Ransomware : Your Worst IT Nightmare
Crypto-Ransomware Recovery Consultants
Crypto-ransomware has become an escalating cyber plague and an existential danger for organizations poorly prepared for an attack. Ransomware families such as Dharma, Fusob, Locky, SamSam and MongoLock have been circulating for years and still inflict harm. Newer strains such as Ryuk (itself derived from the Hermes ransomware), along with unnamed newcomers, not only encrypt online data but also delete Volume Shadow Copies and System Restore points and encrypt or wipe any backups reachable from the compromised host. Files synchronized to cloud storage are ransomed as well, because the encrypted copies sync over the originals. On a vulnerable system this renders automatic restoration useless and effectively sets the entire environment back to square one.
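
Ransomware that targets restores and backups does so with ordinary Windows administration commands, which makes that stage detectable if process creation is logged. The following Python example is added here and is not Progent's code or part of any ProSight product; it parses constructed, Sysmon-style process-creation records (hypothetical hosts FS01, WS07 and BK01, with fabricated timestamps) and flags the vssadmin, wbadmin, bcdedit and del invocations documented for Ryuk, while letting a legitimate `vssadmin list shadows` or a scheduled backup job pass.

```python
"""Flag process-creation events whose command line matches the backup-destruction
commands that Ryuk and similar ransomware run before encrypting.

Added example for this page, not Progent's code or tooling. The log records below
are constructed in a simplified Sysmon Event ID 1 (process create) key=value
style and are not real telemetry; Windows Security event 4688 with command-line
auditing enabled carries the same fields.
"""
import re
from dataclasses import dataclass

# Commands documented as Ryuk pre-encryption behaviour: delete/shrink Volume
# Shadow Copies, wipe the Windows Backup catalog, disable automatic startup
# repair, and delete backup files by extension. First matching rule wins.
BACKUP_DESTRUCTION_PATTERNS = [
    ("vss_delete_shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vss_resize_shadowstorage",
     re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+.*"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("delete_backup_files",
     re.compile(r"\bdel\b.*\.(vhdx?|bak|bac|wbcat|bkf)\b", re.I)),
]

# key=value pairs; values containing spaces are double-quoted.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


@dataclass
class Alert:
    host: str
    user: str
    rule: str
    command_line: str


def detect_backup_destruction(lines):
    """Return one Alert per event whose CommandLine matches a destruction rule."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        cmd = event.get("CommandLine", "")
        for rule, pattern in BACKUP_DESTRUCTION_PATTERNS:
            if pattern.search(cmd):
                alerts.append(Alert(event.get("Host", "?"), event.get("User", "?"), rule, cmd))
                break
    return alerts


def hosts_with_multiple_hits(alerts, threshold=2):
    """Hosts with at least `threshold` alerts: a single hit may be an admin,
    a burst on one host is the ransomware's pre-encryption sequence."""
    counts = {}
    for alert in alerts:
        counts[alert.host] = counts.get(alert.host, 0) + 1
    return sorted(host for host, n in counts.items() if n >= threshold)


# Constructed sample telemetry (hypothetical hosts, users and timestamps).
SAMPLE_EVENTS = [
    r'UtcTime="2019-03-16 02:14:07" Host=FS01 User=CORP\svc_backup Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe Delete Shadows /all /quiet"',
    r'UtcTime="2019-03-16 02:14:08" Host=FS01 User=CORP\svc_backup Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB"',
    r'UtcTime="2019-03-16 02:14:09" Host=FS01 User=CORP\svc_backup Image=C:\Windows\System32\bcdedit.exe CommandLine="bcdedit /set {default} recoveryenabled No"',
    r'UtcTime="2019-03-16 02:14:10" Host=FS01 User=CORP\svc_backup Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf"',
    r'UtcTime="2019-03-15 17:02:41" Host=WS07 User=CORP\jdoe Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin list shadows"',
    r'UtcTime="2019-03-15 23:00:02" Host=BK01 User=CORP\svc_backup Image=C:\Windows\System32\wbadmin.exe CommandLine="wbadmin start backup -backupTarget:\\BK01\backups -include:C: -quiet"',
    r'UtcTime="2019-03-15 17:05:13" Host=WS07 User=CORP\jdoe Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c del /q C:\Users\jdoe\Desktop\notes.txt"',
]

if __name__ == "__main__":
    found = detect_backup_destruction(SAMPLE_EVENTS)
    for alert in found:
        print(f"{alert.host} {alert.user} {alert.rule}: {alert.command_line}")
    print("hosts with a destruction burst:", hosts_with_multiple_hits(found))
```

Run as a script it prints four alerts, all on FS01, and names FS01 as the host with a burst. In production the same rules belong in the EDR or SIEM as a process-creation detection, and several hits on one host within a minute are the cue to isolate that host immediately, because these commands run directly before encryption starts.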

Recovering applications and data after a ransomware attack becomes a race against time as the targeted organization fights to stop the spread, eradicate the ransomware, and restore business-critical activity. Because crypto-ransomware needs time to spread and encrypt, the final stage is often triggered on weekends or holidays, when detection and response take longer. This compounds the difficulty of promptly assembling and organizing a capable response team.

Progent offers a variety of services for protecting businesses from ransomware events. These include staff training to help users recognize and avoid phishing attempts, ProSight Active Security Monitoring for endpoint protection and remote monitoring and management, and setup and configuration of next-generation security appliances that use machine learning to detect and block zero-day threats. Progent also offers the assistance of veteran crypto-ransomware recovery engineers with the skills and commitment to restore a compromised environment as quickly as possible.

Progent's Ransomware Recovery Support Services
After a crypto-ransomware intrusion, paying the ransom in Bitcoin provides no assurance that the remote criminals will hand over the decryption keys for any of your data. Kaspersky Labs estimated that 17% of ransomware victims never recovered their files after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time). This is far higher than typical ransomware demands, which ZDNet put at an average of about $13,000. The other path is to rebuild the essential elements of your IT environment. Without usable backups, this calls for a wide range of skills, well-coordinated team management, and the ability to work 24x7 until the job is done.

For twenty years, Progent has offered professional IT services to companies in Seattle and throughout the US and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who hold high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and major Linux distributions. Progent's cyber security experts hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of experience gives Progent the skills to quickly identify critical systems after a ransomware event, salvage the remaining pieces of your IT environment, and reassemble them into a functioning network.

Progent's ransomware response team uses top-notch project management tools to orchestrate the complex restoration process. Progent understands the urgency of acting swiftly and working together with a customer's management and IT staff to prioritize tasks and put critical systems back online as fast as humanly possible.

Case Study: A Successful Crypto-Ransomware Penetration Response
A business hired Progent after its network was penetrated by Ryuk ransomware. Ryuk is derived from the Hermes ransomware, which had been used by North Korea's Lazarus Group, so early reports attributed Ryuk to North Korean state-sponsored actors; later analysis tied it to a Russian-speaking criminal group. Ryuk targets specific businesses with little tolerance for disruption and is one of the most profitable ransomware operations. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer based in Chicago with around 500 employees. The Ryuk intrusion had frozen all business operations and manufacturing capabilities. Most of the client's system backups had been online at the start of the attack and were destroyed. The client was preparing to pay the ransom demand (more than two hundred thousand dollars) and hope for the best, but ultimately called Progent.


"I cannot speak enough in regards to the help Progent gave us during the most fearful period of (our) business's survival. We may have had to pay the hackers behind this attack if not for the confidence the Progent group provided us. That you could get our messaging and production applications back in less than 1 week was something I thought impossible. Each consultant I talked with or texted at Progent was totally committed to getting us working again and was working at all hours to bail us out."

Progent worked hand in hand with the customer to rapidly assess and prioritize the most important elements that had to be addressed before departmental functions could restart:

  • Windows Active Directory
  • Email
  • Accounting/MRP
To start, Progent followed incident response best practices: isolating infected systems to halt lateral movement and cleaning them before anything was rebuilt. Progent then began restoring Windows Active Directory, the core of enterprise networks built on Microsoft Windows Server. Exchange email will not operate without AD, and the business's financial and MRP applications relied on Microsoft SQL Server, which depended on Active Directory to authenticate access to the databases.

In less than 2 days, Progent rebuilt Windows Active Directory to its pre-intrusion state. Progent then completed rebuilding key applications and recovering their data from disk. All Microsoft Exchange Server data and attributes were usable, which greatly helped the rebuild of Exchange. Progent was also able to gather the local OST files (Outlook Offline Data Files) from staff workstations and laptops to recover email messages. A reasonably recent offline backup of the customer's manufacturing software made it possible to bring these vital applications back to users. Although major work remained to recover completely from the Ryuk event, core systems were restored rapidly:


"For the most part, the manufacturing operation survived unscathed and we made all customer deliverables."

During the following month, critical milestones in the restoration project were reached through close cooperation between Progent engineers and the customer:

  • In-house web sites were restored with no loss of data.
  • The MailStore Server email archive, holding over four million archived emails, was restored to operation and made accessible to users.
  • CRM, product ordering, invoicing, accounts payable, accounts receivable, and inventory control functions were 100% operational.
  • A new Palo Alto Networks PA-850 firewall was deployed.
  • Nearly all desktops and laptops were functioning as they had before the incident.

"Much of what transpired that first week is nearly entirely a blur for me, but my management will not forget the countless hours all of the team put in to give us our company back. I have entrusted Progent for at least 10 years, possibly more, and each time I needed help Progent has shined and delivered as promised. This time was a Herculean accomplishment."

Conclusion
A potential company-killing disaster was averted thanks to results-oriented experts, a broad array of IT skills, and tight teamwork. In hindsight, the crypto-ransomware intrusion described here should have been prevented by up-to-date security controls, adherence to the NIST Cybersecurity Framework or ISO/IEC 27001, user and IT administrator training, offline backups, tested incident response procedures for data protection, and keeping systems current with security patches. The reality, however, is that well-funded criminal and state-sponsored cyber gangs operating from Russia, China, North Korea and elsewhere are relentless and an ongoing threat. If you do fall victim to a crypto-ransomware attack, you can be confident that Progent's team has proven experience in ransomware defense, cleanup, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were contributing), thanks very much for allowing me to get rested after we got through the most critical parts. All of you did an impressive job, and if any of your guys is visiting the Chicago area, a great meal is my treat!"

To read or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Seattle a portfolio of remote monitoring and security assessment services to help you reduce the threat from crypto-ransomware. These services use next-generation machine learning to uncover zero-day strains of ransomware that evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that uses next-generation behavioral machine learning to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which routinely get past traditional signature-matching anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a single platform to automate the entire threat lifecycle: blocking, detection, containment, remediation, and forensics. Key features include single-click rollback using the Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver affordable multi-layer security for physical servers and VMs, workstations, mobile devices, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring of and response to attacks from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge technologies packaged in a single agent managed from a single console. Progent's data protection and virtualization experts can help you plan and configure a ProSight ESP environment that addresses your organization's specific needs and allows you to demonstrate compliance with legal and industry data security standards. Progent will help you define and configure the policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alarms that call for urgent action. Progent can also help you install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations a low-cost, end-to-end solution for reliable backup and disaster recovery (BDR). Available at a low monthly rate, ProSight Data Protection Services automates your backup activities and allows rapid recovery of vital files, applications and VMs that have become unavailable or corrupted due to hardware failures, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to an on-premises storage device, or mirrored to both. Progent's cloud backup consultants can deliver world-class expertise to set up ProSight DPS in compliance with government and industry regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, when needed, can assist you to restore your critical data. Find out more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of leading data security companies to provide centralized management and world-class protection for all your email traffic. The hybrid structure of Email Guard combines a Cloud Protection Layer with an on-premises security gateway appliance to provide advanced defense against spam, viruses, denial-of-service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter serves as a preliminary barrier and keeps most threats from ever reaching your network firewall. This reduces your exposure to inbound threats and conserves network bandwidth and storage space. Email Guard's onsite gateway appliance adds a deeper level of inspection for inbound email. For outbound email, the local gateway offers AV and anti-spam protection, data leakage protection, and email encryption. The local gateway can also work with Microsoft Exchange Server to monitor and protect internal email that originates and ends within your security perimeter. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller businesses to diagram, monitor, reconfigure and debug their networking appliances such as routers, switches, firewalls, and access points as well as servers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch keeps network diagrams current, captures and manages the configuration of almost all devices on your network, monitors performance, and generates alerts when issues are detected. By automating complex management and troubleshooting processes, ProSight WAN Watch can cut hours off common chores like drawing network diagrams, reconfiguring your network, locating devices that need critical updates, or resolving performance problems. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management technology to keep your IT system running efficiently by tracking the health of the vital assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your designated IT management staff and your assigned Progent engineering consultant so that looming issues can be resolved before they disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With the ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual host set up and maintained by Progent's network support experts. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the applications. Because the environment is virtualized, it can be moved immediately to alternate hardware without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied to one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and protect information about your IT infrastructure, procedures, business applications, and services. You can instantly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or domains. By keeping your IT infrastructure documentation current and organized, you can save as much as 50% of the time spent hunting for critical information about your network. ProSight IT Asset Management provides a common location for storing and sharing all the documents required to manage your business network, such as recommended procedures and how-to guides. ProSight IT Asset Management also offers a high level of automation for collecting and correlating IT data. Whether you're planning improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
For 24/7/365 Seattle Crypto Recovery Consultants, call Progent at 800-993-9400 or go to Contact Progent.