Crypto-Ransomware : Your Worst IT Nightmare
Crypto-Ransomware Remediation Consultants

Ransomware has become a modern cyberplague that presents an existential danger for organizations vulnerable to an assault. Multiple generations of ransomware such as CryptoLocker, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been out in the wild for many years and still cause havoc. More recent variants of ransomware like Ryuk and Hermes, as well as frequent as yet unnamed malware, not only encrypt on-line information but also defeat most configured system protection mechanisms. Data synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly architected environment, this can make automated restore operations impossible and effectively sets the entire system back to square one.

Recovering services and data after a ransomware attack becomes a sprint against the clock as the victim tries its best to stop lateral movement, clean up the ransomware, and restore enterprise-critical operations. Since ransomware requires time to spread, assaults are often sprung during weekends and nights, when successful attacks in many cases take longer to identify. This compounds the difficulty of rapidly assembling and orchestrating a knowledgeable response team.

Progent offers an assortment of support services for securing businesses from crypto-ransomware penetrations. These include team training to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of modern security gateways with machine learning technology to rapidly detect and disable zero-day cyber attacks. Progent in addition can provide the assistance of seasoned crypto-ransomware recovery consultants with the talent and commitment to reconstruct a breached system as quickly as possible.

Progent's Crypto-Ransomware Restoration Support Services
After a ransomware event, sending the ransom in Bitcoin cryptocurrency does not guarantee that criminal gangs will return the codes to decrypt any of your files. Kaspersky determined that 17% of crypto-ransomware victims never restored their data even after having paid the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the usual ransomware demand, which ZDNET determined to be around $13,000. The fallback is to piece back together the mission-critical components of your Information Technology environment. Absent the availability of full information backups, this requires a wide range of skill sets, professional team management, and the capability to work continuously until the task is over.

For twenty years, Progent has made available certified expert Information Technology services for companies in Bellevue and across the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have attained advanced certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have garnered internationally-renowned industry certifications including CISA, CISSP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent in addition has expertise in financial systems and ERP applications. This breadth of experience enables Progent to rapidly identify the necessary systems, re-organize the remaining components of your computer network environment following a crypto-ransomware attack, and configure them into an operational network.

Progent's security team has state-of-the-art project management systems to orchestrate the complicated recovery process. Progent understands the importance of working swiftly and together with a customer's management and Information Technology staff to prioritize tasks and to get the most important systems back on-line as fast as possible.

Customer Story: A Successful Crypto-Ransomware Virus Recovery
A small business contacted Progent after their company was crippled by Ryuk crypto-ransomware. Ryuk is thought to have been deployed by North Korean state cybercriminals, suspected of adopting strategies leaked from the United States NSA organization. Ryuk goes after specific companies with little or no ability to sustain disruption and is one of the most lucrative incarnations of crypto-ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer headquartered in Chicago with around 500 workers. The Ryuk attack had disabled all essential operations and manufacturing capabilities. Most of the client's data backups had been directly accessible from the network at the start of the attack and were encrypted. The client considered paying the ransom (in excess of $200K) and praying for good luck, but ultimately made the decision to use Progent.


"I can't thank you enough about the care Progent provided us during the most critical time of (our) company's survival. We may have had to pay the cyber criminals behind the attack if not for the confidence the Progent group provided us. The fact that you were able to get our e-mail and critical servers back online sooner than a week was incredible. Every single person I worked with or messaged at Progent was amazingly focused on getting our system up and was working breakneck pace on our behalf."

Progent worked hand in hand with the client to quickly understand and assign priority to the mission-critical systems that had to be addressed in order to continue company operations:

  • Active Directory (AD)
  • Electronic Messaging
  • Accounting/MRP

To start, Progent adhered to industry best practices for malware incident response by halting the spread and cleaning infected systems. Progent then began the process of bringing Microsoft Active Directory back online, the heart of enterprise environments built on Microsoft technology. Exchange email will not operate without Active Directory, and the business's financials and MRP software relied on Microsoft SQL Server, which in turn depends on Windows AD for authenticated access to the databases.

In less than 48 hours, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then carried out setup and disk recovery of the most important applications. All Microsoft Exchange Server ties and attributes in Active Directory were intact, which facilitated the restore of Exchange. Progent was able to find intact OST data files (Outlook Off-Line Folder Files) on team PCs to recover email data. A recent offline backup of the business's manufacturing software made it possible to return these vital services back online. Although a large amount of work still had to be done to recover completely from the Ryuk event, critical systems were recovered quickly:


"For the most part, the assembly line operation did not miss a beat and we made all customer sales."

Throughout the next month critical milestones in the restoration process were accomplished through tight collaboration between Progent consultants and the customer:

  • Internal web applications were brought back up with no loss of information.
  • The MailStore Exchange Server with over four million archived messages was spun up and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory Control capabilities were 100 percent operational.
  • A new Palo Alto Networks 850 security appliance was installed.
  • 90% of the user PCs were functioning as before the incident.

"A huge amount of what went on that first week is nearly entirely a blur for me, but I will not forget the commitment each of the team put in to help get our business back. I've utilized Progent for the past ten years, maybe more, and every time I needed help Progent has impressed me and delivered. This event was a stunning achievement."

Conclusion
A potential business extinction catastrophe was dodged due to hard-working professionals, a wide spectrum of technical expertise, and close collaboration. Although in post mortem the ransomware incident described here could have been identified and prevented with current security systems and security best practices, team education, and appropriate incident response procedures for data backup and proper patching controls, the reality remains that state-sponsored cyber criminals from Russia, China and elsewhere are tireless and are not going away. If you do fall victim to crypto-ransomware, feel confident that Progent's roster of experts has a proven track record in ransomware defense, removal, and data restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thanks very much for letting me get rested after we got over the first week. All of you did an amazing effort, and if any of your team is visiting the Chicago area, a great meal is my treat!"

To review or download a PDF version of this case study, see Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet (PDF - 282 KB).

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Bellevue a range of online monitoring and security evaluation services to assist you to reduce the threat from ransomware. These services utilize next-generation machine learning technology to uncover zero-day strains of crypto-ransomware that can evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes next generation behavior-based machine learning tools to guard physical and virtual endpoints against new malware assaults such as ransomware and email phishing, which routinely evade legacy signature-matching anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a unified platform to manage the complete threat progression including filtering, detection, containment, cleanup, and post-attack forensics. Key features include one-click rollback using Windows VSS and real-time system-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable in-depth security for physical servers and VMs, workstations, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device management, and web filtering via cutting-edge tools incorporated within a single agent managed from a single console. Progent's data protection and virtualization consultants can help your business to plan and implement a ProSight ESP environment that meets your company's unique needs and that allows you to achieve and demonstrate compliance with government and industry information protection standards. Progent will help you define and configure policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for urgent attention. Progent can also assist your company to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and mid-sized organizations an affordable and fully managed solution for secure backup/disaster recovery (BDR). Available at a low monthly cost, ProSight Data Protection Services automates your backup activities and enables fast restoration of critical data, apps and VMs that have become lost or damaged due to hardware breakdowns, software bugs, disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to a local storage device, or mirrored to both. Progent's BDR specialists can provide world-class support to configure ProSight Data Protection Services to comply with regulatory standards such as HIPAA, FERPA, PCI and Safe Harbor and, whenever necessary, can assist you to restore your business-critical information. Learn more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading data security companies to provide web-based control and world-class security for all your inbound and outbound email. The powerful architecture of Progent's Email Guard integrates cloud-based filtering with a local security gateway appliance to provide complete defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter serves as a first line of defense and keeps most unwanted email from reaching your network firewall. This decreases your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's onsite gateway appliance provides a further layer of analysis for incoming email. For outbound email, the on-premises security gateway provides AV and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email that originates and ends within your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to map, track, enhance and debug their connectivity hardware such as routers and switches, firewalls, and access points plus servers, client computers and other networked devices. Using cutting-edge RMM technology, WAN Watch makes sure that network diagrams are always current, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and generates alerts when problems are detected. By automating tedious network management activities, WAN Watch can cut hours off ordinary tasks such as network mapping, reconfiguring your network, locating appliances that need important software patches, or isolating performance issues. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system running efficiently by tracking the health of vital computers that power your information system. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your designated IT staff and your Progent consultant so all looming problems can be addressed before they can disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual host set up and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the applications. Because the system is virtualized, it can be ported immediately to an alternate hardware solution without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and protect data about your network infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be warned automatically about impending expirations of SSL certificates, domains, or warranties. By cleaning up and organizing your network documentation, you can eliminate up to 50% of the time thrown away searching for critical information about your IT network. ProSight IT Asset Management features a common location for storing and sharing all documents related to managing your network infrastructure, like recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're making improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Find out more about ProSight IT Asset Management service.

For Bellevue 24/7 CryptoLocker Cleanup Help, call Progent at 800-993-9400 or go to Contact Progent.