Crypto-Ransomware : Your Crippling IT Disaster
Ransomware has become an escalating cyberplague that poses an enterprise-level threat for organizations poorly prepared for an attack. Multiple generations of crypto-ransomware like the Dharma, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for many years and still cause harm. Newer strains of ransomware such as Ryuk and Hermes, along with additional as yet unnamed viruses, not only encrypt on-line files but also infiltrate any accessible system backup. Data replicated to the cloud can also be corrupted. In a vulnerable system, this can render any restore operation useless and effectively set the entire system back to zero.

Retrieving services and data following a ransomware outage becomes a race against time as the targeted business tries its best to contain the damage, clean up the virus, and restore enterprise-critical activity. Because ransomware takes time to spread, penetrations are frequently sprung during weekends and nights, when attacks may take longer to discover. This compounds the difficulty of rapidly mobilizing and orchestrating a capable response team.

Progent makes available a variety of solutions for protecting businesses from ransomware penetrations. These include team member education to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of next-generation security appliances with machine learning capabilities to rapidly discover and extinguish new cyber attacks. Progent in addition can provide the assistance of seasoned ransomware recovery engineers with the track record and commitment to reconstruct a compromised system as urgently as possible.

Progent's Ransomware Restoration Services
After a ransomware attack, even paying the ransom demands in cryptocurrency does not provide any assurance that cyber criminals will return the keys to decrypt any or all of your information. Kaspersky determined that 17% of ransomware victims never restored their information after having sent off the ransom, resulting in additional losses. The stakes are also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical crypto-ransomware demand, which ZDNET estimates to be approximately $13,000. The fallback is to piece back together the key elements of your Information Technology environment. Absent access to full data backups, this calls for a wide range of skill sets, well-coordinated project management, and the capability to work 24x7 until the task is over.

For twenty years, Progent has made available professional Information Technology services for businesses in Hayward and across the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have attained high-level certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience in financial systems and ERP application software. This breadth of experience provides Progent the capability to rapidly understand important systems and integrate the remaining pieces of your IT system after a ransomware penetration and assemble them into a functioning network.

Progent's recovery team deploys top notch project management systems to coordinate the sophisticated restoration process. Progent understands the importance of acting quickly and in concert with a client's management and Information Technology resources to prioritize tasks and to get the most important services back on-line as soon as possible.

Business Case Study: A Successful Ransomware Intrusion Restoration
A client hired Progent after their company was penetrated by Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state-sponsored criminal gangs, suspected of using approaches leaked from the United States National Security Agency. Ryuk targets specific businesses with little or no room for disruption and is one of the most profitable versions of ransomware viruses. Headline victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing company headquartered in Chicago with about 500 workers. The Ryuk attack had frozen all company operations and manufacturing processes. Most of the client's system backups had been online at the beginning of the intrusion and were damaged. The client was actively seeking loans for paying the ransom demand (in excess of $200,000) and praying for the best, but in the end utilized Progent.


"I cannot tell you enough in regards to the care Progent provided us during the most stressful period of (our) company's survival. We would have paid the hackers behind this attack if not for the confidence the Progent group gave us. The fact that you were able to get our e-mail system and production servers back into operation sooner than seven days was earth shattering. Each staff member I talked with or texted at Progent was hell bent on getting us back on-line and was working at all hours on our behalf."

Progent worked with the customer to rapidly identify and prioritize the critical elements that needed to be recovered to make it possible to restart departmental functions:

  • Active Directory (AD)
  • Electronic Messaging
  • Accounting/MRP
To get going, Progent followed industry best practices for malware incident mitigation by stopping the spread and performing virus removal steps. Progent then started the work of rebuilding Active Directory, the foundation of enterprise environments built upon Microsoft technology. Microsoft Exchange messaging will not function without Active Directory, and the business's MRP software utilized Microsoft SQL, which depends on Windows AD for access to the databases.

Within 2 days, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then charged ahead with rebuilding and hard drive recovery of key servers. All Exchange ties and configuration information were usable, which facilitated the rebuild of Exchange. Progent was able to locate intact OST files (Microsoft Outlook Off-Line Data Files) on user workstations in order to recover mail data. A recent off-line backup of the customer's financials/MRP systems made it possible to bring these vital services back online for users. Although major work still had to be done to recover totally from the Ryuk event, core services were returned to operation quickly:
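The OST-based mail recovery described above hinges on knowing which Outlook data files on the workstations survived untouched. The following script is an added example, not Progent's tooling or part of the original case study: it walks a directory tree (assumed to hold copied or mounted workstation profiles), finds .ost/.pst files, including ones the ransomware renamed by appending its own suffix, and sorts them into intact or overwritten by checking the MS-PST magic bytes "!BDN" that every valid OST/PST file begins with. The sample file tree, the workstation names and the ".locked" suffix are constructed for the demonstration.

```python
"""Triage Outlook data files (.ost/.pst) after a ransomware event.

Added example (not the original page's or Progent's code). Assumptions:
 - workstation profile directories have been copied/mounted under one root;
 - an encrypted file no longer starts with the PST/OST magic "!BDN"
   (MS-PST dwMagic = 0x4E444221, stored little-endian).
"""
import os
import tempfile
from pathlib import Path

OST_MAGIC = b"!BDN"               # first four bytes of every valid OST/PST
OUTLOOK_EXT = {".ost", ".pst"}


def classify(path: Path) -> str:
    """Classify one file by its header: intact, encrypted, empty or unreadable."""
    try:
        with path.open("rb") as fh:
            head = fh.read(4)
    except OSError:
        return "unreadable"
    if len(head) < 4:
        return "empty"
    return "intact" if head == OST_MAGIC else "encrypted"


def triage(root: Path) -> dict:
    """Walk root and bucket every Outlook data file by classify()."""
    report = {"intact": [], "encrypted": [], "empty": [], "unreadable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            # Ransomware commonly appends its own extension to victims, so a
            # renamed "mail.ost.locked" is still an OST; check every suffix.
            if not any(s.lower() in OUTLOOK_EXT for s in p.suffixes):
                continue
            report[classify(p)].append(p.relative_to(root).as_posix())
    for bucket in report.values():
        bucket.sort()
    return report


def build_sample(root: Path) -> None:
    """Constructed sample tree: one intact OST, one overwritten, one renamed."""
    (root / "ws01" / "alice").mkdir(parents=True)
    (root / "ws02" / "bob").mkdir(parents=True)
    (root / "ws01" / "alice" / "alice.ost").write_bytes(OST_MAGIC + b"\x00" * 60)
    garbage = b"\xde\xad\xbe\xef" * 16          # header destroyed by encryption
    (root / "ws02" / "bob" / "bob.ost").write_bytes(garbage)
    (root / "ws02" / "bob" / "archive.pst.locked").write_bytes(garbage)  # hypothetical suffix


def demo() -> dict:
    """Run the triage over the constructed sample and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample(root)
        return triage(root)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

In a real recovery the root would point at a read-only copy of the workstation profile shares; the intact list is what gets handed to the Exchange team, while the encrypted list tells you which mailboxes still need another source.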


"For the most part, the production operation showed little impact and we produced all customer orders."

During the next month important milestones in the restoration project were accomplished through tight cooperation between Progent engineers and the client:

  • Internal web applications were restored without losing any information.
  • The MailStore Microsoft Exchange Server with over 4 million archived messages was restored to operations and available for users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control functions were 100% functional.
  • A new Palo Alto 850 firewall was deployed.
  • Nearly all of the user desktops and notebooks were operational.

"A lot of what went on in the initial days is nearly entirely a fog for me, but I will not soon forget the dedication each of you accomplished to give us our company back. I've utilized Progent for the past ten years, maybe more, and each time I needed help Progent has shined and delivered. This situation was a testament to your capabilities."

Conclusion
A probable business-killing disaster was evaded with dedicated professionals, a wide spectrum of IT skills, and close teamwork. Although in post mortem the ransomware incident detailed here would have been identified and disabled with modern cyber security technology, security best practices, user education, and properly executed incident response procedures for information backup and patching controls, the reality is that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incursion, remember that Progent's team of experts has extensive experience in ransomware virus defense, mitigation, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were contributing), thank you for making it so I could get some sleep after we made it over the first week. Everyone did an amazing job, and if anyone is around the Chicago area, a great meal is my treat!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Hayward a variety of online monitoring and security assessment services designed to assist you to minimize the threat from ransomware. These services incorporate next-generation machine learning technology to uncover new variants of ransomware that are able to evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes next generation behavior-based machine learning tools to guard physical and virtual endpoints against modern malware assaults like ransomware and email phishing, which easily escape traditional signature-matching AV products. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a unified platform to automate the entire threat lifecycle including blocking, identification, containment, cleanup, and post-attack forensics. Key features include single-click rollback with Windows VSS and real-time system-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver affordable in-depth security for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and reacting to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, penetration alerts, device management, and web filtering through cutting-edge tools incorporated within a single agent accessible from a unified control. Progent's security and virtualization experts can assist you to design and configure a ProSight ESP environment that addresses your organization's specific requirements and that helps you prove compliance with legal and industry information security standards. Progent will assist you to specify and configure the security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for urgent attention. Progent's consultants can also help your company to set up and verify a backup and restore system such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized businesses a low cost and fully managed solution for reliable backup/disaster recovery (BDR). Available at a low monthly rate, ProSight DPS automates your backup processes and allows fast restoration of critical files, apps and VMs that have become lost or corrupted as a result of component breakdowns, software bugs, natural disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to a local device, or to both. Progent's BDR specialists can deliver advanced support to configure ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FIRPA, and PCI and, when necessary, can help you to restore your business-critical information. Read more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading information security companies to provide centralized control and world-class security for your inbound and outbound email. The hybrid structure of Email Guard managed service combines a Cloud Protection Layer with a local security gateway appliance to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's cloud filter acts as a first line of defense and blocks most threats from making it to your network firewall. This reduces your vulnerability to inbound threats and saves system bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a deeper layer of analysis for inbound email. For outbound email, the on-premises gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Exchange Server to track and protect internal email traffic that originates and ends inside your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to map, monitor, enhance and debug their connectivity appliances like routers and switches, firewalls, and access points plus servers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network maps are always current, captures and displays the configuration information of virtually all devices connected to your network, tracks performance, and generates alerts when potential issues are detected. By automating tedious network management processes, ProSight WAN Watch can cut hours off common tasks such as making network diagrams, reconfiguring your network, finding devices that require important software patches, or resolving performance bottlenecks. Learn more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to help keep your IT system operating at peak levels by checking the health of critical assets that power your business network. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your designated IT management personnel and your Progent consultant so any looming issues can be addressed before they can disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual host configured and maintained by Progent's network support experts. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the apps. Since the environment is virtualized, it can be moved immediately to an alternate hardware environment without requiring a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and protect data related to your IT infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your network documentation, you can eliminate as much as 50% of the time thrown away trying to find vital information about your IT network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents related to managing your business network such as standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're making improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Read more about ProSight IT Asset Management service.
For 24/7/365 Hayward Crypto-Ransomware Repair Experts, contact Progent at 800-993-9400 or go to Contact Progent.