Crypto-Ransomware : Your Feared Information Technology Disaster
Crypto-Ransomware Remediation Professionals

Ransomware has become a too-frequent cyber pandemic that represents an existential danger for businesses of all sizes that are poorly prepared for an attack. Different versions of ransomware such as Dharma, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been out in the wild for a long time and still cause harm. More recent variants of ransomware like Ryuk and Hermes, plus more as yet unnamed newcomers, not only encrypt online data but also infiltrate most accessible system restores and backups. Data replicated to the cloud can also be rendered useless. In a poorly architected system, this renders automatic restoration useless and basically knocks the network back to square one.

Restoring online services and information after a ransomware attack becomes a race against time as the victim tries its best to contain and remove the ransomware and to restore mission-critical operations. Since ransomware requires time to spread, attacks are usually sprung during weekends and nights, when successful penetrations may take more time to discover. This multiplies the difficulty of quickly mobilizing and organizing a knowledgeable response team.

Progent offers a variety of support services for securing organizations from ransomware penetrations. Among these are staff training to help identify and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of next-generation security solutions with artificial intelligence technology to intelligently discover and suppress day-zero cyber attacks. Progent in addition provides the assistance of veteran crypto-ransomware recovery engineers with the track record and perseverance to rebuild a breached environment as rapidly as possible.

Progent's Ransomware Recovery Support Services
Subsequent to a ransomware penetration, even paying the ransom demands in cryptocurrency does not guarantee that criminal gangs will return the keys to decrypt any or all of your information. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their data even after having paid the ransom, resulting in increased losses. The risk is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is much higher than the usual ransomware demand, which ZDNET estimates to be around $13,000. The alternative is to re-install the critical elements of your Information Technology environment. Without the availability of essential system backups, this calls for a broad complement of skills, well-coordinated team management, and the ability to work non-stop until the recovery project is completed.

For two decades, Progent has offered certified expert Information Technology services for companies in Los Angeles and across the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have been awarded advanced industry certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have earned internationally-recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications). Progent also has expertise with accounting and ERP software solutions. This breadth of expertise gives Progent the ability to knowledgeably identify important systems, consolidate the surviving parts of your computer network after a ransomware penetration, and configure them into a functioning system.

Progent's ransomware team of experts deploys powerful project management tools to coordinate the sophisticated restoration process. Progent understands the urgency of acting rapidly and in unison with a client's management and Information Technology team members to assign priority to tasks and to put essential applications back online as soon as possible.

Case Study: A Successful Crypto-Ransomware Penetration Response
A customer escalated to Progent after their organization was attacked by Ryuk ransomware. Ryuk is generally considered to have been created by North Korean government-sponsored cybercriminals, suspected of using techniques leaked from America's NSA. Ryuk attacks specific companies with little or no room for operational disruption and is among the most profitable instances of ransomware. Well-known victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer headquartered in Chicago with around 500 employees. The Ryuk penetration had paralyzed all essential operations and manufacturing capabilities. The majority of the client's data backups had been directly accessible from the network at the beginning of the intrusion and were eventually encrypted. The client was pursuing financing to pay the ransom demand (in excess of two hundred thousand dollars) and praying for good luck, but ultimately made the decision to use Progent.


"I can't tell you enough about the expertise Progent provided us throughout the most critical time of (our) company's existence. We most likely would have paid the Hackers if not for the confidence the Progent group gave us. That you were able to get our e-mail system and key servers back sooner than five days was earth shattering. Each expert I worked with or messaged at Progent was absolutely committed on getting our company operational and was working day and night to bail us out."

Progent worked with the customer to rapidly identify and prioritize the key elements that had to be restored to make it possible to restart business operations:

  • Active Directory (AD)
  • E-Mail
  • Accounting/MRP
To get going, Progent adhered to ransomware incident response best practices by stopping lateral movement and performing malware removal steps. Progent then began the task of bringing Active Directory back online, the heart of enterprise networks built upon Microsoft Windows Server technology. Exchange messaging will not function without Active Directory, and the business's financials and MRP system utilized SQL Server, which requires Windows AD for access to the databases.

Within two days, Progent was able to rebuild Active Directory services to their pre-penetration state. Progent then initiated reinstallations and storage recovery on the most important servers. All Exchange ties and configuration information were usable, which facilitated the restore of Exchange. Progent was also able to gather local OST files (Outlook Email Off-Line Folder Files) from team workstations and laptops to recover mail information. A relatively recent offline backup of the client's accounting/MRP software made it possible to bring these essential programs back online for users. Although major work remained to recover totally from the Ryuk event, the most important systems were restored quickly:


"For the most part, the production manufacturing operation did not miss a beat and we delivered all customer deliverables."

During the following few weeks key milestones in the restoration process were completed in close cooperation between Progent engineers and the customer:

  • In-house web applications were returned to operation without losing any information.
  • The MailStore Server exceeding four million archived emails was brought on-line and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory Control functions were fully restored.
  • A new Palo Alto Networks 850 security appliance was brought on-line.
  • 90% of the user desktops were fully operational.

"A lot of what transpired during the initial response is nearly entirely a haze for me, but my team will not soon forget the commitment each of the team put in to help get our company back. I've entrusted Progent for the past 10 years, possibly more, and every time Progent has outperformed my expectations and delivered as promised. This event was the most impressive ever."

Conclusion
A possible business-ending catastrophe was avoided with dedicated professionals, a wide spectrum of IT skills, and close collaboration. Although in retrospect the ransomware incident described here should have been stopped with current cyber security systems and security best practices, team education, and appropriate procedures for data backup and applying software patches, the fact is that government-sponsored cyber criminals from Russia, China and elsewhere are relentless and will continue. If you do fall victim to ransomware, feel confident that Progent's roster of experts has extensive experience in ransomware defense, removal, and data recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for allowing me to get rested after we got past the first week. All of you did an amazing job, and if any of your team is in the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Los Angeles a portfolio of remote monitoring and security evaluation services designed to assist you to reduce the threat from ransomware. These services utilize next-generation machine learning technology to uncover new variants of crypto-ransomware that are able to escape detection by traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes cutting edge behavior-based analysis tools to guard physical and virtual endpoints against new malware assaults such as ransomware and email phishing, which routinely get by legacy signature-matching AV tools. ProSight ASM protects on-premises and cloud resources and offers a unified platform to address the entire malware attack lifecycle including filtering, infiltration detection, mitigation, remediation, and forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection services offer economical multi-layer security for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and responding to cyber threats from all vectors. ProSight ESP provides firewall protection, penetration alerts, device control, and web filtering via cutting-edge technologies packaged within one agent accessible from a unified console. Progent's security and virtualization experts can help your business to plan and implement a ProSight ESP environment that addresses your company's unique requirements and that helps you achieve and demonstrate compliance with legal and industry information protection regulations. Progent will assist you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that call for immediate attention. Progent's consultants can also help your company to install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services provide small and medium-sized businesses an affordable end-to-end service for secure backup/disaster recovery. Available at a low monthly price, ProSight Data Protection Services automates your backup processes and allows rapid restoration of vital data, applications and virtual machines that have become unavailable or corrupted as a result of component breakdowns, software bugs, disasters, human mistakes, or malicious attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, plus Hyper-V and VMware images. Important data can be backed up to the cloud, to an on-premises storage device, or to both. Progent's BDR consultants can deliver world-class support to configure ProSight Data Protection Services to be compliant with regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can assist you to restore your business-critical information. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading information security vendors to provide web-based control and comprehensive security for all your inbound and outbound email. The powerful architecture of Email Guard integrates a Cloud Protection Layer with an on-premises gateway device to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of threats from reaching your security perimeter. This decreases your exposure to inbound threats and saves network bandwidth and storage. Email Guard's on-premises security gateway device provides a deeper layer of inspection for inbound email. For outgoing email, the local security gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also assist Exchange Server to monitor and safeguard internal email that stays within your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized businesses to diagram, monitor, enhance and debug their connectivity hardware such as switches, firewalls, and load balancers plus servers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that network maps are always current, copies and manages the configuration of virtually all devices on your network, tracks performance, and sends notices when issues are detected. By automating tedious management and troubleshooting processes, ProSight WAN Watch can knock hours off common chores such as making network diagrams, expanding your network, finding appliances that need important software patches, or isolating performance bottlenecks. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to keep your IT system running efficiently by tracking the state of vital computers that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your specified IT personnel and your Progent engineering consultant so that all potential issues can be resolved before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host set up and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the apps. Because the system is virtualized, it can be ported immediately to an alternate hosting environment without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, retrieve and safeguard information about your IT infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or warranties. By updating and organizing your IT documentation, you can eliminate up to 50% of time wasted looking for critical information about your network. ProSight IT Asset Management includes a common location for storing and sharing all documents related to managing your network infrastructure like standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're planning enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.

For 24x7x365 Los Angeles Crypto Cleanup Consulting, call Progent at 800-993-9400 or go to Contact Progent.