Crypto-Ransomware : Your Feared Information Technology Disaster
Ransomware  Remediation ConsultantsRansomware has become an escalating cyber pandemic that presents an extinction-level danger for businesses of all sizes poorly prepared for an attack. Different versions of crypto-ransomware like the CrySIS, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for a long time and continue to cause havoc. The latest strains of ransomware like Ryuk and Hermes, as well as frequent unnamed viruses, not only do encryption of online files but also infiltrate all configured system protection mechanisms. Data synched to cloud environments can also be rendered useless. In a poorly designed environment, this can render automatic restore operations useless and effectively knocks the datacenter back to zero.

Getting back on-line services and information after a ransomware intrusion becomes a sprint against time as the targeted business fights to stop lateral movement and clear the ransomware and to resume business-critical operations. Due to the fact that ransomware takes time to spread, assaults are frequently launched on weekends and holidays, when successful attacks are likely to take longer to identify. This multiplies the difficulty of promptly marshalling and orchestrating a qualified response team.

Progent makes available an assortment of support services for protecting businesses from ransomware penetrations. Among these are team member training to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of the latest generation security appliances with artificial intelligence capabilities to rapidly identify and disable new cyber threats. Progent in addition can provide the services of seasoned crypto-ransomware recovery professionals with the talent and perseverance to restore a breached network as urgently as possible.

Progent's Crypto-Ransomware Recovery Help
Soon after a ransomware event, even paying the ransom demands in cryptocurrency does not ensure that merciless criminals will return the keys to decrypt any or all of your information. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their information after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is greatly above the average ransomware demands, which ZDNET averages to be approximately $13,000. The fallback is to piece back together the key parts of your Information Technology environment. Without access to essential system backups, this requires a wide complement of skills, top notch team management, and the willingness to work 24x7 until the recovery project is completed.

For two decades, Progent has provided professional IT services for businesses in San Diego and across the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have attained high-level certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have garnered internationally-recognized certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications). Progent in addition has experience in financial management and ERP software solutions. This breadth of expertise affords Progent the capability to quickly determine critical systems and integrate the surviving components of your Information Technology system after a ransomware event and configure them into an operational system.

Progent's security team of experts has top notch project management applications to orchestrate the complicated restoration process. Progent understands the importance of acting swiftly and in unison with a client's management and IT resources to prioritize tasks and to get critical applications back online as soon as possible.

Business Case Study: A Successful Ransomware Penetration Recovery
A business hired Progent after their company was taken over by the Ryuk ransomware. Ryuk is believed to have been developed by Northern Korean state criminal gangs, suspected of adopting approaches exposed from Americaís National Security Agency. Ryuk goes after specific businesses with little or no room for operational disruption and is one of the most lucrative iterations of ransomware malware. High publicized targets include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer located in the Chicago metro area with about 500 workers. The Ryuk intrusion had shut down all essential operations and manufacturing processes. The majority of the client's backups had been online at the start of the attack and were damaged. The client was taking steps for paying the ransom (exceeding $200K) and praying for good luck, but ultimately brought in Progent.


"I cannot say enough in regards to the expertise Progent provided us during the most critical period of (our) businesses life. We may have had to pay the cybercriminals if it wasnít for the confidence the Progent group afforded us. That you could get our e-mail system and key servers back quicker than five days was earth shattering. Each expert I worked with or messaged at Progent was amazingly focused on getting us restored and was working all day and night to bail us out."

Progent worked with the customer to quickly determine and assign priority to the essential elements that needed to be addressed in order to resume company functions:

  • Active Directory (AD)
  • Email
  • Accounting/MRP
To start, Progent followed Anti-virus penetration mitigation industry best practices by halting the spread and clearing infected systems. Progent then started the task of restoring Microsoft AD, the key technology of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange messaging will not work without Windows AD, and the customerís financials and MRP software utilized Microsoft SQL, which requires Active Directory for security authorization to the databases.

Within two days, Progent was able to recover Active Directory services to its pre-attack state. Progent then completed rebuilding and hard drive recovery on needed applications. All Exchange ties and attributes were intact, which facilitated the restore of Exchange. Progent was also able to locate intact OST files (Outlook Off-Line Data Files) on user desktop computers and laptops to recover mail information. A recent offline backup of the businesses accounting/ERP systems made it possible to restore these vital programs back on-line. Although a large amount of work was left to recover fully from the Ryuk damage, the most important systems were returned to operations quickly:


"For the most part, the production operation ran fairly normal throughout and we did not miss any customer orders."

Over the following couple of weeks important milestones in the recovery process were completed in close cooperation between Progent team members and the client:

  • Self-hosted web sites were restored without losing any data.
  • The MailStore Server with over four million historical emails was restored to operations and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory functions were completely operational.
  • A new Palo Alto 850 firewall was installed and configured.
  • Nearly all of the user workstations were back into operation.

"A huge amount of what happened during the initial response is nearly entirely a fog for me, but we will not forget the commitment all of your team put in to give us our business back. Iíve been working together with Progent for the past 10 years, possibly more, and each time Progent has impressed me and delivered as promised. This situation was a Herculean accomplishment."

Conclusion
A potential business-killing catastrophe was evaded with top-tier experts, a broad array of subject matter expertise, and tight collaboration. Although upon completion of forensics the ransomware incident detailed here should have been identified and prevented with up-to-date cyber security technology and security best practices, team education, and properly executed security procedures for information protection and applying software patches, the fact remains that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and are not going away. If you do get hit by a crypto-ransomware attack, remember that Progent's roster of experts has substantial experience in crypto-ransomware virus defense, cleanup, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thanks very much for allowing me to get some sleep after we got over the initial fire. Everyone did an incredible effort, and if anyone that helped is around the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in San Diego a portfolio of remote monitoring and security evaluation services designed to assist you to reduce your vulnerability to ransomware. These services utilize modern artificial intelligence technology to detect new strains of ransomware that are able to get past legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates cutting edge behavior analysis technology to defend physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely evade traditional signature-based AV tools. ProSight ASM safeguards on-premises and cloud-based resources and provides a unified platform to automate the complete threat lifecycle including filtering, detection, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable in-depth protection for physical servers and VMs, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP provides two-way firewall protection, penetration alerts, device management, and web filtering through cutting-edge technologies packaged within a single agent managed from a unified console. Progent's security and virtualization consultants can help your business to design and configure a ProSight ESP deployment that meets your organization's specific requirements and that allows you demonstrate compliance with government and industry information security regulations. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for urgent action. Progent can also help you to set up and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized organizations an affordable and fully managed service for secure backup/disaster recovery (BDR). For a low monthly rate, ProSight DPS automates your backup activities and allows fast recovery of critical files, applications and virtual machines that have become unavailable or corrupted as a result of component breakdowns, software glitches, natural disasters, human mistakes, or malicious attacks like ransomware. ProSight DPS can help you back up, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to an on-promises storage device, or to both. Progent's cloud backup specialists can provide advanced expertise to set up ProSight Data Protection Services to be compliant with regulatory standards like HIPPA, FIRPA, PCI and Safe Harbor and, whenever needed, can assist you to restore your critical information. Find out more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading data security companies to deliver web-based management and comprehensive security for all your email traffic. The hybrid architecture of Email Guard integrates a Cloud Protection Layer with an on-premises gateway appliance to offer complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's cloud filter acts as a first line of defense and blocks most unwanted email from reaching your security perimeter. This decreases your vulnerability to external attacks and conserves network bandwidth and storage. Email Guard's onsite gateway device adds a further level of analysis for inbound email. For outbound email, the on-premises gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Exchange Server to track and safeguard internal email traffic that originates and ends inside your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to map, monitor, enhance and debug their connectivity hardware such as switches, firewalls, and load balancers plus servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology maps are kept current, captures and displays the configuration information of almost all devices connected to your network, monitors performance, and generates alerts when issues are detected. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can cut hours off common tasks such as network mapping, expanding your network, finding appliances that need critical software patches, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system running efficiently by tracking the health of vital computers that drive your information system. When ProSight LAN Watch detects a problem, an alert is sent automatically to your specified IT staff and your Progent engineering consultant so all potential issues can be resolved before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a protected fault tolerant data center on a fast virtual host configured and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the apps. Since the system is virtualized, it can be ported easily to a different hardware environment without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and protect information related to your network infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be warned about upcoming expirations of SSL certificates ,domains or warranties. By cleaning up and managing your network documentation, you can save as much as 50% of time wasted searching for vital information about your network. ProSight IT Asset Management includes a common repository for storing and sharing all documents required for managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether youíre planning improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.
For San Diego 24-Hour CryptoLocker Recovery Support Services, reach out to Progent at 800-993-9400 or go to Contact Progent.