection has to stop the attack before that stage, and shadow copies are no substitute for off-line backups. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection services deliver affordable multi-layer security for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP uses contextual security and machine learning to continuously monitor and respond to cyber threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, endpoint control, and web filtering through leading-edge tools packaged within a single agent accessible from a unified console. Progent's data protection and virtualization consultants can assist you to design and implement a ProSight ESP environment that addresses your company's unique requirements and allows you to achieve and demonstrate compliance with legal and industry data security standards. Progent will assist you to define and implement the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that require urgent action. Progent can also assist your company to install and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations a low-cost, fully managed service for reliable backup and disaster recovery (BDR). For a fixed monthly price, ProSight DPS automates and monitors your backup processes and allows fast recovery of critical data, applications and virtual machines that have been lost or corrupted as a result of component failures, software bugs, disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware images. Important data can be backed up to the cloud, to an on-premises storage device, or mirrored to both. Progent's BDR consultants can deliver world-class expertise to configure ProSight Data Protection Services to comply with regulatory requirements such as HIPAA, FINRA, and PCI and, whenever necessary, can assist you to recover your business-critical data. Learn more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading information security companies to deliver centralized management and comprehensive protection for your inbound and outbound email. The hybrid architecture of Email Guard combines a Cloud Protection Layer with a local gateway device to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a preliminary barricade and blocks most threats from making it to your network firewall. This reduces your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's onsite gateway device provides a further layer of analysis for inbound email. For outbound email, the local gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite security gateway can also assist Exchange Server to track and protect internal email traffic that originates and ends inside your security perimeter. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized organizations to diagram, track, enhance and debug their connectivity appliances like routers, firewalls, and wireless controllers plus servers, printers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are kept updated, captures and manages the configuration information of virtually all devices connected to your network, monitors performance, and sends notices when problems are detected. By automating tedious management activities, ProSight WAN Watch can knock hours off ordinary tasks such as network mapping, reconfiguring your network, finding appliances that require important software patches, or isolating performance problems. Find out more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system operating at peak levels by tracking the health of critical assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your designated IT personnel and your assigned Progent engineering consultant so that any looming issues can be addressed before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual machine host configured and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the applications. Because the system is virtualized, it can be moved immediately to an alternate hardware solution without a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and safeguard data related to your IT infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be warned automatically about impending expirations of SSL/TLS certificates or domain registrations. By cleaning up and managing your network documentation, you can eliminate up to 50% of the time wasted searching for vital information about your network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents required for managing your network infrastructure, such as recommended procedures and how-to guides. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether you're planning enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need the instant you need it. Read more about ProSight IT Asset Management service.
For Lincoln 24-7 Crypto-Ransomware Recovery Services, reach out to Progent at 800-993-9400 or go to Contact Progent.