Ransomware: Your Worst IT Nightmare
Ransomware has become a modern cyberplague that represents an existential danger for organizations unprepared for an assault. Different versions of ransomware like the CryptoLocker, WannaCry, Locky, SamSam and MongoLock cryptoworms have been out in the wild for many years and continue to cause damage. Newer versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, as well as frequent unnamed newcomers, not only encrypt online information but also infiltrate most available system restores and backups. Information replicated to cloud environments can also be rendered useless. In a vulnerable system, this can make automated recovery hopeless and effectively sets the network back to zero.

Getting back on-line services and information following a crypto-ransomware event becomes a race against the clock as the targeted organization struggles to contain and clear the crypto-ransomware and to restore business-critical activity. Since ransomware requires time to replicate, attacks are often sprung during weekends and nights, when penetrations are likely to take longer to recognize. This multiplies the difficulty of rapidly assembling and coordinating a qualified response team.

Progent provides a range of services for securing businesses from ransomware penetrations. These include user training to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of next-generation security gateways with machine learning capabilities to automatically detect and extinguish zero-day cyber attacks. Progent in addition can provide the assistance of seasoned ransomware recovery engineers with the skills and commitment to re-deploy a breached environment as rapidly as possible.

Progent's Ransomware Recovery Support Services
After a crypto-ransomware event, even paying the ransom demands in cryptocurrency does not guarantee that cyber criminals will respond with the codes to decrypt all your data. Kaspersky estimated that 17% of ransomware victims never recovered their files even after having sent off the ransom, resulting in additional losses. The risk is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the average ransomware demands, which ZDNET determined to be approximately $13,000. The fallback is to re-install the critical parts of your IT environment. Without access to full data backups, this requires a broad range of skill sets, professional project management, and the willingness to work 24x7 until the task is over.

For twenty years, Progent has offered expert Information Technology services for companies in Los Angeles and throughout the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have earned high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have earned internationally-renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has experience with financial management and ERP software solutions. This breadth of experience affords Progent the ability to knowledgably ascertain important systems and re-organize the surviving pieces of your Information Technology environment following a crypto-ransomware event and configure them into an operational network.

Progent's ransomware team uses top notch project management tools to coordinate the complex recovery process. Progent knows the importance of acting quickly and in unison with a client's management and IT staff to assign priority to tasks and to get the most important systems back on line as soon as humanly possible.

Case Study: A Successful Ransomware Virus Recovery
A client sought out Progent after their network was taken over by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state cybercriminals, possibly adopting approaches leaked from America's NSA organization. Ryuk attacks specific companies with limited room for operational disruption and is among the most profitable instances of ransomware viruses. Highly publicized organizations include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in the Chicago metro area with around 500 staff members. The Ryuk attack had paralyzed all company operations and manufacturing processes. Most of the client's backups had been directly accessible at the beginning of the attack and were encrypted. The client was actively seeking loans for paying the ransom (more than two hundred thousand dollars) and praying for good luck, but in the end utilized Progent.


"I cannot tell you enough about the expertise Progent provided us during the most stressful time of (our) company's life. We may have had to pay the cyber criminals behind the attack if it wasn't for the confidence the Progent group gave us. That you were able to get our e-mail system and essential applications back on-line sooner than 1 week was incredible. Every single expert I talked with or messaged at Progent was absolutely committed to getting us operational and was working 24 by 7 on our behalf."

Progent worked together with the client to quickly get our arms around and prioritize the most important services that needed to be recovered to make it possible to restart departmental functions:

  • Microsoft Active Directory
  • Email
  • Financials/MRP
To start, Progent followed ransomware event response industry best practices by halting lateral movement and clearing infected systems. Progent then began the work of bringing back online Active Directory, the heart of enterprise networks built upon Microsoft technology. Microsoft Exchange messaging will not work without Windows AD, and the customer's accounting and MRP applications utilized Microsoft SQL, which needs Active Directory for security authorization to the data.

In less than 48 hours, Progent was able to rebuild Active Directory services to its pre-penetration state. Progent then assisted with setup and storage recovery on needed servers. All Microsoft Exchange Server data and configuration information were usable, which greatly helped the restore of Exchange. Progent was also able to locate local OST data files (Microsoft Outlook Off-Line Folder Files) on team PCs in order to recover email data. A not too old off-line backup of the customer's accounting systems allowed these essential programs to be brought back online for users. Although a large amount of work was left to recover completely from the Ryuk attack, essential services were recovered quickly:


"For the most part, the manufacturing operation survived unscathed and we delivered all customer sales."

Throughout the next few weeks important milestones in the restoration process were completed in tight collaboration between Progent engineers and the client:

  • In-house web sites were brought back up with no loss of information.
  • The MailStore Server containing more than 4 million historical messages was brought online and available for users.
  • CRM/Orders/Invoices/Accounts Payable/AR/Inventory Control functions were 100% operational.
  • A new Palo Alto 850 firewall was set up.
  • Ninety percent of the desktops and laptops were operational.

"So much of what occurred in the early hours is mostly a haze for me, but we will not forget the dedication all of the team accomplished to give us our business back. I've trusted Progent for at least 10 years, possibly more, and every time Progent has shined and delivered as promised. This event was a stunning achievement."

Conclusion
A probable company-ending catastrophe was evaded with top-tier experts, a wide array of subject matter expertise, and tight teamwork. Although forensics, once complete, indicated that the crypto-ransomware attack detailed here would have been disabled by up-to-date cyber security technology, recognized best practices, staff education, and well-designed security procedures for information backup and proper patching controls, the fact is that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do get hit by a crypto-ransomware incursion, feel confident that Progent's team of experts has proven experience in ransomware virus defense, remediation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were helping), thanks very much for making it so I could get rested after we made it through the initial fire. All of you did a fabulous effort, and if anyone that helped is in the Chicago area, dinner is on me!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Los Angeles a range of online monitoring and security assessment services designed to assist you to minimize your vulnerability to ransomware. These services utilize modern artificial intelligence capability to uncover zero-day strains of ransomware that can evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates next generation behavior analysis technology to guard physical and virtual endpoints against new malware assaults such as ransomware and email phishing, which routinely escape traditional signature-based AV products. ProSight ASM safeguards on-premises and cloud resources and offers a unified platform to address the entire malware attack lifecycle including protection, detection, containment, cleanup, and post-attack forensics. Top features include single-click rollback with Windows VSS and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services offer affordable in-depth protection for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and responding to cyber threats from all vectors. ProSight ESP offers firewall protection, penetration alarms, endpoint control, and web filtering through cutting-edge technologies incorporated within one agent accessible from a single console. Progent's security and virtualization experts can help your business to design and configure a ProSight ESP deployment that meets your organization's unique requirements and that helps you achieve and demonstrate compliance with legal and industry data security regulations. Progent will help you define and configure policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for immediate attention. Progent can also help you to set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations an affordable and fully managed service for reliable backup/disaster recovery. Available at a low monthly rate, ProSight Data Protection Services automates and monitors your backup processes and enables fast restoration of critical files, apps and virtual machines that have become unavailable or corrupted as a result of component failures, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to a local storage device, or to both. Progent's backup and recovery consultants can deliver advanced expertise to configure ProSight Data Protection Services to be compliant with government and industry regulatory requirements like HIPAA, FIRPA, and PCI and, when necessary, can assist you to restore your business-critical information. Learn more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading information security vendors to provide web-based management and comprehensive security for your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service combines cloud-based filtering with an on-premises security gateway device to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The cloud filter acts as a preliminary barricade and keeps most threats from making it to your network firewall. This decreases your exposure to inbound attacks and conserves network bandwidth and storage. Email Guard's on-premises security gateway device adds a further level of analysis for inbound email. For outbound email, the on-premises gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to monitor and protect internal email traffic that originates and ends within your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map, monitor, enhance and troubleshoot their networking appliances like switches, firewalls, and load balancers plus servers, printers, endpoints and other devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch ensures that network diagrams are always current, captures and manages the configuration information of virtually all devices connected to your network, tracks performance, and generates alerts when problems are detected. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can cut hours off common tasks such as network mapping, expanding your network, locating devices that require important updates, or resolving performance bottlenecks. Find out more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your network operating at peak levels by tracking the state of critical computers that drive your information system. When ProSight LAN Watch detects a problem, an alert is sent immediately to your specified IT personnel and your Progent consultant so that all looming issues can be resolved before they can impact your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a protected fault tolerant data center on a fast virtual machine host set up and managed by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the applications. Since the system is virtualized, it can be moved easily to a different hardware environment without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, find and protect information about your network infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or domains. By cleaning up and managing your IT documentation, you can save as much as 50% of time thrown away looking for vital information about your IT network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents related to managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're planning improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.
For Los Angeles 24/7/365 Crypto Remediation Support Services, call Progent at 800-462-8800 or go to Contact Progent.