Crypto-Ransomware : Your Worst Information Technology Catastrophe
Ransomware Remediation Consultants
Ransomware has become a too-frequent cyberplague that represents an enterprise-level threat for businesses of all sizes vulnerable to an assault. Different iterations of crypto-ransomware like the Reveton, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for many years and still cause harm. Recent versions of crypto-ransomware like Ryuk and Hermes, along with daily as yet unnamed malware, not only encrypt on-line critical data but also infiltrate many configured system protection mechanisms. Information synched to cloud environments can also be corrupted. In a poorly designed data protection solution, this can render automatic restoration hopeless and basically sets the datacenter back to zero.

Getting back applications and data after a crypto-ransomware attack becomes a race against time as the targeted organization tries its best to contain and cleanup the ransomware and to restore enterprise-critical activity. Since crypto-ransomware takes time to replicate, assaults are often launched during nights and weekends, when attacks in many cases take longer to identify. This compounds the difficulty of rapidly mobilizing and coordinating a knowledgeable mitigation team.

Progent makes available a variety of services for protecting organizations from ransomware attacks. Among these are team member education to become familiar with and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of the latest generation security solutions with AI technology to rapidly discover and suppress new threats. Progent also provides the assistance of expert ransomware recovery professionals with the skills and commitment to re-deploy a compromised system as soon as possible.

Progent's Ransomware Recovery Services
Subsequent to a ransomware penetration, even paying the ransom in cryptocurrency does not provide any assurance that merciless criminals will respond with the needed keys to decrypt all your files. Kaspersky determined that seventeen percent of ransomware victims never restored their information after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above the usual crypto-ransomware demands, which ZDNET determined to be in the range of $13,000. The other path is to re-install the key elements of your IT environment. Absent access to essential data backups, this requires a broad range of skill sets, well-coordinated team management, and the ability to work 24x7 until the job is finished.

For twenty years, Progent has made available professional IT services for companies in Vacaville and across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have been awarded top certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have earned internationally-renowned industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience in accounting and ERP applications. This breadth of experience gives Progent the ability to quickly determine necessary systems and consolidate the surviving pieces of your network environment after a crypto-ransomware event and assemble them into an operational system.

Progent's recovery group deploys top notch project management systems to orchestrate the complicated restoration process. Progent appreciates the urgency of working swiftly and together with a customer's management and Information Technology resources to prioritize tasks and to get essential services back on line as soon as humanly possible.

Case Study: A Successful Crypto-Ransomware Intrusion Response
A business hired Progent after their company was brought down by Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean state hackers, suspected of using algorithms leaked from America's NSA organization. Ryuk attacks specific companies with little tolerance for operational disruption and is one of the most profitable versions of ransomware malware. Major targets include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing company located in Chicago with around 500 workers. The Ryuk attack had paralyzed all business operations and manufacturing processes. Most of the client's information backups had been on-line at the beginning of the attack and were encrypted. The client considered paying the ransom (in excess of two hundred thousand dollars) and praying for good luck, but ultimately utilized Progent.


"I cannot speak enough in regards to the expertise Progent gave us throughout the most fearful period of (our) company's survival. We would have paid the cyber criminals behind the attack if not for the confidence the Progent experts provided us. The fact that you were able to get our messaging and critical servers back on-line in less than one week was incredible. Every single person I worked with or e-mailed at Progent was hell bent on getting us back online and was working 24 by 7 on our behalf."

Progent worked hand in hand with the client to rapidly identify and prioritize the most important systems that had to be recovered in order to restart departmental operations:

  • Microsoft Active Directory
  • Email
  • Financials/MRP

To begin, Progent followed ransomware penetration mitigation industry best practices by halting lateral movement and disinfecting systems. Progent then began the steps of bringing back online Windows Active Directory, the key technology of enterprise networks built upon Microsoft technology. Microsoft Exchange Server email will not function without Active Directory, and the customer's MRP applications used Microsoft SQL Server, which requires Active Directory services for authentication to the database.

In less than 2 days, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then helped perform rebuilding and hard drive recovery on mission critical servers. All Microsoft Exchange Server data and attributes were intact, which accelerated the restore of Exchange. Progent was also able to collect non-encrypted OST data files (Outlook Off-Line Data Files) on team desktop computers in order to recover email data. A fairly recent offline backup of the business's accounting/ERP software made it possible to return these vital applications to service. Although a lot of work was left to recover fully from the Ryuk attack, critical services were recovered rapidly:


"For the most part, the assembly line operation was never shut down and we made all customer shipments."

During the next month key milestones in the recovery process were completed through close collaboration between Progent consultants and the customer:

  • Self-hosted web sites were restored without losing any data.
  • The MailStore Exchange Server archive, holding more than four million archived messages, was brought on-line and made available to users.
  • CRM/Customer Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory Control modules were fully functional.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • Nearly all of the desktop computers were fully operational.

"A huge amount of what happened in the early hours is nearly entirely a haze for me, but our team will not soon forget the urgency each of your team accomplished to help get our business back. I've been working with Progent for at least 10 years, maybe more, and every time I needed help Progent has come through and delivered. This situation was a testament to your capabilities."

Conclusion
A possible business-killing catastrophe was evaded by results-oriented professionals, a broad range of IT skills, and tight teamwork. Although in retrospect the ransomware virus attack detailed here could have been identified and blocked with current cyber security technology solutions and ISO/IEC 27001 best practices, staff training, and properly executed security procedures for information protection and proper patching controls, the fact remains that state-sponsored cyber criminals from Russia, China and elsewhere are relentless and are not going away. If you do get hit by a ransomware incursion, feel confident that Progent's roster of professionals has extensive experience in crypto-ransomware virus blocking, mitigation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were helping), thanks very much for allowing me to get some sleep after we made it through the initial fire. All of you did an impressive job, and if any of your team is visiting the Chicago area, a great meal is on me!"

To review or download a PDF version of this case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Vacaville a range of online monitoring and security assessment services to help you reduce the threat from ransomware. These services include modern machine learning technology to uncover zero-day variants of crypto-ransomware that can escape detection by traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates cutting edge behavior-based machine learning technology to defend physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which easily evade traditional signature-based AV products. ProSight ASM safeguards local and cloud resources and offers a unified platform to automate the entire threat progression including blocking, infiltration detection, mitigation, remediation, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services deliver economical in-depth protection for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP offers two-way firewall protection, penetration alerts, endpoint management, and web filtering through cutting-edge tools packaged within one agent managed from a unified console. Progent's data protection and virtualization experts can help your business to plan and implement a ProSight ESP environment that meets your company's unique needs and that allows you to achieve and demonstrate compliance with government and industry information security standards. Progent will assist you in defining and implementing the security policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that require immediate action. Progent can also assist your company to set up and verify a backup and restore system like ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized organizations an affordable end-to-end service for secure backup/disaster recovery (BDR). Available at a low monthly rate, ProSight DPS automates your backup activities and enables fast recovery of vital files, apps and virtual machines that have become lost or corrupted due to hardware breakdowns, software glitches, disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to an on-premises device, or to both. Progent's backup and recovery specialists can deliver advanced support to set up ProSight Data Protection Services to be compliant with regulatory requirements such as HIPAA, FERPA, PCI and Safe Harbor and, when needed, can assist you to recover your critical information. Learn more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of leading data security vendors to deliver web-based control and world-class protection for all your inbound and outbound email. The hybrid architecture of Progent's Email Guard integrates cloud-based filtering with an on-premises security gateway device to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The cloud filter serves as a preliminary barricade and blocks the vast majority of threats from making it to your security perimeter. This decreases your exposure to external threats and saves system bandwidth and storage. Email Guard's onsite security gateway appliance adds a deeper layer of inspection for inbound email. For outgoing email, the local security gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also assist Exchange Server to monitor and protect internal email traffic that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to map, track, reconfigure and debug their networking hardware such as routers and switches, firewalls, and wireless controllers plus servers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that network maps are always updated, captures and displays the configuration information of almost all devices on your network, monitors performance, and sends notices when problems are discovered. By automating time-consuming management and troubleshooting activities, WAN Watch can knock hours off common chores like network mapping, expanding your network, locating devices that need critical software patches, or resolving performance issues. Learn more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management techniques to keep your network running at peak levels by checking the health of critical computers that drive your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your specified IT personnel and your assigned Progent consultant so any looming problems can be addressed before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure Tier III data center on a fast virtual machine host set up and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be ported immediately to a different hardware environment without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, find and protect information related to your IT infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or warranties. By updating and organizing your IT infrastructure documentation, you can eliminate up to half of the time wasted trying to find vital information about your network. ProSight IT Asset Management features a centralized repository for holding and collaborating on all documents required for managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether you're planning enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

For Vacaville 24x7x365 Crypto Recovery Experts, call Progent at 800-993-9400 or go to Contact Progent.