Crypto-Ransomware : Your Worst IT Nightmare
Ransomware Remediation Professionals
Ransomware has become a modern cyber pandemic that poses an enterprise-level danger to businesses of every size. Multiple generations of ransomware such as Dharma, WannaCry, Locky, Syskey and MongoLock have been circulating for years and still cause havoc. The latest strains, including Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Egregor, along with unnamed malware, not only encrypt critical on-line data but also seek out and destroy any reachable restore points and backups before the encryption run begins. Data synced to the cloud can be corrupted as well, because the sync client faithfully replicates the encrypted files. In a poorly architected environment this makes restore operations useless and effectively knocks the entire system back to square one.

Recovering programs and data after a ransomware attack becomes a sprint against time as the targeted business tries to stop the spread, eradicate the ransomware, and resume business-critical operations. Because spreading across a network and encrypting it takes time, attackers often trigger the final stage on weekends and at night, when a successful intrusion takes longer to notice. This compounds the difficulty of rapidly assembling and coordinating an experienced response team.
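The two behaviours described above, destruction of restore points and backups before encryption, and execution outside staffed hours, are both detectable from process-creation telemetry before the encryption run starts. The following script is an added example, not code from the original page or from Progent: it scans Sysmon Event ID 1 style records for the recovery-tampering commands ransomware families commonly run (MITRE ATT&CK T1490) and raises the severity when they occur off-hours. The event records, host names and user names are constructed for the example, and the assumed time zone (US Central) and staffed hours (07:00 to 19:00, Monday to Friday) are parameters you would set for your own environment.

```python
"""Flag process-creation events that look like ransomware disabling system
recovery before encryption (MITRE ATT&CK T1490, Inhibit System Recovery).
Added example; the event records below are constructed, not real telemetry."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Command lines ransomware families routinely run to destroy shadow copies,
# local backup catalogs and boot-time recovery: (label, case-insensitive regex).
RECOVERY_TAMPER_PATTERNS = [
    ("vssadmin shadow deletion",       re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin shadow storage resize", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic shadow copy deletion",      re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("PowerShell shadow copy deletion", re.compile(r"win32_shadowcopy.*?\b(delete|remove-wmiobject|remove-ciminstance)\b", re.I)),
    ("boot recovery disabled",         re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("boot failures ignored",          re.compile(r"bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("backup catalog deletion",        re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
]

# Assumption for the example: the business runs on US Central Standard Time
# (UTC-6) and its staffed hours are 07:00-19:00 Monday to Friday.
LOCAL_UTC_OFFSET_HOURS = -6
WORKDAY_START, WORKDAY_END = 7, 19


def is_off_hours(local_ts: datetime) -> bool:
    """Weekend, or outside staffed hours on a weekday."""
    return local_ts.weekday() >= 5 or not (WORKDAY_START <= local_ts.hour < WORKDAY_END)


def analyse_event(event: Dict[str, str]) -> Optional[Dict]:
    """Return a finding for one Sysmon Event ID 1 style record, or None if benign."""
    hits = [label for label, rx in RECOVERY_TAMPER_PATTERNS
            if rx.search(event.get("CommandLine", ""))]
    if not hits:
        return None
    # Sysmon stamps UtcTime as "YYYY-MM-DD HH:MM:SS.fff"; shift it to local time
    # so the off-hours rule reflects when staff are actually watching.
    local_ts = datetime.fromisoformat(event["UtcTime"]) + timedelta(hours=LOCAL_UTC_OFFSET_HOURS)
    off_hours = is_off_hours(local_ts)
    return {
        "host": event["Computer"],
        "user": event["User"],
        "parent": event.get("ParentImage", ""),
        "local_time": local_ts.isoformat(sep=" "),
        "techniques": hits,
        "off_hours": off_hours,
        # Any recovery-tampering command outside staffed hours, or more than one
        # in a single command line, is the pre-encryption pattern the article describes.
        "severity": "critical" if off_hours or len(hits) > 1 else "high",
    }


def analyse_events(events: List[Dict[str, str]]) -> List[Dict]:
    """Run analyse_event over a batch and keep only the findings."""
    return [f for f in (analyse_event(e) for e in events) if f is not None]


# Constructed sample telemetry (Sysmon Event ID 1 fields), not real logs.
SAMPLE_EVENTS = [
    {"UtcTime": "2020-03-14 02:14:07.311", "Computer": "MFG-FS01.corp.example", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"UtcTime": "2020-03-14 02:14:09.004", "Computer": "MFG-FS01.corp.example", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\bcdedit.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"UtcTime": "2020-03-10 15:02:41.120", "Computer": "MFG-DC01.corp.example", "User": "CORP\\adm-backup",
     "Image": r"C:\Windows\System32\wbadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
    # Benign inspection of shadow copies by an administrator; must not fire.
    {"UtcTime": "2020-03-10 15:30:00.000", "Computer": "MFG-DC01.corp.example", "User": "CORP\\adm-backup",
     "Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin list shadows"},
    # Ordinary service host start; must not fire.
    {"UtcTime": "2020-03-10 16:00:00.000", "Computer": "MFG-WS17.corp.example", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for finding in analyse_events(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed sample, the two Friday-night commands on the file server come back as critical and the Tuesday-morning catalog deletion as high, while the two benign events produce nothing. In production you would feed this the same fields from your SIEM and alert on any critical finding; a legitimate backup administrator deleting shadow copies during business hours is worth a ticket, the same command at 02:00 on a Saturday is worth waking someone up.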

Progent offers a range of services for protecting enterprises against crypto-ransomware intrusions. These include staff education to help employees recognize and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security gateways that use machine learning to automatically detect and block zero-day attacks. Progent can also provide seasoned crypto-ransomware recovery engineers with the track record and commitment to rebuild a compromised environment as rapidly as possible.

Progent's Ransomware Restoration Help
After a ransomware event, even paying the ransom in cryptocurrency does not ensure that the criminals will return the keys needed to decrypt any or all of your files. Kaspersky Lab estimated that 17% of crypto-ransomware victims never recovered their files after paying the ransom, compounding their losses. The ransom itself is also expensive: Ryuk demands often range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the typical crypto-ransomware demand, which ZDNet put at around $13,000. The alternative is to piece back together the mission-critical components of your IT environment. Without full system backups, this requires a broad range of skills, top-notch team management, and the capacity to work non-stop until the recovery is complete.

For decades, Progent has offered expert IT services to businesses in Salinas and throughout the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold high-level certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has experience with accounting and ERP application software. This breadth of expertise gives Progent the skills to knowledgeably understand the necessary systems, consolidate the remaining components of your network environment following a ransomware attack, and assemble them into a functioning system.

Progent's ransomware team uses state-of-the-art project management applications to coordinate the complex recovery process. Progent knows the urgency of acting quickly and in unison with a customer's management and Information Technology staff to prioritize tasks and to put key systems back on-line as fast as humanly possible.

Customer Story: A Successful Ransomware Incident Recovery
A business contacted Progent after their organization was penetrated by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later analysis attributed it to a Russian-speaking criminal group (tracked as Wizard Spider) that runs it as a targeted, human-operated attack rather than a self-spreading worm. Ryuk's operators pick specific businesses with little or no tolerance for disruption, and it is among the most profitable ransomware families. Publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing company located in Chicago with around 500 employees. The Ryuk intrusion had frozen all essential operations and manufacturing capabilities. The majority of the client's data backups had been on-line, reachable from the compromised network, at the time of the attack and were destroyed. The client was considering paying the ransom (exceeding $200K) and hoping for the best, but ultimately decided to engage Progent.


"I can't speak enough about the help Progent provided us during the most stressful time of (our) business's survival. We may have had to pay the cyber criminals behind the attack except for the confidence the Progent group gave us. That you could get our e-mail system and production servers back on-line in less than a week was something I thought impossible. Each person I worked with or texted at Progent was totally committed to getting our system up and was working all day and night to bail us out."

Progent worked with the customer to quickly assess and prioritize the essential systems that had to be restored before business operations could restart:

  • Windows Active Directory
  • E-Mail
  • MRP System
To begin, Progent followed established malware incident response practice: isolating affected systems to halt lateral movement, then removing the malware from the hosts that would be rebuilt. Progent then began recovering Windows Active Directory, the foundation of enterprise networks built on Microsoft Windows technology. Microsoft Exchange Server will not operate without Active Directory, and the business's MRP software ran on Microsoft SQL Server, which in this environment relied on Active Directory (Windows) authentication to authorize access to the database.

In less than two days, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then helped perform setup and hard drive recovery on the critical servers. All of Exchange's Active Directory objects and attributes were intact, which simplified the restore of Exchange. Progent was able to locate local OST files (Outlook Offline Folder Files) on staff desktop computers and use them to recover mailbox data. A recent offline backup of the customer's financials/MRP systems made it possible to bring these essential applications back into service for users. Although major work still had to be done to recover fully from the Ryuk attack, core systems were restored quickly:


"For the most part, the assembly line operation never missed a beat and we delivered all customer orders."

Over the next couple of weeks key milestones in the restoration project were achieved in close cooperation between Progent engineers and the customer:

  • In-house web sites were brought back up with no loss of data.
  • The MailStore email archive for Microsoft Exchange Server, with over 4 million archived messages, was brought online and made accessible to users.
  • CRM, Customer Orders, Invoices, Accounts Payable (AP), Accounts Receivable (AR), and Inventory functions were fully restored.
  • A new Palo Alto Networks PA-850 next-generation firewall was set up.
  • Nearly all of the user desktops and notebooks were back in use by staff.

"So much of what happened in the initial days is nearly entirely a blur for me, but I will not forget the dedication each and every one of you accomplished to give us our business back. I have utilized Progent for the past 10 years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered. This event was a life saver."

Conclusion
A potential business-ending catastrophe was averted by dedicated experts, a broad range of subject matter expertise, and close teamwork. In retrospect, the ransomware intrusion described here would have been stopped by up-to-date security technology, NIST Cybersecurity Framework best practices, user education, and sound incident response procedures covering backups (kept offline or otherwise unreachable from production) and timely security patching. The fact remains that criminal and state-sponsored attackers from Russia, China and elsewhere are relentless and an ongoing threat. If you do fall victim to a ransomware intrusion, you can be confident that Progent's team of experts has substantial experience in crypto-ransomware blocking, remediation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), I'm grateful for making it so I could get rested after we made it over the first week. Everyone made an incredible effort, and if anyone is around the Chicago area, a great meal is on me!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Salinas a range of remote monitoring and security assessment services to help you minimize your exposure to ransomware. These services incorporate modern machine learning capability to uncover new strains of ransomware that get past traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that uses behavior-based machine learning to defend physical and virtual endpoints against new malware attacks such as ransomware and email phishing payloads, which easily evade traditional signature-based AV tools. ProSight ASM protects on-premises and cloud-based resources and offers a single platform covering the entire threat lifecycle: blocking, detection of infiltration, mitigation, remediation, and post-attack forensics. Key capabilities include single-click rollback of encrypted files using the Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer ultra-affordable multi-layer protection for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device control, and web filtering through cutting-edge technologies incorporated within one agent accessible from a single console. Progent's data protection and virtualization consultants can help you to plan and implement a ProSight ESP deployment that addresses your company's unique needs and that helps you achieve and demonstrate compliance with government and industry data security standards. Progent will assist you define and configure policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that require urgent attention. Progent can also help you to set up and test a backup and restore system like ProSight Data Protection Services so you can get back in business rapidly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations a low-cost, fully managed service for reliable backup and disaster recovery. For a low monthly price, ProSight DPS automates your backup activities and allows rapid recovery of critical files, applications and VMs that have become unavailable or damaged as a result of component failures, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, apps, system images, and Microsoft Hyper-V and VMware images. Critical data can be protected in the cloud, on an on-premises device, or both, so that a copy remains out of reach of ransomware running on the production network. Progent's cloud backup specialists can deliver advanced support to set up ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FERPA, PCI and Safe Harbor and, when necessary, can help you restore your business-critical information. Find out more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading information security vendors to deliver centralized management and comprehensive protection for your inbound and outbound email. The hybrid architecture of Progent's Email Guard combines a Cloud Protection Layer with a local gateway appliance to provide complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne threats. The cloud filter acts as a first line of defense and keeps most unwanted email from reaching your security perimeter. This reduces your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's on-premises gateway appliance provides a further level of analysis for inbound email. For outgoing email, the onsite gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that originates and ends inside your corporate firewall. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to map, track, optimize and troubleshoot their connectivity appliances like switches, firewalls, and access points as well as servers, client computers and other devices. Using state-of-the-art RMM technology, ProSight WAN Watch ensures that infrastructure topology maps are kept current, captures and displays the configuration of almost all devices connected to your network, tracks performance, and sends alerts when problems are detected. By automating time-consuming management and troubleshooting activities, WAN Watch can knock hours off ordinary tasks like making network diagrams, reconfiguring your network, finding appliances that require critical updates, or resolving performance bottlenecks. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management techniques to help keep your network operating at peak levels by checking the state of the critical computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your specified IT personnel and your Progent engineering consultant so any looming issues can be addressed before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure Tier III data center on a fast virtual machine host configured and maintained by Progent's network support professionals. With the ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the applications. Since the environment is virtualized, it can be moved easily to an alternate hardware solution without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied to a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and protect information related to your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be alerted about impending expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT infrastructure documentation, you can eliminate up to 50% of the time wasted searching for vital information about your network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents required for managing your business network, such as standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're making improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you require when you need it. Find out more about Progent's ProSight IT Asset Management service.
For Salinas 24/7/365 Crypto-Ransomware Remediation Consultants, call Progent at 800-993-9400 or go to Contact Progent.