Crypto-Ransomware : Your Worst Information Technology Catastrophe
Crypto-ransomware has become an escalating cyber pandemic that presents an enterprise-level danger for businesses poorly prepared for an attack. Ransomware families such as the Reveton, Fusob, Locky, Syskey and MongoLock cryptoworms have been around for many years and continue to cause destruction. Modern crypto-ransomware variants like Ryuk and Hermes, as well as frequent unnamed newcomers, not only encrypt online data but also infiltrate most reachable system backups. Files synchronized to cloud environments can also be rendered useless. In a vulnerable environment, this can make any restoration impossible and effectively knocks the network back to zero.

Getting programs and data back after a ransomware intrusion becomes a sprint against time as the targeted organization fights to stop the spread, clean up the malware, and restore business-critical operations. Because ransomware needs time to spread, attacks are usually launched on weekends, when successful intrusions are likely to take longer to detect. This multiplies the difficulty of rapidly marshalling and coordinating a qualified mitigation team.

Progent provides a range of support services for protecting businesses from ransomware penetrations. Among these are team training to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of modern security gateways with AI capabilities to automatically identify and disable zero-day cyber threats. Progent also can provide the assistance of expert ransomware recovery professionals with the talent and commitment to rebuild a compromised network as rapidly as possible.

Progent's Crypto-Ransomware Recovery Help
Following a crypto-ransomware attack, paying the ransom demand in cryptocurrency does not guarantee that the criminal gang will provide the keys to decrypt all your data. Kaspersky found that 17% of ransomware victims never recovered their files after paying the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET estimates to average around $13,000. The fallback is to rebuild the vital parts of your Information Technology environment from scratch. Without usable backups of essential data, this calls for a broad range of skill sets, top-notch project management, and the capability to work 24x7 until the recovery project is completed.

For two decades, Progent has offered professional IT services for businesses in Riverside and across the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have attained advanced certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have garnered internationally-renowned certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications). Progent in addition has expertise in financial management and ERP applications. This breadth of experience affords Progent the ability to quickly identify necessary systems and consolidate the remaining parts of your IT system following a ransomware attack and assemble them into an operational network.

Progent's ransomware team utilizes best-of-breed project management tools to coordinate the complicated restoration process. Progent understands the importance of acting quickly and working together with a customer's management and Information Technology team members to prioritize tasks and get essential applications back online as fast as possible.

Case Study: A Successful Crypto-Ransomware Intrusion Response
A business hired Progent after their network was penetrated by the Ryuk crypto-ransomware. Ryuk is generally considered to have been launched by North Korean government-sponsored cybercriminals, possibly adopting techniques leaked from America's National Security Agency. Ryuk targets specific businesses with little or no ability to sustain disruption and is one of the most profitable iterations of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business located in Chicago with about 500 workers. The Ryuk event had disabled all company operations and manufacturing capabilities. The majority of the client's backups had been online at the start of the intrusion and were destroyed. The client was pursuing financing to pay the ransom demand (more than $200,000) and hoping for good luck, but ultimately engaged Progent.


"I can't say enough about the care Progent gave us during the most fearful period of (our) business's survival. We most likely would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent group gave us. The fact that you could get our e-mail system and production servers back on-line in less than a week was earth-shattering. Each expert I got help from or communicated with at Progent was totally committed on getting us working again and was working 24/7 on our behalf."

Progent worked with the customer to quickly assess and prioritize the critical areas that needed to be addressed in order to keep departmental functions running:

  • Windows Active Directory
  • Microsoft Exchange Email
  • Accounting and Manufacturing Software

To start, Progent followed ransomware incident response best practices by containing lateral movement and removing the malware. Progent then began the task of recovering Active Directory, the foundation of enterprise networks built on Microsoft Windows Server. Microsoft Exchange email will not function without AD, and the client's financial and MRP systems used Microsoft SQL Server, which relied on Windows AD to authenticate access to the data.

Within two days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then charged ahead with rebuilding essential applications and recovering data from hard drives. All Microsoft Exchange Server schema and attributes were intact, which greatly helped the rebuild of Exchange. Progent was also able to collect unencrypted OST files (Outlook Offline Folder Files) from various desktop computers to recover email data. A recent offline backup of the customer's accounting/ERP systems allowed these required applications to be brought back online. Although major work remained to recover fully from the Ryuk damage, the most important systems were restored rapidly:


"For the most part, the production line operation was never shut down and we made all customer orders."

Throughout the next month, key milestones in the restoration process were completed in close collaboration between Progent consultants and the client:

  • Internal web applications were returned to operation with no loss of data.
  • The MailStore Server with over four million historical messages was restored to operations and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control functions were 100% restored.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Most of the user desktops and notebooks were operational.

"A huge amount of what occurred during the initial response is mostly a fog for me, but our team will not forget the urgency all of you accomplished to help get our company back. I've been working together with Progent for the past ten years, possibly more, and each time I needed help Progent has impressed me and delivered. This event was no exception but maybe more Herculean."

Conclusion
A possible business extinction catastrophe was avoided by top-tier experts, a broad array of technical expertise, and close teamwork. In hindsight, the ransomware attack described here should have been identified and blocked by advanced cyber security technology and best practices, staff training, and appropriate procedures for data backup and patch management. The fact remains, however, that state-sponsored cybercriminals from Russia, China and elsewhere are relentless and will keep attacking. If you do get hit by a crypto-ransomware attack, remember that Progent's team of professionals has a proven track record in ransomware defense, removal, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were involved), I'm grateful for letting me get rested after we made it through the initial push. All of you did a fabulous job, and if any of your guys is visiting the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer story, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Riverside a range of online monitoring and security evaluation services designed to help you to reduce the threat from crypto-ransomware. These services include modern artificial intelligence capability to uncover zero-day strains of crypto-ransomware that are able to get past legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that utilizes next generation behavior analysis tools to defend physical and virtual endpoints against modern malware assaults such as ransomware and email phishing, which easily escape traditional signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a unified platform to manage the complete threat lifecycle including blocking, infiltration detection, mitigation, cleanup, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer security for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and response to cyber attacks from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint management, and web filtering through cutting-edge technologies packaged within a single agent accessible from a unified console. Progent's data protection and virtualization experts can assist you to plan and configure a ProSight ESP environment that meets your organization's unique needs and that allows you to achieve and demonstrate compliance with government and industry data protection regulations. Progent will assist you to define and configure the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for urgent attention. Progent can also help your company to install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and medium-sized businesses a low-cost end-to-end service for reliable backup/disaster recovery (BDR). For a fixed monthly price, ProSight Data Protection Services automates your backup activities and allows rapid restoration of critical files, applications and VMs that have been lost or damaged due to hardware breakdowns, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to a local storage device, or mirrored to both. Progent's backup and recovery specialists can provide world-class expertise to set up ProSight DPS to be compliant with regulatory requirements such as HIPAA, FERPA, PCI and Safe Harbor and, whenever needed, can assist you to recover your critical information. Find out more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top information security vendors to provide centralized control and world-class protection for your inbound and outbound email. The powerful architecture of Email Guard combines a Cloud Protection Layer with a local gateway appliance to provide advanced protection against spam, viruses, DoS attacks, Directory Harvest Attacks, and other email-based malware. The cloud filter serves as a preliminary barricade and blocks most unwanted email before it reaches your security perimeter. This decreases your exposure to inbound attacks and saves system bandwidth and storage space. Email Guard's onsite gateway appliance provides a deeper layer of analysis for incoming email. For outgoing email, the on-premises security gateway provides AV and anti-spam filtering, DLP, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that originates and ends inside your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to diagram, monitor, reconfigure and troubleshoot their networking appliances such as routers, firewalls, and access points as well as servers, printers, client computers and other devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept current, copies and displays the configuration information of virtually all devices on your network, tracks performance, and generates notices when potential issues are discovered. By automating time-consuming management and troubleshooting activities, WAN Watch can knock hours off ordinary tasks like network mapping, reconfiguring your network, finding appliances that require important software patches, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) technology to help keep your IT system running efficiently by checking the health of the critical computers that power your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your specified IT staff and your Progent consultant so that potential problems can be resolved before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual host configured and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system platforms, and the applications. Because the system is virtualized, it can be ported immediately to an alternate hardware solution without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard data about your IT infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be warned about impending expirations of SSL certificates or domains. By updating and organizing your network documentation, you can save as much as 50% of the time wasted trying to find critical information about your network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents required for managing your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether you're making improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Read more about Progent's ProSight IT Asset Management service.

For Riverside 24/7 Crypto Cleanup Consulting, reach out to Progent at 800-993-9400 or go to Contact Progent.