Crypto-Ransomware: Your Worst Information Technology Disaster
Ransomware has become an escalating cyberplague that represents an existential danger for businesses of all sizes vulnerable to an assault. Different iterations of ransomware like the CrySIS, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for many years and continue to cause harm. The latest variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, as well as frequent unnamed malware, not only encrypt online files but also infiltrate all accessible system backups. Information synched to off-site disaster recovery sites can also be encrypted. In a vulnerable data protection solution, this can render any restore operations useless and effectively sets the datacenter back to zero.

Getting back services and data following a ransomware outage becomes a race against time as the targeted organization fights to stop the spread and remove the virus and to restore mission-critical operations. Because ransomware needs time to move laterally, attacks are frequently sprung at night, when penetrations in many cases take more time to recognize. This compounds the difficulty of promptly assembling and organizing an experienced mitigation team.

Progent provides a range of services for protecting businesses from crypto-ransomware penetrations. Among these are team education to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of modern security solutions with AI capabilities to intelligently discover and quarantine zero-day cyber threats. Progent in addition offers the assistance of veteran ransomware recovery professionals with the skills and commitment to rebuild a breached environment as soon as possible.

Progent's Ransomware Recovery Support Services
After a crypto-ransomware penetration, even paying the ransom demands in Bitcoin cryptocurrency does not ensure that criminal gangs will respond with the keys to decrypt all your files. Kaspersky Labs estimated that seventeen percent of ransomware victims never restored their information even after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is well above the typical ransomware demands, which ZDNET estimates to be in the range of $13,000. The other path is to set up from scratch the essential components of your Information Technology environment. Without access to full data backups, this requires a broad complement of IT skills, professional project management, and the ability to work continuously until the job is done.

For decades, Progent has provided expert IT services for companies in Mission Viejo and across the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have been awarded high-level industry certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally-recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise in financial systems and ERP software solutions. This breadth of experience affords Progent the skills to quickly ascertain necessary systems and organize the surviving parts of your Information Technology environment following a ransomware attack and rebuild them into an operational system.

Progent's security group has best of breed project management systems to coordinate the sophisticated recovery process. Progent appreciates the importance of acting swiftly and in unison with a client's management and IT team members to prioritize tasks and to put essential applications back online as soon as humanly possible.

Customer Case Study: A Successful Ransomware Incident Recovery
A business engaged Progent after their network was taken over by Ryuk ransomware. Ryuk is thought to have been launched by North Korean state criminal gangs, suspected of adopting technology exposed from the U.S. National Security Agency. Ryuk targets specific companies with little or no ability to sustain operational disruption and is one of the most lucrative iterations of ransomware. Highly publicized victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in the Chicago metro area and has about 500 workers. The Ryuk penetration had frozen all essential operations and manufacturing capabilities. Most of the client's system backups had been online at the start of the attack and were destroyed. The client was taking steps to pay the ransom demand (exceeding $200,000) and praying for the best, but in the end brought in Progent.

"I can't say enough in regards to the care Progent provided us during the most stressful time of (our) business's life. We would have paid the cyber criminals behind the attack except for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail system and key applications back sooner than five days was amazing. Every single expert I talked with or communicated with at Progent was absolutely committed on getting us working again and was working day and night on our behalf."

Progent worked hand in hand with the client to rapidly determine and prioritize the most important systems that had to be restored to make it possible to restart business operations:

  • Active Directory (AD)
  • Microsoft Exchange
  • MRP System

To get going, Progent followed industry best practices for AV/malware event mitigation by halting the spread and cleaning up infected systems. Progent then started the work of restoring Microsoft AD, the key technology of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange Server email will not operate without Active Directory, and the business's MRP software utilized SQL Server, which needs Windows AD for access to the information.

Within two days, Progent was able to rebuild Windows Active Directory to its pre-penetration state. Progent then initiated setup and storage recovery on critical systems. All Microsoft Exchange Server data and configuration information were intact, which accelerated the restore of Exchange. Progent was able to assemble non-encrypted OST files (Outlook Email Off-Line Data Files) on team workstations and laptops to recover mail messages. A recent offline backup of the customer's accounting/MRP systems made it possible to make these required programs available to users again. Although significant work was left to recover completely from the Ryuk attack, critical systems were restored quickly:


"For the most part, the production manufacturing operation never missed a beat and we delivered all customer shipments."

During the following couple of weeks key milestones in the recovery process were accomplished in close collaboration between Progent engineers and the client:

  • Internal web sites were returned to operation without losing any data.
  • The MailStore Microsoft Exchange Server with over four million historical messages was brought online and available for users.
  • CRM/Product Ordering/Invoices/AP/AR/Inventory functions were 100% functional.
  • A new Palo Alto 850 security appliance was brought online.
  • Nearly all of the desktops and laptops were fully operational.

"A lot of what happened in the early hours is mostly a blur for me, but our team will not forget the urgency each of your team accomplished to give us our company back. I've entrusted Progent for at least 10 years, possibly more, and every time I needed help Progent has impressed me and delivered. This situation was a stunning achievement."

Conclusion
A probable business catastrophe was averted due to hard-working professionals, a wide array of technical expertise, and tight teamwork. Although in retrospect the ransomware attack described here should have been prevented with current cyber security solutions and security best practices, user training, and properly executed incident response procedures for information protection and proper patching controls, the reality remains that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by a crypto-ransomware incident, remember that Progent's team of professionals has extensive experience in ransomware virus defense, removal, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for letting me get rested after we got over the first week. All of you did an amazing effort, and if any of your team is in the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Mission Viejo a portfolio of remote monitoring and security evaluation services to help you to minimize your vulnerability to ransomware. These services include modern artificial intelligence technology to detect new strains of crypto-ransomware that are able to escape detection by traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates cutting edge behavior-based analysis tools to defend physical and virtual endpoints against modern malware attacks like ransomware and file-less exploits, which easily evade legacy signature-matching anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a unified platform to manage the complete malware attack progression including protection, detection, mitigation, remediation, and forensics. Key capabilities include single-click rollback with Windows VSS and automatic system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection managed services deliver affordable in-depth security for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and reacting to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, penetration alerts, endpoint control, and web filtering via cutting-edge tools packaged within one agent managed from a unified console. Progent's security and virtualization experts can assist you to plan and implement a ProSight ESP deployment that meets your company's unique needs and that helps you achieve and demonstrate compliance with government and industry data protection standards. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for urgent attention. Progent can also assist your company to set up and test a backup and disaster recovery solution like ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized businesses an affordable end-to-end service for secure backup/disaster recovery (BDR). For a fixed monthly rate, ProSight Data Protection Services automates and monitors your backup activities and enables fast recovery of critical files, applications and virtual machines that have become lost or damaged as a result of hardware failures, software glitches, disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to an on-premises storage device, or to both. Progent's cloud backup specialists can deliver world-class expertise to set up ProSight Data Protection Services to be compliant with regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, when needed, can help you to restore your critical information. Read more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top data security vendors to deliver web-based control and world-class security for all your email traffic. The hybrid architecture of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises security gateway appliance to provide complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's cloud filter acts as a preliminary barricade and blocks most threats from making it to your security perimeter. This decreases your exposure to external threats and saves system bandwidth and storage. Email Guard's onsite security gateway appliance adds a further layer of analysis for incoming email. For outbound email, the on-premises security gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email that stays inside your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller businesses to diagram, monitor, optimize and troubleshoot their connectivity appliances like routers and switches, firewalls, and wireless controllers as well as servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology diagrams are kept current, captures and displays the configuration information of virtually all devices connected to your network, tracks performance, and generates alerts when potential issues are detected. By automating time-consuming management and troubleshooting processes, ProSight WAN Watch can cut hours off common chores like network mapping, reconfiguring your network, finding appliances that require important updates, or resolving performance issues. Find out more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) technology to help keep your network operating efficiently by tracking the state of critical computers that power your information system. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT management staff and your Progent engineering consultant so all potential problems can be addressed before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host set up and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the apps. Since the system is virtualized, it can be ported immediately to an alternate hardware solution without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and protect information about your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be alerted about upcoming expirations of SSLs, domains or warranties. By cleaning up and organizing your IT infrastructure documentation, you can save as much as 50% of time thrown away searching for vital information about your network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents related to managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're planning improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need when you need it. Read more about ProSight IT Asset Management service.
For Mission Viejo 24/7/365 CryptoLocker Remediation Support Services, contact Progent at 800-993-9400 or go to Contact Progent.