Crypto-Ransomware : Your Feared IT Nightmare
Ransomware has become an escalating cyber pandemic that poses an extinction-level threat for businesses of all sizes vulnerable to an attack. Different versions of ransomware like the Reveton, WannaCry, Locky, Syskey and MongoLock cryptoworms have been around for a long time and continue to cause damage. Recent versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Nephilim, along with many unnamed variants, not only encrypt on-line information but also corrupt any configured system protection. Files replicated to off-site disaster recovery sites can also be ransomed. In a vulnerable environment, this can render any restore operations hopeless and effectively sets the network back to zero.
Retrieving applications and information following a crypto-ransomware outage becomes a sprint against time as the victim fights to stop lateral movement, eradicate the ransomware, and restore mission-critical activity. Because ransomware takes time to spread, penetrations are usually launched during weekends and nights, when they may take more time to uncover. This compounds the difficulty of rapidly mobilizing and organizing a knowledgeable response team.
Progent has an assortment of services for securing enterprises from ransomware penetrations. Among these are team member education to become familiar with and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of the latest generation security solutions with machine learning technology to quickly detect and suppress zero-day threats. Progent also offers the assistance of veteran ransomware recovery consultants with the talent and perseverance to re-deploy a breached network as urgently as possible.
Progent's Ransomware Restoration Services
After a crypto-ransomware penetration, paying the ransom in Bitcoin cryptocurrency does not ensure that cyber criminals will provide the codes to unencrypt any of your data. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their files even after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is greatly higher than the average crypto-ransomware demands, which ZDNET averages to be around $13,000. The fallback is to re-install the vital components of your IT environment. Without access to full information backups, this calls for a broad complement of IT skills, well-coordinated project management, and the willingness to work continuously until the recovery project is completed.
For twenty years, Progent has provided certified expert IT services for businesses in Pasadena and throughout the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have been awarded top industry certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have garnered internationally-recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of experience gives Progent the capability to efficiently identify necessary systems and consolidate the surviving pieces of your computer network system after a crypto-ransomware event and assemble them into a functioning network.
Progent's recovery team of experts has top notch project management tools to coordinate the sophisticated restoration process. Progent appreciates the importance of acting rapidly and in unison with a client's management and IT staff to assign priority to tasks and to put key services back online as soon as humanly possible.
Client Story: A Successful Ransomware Attack Restoration
A client engaged Progent after their company was penetrated by Ryuk ransomware. Ryuk is believed to have been launched by North Korean state-sponsored hackers, possibly using techniques leaked from America's National Security Agency. Ryuk goes after specific businesses with little room for disruption and is one of the most lucrative incarnations of ransomware. Major targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer located in the Chicago metro area with around 500 staff members. The Ryuk penetration had paralyzed all company operations and manufacturing capabilities. Most of the client's backups had been online at the time of the intrusion and were damaged. The client was actively seeking loans to pay the ransom demand (exceeding $200K) and hoping for the best, but in the end engaged Progent.
"I cannot speak enough about the support Progent provided us during the most stressful period of (our) business's existence. We may have had to pay the hackers behind this attack if it wasn't for the confidence the Progent group gave us. The fact that you were able to get our messaging and important servers back online in less than one week was amazing. Each consultant I worked with or e-mailed at Progent was laser focused on getting our system up and was working 24/7 to bail us out."
Progent worked hand in hand with the client to rapidly determine and assign priority to the essential applications that had to be recovered in order to resume company operations:
To get going, Progent adhered to industry best practices for malware incident response by stopping the spread and performing virus removal steps. Progent then initiated the work of rebuilding Active Directory, the key technology of enterprise networks built on Microsoft Windows. Exchange email will not operate without AD, and the customer's financials and MRP software leveraged Microsoft SQL Server, which requires Active Directory services for authentication to the database.
- Windows Active Directory
- Microsoft Exchange
- MRP System
Within 2 days, Progent was able to re-build Active Directory services to its pre-virus state. Progent then helped perform setup and storage recovery on mission critical systems. All Exchange Server ties and configuration information were intact, which accelerated the rebuild of Exchange. Progent was able to find non-encrypted OST data files (Outlook Offline Data Files) on staff PCs and laptops in order to recover mail messages. A fairly recent off-line backup of the customer's financials/MRP software made it possible to bring these essential services back on-line. Although much work remained to recover fully from the Ryuk damage, core services were returned to operation quickly:
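The OST recovery step above relies on telling intact Outlook data files apart from ones the ransomware has overwritten. The following is an added example (not Progent's code or tooling) of how a recovery team can triage the `.ost`/`.pst` files collected from user profiles. It assumes the documented MS-PST header: both ANSI and Unicode Outlook data files start with the 4-byte magic `!BDN`; a file encrypted in place no longer carries that signature. The sample directory tree, user names and file contents are constructed for the demonstration.

```python
"""Triage Outlook data files (.ost/.pst) gathered from endpoints after a
ransomware incident, separating files whose on-disk header is still intact
from files that have been overwritten.

Added example, not part of the original case study. Assumption: an Outlook
data file (ANSI or Unicode PST/OST) begins with the magic bytes b"!BDN"
(dwMagic 0x4E444221 in the MS-PST specification).
"""
import os
import tempfile
from pathlib import Path

OUTLOOK_MAGIC = b"!BDN"
OUTLOOK_SUFFIXES = {".ost", ".pst"}


def is_intact_outlook_file(path: Path) -> bool:
    """Return True if the file still starts with the Outlook data-file header."""
    try:
        with path.open("rb") as fh:
            return fh.read(len(OUTLOOK_MAGIC)) == OUTLOOK_MAGIC
    except OSError:
        # Unreadable files are treated as not recoverable by this check.
        return False


def triage_outlook_files(root: Path) -> dict:
    """Walk `root` and sort candidate .ost/.pst files into 'intact' and 'damaged'.

    Paths are returned relative to `root` with forward slashes so the result
    is the same on every platform.
    """
    result = {"intact": [], "damaged": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in OUTLOOK_SUFFIXES:
                continue
            bucket = "intact" if is_intact_outlook_file(p) else "damaged"
            result[bucket].append(p.relative_to(root).as_posix())
    for bucket in result:
        result[bucket].sort()
    return result


def build_sample_tree() -> Path:
    """Create a constructed sample of two user profiles (names are made up):
    one intact OST, one OST whose header was overwritten, one intact PST and
    an unrelated text file that must be ignored."""
    root = Path(tempfile.mkdtemp(prefix="ost-triage-"))
    (root / "alice").mkdir()
    (root / "bob").mkdir()
    (root / "alice" / "alice@example.com.ost").write_bytes(OUTLOOK_MAGIC + b"\x00" * 60)
    # Simulated ransomware damage: the header bytes no longer match the magic.
    (root / "bob" / "bob@example.com.ost").write_bytes(b"\x9f\x1c\x77\xaa" + b"\x00" * 60)
    (root / "bob" / "archive.pst").write_bytes(OUTLOOK_MAGIC + b"\x00" * 60)
    (root / "bob" / "notes.txt").write_bytes(b"unrelated")
    return root


def run_demo() -> dict:
    """Build the constructed tree and triage it; returns the classification."""
    return triage_outlook_files(build_sample_tree())


if __name__ == "__main__":
    for bucket, paths in run_demo().items():
        print(bucket, paths)
```

The header check only catches files that were encrypted in place. Files the ransomware renamed with a new extension will be skipped by the suffix filter, so widen `OUTLOOK_SUFFIXES` (or drop the filter and rely on the magic alone) when that is the pattern observed during the incident. A file that passes this check can still be internally inconsistent, so open each candidate in Outlook or a PST repair tool before relying on it.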
"For the most part, the production line operation never missed a beat and we made all customer orders."
Over the following few weeks critical milestones in the restoration process were completed in close cooperation between Progent team members and the client:
- Internal web sites were brought back up with no loss of data.
- The MailStore Server containing more than 4 million historical emails was brought on-line and available for users.
- CRM/Customer Orders/Invoices/AP/AR/Inventory Control capabilities were 100% functional.
- A new Palo Alto 850 firewall was brought online.
- Ninety percent of the user PCs were back into operation.
"A huge amount of what occurred in the early hours is mostly a fog for me, but we will not soon forget the urgency all of the team accomplished to help get our company back. I've utilized Progent for the past 10 years, possibly more, and each time Progent has outperformed my expectations and delivered as promised. This situation was a life saver."
A probable business-killing disaster was dodged with dedicated experts, a broad range of subject matter expertise, and close teamwork. In hindsight, the crypto-ransomware attack described here would have been identified and stopped by modern security technology and security best practices: user and IT administrator education, well designed incident response procedures, information backup, and proper patching controls. The reality, however, is that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and will continue. If you do fall victim to a crypto-ransomware attack, remember that Progent's roster of experts has proven experience in crypto-ransomware virus defense, remediation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were helping), I'm grateful for letting me get rested after we made it past the initial fire. Everyone did a fabulous effort, and if anyone is in the Chicago area, a great meal is on me!"
To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Pasadena a variety of remote monitoring and security evaluation services designed to assist you to reduce the threat from ransomware. These services utilize next-generation machine learning technology to uncover new strains of ransomware that are able to get past traditional signature-based anti-virus products.
For 24-Hour Pasadena Crypto Remediation Experts, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes cutting edge behavior-based analysis tools to defend physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which easily escape traditional signature-matching AV tools. ProSight ASM safeguards on-premises and cloud resources and provides a unified platform to automate the entire threat progression including filtering, identification, mitigation, cleanup, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver economical in-depth protection for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and responding to cyber assaults from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint control, and web filtering via cutting-edge technologies packaged within a single agent accessible from a single console. Progent's data protection and virtualization experts can assist you to plan and configure a ProSight ESP deployment that meets your company's unique requirements and that allows you to demonstrate compliance with legal and industry data protection regulations. Progent will assist you to specify and configure the security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for urgent attention. Progent's consultants can also assist you to install and test a backup and restore system like ProSight Data Protection Services so you can recover rapidly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and mid-sized businesses an affordable and fully managed service for reliable backup/disaster recovery. Available at a fixed monthly price, ProSight DPS automates your backup activities and enables fast restoration of vital data, applications and VMs that have become unavailable or corrupted due to hardware failures, software bugs, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware images. Important data can be backed up to the cloud, to a local device, or mirrored to both. Progent's backup and recovery specialists can deliver world-class expertise to set up ProSight Data Protection Services to comply with government and industry regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, whenever needed, can assist you to restore your critical data. Learn more about ProSight DPS Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading information security companies to provide web-based control and comprehensive protection for your email traffic. The powerful architecture of Progent's Email Guard integrates cloud-based filtering with an on-premises gateway device to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and blocks most unwanted email from making it to your security perimeter. This decreases your vulnerability to external attacks and conserves network bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a further level of analysis for inbound email. For outgoing email, the on-premises security gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Exchange Server to monitor and protect internal email traffic that originates and ends inside your security perimeter. For more details, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized organizations to map, monitor, reconfigure and troubleshoot their networking appliances such as switches, firewalls, and load balancers plus servers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are always updated, copies and displays the configuration information of almost all devices on your network, tracks performance, and generates alerts when potential issues are detected. By automating tedious network management activities, WAN Watch can cut hours off ordinary chores like making network diagrams, expanding your network, locating appliances that need critical updates, or isolating performance problems. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to keep your network operating at peak levels by checking the health of vital assets that power your information system. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your specified IT personnel and your Progent engineering consultant so that any potential problems can be resolved before they have a chance to impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual host configured and managed by Progent's network support professionals. Under the ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the apps. Because the environment is virtualized, it can be ported immediately to an alternate hosting environment without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and safeguard data about your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT documentation, you can save as much as 50% of the time thrown away searching for critical information about your network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents related to managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether you're making enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.