Crypto-Ransomware: Your Feared IT Nightmare
Crypto-ransomware has become an escalating cyber plague that represents an enterprise-level danger for any organization exposed to an attack. Earlier ransomware families such as Reveton, WannaCry, Locky, SamSam and the MongoLock cryptoworm have been circulating for a long time and still cause havoc. The latest strains, including Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Nephilim, as well as newer and as yet unnamed malware, not only encrypt online files but also attack any reachable backup and system-protection mechanisms. Data synchronized to cloud environments can be encrypted as well. In a poorly architected data protection solution, this can render automated restore operations useless and effectively sets the datacenter back to zero.

Recovering applications and data after a ransomware outage becomes a race against time as the targeted organization struggles to stop the spread, clear the ransomware, and resume business-critical activity. Because ransomware takes time to spread, intrusions are frequently launched on weekends and holidays, when attacks typically take longer to recognize. This compounds the difficulty of rapidly assembling and orchestrating an experienced response team.

Progent offers a range of services for protecting businesses from ransomware events. These include staff training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security solutions with machine learning capabilities to detect and contain zero-day threats. Progent also provides veteran ransomware recovery consultants with the track record and commitment to rebuild a breached network as quickly as possible.

Progent's Ransomware Recovery Help
After a crypto-ransomware intrusion, paying the ransom in cryptocurrency provides no assurance that the criminals will supply working decryption keys for any or all of your files. Kaspersky found that 17% of crypto-ransomware victims never recovered their files after sending the ransom, compounding their losses. Paying is also very expensive. Ryuk ransoms frequently range from 15-40 BTC (roughly $120,000 to $400,000). This is significantly above the usual ransomware demand, which ZDNET determined to be in the range of $13,000. The other path is to rebuild the essential elements of your IT environment from scratch. Without complete data backups, this requires a broad complement of IT skills, top-notch project management, and the capability to work non-stop until the job is done.

For decades, Progent has provided certified expert IT services for businesses in Los Angeles and across the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who hold advanced certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have earned internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC (see Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of expertise allows Progent to rapidly understand the affected systems, integrate the surviving parts of your network following a crypto-ransomware intrusion, and configure them into a functioning system.

Progent's recovery team uses top-notch project management tools to orchestrate the complex recovery process. Progent understands the urgency of working quickly and in concert with a client's management and IT staff to prioritize tasks and bring the most important systems back online as fast as humanly possible.

Client Story: A Successful Ransomware Penetration Restoration
A client sought out Progent after their network was compromised by Ryuk ransomware. Ryuk is thought to have been created by North Korean state-sponsored criminal groups, possibly adopting techniques leaked from America's National Security Agency. Ryuk targets specific organizations with little tolerance for disruption and is among the most profitable ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business located in the Chicago metro area with around 500 employees. The Ryuk intrusion had brought down all company operations and manufacturing capabilities. The majority of the client's data backups had been online at the start of the attack and were destroyed. The client was preparing to pay the ransom (more than $200K) and hope for the best, but in the end decided to engage Progent.


"I cannot speak enough about the support Progent provided us throughout the most stressful period of (our) company's life. We would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent team gave us. The fact that you were able to get our e-mail and important servers back quicker than five days was something I thought impossible. Every single staff member I talked with or communicated with at Progent was urgently focused on getting us restored and was working non-stop on our behalf."

Progent worked hand in hand with the customer to rapidly identify and prioritize the mission-critical systems that had to be restored for departmental functions to continue:

  • Active Directory
  • Microsoft Exchange Email
  • MRP System

To begin, Progent followed ransomware incident response best practices by halting the spread and cleaning the malware from affected systems. Progent then started rebuilding Microsoft Active Directory, the core of enterprise environments built on Windows Server. Microsoft Exchange Server will not work without Active Directory, and the client's accounting and MRP software relied on Microsoft SQL Server, which depends on Active Directory for authentication and authorization to the database.

Within two days, Progent restored Active Directory to its pre-attack state. Progent then helped rebuild and recover storage for the mission-critical systems. All Exchange schema extensions and attributes were intact, which simplified the Exchange restore. Progent was also able to recover email messages from the local OST files (Outlook Offline Data Files) on staff desktop computers. A recent offline backup of the customer's accounting/MRP software allowed these essential services to be brought back online. Although a lot of work remained to recover fully from the Ryuk event, essential services were restored quickly:


"For the most part, the production manufacturing operation showed little impact and we produced all customer deliverables."

Over the following month, key milestones in the restoration project were reached in close cooperation between Progent engineers and the customer:

  • Self-hosted web sites were restored without losing any data.
  • The MailStore Microsoft Exchange Server with over 4 million historical emails was restored to operations and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control functions were fully restored.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • 90% of the user desktops were being used by staff.

"A huge amount of what transpired during the initial response is nearly entirely a blur for me, but my team will not soon forget the dedication all of you put in to help get our company back. I've utilized Progent for the past 10 years, maybe more, and every time I needed help Progent has come through and delivered as promised. This situation was a stunning achievement."

Conclusion
A potential business-ending catastrophe was averted thanks to results-oriented professionals, a broad range of expertise, and tight collaboration. In hindsight, the ransomware attack described here could have been prevented with modern security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator education, and properly executed procedures for data backup and software patching. Nevertheless, state-sponsored cyber criminals from Russia, China and elsewhere are relentless and will keep attacking. If you are hit by a crypto-ransomware attack, remember that Progent's team has proven experience in ransomware blocking, remediation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), I'm grateful for letting me get some sleep after we got past the first week. All of you did an amazing job, and if any of your team is in the Chicago area, dinner is on me!"

To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Los Angeles a range of remote monitoring and security evaluation services to help minimize your exposure to ransomware. These services use next-generation machine learning to detect zero-day ransomware variants that evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that uses behavior analysis to defend physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely escape traditional signature-matching AV tools. ProSight ASM safeguards local and cloud-based resources and provides a single platform to manage the complete malware attack lifecycle, including filtering, infiltration detection, mitigation, cleanup, and post-attack forensics. Top features include single-click rollback using the Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer affordable in-depth security for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics to continuously monitor and respond to cyber attacks from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint management, and web filtering through tools incorporated within a single agent and managed from a single console. Progent's security and virtualization consultants can help your business design and implement a ProSight ESP deployment that addresses your company's unique requirements and allows you to achieve and demonstrate compliance with legal and industry data security regulations. Progent will assist you in specifying and implementing the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require immediate attention. Progent's consultants can also help you install and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and medium-sized organizations a low-cost end-to-end service for secure backup and disaster recovery (BDR). For a low monthly price, ProSight DPS automates and monitors your backup activities and allows rapid recovery of critical files, applications and VMs that have become unavailable or corrupted as a result of hardware failures, software bugs, natural disasters, human error, or malware attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to a local storage device, or to both. Progent's backup and recovery consultants can configure ProSight DPS to comply with government and industry regulatory requirements such as HIPAA, FINRA, and PCI and, when needed, can help you restore your business-critical data. Read more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses technology from leading information security companies to deliver web-based management and world-class security for your inbound and outbound email. The hybrid architecture of the Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway appliance to provide complete defense against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks, and other email-borne threats. The cloud filter acts as a first barrier and keeps the vast majority of unwanted email from reaching your network firewall. This decreases your exposure to external attacks and saves bandwidth and storage space. Email Guard's on-premises gateway adds a deeper level of analysis for incoming email. For outgoing email, the on-premises gateway provides AV and anti-spam filtering, data leak protection, and email encryption. The local gateway can also help Exchange Server track and safeguard internal email traffic that stays within your security perimeter. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map, track, optimize and troubleshoot their network devices such as routers, switches, firewalls, and load balancers, plus servers, endpoints and other devices. Built on state-of-the-art RMM technology, WAN Watch ensures that network diagrams are always current, backs up and manages the configuration of almost all devices on your network, tracks performance, and sends alerts when issues are discovered. By automating tedious network management processes, WAN Watch can knock hours off routine tasks such as network mapping, reconfiguring your network, finding devices that need critical updates, or isolating performance problems. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) technology to keep your network running at peak levels by checking the health of the vital assets that drive your business. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your designated IT management personnel and your Progent engineering consultant so potential problems can be addressed before they impact your network. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With the ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure, fault-tolerant data center on a fast virtual machine host set up and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the applications. Because the system is virtualized, it can be ported immediately to an alternate hosting solution without a time-consuming and technically risky reinstallation. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and safeguard information about your network infrastructure, processes, business applications, and services. You can instantly find passwords or IP addresses and be warned about impending expirations of SSL certificates or warranties. By keeping your IT documentation current and organized, you can save up to 50% of the time wasted searching for critical information about your network. ProSight IT Asset Management provides a common repository for storing and sharing all the documents required to manage your business network, such as recommended procedures and how-to guides. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether you're planning improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

For Los Angeles 24x7 CryptoLocker Recovery Experts, contact Progent at 800-462-8800 or go to Contact Progent.