Ransomware : Your Feared Information Technology Nightmare
Crypto-Ransomware Remediation Professionals
Crypto-ransomware has become an escalating cyber plague that presents an enterprise-level danger for businesses unprepared for an attack. Multiple generations of ransomware such as CryptoLocker, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been in the wild for a long time and still inflict havoc. More recent variants such as Ryuk and Hermes, along with newer as yet unnamed malware, not only encrypt online data files but also attack any accessible backups and system protection mechanisms. Data synced to cloud environments can be corrupted as well. In a vulnerable system, this can make automatic restoration impossible and effectively sets the entire system back to square one.

Recovering applications and data after a crypto-ransomware event becomes a sprint against time as the targeted business tries its best to stop the spread and remove the crypto-ransomware and to resume enterprise-critical operations. Because crypto-ransomware needs time to replicate, assaults are frequently launched during nights and weekends, when successful penetrations may take longer to discover. This compounds the difficulty of quickly assembling and organizing an experienced mitigation team.

Progent offers a range of services for protecting businesses from crypto-ransomware events. These include training so that team members can recognize and avoid falling victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of next-generation security solutions with machine learning technology that automatically detect and suppress zero-day attacks. Progent also provides seasoned ransomware recovery consultants with the track record and perseverance to redeploy a breached environment as rapidly as possible.

Progent's Ransomware Restoration Support Services
Following a crypto-ransomware penetration, paying the ransom in Bitcoin provides no assurance that the criminal gang will respond with the keys needed to decrypt any or all of your information. Kaspersky Labs determined that 17% of ransomware victims never restored their data even after paying the ransom, compounding their losses. Paying is also very costly: Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000), far higher than the typical crypto-ransomware demand, which ZDNet reports averages around $13,000. The fallback is to re-install the mission-critical components of your IT environment. Without full system backups, this requires a broad range of skills, top-notch team management, and the ability to work continuously until the job is complete.

For twenty years, Progent has provided expert IT services for companies in Oakland and throughout the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers with advanced industry certifications in key technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity specialists hold internationally recognized certifications including CISM, CISSP, CRISC, and GIAC (visit Progent's certifications). Progent also has experience with financial systems and ERP software. This breadth of experience lets Progent rapidly identify critical systems following a ransomware penetration, reorganize the surviving parts of your network, and assemble them into an operational system.

Progent's ransomware team of experts uses state-of-the-art project management applications to orchestrate the complicated restoration process. Progent knows the importance of working quickly and in concert with a client's management and IT team members to assign priority to tasks and to get key services back on line as soon as possible.

Case Study: A Successful Ransomware Intrusion Recovery
A client escalated to Progent after their network was brought down by the Ryuk ransomware. Ryuk is believed to have been launched by North Korean state cybercriminals, suspected of adopting techniques leaked from the United States National Security Agency. Ryuk targets specific companies with little or no tolerance for operational disruption and is among the most profitable strains of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer based in the Chicago metro area with about 500 employees. The Ryuk intrusion had brought down all essential business and manufacturing operations. Most of the client's data backups had been online at the start of the attack and were eventually encrypted. The client was considering paying the ransom demand (exceeding two hundred thousand dollars) and hoping for the best, but ultimately called Progent.


"I cannot speak enough in regards to the expertise Progent provided us during the most critical period of (our) business's life. We most likely would have paid the cybercriminals if not for the confidence the Progent group provided us. That you were able to get our messaging and critical applications back in less than five days was earth shattering. Every single expert I worked with or messaged at Progent was hell bent on getting us back online and was working non-stop to bail us out."

Progent worked hand in hand with the client to rapidly assess and prioritize the essential systems that had to be restored before departmental functions could resume:

  • Active Directory
  • Email
  • Financials/MRP
To begin, Progent followed antivirus/malware incident mitigation best practices by isolating and cleaning up infected systems. Progent then began recovering Microsoft Active Directory (AD), the heart of enterprise environments built on Microsoft technology. Microsoft Exchange Server messaging will not work without AD, and the business's financials and MRP software relied on Microsoft SQL Server, which requires Windows AD for access to the data.

Within 2 days, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then completed setup and storage recovery of the needed systems. All Exchange Server ties and attributes were intact, which facilitated the restore of Exchange. Progent was able to locate intact OST data files (Outlook offline data files) on team desktop computers and used them to recover email messages. A relatively recent offline backup of the client's accounting/MRP systems made it possible to return these essential services to users. Although significant work remained to recover completely from the Ryuk damage, core systems were returned to operation rapidly:


"For the most part, the manufacturing operation did not miss a beat and we made all customer deliverables."

Over the following month, important milestones in the recovery project were reached through tight cooperation between Progent consultants and the customer:

  • Self-hosted web sites were restored with no loss of data.
  • The MailStore Exchange Server with over four million historical emails was restored to operations and available for users.
  • CRM/Orders/Invoicing/AP/AR/Inventory Control capabilities were fully restored.
  • A new Palo Alto 850 firewall was set up.
  • 90% of the user desktops and notebooks were functioning as before the incident.

"A huge amount of what transpired that first week is mostly a haze for me, but my management will not soon forget the care each and every one of you accomplished to help get our business back. I have entrusted Progent for at least 10 years, possibly more, and every time Progent has outperformed my expectations and delivered. This time was no exception but maybe more Herculean."

Conclusion
A potential business disaster was averted thanks to hard-working experts, a wide range of knowledge, and close collaboration. In hindsight, the ransomware penetration described here could have been identified and stopped with up-to-date cybersecurity technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, well-designed incident response procedures for information protection, and systems kept current with security patches. Even so, state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and will continue. If you are hit by a crypto-ransomware penetration, remember that Progent's roster of professionals has proven experience in ransomware defense, mitigation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were contributing), I'm grateful for letting me get some sleep after we got past the initial fire. All of you did an amazing effort, and if anyone that helped is visiting the Chicago area, dinner is my treat!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Oakland a portfolio of remote monitoring and security evaluation services designed to help you minimize your exposure to ransomware. These services incorporate next-generation artificial intelligence capabilities to uncover new variants of ransomware that evade detection by legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes next generation behavior-based analysis technology to guard physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which routinely get by traditional signature-based AV tools. ProSight Active Security Monitoring safeguards local and cloud resources and provides a unified platform to manage the complete malware attack lifecycle including protection, infiltration detection, containment, remediation, and forensics. Key features include single-click rollback using Windows VSS and real-time network-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver affordable in-depth security for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, endpoint management, and web filtering through leading-edge technologies incorporated within one agent accessible from a unified control. Progent's security and virtualization experts can help you to design and configure a ProSight ESP environment that addresses your organization's specific needs and that helps you achieve and demonstrate compliance with government and industry data security regulations. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that call for urgent action. Progent's consultants can also assist you to install and test a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and medium-sized organizations a low-cost end-to-end solution for reliable backup and disaster recovery (BDR). Available at a low monthly cost, ProSight DPS automates your backup activities and allows fast recovery of vital data, apps and virtual machines that have become unavailable or corrupted due to component failures, software bugs, natural disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, and system images, as well as Microsoft Hyper-V and VMware images. Critical data can be protected in the cloud, on an on-premises device, or both. Progent's cloud backup specialists can deliver world-class expertise to set up ProSight DPS to comply with regulatory standards such as HIPAA, FERPA, and PCI and, whenever needed, can assist you to recover your business-critical information. Read more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading data security vendors to deliver web-based control and comprehensive security for your inbound and outbound email. The hybrid structure of Email Guard integrates cloud-based filtering with a local security gateway appliance to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's cloud filter serves as a first line of defense and blocks most unwanted email from reaching your network firewall. This reduces your vulnerability to inbound attacks and saves system bandwidth and storage. Email Guard's on-premises security gateway appliance provides a deeper layer of inspection for inbound email. For outbound email, the on-premises security gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Exchange Server to monitor and safeguard internal email that stays within your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized organizations to map out, monitor, reconfigure and debug their networking hardware like switches, firewalls, and access points plus servers, endpoints and other devices. Using cutting-edge RMM technology, ProSight WAN Watch ensures that network maps are kept current, captures and displays the configuration information of virtually all devices connected to your network, monitors performance, and generates alerts when issues are detected. By automating tedious network management processes, WAN Watch can knock hours off ordinary tasks such as network mapping, reconfiguring your network, locating devices that need important updates, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) techniques to keep your IT system operating efficiently by tracking the health of critical computers that power your business network. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your specified IT management personnel and your Progent consultant so that all potential issues can be addressed before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure, fault-tolerant data center on a high-performance virtual host configured and managed by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the apps. Since the system is virtualized, it can be ported immediately to an alternate hardware environment without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, your business is not tied to one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and protect information about your network infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be alerted about impending expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can eliminate as much as 50% of the time wasted trying to find vital information about your network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents related to managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're making enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.

For 24x7 Oakland Crypto Repair Services, reach out to Progent at 800-993-9400 or go to Contact Progent.