Ransomware : Your Feared Information Technology Nightmare
Crypto-Ransomware Remediation Professionals
Crypto-ransomware has become an all-too-frequent cyberplague that poses an enterprise-level danger for businesses of all sizes that are poorly prepared for an attack. Multiple generations of crypto-ransomware such as CrySIS, CryptoWall, Bad Rabbit, NotPetya and the MongoLock cryptoworms have been around for years and continue to cause havoc. Newer ransomware families like Ryuk and Hermes, plus additional unnamed newcomers, not only encrypt on-line data files but also infect any reachable system backups. Data synched to cloud environments can also be ransomed. In a poorly architected system, this can make automated recovery impossible and basically sets the network back to square one.

Getting applications and data back online after a ransomware attack becomes a race against time as the victim tries its best to contain the damage, clean up the crypto-ransomware, and resume business-critical operations. Because ransomware takes time to move laterally, attacks are usually launched during weekends and nights, when successful penetrations are likely to take longer to uncover. This compounds the difficulty of promptly assembling and coordinating a capable response team.

Progent provides an assortment of solutions for protecting businesses from crypto-ransomware penetrations. These include user education to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, as well as installation of modern security gateways with machine learning technology to quickly identify and quarantine new cyber attacks. Progent also provides the services of expert ransomware recovery engineers with the skills and perseverance to reconstruct a compromised network as rapidly as possible.

Progent's Ransomware Restoration Help
After a ransomware attack, even paying the ransom demand in cryptocurrency does not guarantee that merciless criminals will respond with the keys to decrypt any or all of your files. Kaspersky Labs determined that 17% of ransomware victims never recovered their files after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET estimates to be in the range of $13,000. The alternative is to piece back together the essential elements of your IT environment. Absent access to full system backups, this calls for a wide range of skill sets, top-notch project management, and the ability to work non-stop until the job is over.

For two decades, Progent has provided certified expert IT services for companies in Boise and throughout the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have been awarded advanced industry certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have garnered internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience in financial systems and ERP application software. This breadth of experience gives Progent the skills to knowledgeably assess critical systems, organize the remaining parts of your network after a ransomware event, and configure them into a functioning network.

Progent's security group uses top-notch project management systems to coordinate the complex recovery process. Progent understands the urgency of working swiftly and together with a client's management and Information Technology team members to prioritize tasks and to get the most important services back on-line as soon as possible.

Client Story: A Successful Crypto-Ransomware Intrusion Response
A client sought out Progent after their network was taken over by Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state-sponsored criminal gangs, possibly adopting technology exposed from America's NSA. Ryuk attacks specific organizations with little ability to sustain disruption and is one of the most lucrative instances of crypto-ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company headquartered in the Chicago metro area with around 500 employees. The Ryuk attack had frozen all business operations and manufacturing capabilities. Most of the client's data backups had been on-line at the beginning of the intrusion and were destroyed. The client considered paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately made the decision to use Progent.


"I can't tell you enough in regards to the care Progent provided us throughout the most fearful time of (our) business's life. We may have had to pay the cybercriminals except for the confidence the Progent experts provided us. The fact that you were able to get our e-mail and essential applications back sooner than seven days was beyond my wildest dreams. Each expert I talked with or texted at Progent was amazingly focused on getting our system up and was working day and night to bail us out."

Progent worked hand in hand with the customer to rapidly understand and prioritize the critical applications that had to be recovered in order to resume departmental operations:

  • Microsoft Active Directory
  • Exchange Server
  • MRP System

To get going, Progent followed industry best practices for malware incident mitigation by stopping lateral movement and disinfecting systems. Progent then started the work of recovering Microsoft AD, the heart of enterprise systems built on Microsoft Windows Server technology. Exchange email will not operate without AD, and the business's accounting and MRP software ran on Microsoft SQL Server, which depends on Active Directory services for authentication to the databases.

Within 48 hours, Progent was able to rebuild Active Directory services to their pre-penetration state. Progent then rebuilt critical servers and recovered their storage. All Exchange Server schema and attributes were intact, which simplified the restore of Exchange. Progent was able to locate non-encrypted OST files (Outlook Offline Folder Files) on various PCs in order to recover mail messages. A relatively recent offline backup of the client's accounting/MRP software made it possible to bring these required services back online. Although significant work remained to recover completely from the Ryuk event, critical systems were restored quickly:


"For the most part, the production manufacturing operation ran fairly normally throughout and we did not miss any customer shipments."

Over the next few weeks, critical milestones in the recovery project were reached through close cooperation between Progent team members and the customer:

  • In-house web sites were returned to operation without losing any data.
  • The MailStore Server with over four million historical messages was restored to operations and available for users.
  • CRM/Customer Orders/Invoicing/AP/Accounts Receivable (AR)/Inventory Control functions were 100 percent recovered.
  • A new Palo Alto 850 security appliance was deployed.
  • 90% of the user PCs were back into operation.

"A huge amount of what was accomplished during the initial response is mostly a blur for me, but my management will not soon forget the urgency each of your team accomplished to give us our company back. I've entrusted Progent for the past 10 years, maybe more, and each time Progent has impressed me and delivered as promised. This event was the most impressive ever."

Conclusion
A probable business-ending catastrophe was avoided with results-oriented professionals, a wide spectrum of IT skills, and tight teamwork. Although post-incident analysis showed that the crypto-ransomware penetration described here would have been identified and blocked by modern cyber security systems, NIST Cybersecurity Framework best practices, user and IT administrator education, and properly executed incident response procedures for backup and patching controls, the fact is that government-sponsored cyber criminals from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware incident, feel confident that Progent's team of experts has extensive experience in crypto-ransomware blocking, removal, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were helping), thanks very much for allowing me to get some sleep after we made it through the most critical parts. Everyone did an incredible effort, and if any of your guys is visiting the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Boise a variety of remote monitoring and security assessment services designed to help you reduce the threat from ransomware. These services utilize next-generation machine learning technology to uncover new variants of ransomware that can escape detection by legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates next-generation behavioral machine learning technology to defend physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which easily bypass traditional signature-matching anti-virus tools. ProSight Active Security Monitoring protects local and cloud resources and offers a single platform to address the entire threat progression including filtering, identification, mitigation, remediation, and post-attack forensics. Key capabilities include single-click rollback using Windows VSS and automatic network-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection services deliver affordable in-depth security for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and responding to cyber threats from all vectors. ProSight ESP delivers firewall protection, penetration alerts, endpoint control, and web filtering through leading-edge technologies incorporated within a single agent accessible from a unified console. Progent's data protection and virtualization experts can help you design and implement a ProSight ESP environment that addresses your company's unique needs and that helps you achieve and demonstrate compliance with government and industry information protection regulations. Progent will help you specify and configure the policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that require immediate action. Progent can also help your company set up and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and mid-sized businesses an affordable and fully managed service for reliable backup/disaster recovery (BDR). For a low monthly price, ProSight Data Protection Services automates and monitors your backup activities and enables fast recovery of vital files, apps and VMs that have become unavailable or damaged as a result of component failures, software bugs, disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Critical data can be protected in the cloud, on a local storage device, or mirrored to both. Progent's cloud backup consultants can deliver world-class expertise to configure ProSight DPS to comply with government and industry regulatory standards such as HIPAA, FINRA, and PCI and, when needed, can help you recover your critical data. Read more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top information security companies to provide centralized control and world-class security for all your inbound and outbound email. The hybrid structure of Email Guard integrates cloud-based filtering with an on-premises gateway appliance to offer advanced protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer serves as a first line of defense and keeps most unwanted email from reaching your security perimeter. This reduces your exposure to inbound attacks and conserves network bandwidth and storage space. Email Guard's onsite security gateway device adds a further level of inspection for incoming email. For outbound email, the on-premises gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also assist Exchange Server in monitoring and safeguarding internal email traffic that originates and ends inside your security perimeter. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, monitor, reconfigure and debug their networking hardware such as routers, switches, firewalls, and load balancers, plus servers, client computers and other devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch makes sure that network maps are kept current, copies and displays the configuration of virtually all devices on your network, monitors performance, and sends notices when potential issues are detected. By automating complex management and troubleshooting processes, WAN Watch can cut hours off ordinary tasks such as making network diagrams, reconfiguring your network, locating appliances that require important software patches, or resolving performance issues. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management techniques to help keep your IT system running efficiently by tracking the state of the critical computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your specified IT management personnel and your assigned Progent consultant so that potential issues can be resolved before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host set up and managed by Progent's network support experts. With Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the apps. Since the system is virtualized, it can be ported easily to an alternate hardware environment without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and protect information about your network infrastructure, procedures, business apps, and services. You can quickly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your network documentation, you can eliminate up to 50% of the time wasted looking for vital information about your IT network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents related to managing your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're making improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you need as soon as you need it. Read more about ProSight IT Asset Management service.

For Boise 24/7 CryptoLocker Cleanup Experts, contact Progent at 800-993-9400 or go to Contact Progent.