Crypto-Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become a too-frequent cyberplague that represents an existential danger for businesses poorly prepared for an attack. Multiple generations of crypto-ransomware like the Dharma, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been around for years and still cause damage. Modern strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Nephilim, along with additional as yet unnamed variants, not only encrypt critical on-line data but also go after any configured system protection mechanisms. Information replicated to off-site disaster recovery sites can also be ransomed. On a vulnerable network, this can make any restore operation impossible and effectively knocks the network back to zero.
Getting applications and data back on-line after a ransomware event becomes a sprint against time as the targeted organization struggles to contain and eradicate the malware and to restore mission-critical activity. Because crypto-ransomware needs time to spread, attacks are frequently launched at night, when intrusions typically take longer to identify. This compounds the difficulty of promptly assembling and coordinating an experienced mitigation team.
Progent offers a variety of solutions for protecting businesses from crypto-ransomware penetrations. These include staff training to help recognize and avoid phishing attacks, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of next-generation security gateways with machine learning technology to intelligently discover and disable new cyber threats. Progent also offers the assistance of seasoned ransomware recovery consultants with the skills and perseverance to reconstruct a compromised network as soon as possible.
Progent's Ransomware Recovery Services
After a crypto-ransomware penetration, paying the ransom in Bitcoin cryptocurrency provides no assurance that the cyber criminals will respond with the keys to decrypt any or all of your files. Kaspersky determined that 17% of ransomware victims never recovered their data even after having sent off the ransom, compounding their losses. The ransom itself is also costly: Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000), well above the usual ransomware demand, which ZDNet estimates to be approximately $13,000. The other path is to rebuild the key parts of your IT environment. Without the availability of essential information backups, this calls for a broad range of skill sets, professional project management, and the ability to work non-stop until the job is complete.
For decades, Progent has offered professional Information Technology services for companies in Oakland and across the U.S. and has earned Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have been awarded top certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have garnered internationally-recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial management and ERP applications. This breadth of experience gives Progent the capability to knowledgeably identify critical systems, consolidate the surviving parts of your IT environment after a ransomware penetration, and rebuild them into an operational network.
Progent's recovery team deploys best-of-breed project management applications to orchestrate the sophisticated recovery process. Progent understands the importance of working rapidly and in unison with a customer's management and IT resources to prioritize tasks and to get essential systems back online as fast as humanly possible.
Client Case Study: A Successful Ransomware Penetration Response
A business escalated to Progent after their network was brought down by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state-sponsored criminal gangs, possibly adopting techniques leaked from America's National Security Agency. Ryuk targets specific businesses with little or no ability to sustain operational disruption and is one of the most profitable examples of ransomware. Well-known victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer based in the Chicago metro area with about 500 staff members. The Ryuk attack had paralyzed all business operations and manufacturing processes. Most of the client's backups had been on-line at the beginning of the attack and were eventually encrypted. The client was pursuing financing to pay the ransom (more than $200,000) and praying for good luck, but ultimately made the decision to use Progent.
"I can't say enough about the expertise Progent gave us throughout the most critical period of (our) company's life. We had little choice but to pay the hackers behind this attack except for the confidence the Progent group afforded us. That you could get our e-mail and essential applications back into operation in less than seven days was something I thought impossible. Every single expert I talked with or communicated with at Progent was hell bent on getting my company operational and was working day and night to bail us out."
Progent worked hand in hand with the customer to rapidly assess and prioritize the most important areas that had to be recovered to make it possible to restart departmental operations:
- Windows Active Directory
- Electronic Messaging
To get going, Progent adhered to AV/malware incident response best practices by halting the spread and disinfecting systems. Progent then began the work of rebuilding Microsoft Active Directory, the heart of enterprise networks built on Microsoft technology. Exchange messaging will not function without Active Directory, and the client's financials and MRP applications relied on SQL Server, which needs Active Directory services to authorize access to the database.
Within 2 days, Progent was able to restore Active Directory services to their pre-penetration state. Progent then charged ahead with rebuilding the most important systems and recovering data from their hard drives. All Exchange Server schema and attributes were intact, which accelerated the rebuild of Exchange. Progent was able to find non-encrypted OST files (Outlook Off-Line Folder Files) on various desktop computers and used them to recover mail messages. A fairly recent off-line backup of the business's financials/ERP software made it possible to bring those required services back into operation for users. Although a large amount of work remained to recover fully from the Ryuk event, critical systems were recovered quickly:
"For the most part, the production manufacturing operation showed little impact and we produced all customer orders."
Over the next couple of weeks, key milestones in the recovery project were reached in tight collaboration between Progent team members and the customer:
- Self-hosted web applications were returned to operation with no loss of information.
- The MailStore Exchange Server containing more than four million historical emails was brought on-line and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory Control functions were fully restored.
- A new Palo Alto Networks 850 security appliance was deployed.
- Ninety percent of the desktop computers were back in use by staff.
"A lot of what went on in the initial days is nearly entirely a haze for me, but my team will not forget the care each and every one of your team put in to give us our company back. I've been working together with Progent for the past ten years, possibly more, and each time Progent has come through and delivered. This event was the most impressive ever."
A likely business-killing catastrophe was averted through the efforts of results-oriented professionals, a wide array of subject matter expertise, and close teamwork. Forensics showed that the ransomware penetration detailed here should have been identified and blocked with up-to-date security systems and ISO/IEC 27001 best practices, user education, and properly executed incident response procedures for data backup and patching controls; the reality nonetheless remains that state-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to ransomware, remember that Progent's team of professionals has extensive experience in ransomware blocking, mitigation, and file disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thank you for allowing me to get rested after we made it over the first week. All of you did an impressive job, and if any of your team is visiting the Chicago area, a great meal is the least I can do!"
To read or download a PDF version of this case study, click: Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Oakland a range of remote monitoring and security evaluation services designed to assist you to minimize your vulnerability to ransomware. These services include modern artificial intelligence capability to detect zero-day strains of ransomware that can escape detection by legacy signature-based anti-virus solutions.
For Oakland 24/7 Ransomware Cleanup Support Services, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes cutting edge behavior-based machine learning tools to defend physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which easily escape legacy signature-matching anti-virus products. ProSight Active Security Monitoring protects local and cloud resources and offers a unified platform to address the complete threat lifecycle including protection, identification, mitigation, cleanup, and forensics. Key capabilities include single-click rollback using Windows VSS and real-time network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable in-depth protection for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and reacting to security threats from all vectors. ProSight ESP delivers two-way firewall protection, penetration alarms, device control, and web filtering via cutting-edge tools incorporated within a single agent accessible from a unified control. Progent's data protection and virtualization experts can help your business to design and configure a ProSight ESP environment that meets your organization's specific requirements and that helps you prove compliance with government and industry data security standards. Progent will assist you specify and implement security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that require urgent attention. Progent's consultants can also help your company to install and verify a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services offer small and medium-sized businesses an affordable and fully managed solution for reliable backup/disaster recovery. For a fixed monthly cost, ProSight Data Protection Services automates your backup activities and allows rapid recovery of critical data, applications and virtual machines that have become unavailable or damaged due to component breakdowns, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images. Critical data can be protected in the cloud, on an on-premises device, or both. Progent's backup and recovery specialists can deliver advanced expertise to configure ProSight Data Protection Services to be compliant with government and industry regulatory standards such as HIPAA, FERPA, and PCI and, when necessary, can help you to restore your business-critical data. Learn more about ProSight DPS Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security companies to deliver web-based control and world-class protection for your inbound and outbound email. The hybrid structure of Email Guard managed service combines a Cloud Protection Layer with a local gateway appliance to provide complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's cloud filter acts as a first line of defense and blocks the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to inbound attacks and conserves network bandwidth and storage space. Email Guard's onsite security gateway device adds a further layer of analysis for incoming email. For outgoing email, the on-premises security gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Microsoft Exchange Server to monitor and protect internal email that originates and ends inside your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to map, track, reconfigure and troubleshoot their networking appliances such as routers, firewalls, and access points as well as servers, client computers and other devices. Using state-of-the-art RMM technology, ProSight WAN Watch ensures that network maps are kept current, captures and manages the configuration information of virtually all devices on your network, tracks performance, and sends alerts when potential issues are detected. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can knock hours off common tasks like making network diagrams, expanding your network, finding appliances that need critical updates, or resolving performance problems. Find out more details about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management techniques to keep your IT system running efficiently by checking the state of critical computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your specified IT management personnel and your assigned Progent engineering consultant so that any potential problems can be addressed before they can impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host set up and maintained by Progent's network support experts. With the ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the apps. Since the environment is virtualized, it can be ported easily to a different hardware solution without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and safeguard data about your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates, domains or warranties. By updating and organizing your IT documentation, you can save up to 50% of time wasted trying to find vital information about your IT network. ProSight IT Asset Management features a centralized location for storing and collaborating on all documents related to managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're making enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Read more about ProSight IT Asset Management service.