Crypto-Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become a modern cyber-plague that poses an existential danger to organizations unprepared for an attack. Crypto-ransomware families such as CryptoLocker, WannaCry, Bad Rabbit, NotPetya and the MongoLock cryptoworm have been running rampant for years and still cause destruction. The latest strains, such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with a steady stream of as yet unnamed variants, not only encrypt on-line data but also seek out and destroy any reachable system restore points and backups. Files synchronized to cloud storage can be encrypted as well. In a poorly architected environment this can make automated restoration impossible and effectively sets the datacenter back to zero.
Getting on-line services and data back after a ransomware attack is a race against time: the targeted organization must stop lateral movement, remove the malware, and restore business-critical activity. Because ransomware takes time to spread laterally, attacks are frequently launched on weekends and at night, when they typically take longer to detect, which makes it harder to promptly mobilize and organize a qualified response team.
Progent has a variety of support services for protecting businesses from ransomware events. These include team education to help identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of modern security appliances with artificial intelligence technology to automatically identify and suppress new threats. Progent in addition offers the services of veteran crypto-ransomware recovery consultants with the talent and commitment to re-deploy a compromised environment as quickly as possible.
Progent's Ransomware Restoration Services
After a crypto-ransomware event, paying the ransom in cryptocurrency does not ensure that the criminals will respond with the keys to decrypt all your files. Kaspersky Labs estimated that 17% of ransomware victims never recovered their information even after paying the ransom, compounding their losses. Paying is also costly in itself: Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000), far above the usual ransomware demand, which ZDNet puts at approximately $13,000. The alternative is to rebuild the vital elements of your Information Technology environment. Without full system backups, this calls for a wide range of IT skills, top-notch team management, and the ability to work 24x7 until the job is finished.
For two decades, Progent has provided certified expert Information Technology services to businesses in Barueri-Alphaville and across the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who hold high-level certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have earned internationally recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience in financial management and ERP applications. This breadth of experience gives Progent the skills to rapidly identify critical systems after a ransomware penetration and reassemble the surviving parts of your network into a functioning system.
Progent's ransomware group deploys best of breed project management systems to coordinate the complicated recovery process. Progent appreciates the importance of working swiftly and in unison with a customer’s management and Information Technology team members to prioritize tasks and to get critical systems back online as fast as possible.
Business Case Study: A Successful Ransomware Virus Recovery
A business contacted Progent after being attacked by the Ryuk crypto-ransomware. Ryuk is thought to have been launched by North Korean state-sponsored criminal groups, suspected of adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific organizations that have little or no tolerance for operational disruption and is among the most profitable examples of crypto-ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing company located in Chicago with about 500 staff members. The Ryuk intrusion had brought down all company operations and manufacturing capabilities. Most of the client's data backups had been on-line at the start of the intrusion and were destroyed. The client was pursuing financing to pay the ransom demand (exceeding $200K) and hoping for the best, but ultimately engaged Progent.
"I can’t thank you enough for the support Progent gave us throughout the most stressful period of (our) company’s existence. We would have had little choice but to pay the hackers behind this attack, except for the confidence the Progent team provided us. That you could get our e-mail system and important applications back on-line in less than 1 week was earth-shattering. Every single staff member I spoke to or communicated with at Progent was amazingly focused on getting us operational and worked 24 by 7 to bail us out."
Progent worked with the customer to rapidly identify and prioritize the essential services that had to be restored in order to resume business functions:
- Active Directory
- MRP System
To start, Progent followed anti-virus/malware incident mitigation best practices by isolating and cleaning infected systems. Progent then began recovering Microsoft Active Directory, the core of enterprise systems built on Microsoft technology: Microsoft Exchange email will not operate without AD, and the client's MRP system relied on SQL Server, which depends on Active Directory for access to its data.
Within 2 days, Progent had rebuilt Active Directory services to their pre-attack state. Progent then helped with the setup and storage recovery of the most important servers. All Exchange Server schema and attributes were intact, which accelerated the Exchange restore. Progent was also able to collect local OST files (Microsoft Outlook Off-Line Folder Files) from staff desktops and laptops to recover email data. A reasonably recent off-line backup of the client's accounting/MRP systems made it possible to bring these essential applications back on-line. Although much work remained to recover completely from the Ryuk attack, core systems were restored rapidly:
"For the most part, the production operation was never shut down and we delivered all customer orders."
Over the next few weeks critical milestones in the restoration project were accomplished through tight collaboration between Progent engineers and the client:
- In-house web applications were brought back up with no loss of information.
- The MailStore Server containing more than 4 million archived messages was spun up and available for users.
- CRM/Orders/Invoices/AP/Accounts Receivable/Inventory capabilities were 100% restored.
- A new Palo Alto Networks 850 security appliance was set up.
- Ninety percent of the user desktops and notebooks were functioning as before the incident.
"A huge amount of what was accomplished in the initial days is mostly a blur for me, but my management will not soon forget the countless hours each of you put in to help get our company back. I’ve entrusted Progent for the past ten years, possibly more, and every time Progent has come through and delivered. This situation was a testament to your capabilities."
A likely company-ending catastrophe was averted through the efforts of top-tier experts, a wide range of knowledge, and tight collaboration. In hindsight, the ransomware incident described here could have been detected and stopped with advanced security technology, ISO/IEC 27001 best practices, user education, appropriate incident response procedures for data protection, and keeping systems current with security patches; even so, state-sponsored cybercriminals from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you are hit by a crypto-ransomware incursion, remember that Progent's roster of experts has substantial experience in crypto-ransomware defense, removal, and information systems restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thanks very much for letting me get some sleep after we got through the most critical parts. All of you did an incredible job, and if anyone is around the Chicago area, a great meal is the least I can do!"
To read or download a PDF version of this ransomware incident report, see Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Barueri-Alphaville a variety of remote monitoring and security evaluation services designed to help you to minimize the threat from ransomware. These services utilize next-generation AI technology to detect new strains of crypto-ransomware that are able to get past traditional signature-based security solutions.
For 24-7 Barueri-Alphaville Ransomware Removal Services, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes next-generation behavioral machine learning technology to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which easily evade legacy signature-based AV products. ProSight ASM safeguards on-premises and cloud-based resources and provides a single platform to manage the entire malware attack lifecycle including blocking, detection, mitigation, cleanup, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) services offer economical in-depth security for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and advanced heuristics to continuously monitor and react to cyber assaults from all vectors. ProSight ESP provides firewall protection, intrusion alarms, device control, and web filtering through leading-edge tools incorporated within one agent accessible from a unified console. Progent's security and virtualization experts can help you plan and implement a ProSight ESP deployment that meets your company's specific needs and that allows you to achieve and demonstrate compliance with legal and industry data protection standards. Progent will assist you in specifying and configuring the security policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that call for urgent action. Progent can also assist you in setting up and testing a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business rapidly after a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services offer small and medium-sized businesses a low cost end-to-end service for reliable backup/disaster recovery. Available at a fixed monthly rate, ProSight Data Protection Services automates and monitors your backup activities and enables rapid recovery of vital files, apps and virtual machines that have become lost or corrupted due to component breakdowns, software glitches, natural disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, plus Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to a local storage device, or mirrored to both. Progent's backup and recovery specialists can provide advanced expertise to set up ProSight Data Protection Services to be compliant with regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, when needed, can help you to restore your business-critical data. Find out more about ProSight DPS Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading data security vendors to provide web-based management and world-class protection for your email traffic. The powerful architecture of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises gateway appliance to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and blocks most unwanted email from making it to your network firewall. This decreases your exposure to external attacks and conserves system bandwidth and storage space. Email Guard's on-premises gateway appliance adds a deeper layer of analysis for incoming email. For outgoing email, the on-premises gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also help Microsoft Exchange Server to track and protect internal email that originates and ends inside your security perimeter. For more information, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
Progent’s ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map, monitor, enhance and troubleshoot their connectivity appliances such as switches, firewalls, and access points as well as servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network diagrams are always updated, copies and displays the configuration information of almost all devices on your network, tracks performance, and generates alerts when issues are detected. By automating time-consuming network management processes, ProSight WAN Watch can cut hours off ordinary chores like making network diagrams, reconfiguring your network, finding appliances that need critical software patches, or identifying the cause of performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent’s server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management technology to keep your IT system running at peak levels by tracking the state of vital computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your designated IT staff and your assigned Progent consultant so all looming issues can be resolved before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual host configured and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the apps. Since the system is virtualized, it can be moved immediately to an alternate hardware solution without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is a cloud-based IT documentation management service that makes it easy to capture, update, find and protect information related to your IT infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your network documentation, you can save as much as 50% of the time spent searching for critical information about your IT network. ProSight IT Asset Management features a common location for storing and sharing all documents required for managing your network infrastructure, such as recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether you’re planning enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you require the instant you need it. Learn more about the ProSight IT Asset Management service.