Crypto-Ransomware : Your Worst Information Technology Disaster
Crypto-Ransomware  Remediation ProfessionalsCrypto-Ransomware has become an escalating cyberplague that represents an extinction-level threat for organizations poorly prepared for an attack. Different versions of ransomware such as CryptoLocker, Fusob, Locky, NotPetya and MongoLock cryptoworms have been out in the wild for a long time and still inflict destruction. Recent strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, as well as more unnamed malware, not only do encryption of on-line information but also infiltrate most available system backups. Information replicated to off-site disaster recovery sites can also be rendered useless. In a poorly designed system, it can make automated recovery useless and effectively knocks the network back to square one.

Getting back services and data following a ransomware outage becomes a sprint against the clock as the targeted business struggles to stop the spread and cleanup the virus and to restore enterprise-critical activity. Due to the fact that ransomware requires time to move laterally, attacks are usually sprung on weekends, when penetrations tend to take longer to detect. This multiplies the difficulty of promptly mobilizing and organizing an experienced response team.

Progent offers an assortment of help services for securing organizations from ransomware attacks. Among these are staff education to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of modern security solutions with machine learning technology to automatically discover and quarantine new cyber threats. Progent also provides the services of expert ransomware recovery consultants with the talent and perseverance to rebuild a compromised network as rapidly as possible.

Progent's Ransomware Restoration Services
Soon after a ransomware event, sending the ransom in cryptocurrency does not ensure that distant criminals will return the needed codes to unencrypt any or all of your files. Kaspersky Labs determined that 17% of ransomware victims never recovered their information even after having sent off the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well above the usual ransomware demands, which ZDNET estimates to be approximately $13,000. The other path is to re-install the critical components of your IT environment. Without the availability of complete data backups, this calls for a wide complement of IT skills, professional team management, and the capability to work non-stop until the job is over.

For twenty years, Progent has made available professional IT services for businesses in Vacaville and across the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have been awarded high-level certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have garnered internationally-renowned certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has expertise in financial management and ERP application software. This breadth of experience affords Progent the skills to knowledgably understand important systems and organize the surviving parts of your Information Technology environment following a ransomware penetration and configure them into a functioning system.

Progent's security group has best of breed project management applications to coordinate the complicated restoration process. Progent appreciates the importance of working quickly and in unison with a client's management and IT resources to prioritize tasks and to get essential services back online as fast as humanly possible.

Customer Story: A Successful Crypto-Ransomware Attack Response
A customer engaged Progent after their network system was crashed by the Ryuk ransomware virus. Ryuk is believed to have been launched by North Korean state cybercriminals, suspected of adopting techniques leaked from the United States National Security Agency. Ryuk targets specific companies with limited tolerance for disruption and is one of the most lucrative iterations of ransomware viruses. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing business located in Chicago with about 500 staff members. The Ryuk penetration had disabled all essential operations and manufacturing processes. The majority of the client's information backups had been on-line at the time of the attack and were destroyed. The client considered paying the ransom demand (in excess of $200,000) and praying for the best, but ultimately utilized Progent.


"I cannot thank you enough in regards to the expertise Progent gave us during the most fearful time of (our) companyís life. We would have paid the cyber criminals if not for the confidence the Progent group gave us. That you were able to get our e-mail system and critical servers back into operation quicker than five days was beyond my wildest dreams. Each expert I talked with or communicated with at Progent was laser focused on getting our company operational and was working all day and night to bail us out."

Progent worked with the client to rapidly understand and prioritize the critical areas that had to be addressed in order to restart company functions:

  • Microsoft Active Directory
  • Microsoft Exchange
  • Financials/MRP
To get going, Progent adhered to ransomware penetration response industry best practices by halting the spread and disinfecting systems. Progent then initiated the task of restoring Windows Active Directory, the key technology of enterprise networks built upon Microsoft technology. Microsoft Exchange Server messaging will not operate without Active Directory, and the client's MRP system utilized SQL Server, which depends on Active Directory services for access to the database.

In less than two days, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then initiated setup and storage recovery on critical systems. All Exchange data and configuration information were usable, which facilitated the restore of Exchange. Progent was able to assemble intact OST data files (Outlook Off-Line Data Files) on various desktop computers and laptops to recover mail messages. A not too old off-line backup of the customerís accounting/MRP systems made it possible to recover these required services back online. Although a lot of work still had to be done to recover totally from the Ryuk attack, the most important systems were recovered quickly:


"For the most part, the assembly line operation was never shut down and we produced all customer deliverables."

Over the next couple of weeks key milestones in the recovery project were made in tight cooperation between Progent consultants and the customer:

  • Self-hosted web sites were restored with no loss of information.
  • The MailStore Exchange Server containing more than 4 million archived emails was restored to operations and available for users.
  • CRM/Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory Control functions were completely operational.
  • A new Palo Alto Networks 850 firewall was deployed.
  • Ninety percent of the user desktops were functioning as before the incident.

"A lot of what went on during the initial response is mostly a blur for me, but my management will not forget the countless hours all of you accomplished to give us our company back. Iíve entrusted Progent for at least 10 years, maybe more, and each time I needed help Progent has shined and delivered. This event was a life saver."

Conclusion
A likely business-killing disaster was averted due to hard-working professionals, a broad array of subject matter expertise, and close teamwork. Although in post mortem the ransomware attack detailed here would have been identified and disabled with advanced cyber security systems and recognized best practices, team training, and appropriate security procedures for data protection and applying software patches, the reality remains that government-sponsored cybercriminals from China, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware penetration, remember that Progent's roster of professionals has a proven track record in ransomware virus defense, mitigation, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), Iím grateful for allowing me to get rested after we got over the initial fire. Everyone did an amazing job, and if anyone that helped is in the Chicago area, a great meal is my treat!"

To read or download a PDF version of this customer case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Vacaville a variety of online monitoring and security assessment services designed to help you to minimize your vulnerability to ransomware. These services include modern artificial intelligence capability to uncover zero-day strains of ransomware that can escape detection by legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes cutting edge behavior analysis tools to defend physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which routinely escape legacy signature-based anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a single platform to manage the complete malware attack progression including blocking, detection, containment, cleanup, and post-attack forensics. Key features include one-click rollback with Windows VSS and automatic system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer security for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint control, and web filtering through cutting-edge technologies packaged within one agent accessible from a single console. Progent's security and virtualization experts can assist you to design and implement a ProSight ESP deployment that addresses your company's specific needs and that helps you achieve and demonstrate compliance with legal and industry information security regulations. Progent will help you define and configure policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that require immediate action. Progent can also assist your company to install and test a backup and restore solution like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has partnered with advanced backup/restore technology companies to create ProSight Data Protection Services (DPS), a family of offerings that deliver backup-as-a-service (BaaS). ProSight DPS services manage and track your backup operations and enable transparent backup and rapid restoration of critical files/folders, applications, system images, plus Hyper-V and VMware virtual machines. ProSight DPS lets your business recover from data loss caused by equipment breakdown, natural disasters, fire, cyber attacks like ransomware, human mistakes, ill-intentioned insiders, or application bugs. Managed backup services in the ProSight Data Protection Services portfolio include ProSight Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to determine which of these fully managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading information security companies to deliver centralized control and world-class protection for all your email traffic. The powerful architecture of Email Guard managed service combines a Cloud Protection Layer with a local security gateway appliance to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne threats. The Cloud Protection Layer acts as a first line of defense and keeps most unwanted email from reaching your security perimeter. This reduces your exposure to external attacks and saves network bandwidth and storage. Email Guard's on-premises gateway device provides a deeper level of inspection for incoming email. For outgoing email, the on-premises gateway offers AV and anti-spam protection, DLP, and email encryption. The local gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email traffic that stays inside your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progentís ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized organizations to diagram, track, reconfigure and troubleshoot their connectivity appliances such as switches, firewalls, and access points as well as servers, printers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology maps are always current, captures and manages the configuration information of virtually all devices connected to your network, tracks performance, and sends alerts when problems are detected. By automating complex network management activities, WAN Watch can knock hours off ordinary tasks like network mapping, reconfiguring your network, finding devices that require important software patches, or isolating performance issues. Find out more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring service that uses advanced remote monitoring and management (RMM) techniques to help keep your network operating at peak levels by checking the health of critical computers that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your specified IT management personnel and your Progent engineering consultant so that all looming problems can be resolved before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual machine host configured and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the apps. Since the environment is virtualized, it can be ported easily to a different hardware environment without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and protect information about your network infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be warned automatically about impending expirations of SSLs or warranties. By cleaning up and organizing your network documentation, you can eliminate as much as 50% of time spent searching for critical information about your IT network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents required for managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether youíre planning improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that utilizes cutting edge behavior-based machine learning technology to defend endpoints and servers and VMs against new malware attacks like ransomware and email phishing, which routinely evade traditional signature-matching anti-virus tools. Progent Active Security Monitoring services protect on-premises and cloud resources and offers a unified platform to manage the complete malware attack lifecycle including filtering, infiltration detection, mitigation, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows VSS and automatic network-wide immunization against new attacks. Read more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Service Center: Call Center Managed Services
    Progent's Support Center services permit your IT staff to offload Help Desk services to Progent or divide activity for Help Desk services seamlessly between your internal support staff and Progent's extensive pool of IT service engineers and subject matter experts. Progent's Co-managed Service Desk provides a transparent extension of your in-house IT support resources. Client access to the Help Desk, delivery of support services, issue escalation, ticket creation and updates, efficiency metrics, and maintenance of the service database are consistent whether issues are resolved by your corporate support resources, by Progent's team, or a mix of the two. Find out more about Progent's outsourced/co-managed Help Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management offer businesses of any size a versatile and affordable solution for evaluating, validating, scheduling, implementing, and documenting software and firmware updates to your ever-evolving information system. In addition to optimizing the security and reliability of your computer network, Progent's patch management services free up time for your in-house IT staff to focus on line-of-business initiatives and tasks that deliver the highest business value from your network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo MFA managed services utilize Cisco's Duo technology to defend against password theft through the use of two-factor authentication. Duo enables single-tap identity verification on Apple iOS, Android, and other out-of-band devices. Using Duo 2FA, whenever you sign into a secured application and enter your password you are asked to confirm your identity on a device that only you have and that is accessed using a separate network channel. A broad selection of out-of-band devices can be used for this second means of ID validation including a smartphone or watch, a hardware/software token, a landline telephone, etc. You may designate multiple verification devices. For more information about ProSight Duo two-factor identity authentication services, go to Duo MFA two-factor authentication services.
For 24-Hour Vacaville CryptoLocker Remediation Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.