Crypto-Ransomware : Your Feared IT Disaster
Ransomware has become an escalating cyberplague that presents an existential danger for businesses vulnerable to an attack. Multiple generations of ransomware such as Dharma, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for a long time and continue to cause damage. Newer strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, as well as a steady stream of as yet unnamed variants, not only encrypt online data but also attack any reachable system protection mechanisms. Data synchronized to off-site disaster recovery sites can also be ransomed. In a poorly designed data protection solution, this can render automatic restore operations impossible and effectively sets the datacenter back to zero.

Retrieving applications and information following a crypto-ransomware event becomes a sprint against time as the victim fights to contain and clean up the ransomware and to restore business-critical operations. Since ransomware needs time to spread, attacks are often launched during nights and weekends, when intrusions often take longer to notice. This multiplies the difficulty of rapidly marshalling and coordinating a knowledgeable mitigation team.

Progent offers a variety of support services for protecting businesses from ransomware attacks. Among these are staff education to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of modern security appliances with artificial intelligence technology to quickly discover and quarantine zero-day threats. Progent can in addition provide the assistance of veteran ransomware recovery engineers with the talent and commitment to re-deploy a compromised system as quickly as possible.

Progent's Ransomware Restoration Services
Soon after a ransomware event, even paying the ransom in Bitcoin cryptocurrency does not provide any assurance that merciless criminals will hand over the keys to decrypt all your files. Kaspersky determined that 17% of crypto-ransomware victims never restored their files even after having sent off the ransom, resulting in more losses. The gamble is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is far higher than the average ransomware demand, which ZDNet estimates at approximately $13,000. The fallback is to re-install the vital components of your IT environment. Absent the availability of full data backups, this requires a wide complement of skills, well-coordinated team management, and the capability to work non-stop until the recovery project is over.

For decades, Progent has offered certified expert Information Technology services for companies in Los Angeles and throughout the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have attained top industry certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has experience with financial systems and ERP application software. This breadth of expertise gives Progent the capability to rapidly understand important systems, re-organize the surviving parts of your network after a ransomware penetration, and assemble them into an operational network.

Progent's recovery group has top-notch project management systems to coordinate the complicated restoration process. Progent understands the urgency of acting rapidly and working together with a client's management and IT team members to prioritize tasks and to get key systems back online as soon as possible.

Business Case Study: A Successful Crypto-Ransomware Intrusion Response
A business contacted Progent after their network was penetrated by Ryuk ransomware. Ryuk is believed to have been launched by North Korean government-sponsored cybercriminals, suspected of using techniques leaked from the United States NSA. Ryuk targets specific businesses with little or no room for operational disruption and is among the most lucrative incarnations of crypto-ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer headquartered in the Chicago metro area with about 500 employees. The Ryuk event had frozen all essential operations and manufacturing capabilities. Most of the client's system backups had been on-line at the beginning of the intrusion and were destroyed. The client was evaluating paying the ransom demand (exceeding two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.


"I can't say enough in regards to the support Progent gave us during the most fearful period of (our) company's survival. We most likely would have paid the cybercriminals if it wasn't for the confidence the Progent experts provided us. The fact that you were able to get our e-mail system and key applications back on-line quicker than a week was incredible. Every single consultant I spoke to or messaged at Progent was hell bent on getting us back online and was working 24 by 7 to bail us out."

Progent worked together with the client to rapidly determine and prioritize the key applications that had to be addressed in order to restart company operations:

  • Active Directory (AD)
  • Microsoft Exchange Email
  • Financials/MRP

To get going, Progent adhered to ransomware incident mitigation industry best practices by halting the spread and disinfecting systems. Progent then initiated the process of bringing Microsoft Active Directory back online, the foundational technology of enterprise environments built on Microsoft Windows. Microsoft Exchange Server email will not operate without Active Directory, and the client's financials and MRP software ran on Microsoft SQL Server, which relied on Active Directory to authenticate access to the database.

Within 2 days, Progent was able to rebuild Active Directory to its pre-penetration state. Progent then carried out setup and hard drive recovery on essential servers. All Exchange data and attributes were intact, which facilitated the restore of Exchange. Progent was also able to collect local OST files (Outlook Off-Line Data Files) from various workstations to recover mail data. A fairly recent off-line backup of the client's accounting/MRP systems made it possible to bring these essential programs back on-line. Although major work remained to recover completely from the Ryuk damage, essential services were restored rapidly:


"For the most part, the production manufacturing operation survived unscathed and we delivered all customer shipments."

During the following month important milestones in the restoration process were completed through tight cooperation between Progent team members and the client:

  • Internal web applications were brought back up with no loss of data.
  • The MailStore Exchange Server with over 4 million historical emails was brought on-line and available for users.
  • CRM/Product Ordering/Invoicing/AP/Accounts Receivables (AR)/Inventory capabilities were completely restored.
  • A new Palo Alto Networks 850 security appliance was deployed.
  • Ninety percent of the desktops and laptops were fully operational.

"Much of what was accomplished that first week is mostly a blur for me, but my management will not soon forget the commitment each of the team put in to give us our business back. I have been working together with Progent for the past ten years, possibly more, and each time I needed help Progent has impressed me and delivered. This situation was the most impressive ever."

Conclusion
A likely enterprise-killing catastrophe was avoided thanks to top-tier professionals, a broad range of technical expertise, and close collaboration. Although in hindsight the ransomware attack described here could have been stopped with up-to-date security technology, ISO/IEC 27001 best practices, staff training, and properly executed incident response procedures for data backup and patching controls, the reality is that state-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a crypto-ransomware incident, remember that Progent's team of experts has substantial experience in ransomware blocking, cleanup, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thank you for allowing me to get rested after we got past the initial fire. All of you did a fabulous effort, and if any of you guys are visiting the Chicago area, a great meal is my treat!"

To read or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Los Angeles a portfolio of remote monitoring and security evaluation services to assist you to minimize your vulnerability to crypto-ransomware. These services incorporate next-generation AI capability to detect new variants of crypto-ransomware that are able to get past legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates cutting-edge behavior analysis technology to guard physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which easily slip past traditional signature-matching anti-virus products. ProSight ASM protects on-premises and cloud resources and provides a single platform to manage the complete malware attack progression including filtering, infiltration detection, containment, cleanup, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services offer affordable in-depth protection for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and reacting to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, penetration alerts, endpoint management, and web filtering through cutting-edge technologies incorporated within one agent accessible from a single console. Progent's security and virtualization consultants can assist you to design and implement a ProSight ESP environment that addresses your company's specific requirements and that allows you to achieve and demonstrate compliance with legal and industry information protection regulations. Progent will assist you to define and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that require urgent attention. Progent can also assist you to install and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and mid-sized businesses an affordable end-to-end service for secure backup/disaster recovery. Available at a fixed monthly cost, ProSight DPS automates and monitors your backup activities and allows rapid restoration of critical data, apps and VMs that have become unavailable or corrupted due to component failures, software bugs, natural disasters, human mistakes, or malicious attacks like ransomware. ProSight DPS can help you back up, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to an on-premises device, or mirrored to both. Progent's BDR specialists can deliver advanced support to set up ProSight Data Protection Services to comply with regulatory requirements such as HIPAA, FERPA, and PCI and, whenever needed, can assist you to recover your business-critical data. Learn more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top information security vendors to deliver centralized control and world-class security for your inbound and outbound email. The hybrid structure of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises security gateway appliance to offer advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps most threats from reaching your security perimeter. This decreases your vulnerability to external attacks and conserves network bandwidth and storage space. Email Guard's on-premises gateway appliance provides a further level of inspection for incoming email. For outgoing email, the on-premises security gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Exchange Server to monitor and safeguard internal email that originates and ends within your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to map, monitor, enhance and troubleshoot their networking appliances such as routers and switches, firewalls, and wireless controllers plus servers, client computers and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch makes sure that network maps are kept updated, copies and manages the configuration of virtually all devices on your network, monitors performance, and generates notices when problems are detected. By automating complex management and troubleshooting processes, ProSight WAN Watch can cut hours off common tasks such as network mapping, reconfiguring your network, finding appliances that need critical updates, or isolating performance issues. Find out more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management technology to help keep your network running at peak levels by tracking the health of critical computers that power your information system. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your designated IT staff and your Progent engineering consultant so any potential problems can be addressed before they can impact your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure fault tolerant data center on a high-performance virtual host set up and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the applications. Since the environment is virtualized, it can be ported easily to a different hosting environment without a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and safeguard information about your IT infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be warned automatically about impending expirations of SSL certificates, domains or warranties. By updating and managing your IT documentation, you can save up to half of the time wasted searching for critical information about your IT network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether you're planning enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you require the instant you need it. Read more about ProSight IT Asset Management service.

For Los Angeles 24x7x365 Crypto-Ransomware Removal Consulting, call Progent at 800-993-9400 or go to Contact Progent.