Crypto-Ransomware : Your Crippling Information Technology Disaster
Ransomware has become an escalating cyberplague that represents an enterprise-level danger for businesses unprepared for an assault. Multiple generations of ransomware like the CrySIS, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been around for years and continue to cause havoc. More recent strains of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit or Egregor, along with frequent as-yet-unnamed newcomers, not only encrypt on-line files but also corrupt most configured system backups. Information synched to cloud environments can also be ransomed. In a poorly designed environment, this can make any recovery useless and basically sets the entire system back to square one.
Restoring programs and information following a ransomware event becomes a race against the clock as the targeted organization struggles to stop the spread and remove the crypto-ransomware and to resume enterprise-critical activity. Since crypto-ransomware requires time to spread, attacks are often launched at night, when successful penetrations typically take longer to identify. This compounds the difficulty of rapidly assembling and coordinating an experienced response team.
Progent provides a variety of help services for protecting enterprises from crypto-ransomware events. These include user training to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to installation of next-generation security appliances with machine learning capabilities to rapidly discover and quarantine zero-day cyber attacks. Progent also provides the services of veteran crypto-ransomware recovery engineers with the talent and perseverance to rebuild a compromised network as rapidly as possible.
Progent's Ransomware Restoration Support Services
Following a ransomware event, paying the ransom demands in Bitcoin cryptocurrency does not guarantee that distant criminals will respond with the needed codes to decrypt all your files. Kaspersky Labs estimated that 17% of ransomware victims never recovered their information after having sent off the ransom, resulting in additional losses. Paying is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is greatly above the typical crypto-ransomware demand, which ZDNET estimates to average approximately $13,000. The fallback is to set up from scratch the critical elements of your IT environment. Without the availability of full system backups, this requires a broad complement of skill sets, professional project management, and the willingness to work non-stop until the task is over.
For decades, Progent has made available professional Information Technology services for companies in Salinas and across the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have earned high-level certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have earned internationally-renowned certifications including CISA, CISSP, CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has experience in financial management and ERP applications. This breadth of expertise affords Progent the ability to rapidly identify necessary systems and consolidate the surviving pieces of your IT environment after a crypto-ransomware attack and assemble them into an operational system.
Progent's ransomware group has top notch project management systems to coordinate the complex recovery process. Progent appreciates the importance of working rapidly and in concert with a client's management and Information Technology team members to assign priority to tasks and to put key systems back on-line as fast as possible.
Client Story: A Successful Ransomware Penetration Restoration
A client hired Progent after their organization was brought down by Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state-sponsored criminal gangs, possibly using techniques leaked from America's National Security Agency. Ryuk goes after specific businesses with little or no tolerance for disruption and is among the most profitable versions of crypto-ransomware. Major targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer headquartered in Chicago with around 500 workers. The Ryuk event had paralyzed all business operations and manufacturing capabilities. Most of the client's information backups had been on-line at the start of the attack and were destroyed. The client was evaluating paying the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately chose Progent.
"I can't say enough about the care Progent provided us during the most stressful time of (our) company's survival. We may have had to pay the cyber criminals behind the attack if not for the confidence the Progent team provided us. That you were able to get our messaging and key servers back into operation in less than seven days was beyond my wildest dreams. Each person I interacted with or texted at Progent was absolutely committed to getting us working again and was working at breakneck pace on our behalf."
Progent worked with the client to quickly identify and prioritize the key services that needed to be recovered to make it possible to resume business operations:
- Active Directory
- Microsoft Exchange Server
- MRP System
To start, Progent followed ransomware penetration mitigation best practices by halting lateral movement and cleaning up compromised systems. Progent then began the steps of restoring Microsoft Active Directory (AD), the core of enterprise networks built upon Microsoft Windows technology. Microsoft Exchange email will not function without AD, and the business's financial and MRP software utilized Microsoft SQL Server, which depends on Active Directory services for authentication to the database.
Within 2 days, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then initiated reinstallations and hard drive recovery of key servers. All Exchange data and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to assemble non-encrypted OST data files (Outlook Offline Folder Files) on team workstations in order to recover email messages. A recent off-line backup of the customer's accounting/ERP systems made it possible to bring these vital services back online for users. Although significant work still had to be done to recover fully from the Ryuk damage, core systems were restored rapidly:
"For the most part, the assembly line operation was never shut down and we delivered all customer orders."
Over the following few weeks key milestones in the recovery project were made in tight cooperation between Progent consultants and the customer:
- In-house web sites were brought back up without losing any information.
- The MailStore archive for Microsoft Exchange Server, holding more than four million historical messages, was brought on-line and made available to users.
- CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control modules were fully functional.
- A new Palo Alto 850 security appliance was installed and configured.
- 90% of the user desktops were operational.
"A lot of what was accomplished in the early hours is mostly a fog for me, but I will not forget the urgency each and every one of the team put in to help get our company back. I have entrusted Progent for at least 10 years, maybe more, and every time I needed help Progent has shined and delivered. This event was a stunning achievement."
A probable business-killing disaster was avoided with top-tier professionals, a wide range of technical expertise, and close collaboration. Although in retrospect the crypto-ransomware virus incident described here could have been identified and prevented with modern cyber security technology and best practices, user education, and properly executed security procedures for data backup and proper patching controls, the fact is that government-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware penetration, remember that Progent's roster of professionals has substantial experience in ransomware virus blocking, cleanup, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were helping), thank you for allowing me to get rested after we got over the first week. Everyone did a fabulous job, and if any of you guys are visiting the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this customer case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Salinas a portfolio of remote monitoring and security assessment services to help you to reduce the threat from crypto-ransomware. These services incorporate modern machine learning technology to uncover new variants of crypto-ransomware that can evade traditional signature-based anti-virus solutions.
For 24/7 Salinas CryptoLocker Recovery Experts, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates next generation behavior analysis technology to defend physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely escape traditional signature-matching AV products. ProSight ASM protects on-premises and cloud resources and offers a single platform to manage the entire malware attack progression including blocking, detection, mitigation, cleanup, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
ProSight Enhanced Security Protection managed services offer affordable in-depth security for physical and virtual servers, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and responding to cyber assaults from all vectors. ProSight ESP provides firewall protection, intrusion alarms, device management, and web filtering through cutting-edge technologies incorporated within one agent managed from a unified console. Progent's security and virtualization consultants can help your business to design and implement a ProSight ESP environment that addresses your company's specific requirements and that allows you to achieve and demonstrate compliance with legal and industry data security standards. Progent will help you define and configure the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for immediate attention. Progent's consultants can also assist your company to set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover rapidly from a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services provide small and mid-sized organizations an affordable end-to-end service for secure backup/disaster recovery (BDR). For a fixed monthly cost, ProSight Data Protection Services automates your backup activities and enables fast recovery of vital data, apps and VMs that have become unavailable or corrupted as a result of hardware breakdowns, software glitches, disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware images. Important data can be backed up to the cloud, to a local storage device, or to both. Progent's BDR specialists can provide advanced expertise to set up ProSight Data Protection Services to comply with government and industry regulatory standards like HIPAA, FERPA, PCI and Safe Harbor and, whenever necessary, can assist you to recover your critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top data security companies to deliver web-based control and comprehensive security for all your email traffic. The hybrid architecture of Email Guard managed service integrates a Cloud Protection Layer with a local gateway appliance to offer advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne malware. The Cloud Protection Layer serves as a preliminary barricade and keeps the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to inbound threats and saves system bandwidth and storage space. Email Guard's onsite gateway appliance adds a deeper layer of inspection for inbound email. For outgoing email, the local gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite gateway can also help Exchange Server to track and safeguard internal email that originates and ends inside your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized businesses to diagram, monitor, reconfigure and debug their connectivity appliances such as routers, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that network diagrams are kept updated, captures and manages the configuration information of virtually all devices connected to your network, tracks performance, and generates alerts when potential issues are detected. By automating time-consuming network management activities, WAN Watch can cut hours off ordinary tasks like making network diagrams, reconfiguring your network, finding appliances that need critical software patches, or resolving performance issues. Learn more details about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management techniques to keep your IT system running efficiently by checking the state of the critical assets that drive your information system. When ProSight LAN Watch detects a problem, an alert is sent automatically to your specified IT personnel and your Progent consultant so all looming issues can be addressed before they can impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual machine host set up and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting model, the customer owns the data, the OS software, and the applications. Because the system is virtualized, it can be moved immediately to a different hosting environment without requiring a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and protect information related to your network infrastructure, procedures, applications, and services. You can instantly find passwords or IP addresses and be alerted about impending expirations of SSL certificates, domains or warranties. By updating and organizing your network documentation, you can eliminate as much as half of the time wasted searching for critical information about your IT network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents required for managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're planning enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you require when you need it. Find out more about ProSight IT Asset Management service.