Crypto-Ransomware : Your Feared IT Nightmare
Crypto-ransomware has become a modern cyber plague and an existential threat to organizations that are not prepared for an attack. Ransomware families such as Dharma, Fusob, Locky and MongoLock, along with lock-out scams that abuse the Windows Syskey utility, have been circulating for years and continue to inflict damage. Newer strains such as Ryuk (built on the earlier Hermes code), plus a steady stream of as yet unnamed newcomers, not only encrypt online data but also destroy any reachable restore points, shadow copies and backups before doing so. Data synchronized to cloud storage can also be lost, because the sync client faithfully uploads the encrypted versions; only point-in-time versioning or an isolated copy survives. In a poorly architected data protection design this makes automated recovery hopeless and effectively sets the network back to square one.
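
The destruction of shadow copies and recovery settings that the paragraph above describes is usually carried out with a handful of built-in Windows commands before encryption starts, which makes it a reliable detection point. As an added illustration (not code from Progent or this case study), the following PowerShell flags those commands, first over a few constructed process-creation records and then, for live use, over Security event 4688. The patterns, host names and user names are assumptions.

```powershell
# Added example (not Progent's code): flag process-creation command lines that
# destroy shadow copies, backup catalogs or Windows recovery, the step most
# crypto-ransomware takes before encrypting so that "system restore" is useless.
# Patterns are assumptions drawn from commonly documented ransomware behaviour.
$BackupTamperPatterns = @(
    'vssadmin\S*\s+delete\s+shadows',
    'vssadmin\S*\s+resize\s+shadowstorage',
    'wmic\S*\s+shadowcopy\s+delete',
    'Win32_ShadowCopy.*\bDelete\b',
    'wbadmin\S*\s+delete\s+(catalog|systemstatebackup)',
    'bcdedit\S*\s+.*recoveryenabled\s+no',
    'bcdedit\S*\s+.*bootstatuspolicy\s+ignoreallfailures'
)

# Returns the first matching pattern, or $null when the command line is benign.
function Test-BackupTamperingCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($p in $BackupTamperPatterns) {
        if ($CommandLine -imatch $p) { return $p }
    }
    return $null
}

# Constructed sample records standing in for Security 4688 / Sysmon 1 events.
$SampleEvents = @(
    [pscustomobject]@{ Host='WS-017';  User='CORP\jdoe';       CommandLine='"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet' },
    [pscustomobject]@{ Host='WS-017';  User='CORP\jdoe';       CommandLine='wmic.exe shadowcopy delete' },
    [pscustomobject]@{ Host='SRV-FS1'; User='CORP\svc_backup'; CommandLine='vssadmin.exe list shadows' },
    [pscustomobject]@{ Host='WS-017';  User='CORP\jdoe';       CommandLine='bcdedit /set {default} recoveryenabled No' },
    [pscustomobject]@{ Host='WS-042';  User='CORP\asmith';     CommandLine='"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"' }
)

# Only the three tampering commands are reported; the listing and Outlook launch are not.
$SampleEvents | ForEach-Object {
    $hit = Test-BackupTamperingCommand -CommandLine $_.CommandLine
    if ($hit) { [pscustomobject]@{ Host=$_.Host; User=$_.User; Pattern=$hit; CommandLine=$_.CommandLine } }
} | Format-Table -AutoSize

# Live use: scan recent 4688 events in the Security log. The CommandLine field is
# only populated when the "Include command line in process creation events"
# policy is enabled; without it this function returns nothing.
function Get-BackupTamperingEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName='Security'; Id=4688; StartTime=(Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $cmd  = ($data | Where-Object Name -eq 'CommandLine').'#text'
        if ($cmd -and (Test-BackupTamperingCommand -CommandLine $cmd)) {
            [pscustomobject]@{ Time=$_.TimeCreated; Host=$_.MachineName; CommandLine=$cmd }
        }
    }
}
```

A hit on any of these patterns from an ordinary user account is a strong signal, but a single detection is only useful if the backups themselves are out of the attacker's reach: the shadow copies will already be gone by the time the alert fires, so an offline or immutable copy is what turns the detection into a recovery.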

Getting applications and data back online after a ransomware outage becomes a race against the clock as the victim tries to stop lateral movement, eradicate the ransomware, and restore mission-critical activity. Because encrypting a whole network takes time, operators frequently trigger the attack at night or over a weekend, when a successful intrusion typically goes unnoticed for longer. This multiplies the difficulty of rapidly assembling and coordinating a capable response team.

Progent offers a range of services for protecting organizations from ransomware events. Among these are staff training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of next-generation security gateways with machine learning technology to automatically discover and suppress zero-day cyber threats. Progent also offers the assistance of expert ransomware recovery engineers with the talent and perseverance to rebuild a breached environment as urgently as possible.

Progent's Crypto-Ransomware Restoration Services
After a ransomware penetration, even paying the ransom in cryptocurrency does not guarantee that the criminals will respond with the keys to decrypt all your data. Kaspersky Labs found that seventeen percent of crypto-ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also costly. Ryuk ransoms commonly range from 15 to 40 BTC ($120,000 to $400,000 at the time), far higher than the typical ransomware demand, which ZDNet estimated at roughly $13,000. The alternative is to rebuild the essential components of your IT environment from scratch. Without usable backups, this requires a wide complement of skills, well-coordinated team management, and the ability to work around the clock until the job is done.

For decades, Progent has made available expert IT services for companies in Mission Viejo and throughout the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have attained advanced industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have garnered internationally-recognized industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent also has expertise in financial systems and ERP applications. This breadth of experience affords Progent the skills to efficiently determine important systems and re-organize the remaining pieces of your Information Technology environment following a ransomware event and rebuild them into an operational network.

Progent's security team uses top-notch project management applications to orchestrate the complex recovery process. Progent understands the urgency of acting quickly and of working with a client's management and IT staff to prioritize tasks and get key systems back online as fast as humanly possible.

Client Story: A Successful Crypto-Ransomware Virus Response
A client hired Progent after its organization was penetrated by the Ryuk ransomware. Ryuk shares code with the earlier Hermes ransomware, which led to early reports attributing it to North Korean state-sponsored hackers; later analysis attributed Ryuk's operations to a Russian-speaking criminal group. Ryuk is deployed against specific organizations with little tolerance for downtime and is among the most lucrative ransomware operations. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company based in Chicago with around 500 employees. The Ryuk intrusion had shut down all business and manufacturing operations. Most of the client's backups had been online and reachable when the attack began and were destroyed. The client considered paying the ransom (more than $200,000) and hoping for the best, but ultimately called Progent.


"I cannot speak enough about the care Progent provided us during the most stressful time of (our) business's life. We most likely would have paid the cybercriminals if not for the confidence the Progent team provided us. That you could get our messaging and important applications back on-line quicker than 1 week was incredible. Every single staff member I got help from or texted at Progent was urgently focused on getting our system up and was working 24 by 7 on our behalf."

Progent worked with the client to rapidly identify and prioritize the critical areas that had to be restored in order to resume company operations:

  • Microsoft Active Directory
  • Email
  • Accounting and Manufacturing Software
To begin, Progent followed incident response best practices by isolating and cleaning compromised systems. Progent then began the task of bringing Active Directory back online, since it is the core of an enterprise network built on Windows Server. Microsoft Exchange Server will not run without Active Directory, and the customer's MRP system used Microsoft SQL Server with Windows integrated authentication, which also depends on Active Directory for access to its databases.

Within two days, Progent restored Active Directory to its pre-intrusion state. Progent then rebuilt key application servers and recovered data from their disks. All Exchange Server schema and configuration information was intact, which simplified the Exchange restore. Progent collected the local OST files (Outlook Offline Data Files, the cached copy of each mailbox) from user PCs and laptops in order to recover mail messages. A recent offline backup of the client's manufacturing software made it possible to bring those required services back online for users. Although major work remained to recover completely from the Ryuk event, core services were returned to operation rapidly:


"For the most part, the production manufacturing operation showed little impact and we produced all customer shipments."
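
The OST recovery step in the account above, as an added PowerShell example that is not Progent's code: it inventories .ost files on workstations over the administrative share, checks each file's header so that an OST the ransomware already encrypted is not mistaken for usable mail, and copies intact files to a recovery share with a SHA-256 hash. The host names, share path and demonstration files are assumptions.

```powershell
# Added example (not Progent's code): inventory Outlook .ost files on domain
# workstations, check each still carries the PST/OST header magic "!BDN" (a
# ransomware-encrypted file will not), and copy intact ones to a recovery share
# with a SHA-256 hash. Host names and the share path are assumptions.

function Test-OstHeader {
    param([Parameter(Mandatory)][string]$Path)
    # Every PST/OST begins with the 4 bytes 0x21 0x42 0x44 0x4E ("!BDN").
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 4
        $n   = $fs.Read($buf, 0, 4)
        return ($n -eq 4 -and [System.Text.Encoding]::ASCII.GetString($buf) -eq '!BDN')
    } finally { $fs.Dispose() }
}

function Get-OstInventory {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$Destination,   # e.g. \\RECOVERY01\ost$ (assumed)
        [switch]$Copy
    )
    foreach ($c in $ComputerName) {
        $usersRoot = "\\$c\c`$\Users"
        if (-not (Test-Path -LiteralPath $usersRoot)) { Write-Warning "$c unreachable, skipping"; continue }
        # Default OST location. Outlook must be closed on the host or the file is locked.
        Get-ChildItem -Path "$usersRoot\*\AppData\Local\Microsoft\Outlook\*.ost" -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $user = if ($file.FullName -match '\\Users\\([^\\]+)\\') { $Matches[1] } else { 'unknown' }
            $intact = $null    # $null: unreadable (locked); $false: header missing, likely encrypted
            try { $intact = Test-OstHeader -Path $file.FullName }
            catch { Write-Warning "$($file.FullName): $($_.Exception.Message)" }
            $dest = $null
            if ($intact -and $Copy) {
                $userDir = Join-Path (Join-Path $Destination $c) $user
                New-Item -ItemType Directory -Path $userDir -Force | Out-Null
                $dest = Join-Path $userDir $file.Name
                Copy-Item -LiteralPath $file.FullName -Destination $dest -Force
            }
            [pscustomobject]@{
                Host      = $c
                User      = $user
                Path      = $file.FullName
                SizeMB    = [math]::Round($file.Length / 1MB, 1)
                LastWrite = $file.LastWriteTime
                HeaderOK  = $intact
                SHA256    = $(if ($intact) { (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash } else { $null })
                CopiedTo  = $dest
            }
        }
    }
}

# Offline demonstration with two constructed 64-byte files: one with the real
# header, one with arbitrary leading bytes standing in for an encrypted OST.
function New-DemoFile([string]$Path, [byte[]]$Header) {
    $bytes = New-Object byte[] 64
    [Array]::Copy($Header, $bytes, $Header.Length)
    [System.IO.File]::WriteAllBytes($Path, $bytes)
}
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'ost-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
New-DemoFile (Join-Path $demo 'intact.ost')    ([byte[]](0x21,0x42,0x44,0x4E))
New-DemoFile (Join-Path $demo 'encrypted.ost') ([byte[]](0x8F,0x11,0xA3,0x07))
Get-ChildItem $demo -Filter *.ost | ForEach-Object {
    [pscustomobject]@{ File = $_.Name; HeaderOK = (Test-OstHeader -Path $_.FullName) }
}

# Live use (assumed names):
# Get-OstInventory -ComputerName WS-017,WS-042 -Destination '\\RECOVERY01\ost$' -Copy |
#     Export-Csv -NoTypeInformation ost-inventory.csv
```

Two caveats a practitioner would want: an OST only holds what Outlook's cached mode had synchronized, so it is a partial copy of the mailbox rather than a backup, and it is bound to the profile that created it, so getting the mail back into Exchange means re-creating the mailbox and importing, or converting the file with a separate tool. The header check is deliberately cheap; a file that passes it has not been overwritten by the ransomware, but only a full import proves the mail inside is usable.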

During the next few weeks important milestones in the restoration project were accomplished in close cooperation between Progent engineers and the customer:

  • Self-hosted web sites were returned to operation without losing any data.
  • The MailStore email archive, holding more than four million historical messages, was brought back online and made accessible to users.
  • CRM/Orders/Invoices/AP/Accounts Receivables/Inventory Control capabilities were 100% restored.
  • A new Palo Alto Networks PA-850 firewall was installed.
  • Nearly all user desktops were back in service.

"A lot of what happened that first week is nearly entirely a fog for me, but I will not soon forget the commitment all of you accomplished to help get our business back. I've entrusted Progent for the past ten years, possibly more, and each time Progent has outperformed my expectations and delivered. This situation was a Herculean accomplishment."

Conclusion
A potential business-ending catastrophe was averted through hard-working professionals, a broad range of knowledge, and tight collaboration. In hindsight, the crypto-ransomware incident described here could have been detected and contained with current security tooling and best practices: user and IT administrator education, offline or otherwise isolated backups that are tested regularly, and disciplined software patching. But well-resourced attackers, including state-sponsored groups from China, North Korea and elsewhere, are relentless and are not going away. If you are hit by ransomware, Progent's roster of experts has extensive experience in ransomware blocking, cleanup, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), I'm grateful for letting me get some sleep after we got past the initial push. Everyone did an amazing job, and if anyone is around the Chicago area, a great meal is my treat!"

To read or download a PDF version of this customer story, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Mission Viejo a portfolio of online monitoring and security assessment services to help you to minimize your vulnerability to crypto-ransomware. These services include next-generation machine learning capability to detect new variants of ransomware that are able to escape detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates next generation behavior analysis tools to guard physical and virtual endpoints against modern malware assaults like ransomware and file-less exploits, which routinely escape legacy signature-matching anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a single platform to manage the entire malware attack lifecycle including blocking, identification, containment, remediation, and forensics. Top features include one-click rollback using Windows VSS and automatic system-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services offer economical in-depth protection for physical and virtual servers, desktops, mobile devices, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, penetration alerts, endpoint management, and web filtering through leading-edge tools packaged within one agent accessible from a unified console. Progent's data protection and virtualization experts can help you to plan and implement a ProSight ESP environment that meets your organization's unique requirements and that helps you demonstrate compliance with legal and industry information protection regulations. Progent will assist you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require urgent action. Progent's consultants can also assist you to install and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and mid-sized organizations an affordable end-to-end service for reliable backup and disaster recovery. For a low monthly cost, ProSight DPS automates your backup processes and enables fast recovery of vital data, applications and VMs that have become unavailable or corrupted due to hardware failures, software bugs, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, plus Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to a local device, or to both. Progent's backup and recovery consultants can provide world-class support to configure ProSight DPS to be compliant with government and industry regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can help you to restore your critical information. Find out more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading data security vendors to provide web-based control and world-class security for your email traffic. The hybrid structure of Progent's Email Guard combines a Cloud Protection Layer with a local gateway device to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and blocks the vast majority of threats from reaching your network firewall. This decreases your vulnerability to external attacks and saves system bandwidth and storage space. Email Guard's onsite security gateway appliance provides a deeper level of analysis for inbound email. For outbound email, the on-premises security gateway provides AV and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to track and safeguard internal email traffic that stays inside your security perimeter. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to map, track, enhance and troubleshoot their networking appliances like routers and switches, firewalls, and wireless controllers as well as servers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology maps are kept updated, captures and displays the configuration of almost all devices on your network, tracks performance, and sends alerts when issues are detected. By automating time-consuming management and troubleshooting processes, WAN Watch can knock hours off ordinary chores like network mapping, expanding your network, locating appliances that need critical software patches, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to help keep your IT system operating efficiently by tracking the state of critical assets that power your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your specified IT staff and your assigned Progent engineering consultant so that any potential issues can be resolved before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected fault tolerant data center on a fast virtual host set up and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the applications. Because the system is virtualized, it can be moved easily to an alternate hardware environment without requiring a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and safeguard data about your IT infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates, domains or warranties. By updating and managing your network documentation, you can eliminate up to half of the time spent looking for vital information about your network. ProSight IT Asset Management includes a common repository for holding and sharing all documents required for managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're planning improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.
For 24-7 Mission Viejo crypto-ransomware recovery help, reach out to Progent at 800-993-9400 or go to Contact Progent.