Crypto-Ransomware : Your Worst Information Technology Catastrophe
Crypto-Ransomware Recovery Consultants

Ransomware has become a modern cyberplague that represents an extinction-level threat for businesses of all sizes that are poorly prepared for an attack. Different versions of ransomware such as the Reveton, Fusob, Locky, Syskey and MongoLock cryptoworms have been around for many years and continue to wreak havoc. The latest variants of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, along with frequent as-yet-unnamed malware, not only encrypt online information but also infect any available system backups. Information synchronized to off-site disaster recovery sites can also be encrypted. In a poorly architected data protection solution, this can make automated recovery useless and knock the datacenter back to square one.

Getting applications and information back online after a ransomware outage becomes a sprint against the clock as the targeted organization fights to contain and clear the ransomware and to resume business-critical activity. Since ransomware needs time to move laterally, attacks are often launched during nights and weekends, when successful penetrations typically take more time to recognize. This compounds the difficulty of promptly assembling and organizing a qualified mitigation team.

Progent makes available a range of services for protecting enterprises from ransomware attacks. These include user training to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security solutions with machine learning technology from SentinelOne to identify and quarantine new threats intelligently. Progent also offers the services of expert ransomware recovery professionals with the skills and commitment to restore a compromised environment as quickly as possible.

Progent's Ransomware Restoration Help
Soon after a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminal gangs will return the codes needed to decrypt any of your data. Kaspersky Labs determined that seventeen percent of crypto-ransomware victims never restored their information even after having sent off the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is significantly above the usual crypto-ransomware demand, which ZDNET estimates to be approximately $13,000. The other path is to rebuild the essential elements of your IT environment from scratch. Without access to full system backups, this calls for a wide complement of skills, top-notch team management, and the ability to work 24x7 until the task is done.

For two decades, Progent has provided professional IT services for companies in Fremont and throughout the United States and has achieved Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have attained high-level industry certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have garnered internationally recognized industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with accounting and ERP applications. This breadth of expertise gives Progent the ability to quickly understand critical systems, integrate the remaining pieces of your network after a crypto-ransomware attack, and rebuild them into a functioning system.

Progent's security team of experts has best-of-breed project management tools to coordinate the sophisticated recovery process. Progent knows the urgency of acting rapidly and in concert with a customer's management and IT team members to assign priority to tasks and to get essential services back online as fast as humanly possible.

Business Case Study: A Successful Ransomware Penetration Recovery
A small business contacted Progent after their network was crippled by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean state-sponsored cybercriminals, possibly using algorithms leaked from the U.S. NSA. Ryuk targets specific organizations with little or no ability to sustain operational disruption and is among the most profitable incarnations of crypto-ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturer based in the Chicago metro area with about 500 workers. The Ryuk intrusion had paralyzed all company operations and manufacturing processes. Most of the client's system backups had been directly accessible at the time of the attack and were destroyed. The client considered paying the ransom (exceeding $200,000) and hoping for good luck, but in the end engaged Progent.


"I cannot speak enough in regards to the help Progent provided us throughout the most fearful period of (our) business's survival. We had little choice but to pay the criminal gangs except for the confidence the Progent team provided us. The fact that you were able to get our e-mail system and production servers back into operation in less than 1 week was incredible. Every single expert I interacted with or communicated with at Progent was urgently focused on getting our system up and was working at all hours to bail us out."

Progent worked together with the client to rapidly assess and assign priority to the mission critical services that had to be restored in order to continue business functions:

  • Windows Active Directory
  • Microsoft Exchange
  • Financials/MRP

To get going, Progent adhered to malware incident mitigation best practices by isolating and cleaning infected systems. Progent then initiated the process of bringing Microsoft AD back online, the foundation of enterprise environments built upon Microsoft Windows technology. Microsoft Exchange Server messaging will not function without Windows AD, and the client's financials and MRP applications relied on Microsoft SQL, which depends on Active Directory for access to the data.
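The restore ordering the case study describes (Active Directory first, then Exchange and SQL Server, then the applications on top of SQL) is a dependency graph, and it can be checked and sequenced mechanically. The following is an added example, not Progent's own tooling or code from the original page; the service names and the extra "In-house web applications" entry are constructed for the illustration.

```python
"""Dependency-ordered restore planning for the services in the case study.

Added illustration, not Progent's own tooling. It encodes the dependency
chain the narrative describes (Exchange and SQL Server need Active
Directory; the financials/MRP applications need SQL Server) and derives
restore "waves" so nothing is rebuilt before what it relies on. The service
names and the extra "In-house web applications" edge are constructed.
"""
from typing import Dict, List, Set

# Constructed dependency map: service -> services that must be online first.
CASE_STUDY_DEPENDENCIES: Dict[str, Set[str]] = {
    "Active Directory": set(),
    "Microsoft Exchange": {"Active Directory"},
    "Microsoft SQL Server": {"Active Directory"},
    "Financials/MRP": {"Microsoft SQL Server"},
    "In-house web applications": {"Active Directory", "Microsoft SQL Server"},
}


def plan_restore_waves(deps: Dict[str, Set[str]]) -> List[List[str]]:
    """Order services into restore waves using Kahn's topological sort.

    Services within one wave do not depend on each other, so a recovery team
    can rebuild them in parallel. Raises ValueError when the plan references
    an undefined service or contains a dependency cycle, both of which mean
    the runbook can never complete as written.
    """
    for svc, needs in deps.items():
        missing = needs - set(deps)
        if missing:
            raise ValueError(f"{svc} depends on undefined service(s): {sorted(missing)}")
    remaining = {svc: set(needs) for svc, needs in deps.items()}
    waves: List[List[str]] = []
    while remaining:
        # Anything with no unsatisfied prerequisites can be restored now.
        ready = sorted(svc for svc, needs in remaining.items() if not needs)
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        waves.append(ready)
        for svc in ready:
            del remaining[svc]
        for needs in remaining.values():
            needs.difference_update(ready)
    return waves


def dependents_of(deps: Dict[str, Set[str]], service: str) -> Set[str]:
    """Return every service that (directly or transitively) needs `service`.

    A large result marks a foundation component: in the case study Active
    Directory had to come first because everything else sat on top of it.
    """
    found: Set[str] = set()
    frontier = [service]
    while frontier:
        current = frontier.pop()
        for svc, needs in deps.items():
            if current in needs and svc not in found:
                found.add(svc)
                frontier.append(svc)
    return found


if __name__ == "__main__":
    for number, wave in enumerate(plan_restore_waves(CASE_STUDY_DEPENDENCIES), 1):
        print(f"Wave {number}: {', '.join(wave)}")
    for svc in CASE_STUDY_DEPENDENCIES:
        print(f"{svc}: {len(dependents_of(CASE_STUDY_DEPENDENCIES, svc))} dependent(s)")
```

Running it prints Active Directory alone in the first wave, Exchange and SQL Server together in the second, and the applications in the third, which matches the order the recovery team followed.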

In less than 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then completed reinstallations and hard drive recovery on critical servers. All Exchange links and configuration information were intact, which accelerated the restore of Exchange. Progent was also able to use the local OST files (Outlook Offline Folder Files) on staff PCs to recover email messages. A reasonably recent offline backup of the customer's manufacturing systems made it possible to bring these essential applications back online. Although major work remained to recover fully from the Ryuk attack, the most important systems were restored quickly:


"For the most part, the production manufacturing operation ran fairly normally throughout and we did not miss any customer deliverables."

During the following few weeks important milestones in the restoration project were achieved in close cooperation between Progent consultants and the customer:

  • In-house web applications were returned to operation with no loss of data.
  • The MailStore Exchange Server with over 4 million historical emails was spun up and available for users.
  • CRM/Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory Control functions were fully restored.
  • A new Palo Alto Networks 850 security appliance was installed.
  • Ninety percent of the user desktops and notebooks were fully operational.

"So much of what was accomplished that first week is mostly a blur for me, but my management will not forget the urgency each of your team put in to give us our company back. I have utilized Progent for the past 10 years, possibly more, and every time I needed help Progent has shined and delivered. This situation was a life saver."

Conclusion
A possible business extinction disaster was averted by dedicated professionals, a wide spectrum of technical expertise, and tight teamwork. Although the post-incident forensics concluded that the crypto-ransomware attack detailed here should have been shut down by advanced cyber security technology and best practices, staff education, appropriate incident response procedures for information protection, and keeping systems up to date with security patches, the reality remains that government-sponsored cyber criminals from Russia, China and elsewhere are relentless and will continue. If you do get hit by a crypto-ransomware incursion, feel confident that Progent's team of experts has substantial experience in ransomware blocking, removal, and information systems restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for making it so I could get some sleep after we made it past the first week. All of you did an incredible job, and if any of your team is in the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Fremont a variety of online monitoring and security evaluation services designed to help you to reduce your vulnerability to ransomware. These services incorporate next-generation machine learning technology to detect new strains of ransomware that can evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates SentinelOne's cutting edge behavior-based machine learning technology to guard physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which routinely get by traditional signature-matching AV tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and offers a unified platform to automate the complete threat lifecycle including filtering, identification, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows VSS and real-time network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection services deliver economical multi-layer security for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and responding to cyber threats from all vectors. ProSight ESP provides firewall protection, penetration alarms, endpoint management, and web filtering via cutting-edge tools incorporated within one agent managed from a unified console. Progent's data protection and virtualization consultants can assist you to plan and configure a ProSight ESP deployment that meets your organization's specific requirements and that helps you achieve and demonstrate compliance with government and industry data security regulations. Progent will assist you in defining and implementing the security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that call for immediate action. Progent's consultants can also assist your company to install and verify a backup and restore system such as ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has partnered with leading backup software companies to produce ProSight Data Protection Services (DPS), a portfolio of management offerings that provide backup-as-a-service (BaaS). ProSight DPS services manage and monitor your backup processes and enable transparent backup and fast recovery of vital files, applications, images, and VMs. ProSight DPS lets you recover from data loss caused by equipment failures, natural calamities, fire, malware such as ransomware, user mistakes, ill-intentioned insiders, or application bugs. Managed backup services available in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to determine which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top data security vendors to provide centralized management and world-class protection for all your email traffic. The hybrid structure of Progent's Email Guard managed service combines cloud-based filtering with an on-premises security gateway appliance to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's cloud filter acts as a preliminary barricade and keeps most unwanted email from reaching your network firewall. This reduces your vulnerability to inbound attacks and conserves network bandwidth and storage space. Email Guard's onsite security gateway device provides a deeper level of inspection for inbound email. For outbound email, the onsite gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to track and protect internal email that originates and ends within your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller businesses to map, track, reconfigure and troubleshoot their connectivity appliances such as routers, firewalls, and load balancers as well as servers, printers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network maps are always updated, captures and displays the configuration of almost all devices on your network, monitors performance, and generates notices when issues are discovered. By automating tedious management and troubleshooting processes, WAN Watch can cut hours off ordinary tasks such as network mapping, expanding your network, finding appliances that require important software patches, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your IT system running efficiently by checking the state of vital assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your designated IT personnel and your assigned Progent engineering consultant so all looming problems can be addressed before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual host set up and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be moved immediately to an alternate hardware environment without a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and protect information related to your IT infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or warranties. By updating and managing your IT infrastructure documentation, you can save as much as half of time wasted searching for critical information about your network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents related to managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT information. Whether you're planning improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you require as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that incorporates next-generation behavior analysis technology to defend endpoints as well as physical and virtual servers against new malware attacks such as ransomware and file-less exploits, which routinely evade traditional signature-based AV tools. Progent ASM services protect local and cloud-based resources and provide a single platform to address the entire malware attack progression including protection, identification, containment, cleanup, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Read more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Help Desk: Support Desk Managed Services
    Progent's Help Center managed services permit your information technology team to outsource Call Center services to Progent or split activity for Service Desk support seamlessly between your internal support group and Progent's extensive pool of certified IT service engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a seamless supplement to your corporate network support group. End user interaction with the Help Desk, provision of support services, escalation, trouble ticket generation and tracking, efficiency metrics, and management of the support database are cohesive whether issues are resolved by your core network support staff, by Progent's team, or a mix of the two. Learn more about Progent's outsourced/shared Help Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management provide organizations of all sizes a flexible and affordable solution for evaluating, testing, scheduling, applying, and documenting updates to your dynamic IT network. In addition to optimizing the protection and reliability of your IT environment, Progent's software/firmware update management services allow your in-house IT team to concentrate on line-of-business initiatives and tasks that derive the highest business value from your network. Find out more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo MFA managed services incorporate Cisco's Duo technology to defend against compromised passwords through the use of two-factor authentication. Duo enables single-tap identity confirmation with iOS, Android, and other personal devices. With 2FA, whenever you log into a protected application and give your password you are requested to confirm your identity on a device that only you possess and that is accessed using a different ("out-of-band") network channel. A wide selection of devices can be utilized for this added means of authentication, such as a smartphone or wearable, a hardware/software token, or a landline phone. You can register several verification devices. To learn more about Duo two-factor identity validation services, refer to Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing line of in-depth reporting tools designed to work with the industry's leading ticketing and remote network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize key issues like inconsistent support follow-through or endpoints with out-of-date AVs. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, lowers management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.

For Fremont 24/7/365 Crypto Cleanup Consultants, contact Progent at 800-462-8800 or go to Contact Progent.