Crypto-Ransomware : Your Worst IT Nightmare
Ransomware  Recovery ExpertsCrypto-Ransomware has become an escalating cyberplague that presents an existential danger for organizations unprepared for an assault. Versions of ransomware such as CrySIS, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been around for a long time and continue to inflict destruction. Modern versions of ransomware such as Ryuk and Hermes, as well as daily unnamed newcomers, not only do encryption of on-line data files but also infect any available system backups. Files replicated to cloud environments can also be corrupted. In a poorly architected environment, it can render automated restoration useless and effectively sets the network back to square one.

Getting back on-line programs and information following a ransomware event becomes a race against the clock as the targeted business struggles to stop lateral movement and clear the crypto-ransomware and to resume mission-critical activity. Because crypto-ransomware takes time to replicate, attacks are usually sprung during nights and weekends, when attacks tend to take longer to notice. This multiplies the difficulty of rapidly mobilizing and orchestrating a capable mitigation team.

Progent has a range of support services for securing businesses from ransomware events. Among these are staff training to become familiar with and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of the latest generation security appliances with machine learning technology to intelligently detect and quarantine zero-day cyber attacks. Progent in addition can provide the assistance of seasoned crypto-ransomware recovery engineers with the talent and commitment to reconstruct a compromised network as rapidly as possible.

Progent's Ransomware Restoration Help
After a ransomware attack, even paying the ransom demands in cryptocurrency does not ensure that distant criminals will respond with the codes to unencrypt any of your files. Kaspersky Labs ascertained that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the usual crypto-ransomware demands, which ZDNET estimates to be in the range of $13,000. The alternative is to piece back together the critical parts of your Information Technology environment. Absent access to essential system backups, this calls for a broad complement of skill sets, professional team management, and the capability to work continuously until the recovery project is done.

For twenty years, Progent has provided certified expert Information Technology services for companies in Anaheim and throughout the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have earned high-level industry certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have garnered internationally-recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has experience with financial management and ERP applications. This breadth of expertise gives Progent the capability to efficiently ascertain critical systems and integrate the surviving parts of your network environment after a ransomware penetration and rebuild them into a functioning system.

Progent's recovery team deploys powerful project management systems to orchestrate the complicated recovery process. Progent understands the urgency of working quickly and in unison with a customerís management and IT team members to prioritize tasks and to put critical applications back on line as soon as humanly possible.

Client Story: A Successful Ransomware Penetration Recovery
A small business hired Progent after their network was attacked by Ryuk ransomware. Ryuk is thought to have been deployed by Northern Korean state sponsored hackers, possibly using algorithms leaked from the U.S. NSA organization. Ryuk attacks specific businesses with limited ability to sustain disruption and is among the most profitable examples of ransomware. Well Known targets include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business located in the Chicago metro area and has about 500 employees. The Ryuk penetration had disabled all essential operations and manufacturing capabilities. Most of the client's data backups had been online at the time of the attack and were destroyed. The client considered paying the ransom (more than $200,000) and praying for the best, but in the end utilized Progent.


"I cannot speak enough in regards to the care Progent provided us during the most fearful time of (our) companyís existence. We may have had to pay the cybercriminals if not for the confidence the Progent group gave us. That you were able to get our e-mail system and critical applications back online quicker than a week was incredible. Every single consultant I worked with or texted at Progent was laser focused on getting us restored and was working non-stop on our behalf."

Progent worked with the customer to quickly understand and assign priority to the most important services that had to be recovered to make it possible to continue business functions:

  • Windows Active Directory
  • E-Mail
  • Accounting/MRP
To get going, Progent adhered to ransomware incident mitigation best practices by stopping lateral movement and disinfecting systems. Progent then initiated the steps of bringing back online Active Directory, the foundation of enterprise environments built upon Microsoft technology. Microsoft Exchange messaging will not operate without AD, and the businessesí accounting and MRP software used Microsoft SQL Server, which depends on Windows AD for access to the information.

In less than two days, Progent was able to recover Active Directory services to its pre-virus state. Progent then initiated rebuilding and hard drive recovery of essential servers. All Exchange schema and attributes were intact, which greatly helped the rebuild of Exchange. Progent was also able to find intact OST data files (Microsoft Outlook Offline Data Files) on various PCs and laptops in order to recover mail messages. A not too old off-line backup of the customerís financials/MRP systems made them able to return these essential programs back online for users. Although a large amount of work needed to be completed to recover fully from the Ryuk attack, the most important services were returned to operations rapidly:


"For the most part, the production operation did not miss a beat and we did not miss any customer orders."

Over the following couple of weeks key milestones in the restoration process were made in close cooperation between Progent team members and the customer:

  • Self-hosted web sites were restored without losing any data.
  • The MailStore Exchange Server containing more than 4 million archived messages was spun up and available for users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory modules were 100% recovered.
  • A new Palo Alto Networks 850 security appliance was set up and programmed.
  • Most of the desktops and laptops were back into operation.

"Much of what occurred during the initial response is nearly entirely a haze for me, but I will not soon forget the countless hours each of your team put in to help get our business back. I have been working together with Progent for at least 10 years, possibly more, and every time I needed help Progent has shined and delivered as promised. This event was no exception but maybe more Herculean."

Conclusion
A possible business disaster was evaded due to top-tier professionals, a broad array of knowledge, and tight collaboration. Although upon completion of forensics the ransomware virus penetration detailed here would have been identified and disabled with current security solutions and recognized best practices, user and IT administrator training, and appropriate security procedures for data backup and applying software patches, the reality remains that state-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware incursion, feel confident that Progent's team of experts has extensive experience in ransomware virus blocking, cleanup, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thanks very much for allowing me to get some sleep after we made it over the initial fire. Everyone did an fabulous effort, and if any of your team is in the Chicago area, dinner is my treat!"

To review or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Anaheim a range of online monitoring and security evaluation services to help you to minimize the threat from ransomware. These services include next-generation machine learning technology to detect new variants of ransomware that can evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates next generation behavior-based analysis technology to guard physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which routinely evade traditional signature-matching anti-virus products. ProSight ASM safeguards on-premises and cloud resources and offers a unified platform to automate the entire threat lifecycle including protection, identification, mitigation, cleanup, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer economical multi-layer security for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP provides firewall protection, intrusion alarms, device control, and web filtering through cutting-edge technologies packaged within a single agent managed from a unified control. Progent's data protection and virtualization experts can help your business to plan and implement a ProSight ESP deployment that addresses your organization's unique needs and that allows you demonstrate compliance with government and industry information protection regulations. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for immediate action. Progent can also assist you to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business quickly from a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and medium-sized organizations an affordable and fully managed service for reliable backup/disaster recovery. Available at a low monthly cost, ProSight DPS automates and monitors your backup activities and enables rapid restoration of vital data, apps and virtual machines that have become unavailable or damaged as a result of hardware failures, software glitches, natural disasters, human mistakes, or malicious attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, apps, system images, as well as Hyper-V and VMware images/. Important data can be protected on the cloud, to an on-promises storage device, or mirrored to both. Progent's BDR consultants can deliver world-class support to configure ProSight Data Protection Services to be compliant with regulatory standards such as HIPAA, FIRPA, and PCI and, whenever needed, can help you to restore your critical information. Learn more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of leading data security vendors to deliver web-based control and comprehensive security for all your inbound and outbound email. The hybrid architecture of Email Guard integrates a Cloud Protection Layer with a local security gateway appliance to offer complete protection against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The Cloud Protection Layer acts as a first line of defense and blocks the vast majority of unwanted email from making it to your network firewall. This decreases your vulnerability to inbound threats and saves network bandwidth and storage space. Email Guard's onsite security gateway device adds a deeper layer of inspection for inbound email. For outbound email, the on-premises gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also help Microsoft Exchange Server to track and protect internal email that stays inside your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to map out, monitor, reconfigure and troubleshoot their networking appliances such as routers and switches, firewalls, and access points as well as servers, printers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology maps are kept current, captures and manages the configuration of almost all devices on your network, tracks performance, and sends alerts when potential issues are discovered. By automating tedious management and troubleshooting processes, ProSight WAN Watch can knock hours off ordinary tasks such as network mapping, reconfiguring your network, locating devices that need critical updates, or identifying the cause of performance issues. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management techniques to help keep your network operating at peak levels by tracking the state of vital assets that drive your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your specified IT personnel and your assigned Progent consultant so that all potential problems can be addressed before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual host configured and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting service model, the client owns the data, the OS software, and the apps. Because the system is virtualized, it can be moved easily to an alternate hosting solution without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not tied a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, find and protect information related to your network infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSLs ,domains or warranties. By updating and organizing your IT infrastructure documentation, you can save as much as half of time thrown away trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents required for managing your business network such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether youíre planning improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Learn more about ProSight IT Asset Management service.
For 24-Hour Anaheim Ransomware Removal Experts, contact Progent at 800-993-9400 or go to Contact Progent.