Crypto-Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become an escalating cyberplague that presents an extinction-level threat for businesses of all sizes unprepared for an assault. Different versions of ransomware like the CrySIS, Fusob, Locky, Syskey and MongoLock cryptoworms have been replicating for years and continue to cause harm. Newer strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Nephilim, plus frequent as yet unnamed variants, not only encrypt online data but also infiltrate any accessible system backups. Files synched to the cloud can also be rendered useless. In a poorly designed data protection solution, this can render automatic restoration useless and effectively sets the entire system back to square one.
Recovering programs and data after a ransomware intrusion becomes a race against time as the targeted business fights to contain the damage, remove the crypto-ransomware and resume business-critical operations. Because ransomware needs time to replicate, penetrations are often launched on weekends, when attacks tend to take longer to detect. This multiplies the difficulty of rapidly mobilizing and organizing a qualified mitigation team.
Progent offers an assortment of support services for protecting organizations from ransomware penetrations. These include team training to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of modern security gateways with machine learning capabilities to intelligently identify and suppress new threats. Progent in addition provides the services of experienced crypto-ransomware recovery professionals with the track record and perseverance to restore a compromised environment as rapidly as possible.
Progent's Crypto-Ransomware Recovery Services
Following a ransomware attack, even paying the ransom in Bitcoin cryptocurrency does not guarantee that the remote criminals will respond with the keys needed to decrypt all your information. Kaspersky determined that seventeen percent of crypto-ransomware victims never restored their data even after having sent off the ransom, resulting in additional losses. The ransom itself is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the usual crypto-ransomware demands, which ZDNET averages to be approximately $13,000. The alternative is to piece back together the vital parts of your IT environment. Without full information backups available, this requires a broad complement of skill sets, well-coordinated project management, and the ability to work continuously until the recovery project is completed.
For decades, Progent has offered professional Information Technology services for companies in Guarulhos and across the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have been awarded advanced certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have garnered internationally-recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has experience in financial management and ERP applications. This breadth of expertise gives Progent the ability to rapidly understand important systems and consolidate the remaining components of your IT system after a crypto-ransomware penetration and configure them into a functioning network.
Progent's recovery team deploys state-of-the-art project management applications to orchestrate the complex restoration process. Progent knows the urgency of working quickly and in unison with a client's management and IT resources to assign priority to tasks and to get the most important services back online as fast as humanly possible.
Business Case Study: A Successful Ransomware Virus Recovery
A small business contacted Progent after their company was penetrated by Ryuk crypto-ransomware. Ryuk is thought to have been launched by North Korean government-sponsored criminal gangs, possibly using approaches exposed from America's National Security Agency. Ryuk targets specific organizations with little tolerance for disruption and is one of the most lucrative incarnations of crypto-ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in Chicago with about 500 workers. The Ryuk intrusion had paralyzed all essential operations and manufacturing capabilities. Most of the client's backups had been directly accessible at the time of the attack and were encrypted. The client was evaluating paying the ransom demand (exceeding $200K) and hoping for the best, but in the end engaged Progent.
"I cannot say enough in regards to the care Progent gave us throughout the most critical period of (our) business's existence. We most likely would have paid the hackers behind this attack except for the confidence the Progent team gave us. That you could get our e-mail system and critical servers back on-line in less than five days was something I thought impossible. Each consultant I spoke to or messaged at Progent was amazingly focused on getting us restored and was working all day and night to bail us out."
Progent worked hand in hand with the customer to quickly assess and prioritize the most important systems that needed to be restored to make it possible to resume departmental functions:
- Microsoft Active Directory
- Exchange Server
To begin, Progent followed industry best practices for malware incident response by isolating the infected systems and performing virus removal steps. Progent then initiated the work of rebuilding Active Directory, the core of enterprise networks built upon Microsoft technology. Microsoft Exchange messaging will not operate without Windows AD, and the customer's MRP system used SQL Server, which depends on Active Directory for authentication to the databases.
In less than 2 days, Progent was able to restore Active Directory services to their pre-attack state. Progent then charged ahead with reinstallations and storage recovery on mission-critical applications. All Microsoft Exchange Server data and configuration information were intact, which accelerated the restore of Exchange. Progent was able to find local OST files (Microsoft Outlook Offline Data Files) on various PCs and laptops in order to recover email messages. A relatively recent offline backup of the business's manufacturing software made it possible to bring these essential services back online for users. Although significant work remained to recover fully from the Ryuk damage, the most important systems were restored quickly:
"For the most part, the production operation never missed a beat and we did not miss any customer shipments."
During the following few weeks, key milestones in the restoration project were completed in close cooperation between Progent engineers and the client:
- In-house web sites were returned to operation without losing any data.
- The MailStore Server with over four million historical emails was spun up and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory capabilities were 100 percent functional.
- A new Palo Alto Networks 850 security appliance was installed.
- Nearly all of the user workstations were back into operation.
"So much of what went on in the initial days is mostly a blur for me, but we will not soon forget the care all of you accomplished to help get our company back. I have utilized Progent for at least 10 years, possibly more, and each time Progent has impressed me and delivered. This situation was the most impressive ever."
A potential business catastrophe was dodged by hard-working professionals, a wide spectrum of IT skills, and tight teamwork. Although forensics concluded that the ransomware penetration detailed here could have been stopped with advanced cyber security systems and recognized best practices, team training, and well thought out incident response procedures for data backup and software patching, the reality is that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do fall victim to a ransomware incident, remember that Progent's team of experts has substantial experience in crypto-ransomware virus defense, mitigation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for letting me get some sleep after we made it over the initial push. All of you made an amazing effort, and if any of your team is visiting the Chicago area, dinner is my treat!"
To review or download a PDF version of this case study, click: Progent's Ryuk Recovery Case Study Datasheet (PDF - 282 KB).
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Guarulhos a range of online monitoring and security assessment services designed to help you to minimize the threat from ransomware. These services utilize next-generation machine learning technology to uncover new strains of ransomware that can evade legacy signature-based security solutions.
For 24x7 Guarulhos CryptoLocker Remediation Consulting, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes cutting-edge behavior analysis technology to defend physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which routinely get by traditional signature-matching AV tools. ProSight ASM protects on-premises and cloud-based resources and provides a unified platform to automate response across the entire malware attack progression, including blocking, detection, mitigation, cleanup, and post-attack forensics. Top capabilities include single-click rollback with Windows VSS and real-time system-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
ProSight Enhanced Security Protection services deliver ultra-affordable multi-layer security for physical servers and VMs, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and reacting to cyber assaults from all vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint control, and web filtering through leading-edge tools incorporated within a single agent accessible from a unified console. Progent's security and virtualization consultants can help your business to design and configure a ProSight ESP environment that meets your organization's unique requirements and that allows you to prove compliance with government and industry data security regulations. Progent will help you specify and implement policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for immediate attention. Progent's consultants can also assist your company to set up and test a backup and restore solution such as ProSight Data Protection Services so you can get back in business rapidly after a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services offer small and medium-sized businesses an affordable and fully managed service for reliable backup/disaster recovery (BDR). For a fixed monthly rate, ProSight DPS automates and monitors your backup processes and enables rapid restoration of critical data, apps and virtual machines that have become lost or corrupted due to component failures, software glitches, disasters, human mistakes, or malicious attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, plus Hyper-V and VMware images. Important data can be backed up to the cloud, to an on-premises storage device, or to both. Progent's BDR consultants can deliver world-class support to configure ProSight Data Protection Services to comply with regulatory requirements like HIPAA, FINRA, and PCI and, when needed, can assist you to restore your business-critical data. Learn more about ProSight DPS Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top information security companies to deliver centralized management and world-class security for all your email traffic. The hybrid structure of Email Guard combines a Cloud Protection Layer with an on-premises gateway appliance to offer complete protection against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-borne malware. Email Guard's cloud filter serves as a preliminary barricade and keeps most unwanted email from making it to your network firewall. This decreases your exposure to external threats and saves network bandwidth and storage. Email Guard's on-premises gateway device provides a further level of inspection for incoming email. For outbound email, the local security gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to track and protect internal email that originates and ends inside your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to diagram, monitor, enhance and troubleshoot their networking appliances like routers and switches, firewalls, and access points as well as servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are kept current, captures and manages the configuration information of virtually all devices connected to your network, tracks performance, and generates notices when problems are discovered. By automating tedious management and troubleshooting activities, WAN Watch can cut hours off ordinary tasks like network mapping, expanding your network, locating appliances that need important updates, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent’s server and desktop remote monitoring managed service that uses advanced remote monitoring and management techniques to help keep your network running at peak levels by checking the health of critical assets that power your business network. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your designated IT staff and your Progent consultant so that any potential problems can be addressed before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected, fault-tolerant data center on a fast virtual machine host set up and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the applications. Because the environment is virtualized, it can be ported immediately to an alternate hardware solution without requiring a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied to one hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, retrieve and protect data about your IT infrastructure, processes, business apps, and services. You can instantly locate passwords or serial numbers and be warned about impending expirations of SSL certificates or domains. By cleaning up and organizing your network documentation, you can eliminate as much as 50% of time spent looking for vital information about your IT network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents required for managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether you’re planning enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you require as soon as you need it. Read more about ProSight IT Asset Management service.