Crypto-Ransomware : Your Feared IT Disaster
Ransomware  Remediation ExpertsRansomware has become an escalating cyberplague that poses an extinction-level threat for businesses of all sizes poorly prepared for an assault. Different iterations of ransomware like the Reveton, Fusob, Locky, SamSam and MongoLock cryptoworms have been running rampant for a long time and continue to cause damage. Newer versions of ransomware such as Ryuk and Hermes, as well as more unnamed malware, not only do encryption of on-line data files but also infiltrate most accessible system restores and backups. Information synched to off-site disaster recovery sites can also be rendered useless. In a poorly architected data protection solution, this can render automatic restoration hopeless and effectively knocks the datacenter back to square one.

Getting back on-line services and information following a ransomware attack becomes a sprint against the clock as the targeted business struggles to stop the spread and remove the crypto-ransomware and to restore business-critical activity. Since crypto-ransomware needs time to spread, assaults are usually launched during nights and weekends, when attacks typically take longer to notice. This multiplies the difficulty of rapidly marshalling and coordinating a knowledgeable response team.

Progent offers an assortment of support services for protecting organizations from crypto-ransomware penetrations. These include user education to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of the latest generation security appliances with artificial intelligence capabilities to quickly detect and disable new cyber threats. Progent in addition can provide the services of seasoned ransomware recovery engineers with the talent and commitment to rebuild a compromised network as quickly as possible.

Progent's Ransomware Recovery Support Services
Soon after a crypto-ransomware penetration, sending the ransom in Bitcoin cryptocurrency does not ensure that merciless criminals will provide the needed keys to unencrypt any of your data. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their data even after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the typical ransomware demands, which ZDNET averages to be around $13,000. The other path is to piece back together the mission-critical components of your IT environment. Absent the availability of complete data backups, this calls for a wide range of IT skills, well-coordinated project management, and the willingness to work continuously until the task is complete.

For two decades, Progent has made available professional IT services for companies in Seattle and across the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have attained high-level certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have garnered internationally-renowned industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has expertise in accounting and ERP application software. This breadth of experience gives Progent the ability to knowledgably understand critical systems and organize the surviving components of your computer network system after a ransomware penetration and assemble them into a functioning system.

Progent's ransomware group has state-of-the-art project management systems to orchestrate the complex recovery process. Progent knows the urgency of working rapidly and in unison with a customerís management and IT team members to assign priority to tasks and to get the most important services back on-line as soon as humanly possible.

Customer Story: A Successful Crypto-Ransomware Virus Restoration
A customer engaged Progent after their network system was penetrated by the Ryuk ransomware. Ryuk is believed to have been created by North Korean state sponsored cybercriminals, possibly using strategies leaked from Americaís National Security Agency. Ryuk attacks specific companies with little room for disruption and is among the most lucrative instances of crypto-ransomware. Major organizations include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company headquartered in Chicago and has around 500 employees. The Ryuk event had brought down all essential operations and manufacturing capabilities. The majority of the client's data backups had been online at the beginning of the intrusion and were destroyed. The client was pursuing financing for paying the ransom (more than $200K) and wishfully thinking for the best, but ultimately utilized Progent.


"I cannot tell you enough about the care Progent provided us during the most stressful time of (our) companyís life. We may have had to pay the hackers behind this attack if it wasnít for the confidence the Progent group gave us. The fact that you could get our messaging and key servers back online sooner than one week was something I thought impossible. Every single expert I interacted with or e-mailed at Progent was absolutely committed on getting our company operational and was working breakneck pace on our behalf."

Progent worked hand in hand the customer to quickly identify and assign priority to the critical services that needed to be recovered in order to resume business operations:

  • Active Directory (AD)
  • E-Mail
  • Financials/MRP
To begin, Progent followed AV/Malware Processes penetration mitigation best practices by halting lateral movement and cleaning up infected systems. Progent then began the task of bringing back online Active Directory, the core of enterprise environments built on Microsoft Windows technology. Microsoft Exchange Server email will not function without Active Directory, and the customerís MRP applications used SQL Server, which needs Windows AD for security authorization to the information.

In less than 2 days, Progent was able to re-build Active Directory services to its pre-penetration state. Progent then assisted with reinstallations and storage recovery on essential systems. All Exchange schema and attributes were usable, which greatly helped the rebuild of Exchange. Progent was also able to locate non-encrypted OST data files (Outlook Off-Line Data Files) on staff workstations to recover email information. A not too old offline backup of the customerís accounting systems made it possible to recover these required applications back online for users. Although a large amount of work still had to be done to recover completely from the Ryuk virus, the most important systems were returned to operations quickly:


"For the most part, the production manufacturing operation ran fairly normal throughout and we did not miss any customer sales."

Over the following few weeks important milestones in the restoration project were made in close collaboration between Progent engineers and the customer:

  • Self-hosted web applications were brought back up without losing any information.
  • The MailStore Server containing more than 4 million archived emails was spun up and accessible to users.
  • CRM/Orders/Invoicing/AP/Accounts Receivables/Inventory Control capabilities were 100% operational.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • Most of the user PCs were back into operation.

"A lot of what transpired that first week is nearly entirely a haze for me, but my team will not forget the care all of you put in to give us our business back. Iíve entrusted Progent for at least 10 years, possibly more, and every time Progent has outperformed my expectations and delivered as promised. This event was a testament to your capabilities."

Conclusion
A potential business catastrophe was dodged by hard-working experts, a broad spectrum of knowledge, and close collaboration. Although in analyzing the event afterwards the ransomware incident detailed here would have been identified and prevented with up-to-date cyber security solutions and security best practices, user and IT administrator education, and properly executed security procedures for data protection and proper patching controls, the reality remains that state-sponsored cybercriminals from Russia, China and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware incursion, remember that Progent's roster of professionals has extensive experience in ransomware virus defense, removal, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thanks very much for making it so I could get rested after we got past the initial push. All of you did an fabulous effort, and if anyone is visiting the Chicago area, a great meal is on me!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Seattle a portfolio of remote monitoring and security evaluation services designed to assist you to reduce your vulnerability to crypto-ransomware. These services utilize modern AI technology to detect zero-day variants of ransomware that can evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates next generation behavior analysis technology to guard physical and virtual endpoint devices against new malware assaults like ransomware and file-less exploits, which easily escape traditional signature-based AV tools. ProSight Active Security Monitoring protects local and cloud-based resources and offers a single platform to automate the entire malware attack progression including protection, detection, containment, cleanup, and post-attack forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer security for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP offers two-way firewall protection, penetration alerts, endpoint control, and web filtering via leading-edge tools incorporated within a single agent managed from a unified console. Progent's security and virtualization experts can assist your business to plan and configure a ProSight ESP deployment that meets your company's unique requirements and that allows you achieve and demonstrate compliance with legal and industry data security regulations. Progent will assist you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require immediate attention. Progent can also help you to install and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized organizations a low cost and fully managed solution for secure backup/disaster recovery. For a fixed monthly price, ProSight Data Protection Services automates your backup activities and allows fast recovery of critical files, applications and virtual machines that have become lost or corrupted as a result of hardware failures, software bugs, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to an on-promises storage device, or mirrored to both. Progent's cloud backup specialists can deliver advanced support to set up ProSight Data Protection Services to to comply with regulatory standards such as HIPAA, FINRA, and PCI and, when necessary, can help you to recover your business-critical data. Find out more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading information security vendors to deliver web-based control and comprehensive protection for your inbound and outbound email. The hybrid architecture of Email Guard integrates cloud-based filtering with a local security gateway appliance to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne malware. The Cloud Protection Layer serves as a first line of defense and blocks most unwanted email from reaching your network firewall. This reduces your vulnerability to external threats and saves system bandwidth and storage. Email Guard's on-premises gateway device provides a further level of inspection for inbound email. For outgoing email, the local security gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that stays within your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to map, monitor, enhance and debug their connectivity hardware like switches, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Incorporating cutting-edge RMM technology, WAN Watch ensures that network maps are kept updated, copies and manages the configuration of almost all devices on your network, monitors performance, and sends notices when issues are detected. By automating tedious network management processes, WAN Watch can cut hours off common chores like making network diagrams, expanding your network, locating appliances that need important updates, or resolving performance problems. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your IT system operating efficiently by tracking the state of critical assets that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your specified IT staff and your assigned Progent engineering consultant so that any potential issues can be resolved before they have a chance to impact productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual host set up and maintained by Progent's network support experts. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the apps. Since the environment is virtualized, it can be ported immediately to an alternate hosting solution without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and protect data about your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your IT infrastructure documentation, you can eliminate up to half of time thrown away looking for vital information about your network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents related to managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT information. Whether youíre planning improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need the instant you need it. Find out more about ProSight IT Asset Management service.
For 24/7 Seattle Ransomware Recovery Support Services, reach out to Progent at 800-993-9400 or go to Contact Progent.