Crypto-Ransomware: Your Crippling IT Disaster
Ransomware has become an escalating cyberplague and an enterprise-level threat for businesses that are poorly prepared for an attack. Older crypto-ransomware families such as Reveton, Fusob, Locky, Syskey and MongoLock have been circulating for years and continue to inflict harm. Recent families such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, plus a steady stream of unnamed variants, not only encrypt online data files but also seek out and disable or encrypt every backup and protection mechanism they can reach. Data synchronized to off-site disaster recovery sites can be encrypted along with it. In a poorly architected environment this can make recovery impossible and effectively sets the datacenter back to zero.

Recovering services and data after a ransomware event is a race against the clock as the targeted organization fights to contain the damage, clean up the ransomware and resume mission-critical operations. Because intruders need time to spread through a network before they trigger encryption, attacks are frequently sprung on weekends and holidays, when they take longer to recognize and respond to. This multiplies the difficulty of quickly assembling and organizing a knowledgeable response team.

Progent offers a range of solutions for protecting enterprises from crypto-ransomware. Among these are user training to help staff recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for behavior-based endpoint protection with remote monitoring and management, and deployment of modern security gateways with machine-learning technology to rapidly detect and block zero-day attacks. Progent can also provide veteran ransomware recovery professionals with the track record and perseverance to rebuild a compromised environment as quickly as possible.

Progent's Crypto-Ransomware Recovery Support Services
Following a ransomware attack, paying the ransom in cryptocurrency does not ensure that the criminals will hand over the keys needed to decrypt all your data. Kaspersky found that seventeen percent of ransomware victims never recovered their files even after paying, compounding the losses. The gamble is also costly: Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at about $13,000. The other path is to piece the mission-critical elements of your IT environment back together. Without access to intact, uninfected backups, this requires a broad range of skills, professional project management and the ability to work around the clock until the job is done.

For twenty years, Progent has provided expert IT services for businesses in San Diego and across the United States and has achieved Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold advanced industry certifications in leading technologies from Microsoft, Cisco, VMware and the major Linux distributions. Progent's security engineers have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC and SANS GIAC. (Visit Progent's certifications.) Progent also has experience with financial management and ERP applications. This breadth of experience gives Progent the skills to quickly identify critical systems, consolidate the surviving pieces of your IT environment after a ransomware event, and assemble them into an operational network.

Progent's security team deploys top-notch project management systems to coordinate the complex restoration process. Progent knows the urgency of working rapidly and in unison with a customer's management and IT resources to prioritize tasks and get essential systems back online as soon as humanly possible.

Client Story: A Successful Crypto-Ransomware Attack Response
A business sought out Progent after its network was brought down by the Ryuk crypto-ransomware. Early reports attributed Ryuk to North Korean state-sponsored hackers because it shares code with the Hermes ransomware; later analysis attributes it to Russian-speaking criminal operators. Ryuk targets specific organizations with little tolerance for disruption and is one of the most profitable ransomware operations. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing business based in Chicago with about 500 staff. The Ryuk intrusion had halted all business operations and manufacturing processes. Most of the client's data backups had been directly reachable from the network at the start of the attack and were encrypted along with the production data. The client was preparing to pay the ransom (more than two hundred thousand dollars) and hoping for the best, but in the end decided to engage Progent.


"I cannot thank you enough in regards to the support Progent gave us throughout the most stressful period of (our) company's existence. We may have had to pay the Hackers if it wasn't for the confidence the Progent team afforded us. That you could get our e-mail and critical servers back online sooner than 1 week was incredible. Each consultant I got help from or e-mailed at Progent was urgently focused on getting us operational and was working at all hours on our behalf."

Progent worked with the customer to quickly assess and prioritize the essential services that needed to be addressed to make it possible to restart business functions:

  • Active Directory (AD)
  • Microsoft Exchange Email
  • Accounting/MRP
To start, Progent followed industry best practices for ransomware incident response by stopping the spread and cleaning up infected systems. Progent then began restoring Active Directory, the foundation of enterprise systems built on Windows Server. Exchange will not operate without AD, and the customer's accounting and MRP applications ran on Microsoft SQL Server, which authenticated database access through AD.
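The dependency reasoning above (AD before Exchange and SQL Server, SQL Server before the accounting/MRP applications) generalizes to any estate. The following is an added example, not code from Progent or the original page: it takes a constructed service map listing each service's dependencies and whether a clean, offline backup survived, and produces a restore order in which every service comes after what it needs, restoring first the services that the most others depend on. Services with no usable backup (like the encrypted online backups in this case) are flagged so the team knows they must be rebuilt another way. Service names and backup flags are assumptions.

```python
"""Dependency-ordered ransomware recovery planner.

Added example, not Progent's code. The service map below is constructed to
mirror the case study; names and backup flags are illustrative assumptions.
"""
import heapq

# name -> (services it depends on, whether a clean offline backup survived)
SERVICES = {
    "ActiveDirectory": ((), True),
    "Exchange": (("ActiveDirectory",), True),
    "SQLServer": (("ActiveDirectory",), True),
    "ERP": (("SQLServer",), True),
    # Assumed: this server's backups were online and were encrypted too.
    "FileServer": (("ActiveDirectory",), False),
}


def _closure(name, dependents, memo, stack):
    """All services that transitively depend on `name`; raises on a cycle."""
    if name in memo:
        return memo[name]
    if name in stack:
        raise ValueError(f"dependency cycle involving {name}")
    result = set()
    for child in dependents[name]:
        result.add(child)
        result |= _closure(child, dependents, memo, stack | {name})
    memo[name] = result
    return result


def plan_recovery(services):
    """Return (order, blocked).

    order   - restore sequence; each service appears after all its dependencies,
              and among ready services the one with the most transitive
              dependents is restored first (ties broken by name).
    blocked - services in `order` that have no clean backup to restore from.
    """
    indegree = {n: 0 for n in services}
    dependents = {n: set() for n in services}
    for name, (deps, _) in services.items():
        for dep in deps:
            if dep not in services:
                raise ValueError(f"{name} depends on unknown service {dep}")
            indegree[name] += 1
            dependents[dep].add(name)

    memo = {}
    weight = {n: len(_closure(n, dependents, memo, frozenset())) for n in services}

    # Kahn's algorithm with a priority queue keyed on (-dependents, name).
    ready = [(-weight[n], n) for n, d in indegree.items() if d == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, current = heapq.heappop(ready)
        order.append(current)
        for child in sorted(dependents[current]):
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (-weight[child], child))

    if len(order) != len(services):  # unreachable if _closure found no cycle
        raise ValueError("dependency cycle detected")

    blocked = [n for n in order if not services[n][1]]
    return order, blocked


if __name__ == "__main__":
    order, blocked = plan_recovery(SERVICES)
    for step, name in enumerate(order, 1):
        note = "  <-- no clean backup, rebuild manually" if name in blocked else ""
        print(f"{step}. {name}{note}")
```

On the constructed map the planner restores Active Directory first, then SQL Server and the ERP that depends on it, then Exchange and the file server, and flags the file server as having no clean backup. Feeding it an estate with a circular dependency raises an error rather than producing a plan that can never be executed.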

In less than two days, Progent rebuilt Active Directory to its pre-intrusion state. Progent then completed the rebuilding and hard-drive recovery of key systems. All Exchange data and attributes were intact, which greatly simplified the Exchange restore. Progent was also able to harvest local OST files (Outlook Offline Folder Files) from staff PCs and laptops to recover mail data. A recent offline backup of the client's financial/ERP systems made it possible to bring these vital applications back online for users. Although significant work remained to recover fully from Ryuk, critical systems were restored rapidly:


"For the most part, the assembly line operation survived unscathed and we did not miss any customer orders."

During the next month key milestones in the restoration project were accomplished through close collaboration between Progent consultants and the customer:

  • Internal web sites were brought back up with no loss of data.
  • The MailStore Server with over four million historical emails was brought online and available for users.
  • CRM/Orders/Invoicing/AP/Accounts Receivables/Inventory Control capabilities were 100 percent functional.
  • A new Palo Alto Networks PA-850 firewall was installed.
  • Most user desktops and notebooks were back in use by staff.

"A lot of what went on during the initial response is nearly entirely a haze for me, but my management will not forget the countless hours all of the team put in to give us our business back. I have been working with Progent for the past 10 years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This situation was a Herculean accomplishment."

Conclusion
A potential business-ending disaster was averted through results-oriented professionals, a wide array of IT skills and close collaboration. In hindsight, the attack described here should have been stopped by modern security technology, NIST Cybersecurity Framework or ISO/IEC 27001 practices, user and IT administrator training, and well-designed procedures for data protection and software patching. The reality remains that state-sponsored and criminal attackers from China, North Korea and elsewhere are tireless and will keep coming. If you are hit by ransomware, be assured that Progent's roster of experts has proven experience in ransomware defense, mitigation and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were contributing), thanks very much for making it so I could get rested after we got through the first week. All of you did an incredible job, and if any of your team is in the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in San Diego a range of online monitoring and security evaluation services to help you reduce the threat from ransomware. These services use behavior-based and machine-learning detection to uncover zero-day strains of crypto-ransomware that escape traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that uses next-generation behavior-based analysis to guard physical and virtual endpoints against modern malware such as ransomware and file-less exploits, which easily get past legacy signature-matching AV products. ProSight ASM protects local and cloud-based resources and offers a single platform to address the entire threat lifecycle: protection, detection, mitigation, remediation and forensics. Key features include one-click rollback using the Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Note that many ransomware families delete shadow copies before encrypting, so VSS-based rollback is only as good as the protection that keeps those copies intact. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services offer affordable multi-layer protection for physical and virtual servers, workstations, mobile devices and Exchange email. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring of and response to threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, device control and web filtering via modern tools packaged within one agent and managed from a single console. Progent's data protection and virtualization consultants can help your business plan and configure a ProSight ESP deployment that addresses your company's unique requirements and helps you demonstrate compliance with legal and industry information security regulations. Progent will help you specify and implement the policies that ProSight ESP enforces, and Progent will monitor your network and react to alerts that call for immediate attention. Progent can also help you set up and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized businesses a low-cost end-to-end service for secure backup and disaster recovery. Available at a low monthly price, ProSight Data Protection Services automates and monitors your backup activities and allows rapid restoration of vital data, applications and VMs that have been lost or corrupted by component failures, software glitches, natural disasters, human error, or malware attacks like ransomware. ProSight DPS can help you back up and restore files, folders, applications, system images, and Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on an on-premises storage device, or mirrored to both. Progent's BDR specialists can provide advanced support to configure ProSight DPS to comply with government and industry regulatory standards such as HIPAA, FINRA and PCI and, when necessary, can assist you in restoring your critical information. Learn more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading information security companies to deliver centralized control and world-class security for your email traffic. The powerful structure of Progent's Email Guard integrates cloud-based filtering with a local security gateway device to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The cloud filter acts as a first line of defense and keeps most threats from making it to your security perimeter. This decreases your vulnerability to inbound attacks and conserves network bandwidth and storage. Email Guard's onsite gateway device provides a further level of inspection for inbound email. For outgoing email, the onsite gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Microsoft Exchange Server to monitor and safeguard internal email that stays within your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to map, monitor, enhance and debug their connectivity appliances such as switches, firewalls and load balancers, plus servers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are always current, captures and displays the configuration of almost all devices connected to your network, tracks performance, and generates alerts when potential issues are detected. By automating tedious management and troubleshooting processes, WAN Watch can cut hours off ordinary tasks like making network diagrams, expanding your network, finding appliances that need important updates, or isolating performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management technology to keep your network running at peak levels by tracking the health of the vital computers that power your information system. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your designated IT staff and your Progent consultant so that potential problems can be addressed before they have a chance to impact your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting, a small or mid-sized organization can have its key servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual machine host configured and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the OS software and the applications. Because the environment is virtualized, it can be moved easily to an alternate hosting environment without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and safeguard information about your network infrastructure, procedures, business applications and services. You can quickly find passwords or serial numbers and be warned automatically about impending expirations of SSL/TLS certificates or warranties. By keeping your IT documentation current and organized, you can eliminate up to 50% of the time spent hunting for critical information about your IT network. ProSight IT Asset Management provides a common location for storing and sharing all documents related to managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and correlating IT data. Whether you're planning improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.
For San Diego 24x7 CryptoLocker Repair Support Services, call Progent at 800-462-8800 or go to Contact Progent.