Crypto-Ransomware : Your Crippling IT Nightmare
Ransomware  Remediation ProfessionalsRansomware has become an escalating cyber pandemic that poses an extinction-level threat for organizations vulnerable to an attack. Multiple generations of crypto-ransomware such as CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for many years and continue to inflict damage. More recent strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Nephilim, plus daily as yet unnamed malware, not only encrypt online critical data but also infiltrate all configured system restores and backups. Files synchronized to off-site disaster recovery sites can also be rendered useless. In a vulnerable environment, this can render automated restore operations impossible and basically sets the entire system back to square one.

Recovering programs and data following a crypto-ransomware outage becomes a race against time as the victim struggles to contain the damage and eradicate the virus and to restore business-critical activity. Because crypto-ransomware requires time to move laterally, assaults are frequently sprung on weekends, when penetrations may take longer to identify. This compounds the difficulty of promptly mobilizing and orchestrating a knowledgeable response team.

Progent offers an assortment of support services for securing businesses from ransomware events. Among these are user training to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of next-generation security appliances with machine learning technology to intelligently detect and extinguish day-zero cyber attacks. Progent in addition offers the assistance of expert ransomware recovery engineers with the skills and commitment to re-deploy a compromised environment as soon as possible.

Progent's Ransomware Recovery Support Services
Subsequent to a crypto-ransomware attack, even paying the ransom in cryptocurrency does not guarantee that cyber hackers will return the codes to unencrypt any or all of your information. Kaspersky ascertained that seventeen percent of crypto-ransomware victims never restored their data after having sent off the ransom, resulting in increased losses. The risk is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is greatly higher than the usual ransomware demands, which ZDNET averages to be in the range of $13,000. The alternative is to piece back together the critical components of your IT environment. Absent access to full system backups, this calls for a broad complement of IT skills, professional team management, and the willingness to work non-stop until the recovery project is done.

For decades, Progent has offered expert IT services for companies in Riverside and throughout the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have earned high-level industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally-recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has expertise in financial management and ERP application software. This breadth of expertise gives Progent the skills to rapidly identify important systems and integrate the surviving pieces of your network environment after a ransomware penetration and rebuild them into an operational network.

Progent's recovery team uses best of breed project management applications to coordinate the complicated restoration process. Progent knows the urgency of working quickly and in concert with a customerís management and IT staff to prioritize tasks and to put critical applications back on line as soon as humanly possible.

Business Case Study: A Successful Ransomware Attack Restoration
A small business escalated to Progent after their organization was taken over by Ryuk ransomware. Ryuk is generally considered to have been developed by Northern Korean state cybercriminals, suspected of using technology leaked from Americaís NSA organization. Ryuk seeks specific organizations with limited ability to sustain operational disruption and is among the most profitable instances of crypto-ransomware. Major targets include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business based in Chicago with about 500 staff members. The Ryuk event had frozen all company operations and manufacturing processes. The majority of the client's information backups had been online at the time of the intrusion and were eventually encrypted. The client was evaluating paying the ransom (more than two hundred thousand dollars) and wishfully thinking for the best, but ultimately engaged Progent.


"I cannot speak enough about the care Progent provided us throughout the most fearful period of (our) companyís life. We would have paid the cyber criminals behind the attack except for the confidence the Progent experts provided us. The fact that you were able to get our e-mail and critical applications back online faster than one week was beyond my wildest dreams. Each consultant I got help from or texted at Progent was hell bent on getting us restored and was working breakneck pace to bail us out."

Progent worked hand in hand the customer to rapidly understand and assign priority to the key systems that needed to be addressed in order to restart company operations:

  • Active Directory
  • Electronic Messaging
  • Financials/MRP
To start, Progent followed AV/Malware Processes penetration response industry best practices by halting the spread and cleaning systems of viruses. Progent then began the steps of recovering Microsoft Active Directory, the heart of enterprise networks built on Microsoft Windows technology. Microsoft Exchange email will not operate without AD, and the client's MRP applications leveraged SQL Server, which requires Active Directory services for access to the data.

In less than 48 hours, Progent was able to re-build Active Directory services to its pre-virus state. Progent then helped perform rebuilding and hard drive recovery of the most important systems. All Exchange schema and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to find non-encrypted OST files (Microsoft Outlook Off-Line Folder Files) on staff PCs and laptops to recover mail messages. A recent off-line backup of the businesses accounting software made it possible to recover these vital programs back servicing users. Although significant work remained to recover completely from the Ryuk event, core services were returned to operations quickly:


"For the most part, the production operation showed little impact and we made all customer orders."

Over the next month key milestones in the restoration project were completed through close cooperation between Progent engineers and the client:

  • Self-hosted web sites were returned to operation with no loss of data.
  • The MailStore Exchange Server with over 4 million archived emails was spun up and available for users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control capabilities were 100% recovered.
  • A new Palo Alto 850 firewall was set up.
  • Nearly all of the desktops and laptops were back into operation.

"Much of what was accomplished those first few days is mostly a fog for me, but my management will not forget the care each of the team put in to give us our company back. I have trusted Progent for at least 10 years, maybe more, and each time I needed help Progent has impressed me and delivered as promised. This event was no exception but maybe more Herculean."

Conclusion
A probable enterprise-killing catastrophe was dodged with dedicated experts, a wide spectrum of technical expertise, and tight collaboration. Although in hindsight the ransomware incident detailed here would have been blocked with up-to-date security technology and recognized best practices, user and IT administrator training, and well thought out security procedures for information backup and proper patching controls, the fact remains that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware incursion, feel confident that Progent's team of professionals has extensive experience in ransomware virus blocking, remediation, and file recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), Iím grateful for making it so I could get rested after we got through the most critical parts. All of you did an incredible job, and if any of your guys is in the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Riverside a portfolio of remote monitoring and security assessment services to assist you to reduce the threat from crypto-ransomware. These services incorporate modern AI capability to detect zero-day variants of ransomware that are able to get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates next generation behavior machine learning tools to defend physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which routinely get by traditional signature-based AV products. ProSight ASM protects local and cloud-based resources and offers a unified platform to address the entire threat progression including blocking, infiltration detection, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback with Windows VSS and real-time network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services offer ultra-affordable multi-layer protection for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP offers two-way firewall protection, penetration alarms, endpoint control, and web filtering through leading-edge tools packaged within one agent accessible from a single console. Progent's data protection and virtualization consultants can help you to design and implement a ProSight ESP deployment that addresses your company's specific needs and that helps you prove compliance with legal and industry information protection regulations. Progent will assist you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require immediate attention. Progent's consultants can also help your company to install and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations an affordable and fully managed service for secure backup/disaster recovery (BDR). For a low monthly cost, ProSight DPS automates your backup processes and allows fast restoration of vital data, apps and VMs that have become unavailable or corrupted as a result of hardware breakdowns, software bugs, disasters, human error, or malware attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware images/. Critical data can be protected on the cloud, to a local storage device, or to both. Progent's cloud backup consultants can provide advanced expertise to set up ProSight DPS to be compliant with regulatory requirements such as HIPAA, FIRPA, and PCI and, whenever necessary, can assist you to recover your critical information. Find out more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of top data security companies to deliver web-based control and comprehensive security for all your email traffic. The powerful architecture of Email Guard combines a Cloud Protection Layer with an on-premises gateway device to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's cloud filter serves as a preliminary barricade and keeps the vast majority of threats from reaching your network firewall. This decreases your vulnerability to inbound attacks and saves system bandwidth and storage space. Email Guard's onsite gateway device provides a further level of inspection for incoming email. For outbound email, the local security gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also help Microsoft Exchange Server to monitor and protect internal email that stays within your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller organizations to diagram, track, reconfigure and debug their connectivity hardware like routers, firewalls, and access points as well as servers, printers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that network diagrams are always current, copies and displays the configuration of virtually all devices on your network, tracks performance, and generates alerts when potential issues are detected. By automating tedious management and troubleshooting activities, ProSight WAN Watch can knock hours off ordinary tasks like network mapping, reconfiguring your network, finding devices that need critical updates, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) technology to help keep your network operating at peak levels by tracking the state of vital computers that power your business network. When ProSight LAN Watch detects a problem, an alert is sent immediately to your designated IT management personnel and your Progent consultant so that any looming problems can be resolved before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host configured and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the applications. Since the system is virtualized, it can be ported easily to an alternate hosting solution without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and protect information related to your IT infrastructure, processes, business apps, and services. You can instantly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSLs or warranties. By cleaning up and organizing your IT infrastructure documentation, you can eliminate up to half of time thrown away trying to find vital information about your network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether youíre planning improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
For Riverside 24x7 Crypto-Ransomware Repair Services, reach out to Progent at 800-462-8800 or go to Contact Progent.