Crypto-Ransomware : Your Feared IT Nightmare
Ransomware Remediation Professionals
Ransomware has become an all-too-frequent cyberplague that poses an existential danger to organizations vulnerable to an attack. Crypto-ransomware families such as Reveton, Fusob, Bad Rabbit, SamSam and MongoLock have been circulating for years and continue to inflict harm. More recent strains such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Nephilim, as well as a daily stream of unnamed variants, not only encrypt online files but also corrupt any system protection mechanisms they can reach. Data replicated to cloud environments can be encrypted as well. In a poorly architected data protection solution, this can render any restore operation useless and effectively knocks the network back to zero.

Getting programs and information back after a ransomware attack becomes a race against the clock as the targeted organization fights to contain the damage, eradicate the malware, and resume business-critical operations. Because ransomware needs time to spread, attacks are frequently launched at night or over weekends, when they typically take longer to detect. This compounds the difficulty of quickly assembling and orchestrating a capable response team.

Progent offers a range of solutions for protecting enterprises against crypto-ransomware penetrations. These include user education to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of the latest generation of AI-capable security gateways to rapidly identify and quarantine zero-day attacks. Progent also provides the services of expert ransomware recovery professionals with the skill and perseverance to restore a compromised environment as rapidly as possible.

Progent's Ransomware Restoration Support Services
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminal gang will hand over the keys needed to decrypt any or all of your files. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their files even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the average ransomware demand, which ZDNET estimates at approximately $13,000. The alternative is to rebuild the vital elements of your IT environment from scratch. Without complete data backups, this calls for a broad range of skill sets, well-coordinated project management, and the willingness to work 24x7 until the job is done.

For twenty years, Progent has provided professional IT services to companies in Fremont and throughout the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who hold top industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts hold internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience in financial management and ERP applications. This breadth of experience gives Progent the capability to understand the systems that matter, organize the remaining pieces of your IT environment following a ransomware attack, and assemble them back into a functioning network.

Progent's ransomware group uses state-of-the-art project management applications to orchestrate the complex recovery process. Progent understands the urgency of acting quickly and in unison with a customer's management and IT team members to prioritize tasks and bring key applications back on line as fast as possible.

Business Case Study: A Successful Crypto-Ransomware Penetration Response
A customer sought out Progent after their organization was brought down by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean state cybercriminals, possibly using techniques leaked from the United States National Security Agency. Ryuk targets specific companies with little ability to withstand operational disruption and is one of the most profitable incarnations of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing company located in Chicago with around 500 employees. The Ryuk attack had shut down all company operations and manufacturing capabilities. Most of the client's system backups had been online at the time of the attack and were encrypted. The client was preparing to pay the ransom (more than $200K) and hope for the best, but ultimately brought in Progent.


"I cannot say enough in regards to the care Progent provided us throughout the most stressful period of (our) company's survival. We most likely would have paid the cybercriminals except for the confidence the Progent team afforded us. The fact that you were able to get our e-mail and important servers back in less than seven days was earth shattering. Each staff member I talked with or e-mailed at Progent was laser focused on getting our system up and was working breakneck pace on our behalf."

Progent worked hand in hand with the client to quickly assess and prioritize the mission-critical services that had to be restored in order to continue departmental operations:

  • Active Directory (AD)
  • Exchange Server
  • MRP System
To start, Progent followed industry best practices for malware incident response by stopping lateral movement and cleaning up compromised systems. Progent then began restoring Microsoft Active Directory, the core of enterprise systems built on Microsoft technology. Exchange email will not function without Windows AD, and the customer's MRP applications relied on SQL Server, which depends on Windows AD to authorize access to the database.

Within 2 days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then completed the setup and hard drive recovery of key applications. All Exchange links and configuration information were intact, which accelerated the restoration of Exchange. Progent was also able to gather unencrypted OST data files (Outlook Offline Folder Files) from team PCs in order to recover email messages. A relatively recent off-line backup of the client's manufacturing systems made it possible to bring these required applications back into service for users. Although significant work remained to recover fully from the Ryuk attack, the most important systems were returned to operation rapidly:


"For the most part, the assembly line operation survived unscathed and we produced all customer sales."

Over the following few weeks important milestones in the recovery process were achieved in close collaboration between Progent engineers and the customer:

  • Internal web sites were restored without losing any information.
  • The MailStore Server containing more than 4 million archived emails was restored to operations and accessible to users.
  • CRM/Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory functions were completely restored.
  • A new Palo Alto Networks 850 security appliance was brought on-line.
  • Most of the desktops and laptops were operational.

"Much of what transpired in the early hours is nearly entirely a haze for me, but I will not forget the urgency all of the team put in to help get our company back. I have trusted Progent for the past 10 years, maybe more, and each time Progent has come through and delivered as promised. This time was a stunning achievement."

Conclusion
A potentially company-ending catastrophe was averted thanks to dedicated experts, a broad array of subject matter expertise, and close collaboration. Forensics showed that the crypto-ransomware attack described here could have been identified and disabled with current cyber security technology, NIST Cybersecurity Framework best practices, team education, well thought out incident response procedures for data protection, and proper patching controls. The fact remains, however, that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and an ongoing threat. If you are hit by ransomware, remember that Progent's roster of experts has substantial experience in crypto-ransomware blocking, removal, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), I'm grateful for allowing me to get some sleep after we made it past the most critical parts. Everyone did an amazing job, and if any of your team is visiting the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Fremont a range of remote monitoring and security evaluation services designed to help you to reduce the threat from ransomware. These services incorporate modern AI technology to detect zero-day strains of ransomware that can evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that utilizes cutting edge behavior-based analysis technology to guard physical and virtual endpoint devices against new malware assaults such as ransomware and file-less exploits, which routinely evade traditional signature-based anti-virus tools. ProSight ASM protects on-premises and cloud-based resources and provides a single platform to automate the complete malware attack progression including protection, infiltration detection, containment, remediation, and forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable multi-layer security for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced machine learning to continuously monitor and react to security threats from all vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge technologies packaged within a single agent accessible from a unified console. Progent's security and virtualization consultants can assist your business to design and implement a ProSight ESP deployment that meets your organization's specific requirements and that allows you to prove compliance with legal and industry data security standards. Progent will assist you to define and implement the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for immediate action. Progent can also help your company to set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and medium-sized organizations an affordable and fully managed solution for reliable backup/disaster recovery (BDR). Available at a fixed monthly rate, ProSight DPS automates your backup activities and enables fast recovery of vital files, apps and VMs that have become unavailable or damaged as a result of component breakdowns, software bugs, disasters, human mistakes, or malware attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to an on-premises device, or mirrored to both. Progent's backup and recovery specialists can provide world-class support to configure ProSight DPS to comply with government and industry regulatory standards such as HIPAA, FIRPA, PCI and Safe Harbor and, whenever needed, can help you to recover your business-critical data. Learn more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading information security vendors to deliver web-based management and comprehensive security for your email traffic. The powerful structure of Progent's Email Guard integrates a Cloud Protection Layer with a local security gateway appliance to provide advanced protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-borne malware. Email Guard's cloud filter serves as a preliminary barricade and blocks most unwanted email from reaching your network firewall. This reduces your vulnerability to inbound attacks and conserves system bandwidth and storage. Email Guard's on-premises security gateway appliance adds a further level of inspection for inbound email. For outgoing email, the on-premises gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to track and protect internal email that originates and ends within your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller businesses to diagram, track, optimize and troubleshoot their networking appliances such as switches, firewalls, and wireless controllers plus servers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology diagrams are kept current, copies and manages the configuration of virtually all devices connected to your network, tracks performance, and generates notices when problems are detected. By automating tedious management and troubleshooting activities, WAN Watch can knock hours off ordinary chores like making network diagrams, expanding your network, locating devices that need important updates, or resolving performance issues. Find out more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management techniques to help keep your network running efficiently by checking the health of the critical computers that drive your business network. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your designated IT staff and your Progent engineering consultant so any potential issues can be addressed before they have a chance to impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected Tier III data center on a high-performance virtual host configured and maintained by Progent's network support experts. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the apps. Since the system is virtualized, it can be ported easily to a different hardware platform without a time-consuming and technically risky reconfiguration procedure. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and safeguard information about your network infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT infrastructure documentation, you can save up to 50% of the time spent searching for critical information about your IT network. ProSight IT Asset Management features a centralized location for holding and sharing all documents related to managing your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether you're planning enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need the instant you need it. Read more about ProSight IT Asset Management service.
For Fremont 24/7 Ransomware Cleanup Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.