Crypto-Ransomware: Your Feared IT Catastrophe
Crypto-ransomware has become a modern cyber-plague and an enterprise-level danger for businesses of every size that are poorly prepared for an attack. Multiple generations of crypto-ransomware, including the CrySIS, Fusob, Locky, NotPetya and MongoLock families, have been around for a long time and continue to cause harm. Newer variants such as Ryuk (built on the earlier Hermes code), plus as-yet-unnamed malware, not only encrypt online data but also seek out and destroy every reachable system restore point and backup. Data synchronized to an off-site disaster recovery site can be rendered useless as well, because replication faithfully copies the encrypted files. In a poorly architected data protection solution this makes automated recovery hopeless and effectively sets the datacenter back to square one.
Getting services and data back online after a crypto-ransomware intrusion becomes a race against time as the targeted business struggles to stop lateral movement, remove the ransomware, and restore mission-critical operations. Because the attacker needs time to spread through the network and encrypt files, attacks are usually launched on weekends and at night, when a successful penetration often takes longer to notice. This compounds the difficulty of quickly assembling and organizing a knowledgeable response team.
Progent provides a variety of solutions for securing enterprises against ransomware attacks. These include staff training to help recognize and avoid phishing scams, ProSight Active Security Monitoring for behavior-based endpoint protection, and the setup and configuration of modern security appliances that use machine learning to identify and block zero-day threats. Progent also provides the services of seasoned ransomware recovery consultants with the skills and commitment to rebuild a breached environment as quickly as possible.
Progent's Ransomware Recovery Help
After a crypto-ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminal gang will return the keys needed to decrypt any or all of your files. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their data even after paying the ransom, compounding their losses. Paying is also expensive. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the exchange rates of the time), far above the typical ransomware demand, which ZDNet estimates averages around $13,000. The other path is to piece the key elements of your IT environment back together. Without full system backups, this calls for a broad range of IT skills, professional project management, and the ability to work non-stop until the job is complete.
For twenty years, Progent has provided expert Information Technology services to businesses in Hayward and across the United States and has achieved Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who hold high-level certifications in leading technologies from Microsoft, Cisco, VMware, and popular Linux distributions. Progent's security experts hold internationally recognized industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise with accounting and ERP application software. This breadth of experience gives Progent the skills to knowledgeably identify the important systems, salvage the remaining components of your network environment after a crypto-ransomware penetration, and assemble them into a functioning system.
Progent's recovery team uses best-of-breed project management systems to orchestrate the complex restoration process. Progent understands the importance of acting swiftly and in unison with a customer's management and IT staff to prioritize tasks and put key applications back online as fast as possible.
Client Story: A Successful Crypto-Ransomware Virus Recovery
A small business escalated to Progent after its organization was taken over by Ryuk ransomware. Ryuk was initially linked to North Korean state-sponsored hackers because it shares code with the earlier Hermes ransomware; later analysis by security researchers attributes its operation to a Russian-speaking criminal group. Ryuk operators target specific companies that cannot tolerate operational disruption, and it is among the most lucrative ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing business headquartered in the Chicago metro area with around 500 employees. The Ryuk intrusion had frozen all essential business operations and manufacturing processes. Most of the client's data backups had been online at the time of the attack and were eventually encrypted. The client was preparing to pay the ransom (in excess of $200K) and hoping for the best, but in the end brought in Progent.
"I cannot thank you enough for the support Progent provided us throughout the most critical time of (our) company's survival. We would have paid the hackers behind this attack except for the confidence the Progent team provided us. That you were able to get our e-mail and essential applications back online in less than 1 week was earth shattering. Each consultant I worked with or messaged at Progent was hell bent on getting us working again and was working at breakneck pace to bail us out."
Progent worked hand in hand with the client to rapidly assess and prioritize the critical applications that had to be restored so that departmental functions could restart:
To begin, Progent followed incident response best practices by isolating and cleaning the compromised systems. Progent then started rebuilding Microsoft Active Directory, the heart of any network built on Microsoft technology. Microsoft Exchange messaging does not work without AD, and the business's financial and MRP applications used Microsoft SQL Server, which relied on AD authentication for access to the data.
- Microsoft Active Directory
In less than 48 hours, Progent restored Active Directory services to their pre-attack state. Progent then rebuilt the required servers and recovered their storage. The Exchange-related objects and attributes in AD were intact, which greatly simplified the rebuild of Exchange. Progent located intact OST files (Microsoft Outlook Offline Data Files) on staff PCs and laptops and used them to recover mailbox data. A recent offline backup of the business's financial/MRP software made it possible to bring these essential services back to users. Although much work remained to recover fully from the Ryuk attack, core systems were returned to operation quickly:
"For the most part, the production line operation survived unscathed and we did not miss any customer orders."
During the following month, key milestones in the restoration project were achieved in close cooperation between Progent team members and the client:
- In-house web applications were returned to operation without losing any information.
- The MailStore email archive server for Exchange, containing more than 4 million historical emails, was brought online and made accessible to users.
- CRM/Customer Orders/Invoices/AP/AR/Inventory Control functions were 100% restored.
- A new Palo Alto Networks PA-850 firewall appliance was brought online.
- Nearly all of the desktops and laptops were functioning as before the incident.
"A huge amount of what happened those first few days is mostly a haze for me, but my management will not forget the dedication each of you put in to give us our business back. I've utilized Progent for at least 10 years, possibly more, and each time I needed help Progent has come through and delivered. This event was a life saver."
A potentially business-ending catastrophe was averted through top-tier experts, a wide array of subject matter expertise, and tight collaboration. In hindsight, the incident described here could have been stopped by modern security technology and best practices, user training, and proper procedures for backups and software patching. The reality, however, is that state-sponsored actors and criminal groups in Russia, North Korea, China and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware penetration, be assured that Progent's roster of experts has a proven track record in ransomware defense, removal, and data recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), I'm grateful for allowing me to get rested after we made it past the first week. All of you did an incredible job, and if any of your team is in the Chicago area, dinner is my treat!"
To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Hayward a variety of online monitoring and security assessment services to help you reduce your exposure to crypto-ransomware. These services include next-generation, behavior-based detection to uncover zero-day variants of ransomware that escape legacy signature-based anti-virus products.
For Hayward 24-Hour CryptoLocker Repair Experts, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that uses behavior-based analysis to defend physical and virtual endpoints against new malware attacks such as ransomware and fileless exploits, which routinely evade traditional signature-based AV tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a unified platform covering the whole threat lifecycle: prevention, intrusion detection, containment, cleanup, and forensics. Key capabilities include single-click rollback using the Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly seen attacks. One caveat a practitioner should keep in mind: VSS rollback depends on the shadow copies still existing, and deleting them (for example with vssadmin delete shadows) is one of the first things Ryuk and similar families do before encrypting, so rollback complements rather than replaces offline or immutable backups. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
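As an added practical check, and not code from Progent or part of the ProSight ASM product: because rollback from shadow copies only works if the copies survive the attack, and because the ransomware described earlier on this page goes after restore points and backups first, the PowerShell below lists the shadow copies currently present on a host and then scans the last seven days of Security log process-creation events (event ID 4688) for the command lines commonly used to destroy shadow copies and backup catalogs. It assumes process-creation auditing with command-line logging is enabled on the host; the pattern list is illustrative rather than exhaustive and is drawn from widely documented ransomware behaviour, not from this page.

```powershell
# Added example (not Progent's code or part of ProSight ASM): verify that VSS
# snapshots still exist and look for attempts to destroy them.
# Assumes Security auditing of process creation (event ID 4688) is enabled with
# "Include command line in process creation events" turned on.

# 1. Inventory the shadow copies currently present. An empty list on a server
#    that is supposed to keep VSS snapshots is itself a warning sign.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, VolumeName, InstallDate |
    Sort-Object InstallDate -Descending
if (-not $shadows) {
    Write-Warning "No Volume Shadow Copies found on this host."
} else {
    $shadows | Format-Table -AutoSize
}

# 2. Hunt for shadow-copy and backup-catalog destruction in the last 7 days.
#    Illustrative patterns for commonly abused commands; -match is
#    case-insensitive by default. Base64-encoded PowerShell command lines
#    (-EncodedCommand) must be decoded separately before matching.
$patterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)',
    'bcdedit(\.exe)?\s+.*recoveryenabled\s+no',
    'Win32_ShadowCopy.*Delete\(\)'     # WMI deletion from PowerShell/VBScript
)
$regex = $patterns -join '|'

# In event 4688 the properties are positional: [1] SubjectUserName,
# [2] SubjectDomainName, [8] CommandLine (empty when command-line logging is off).
$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -match $regex } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($_.Properties[2].Value)\$($_.Properties[1].Value)"
            Command = $_.Properties[8].Value
        }
    } | Format-Table -Wrap -AutoSize
```

Run it from an elevated PowerShell session on the host being checked; the Security log is not readable by standard users. A hit on any of these patterns during a window when no administrator was doing backup maintenance is a strong indicator that an attacker is already on the box, and it usually precedes encryption by minutes rather than days, so the result should feed an alert rather than a periodic report.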
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer security for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning to continuously monitor and respond to cyber threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint control, and web filtering through tools incorporated within one agent and accessible from a single console. Progent's data protection and virtualization experts can help your business plan and configure a ProSight ESP deployment that addresses your company's specific requirements and that helps you achieve and demonstrate compliance with government and industry data security standards. Progent will help you specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for urgent attention. Progent's consultants can also help your company set up and verify a backup and restore solution such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services provide small and medium-sized organizations an affordable end-to-end service for reliable backup and disaster recovery. Available at a low monthly price, ProSight Data Protection Services automates and monitors your backup activities and enables rapid restoration of vital data, applications and VMs that have become unavailable or damaged as a result of hardware breakdowns, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware images. Critical data can be protected in the cloud, on a local device, or both, so that a copy survives even when an attacker destroys everything reachable from the compromised network. Progent's backup and recovery specialists can deliver world-class support to configure ProSight DPS to comply with regulatory requirements like HIPAA, FIRPA, and PCI and, when needed, can help you recover your critical information. Read more about ProSight Data Protection Services Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of top information security vendors to deliver centralized management and comprehensive security for your email traffic. The hybrid structure of Email Guard combines cloud-based filtering with a local gateway appliance to offer advanced protection against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer serves as a first line of defense and keeps most threats from reaching your security perimeter. This decreases your exposure to external attacks and saves bandwidth and storage. Email Guard's on-premises gateway appliance provides a deeper level of analysis for incoming email. For outbound email, the local gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also help Microsoft Exchange Server track and protect internal email traffic that stays within your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to map out, monitor, enhance and debug their networking hardware like routers, firewalls, and wireless controllers as well as servers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept current, captures and displays the configuration of almost all devices on your network, monitors performance, and generates alerts when problems are detected. By automating complex management processes, ProSight WAN Watch can cut hours off common chores like making network diagrams, reconfiguring your network, finding devices that need important software patches, or isolating performance problems. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management techniques to keep your network operating efficiently by tracking the health of the critical computers that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your designated IT personnel and your assigned Progent consultant so that any looming problems can be resolved before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual host configured and managed by Progent's network support experts. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved immediately to an alternate hosting environment without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to one hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and protect information about your network infrastructure, procedures, business applications, and services. You can quickly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your network documentation, you can save as much as half the time wasted trying to find vital information about your network. ProSight IT Asset Management provides a common location for storing and sharing all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're making enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.