Crypto-Ransomware : Your Feared IT Catastrophe
Crypto-Ransomware Remediation Professionals
Crypto-ransomware has become an all-too-frequent cyberplague that presents an enterprise-level danger to businesses of all sizes. Different iterations of crypto-ransomware such as the CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for years and still inflict havoc. The latest versions, such as Ryuk and Hermes, plus more unnamed malware, not only encrypt online data files but also infiltrate any configured system backup. Data synchronized to off-site disaster recovery sites can also be ransomed. With a vulnerable data protection solution, this can render automated recovery useless and effectively sets the datacenter back to square one.

Getting applications and information back online after a ransomware event becomes a race against time as the victim struggles to contain and remove the ransomware and restore business-critical activity. Since ransomware needs time to spread, attacks are often launched on weekends and at night, when intrusions typically take longer to notice. This multiplies the difficulty of rapidly mobilizing and coordinating a qualified mitigation team.

Progent offers an assortment of services for protecting businesses from crypto-ransomware attacks. These include staff training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security solutions with machine learning capabilities that automatically discover and disable zero-day attacks. Progent also offers the services of experienced ransomware recovery professionals with the talent and commitment to rebuild a compromised system as soon as possible.

Progent's Crypto-Ransomware Recovery Support Services
After a ransomware attack, paying the ransom demand in Bitcoin provides no assurance that the distant criminals will return the keys needed to decrypt any or all of your information. Kaspersky Labs determined that seventeen percent of ransomware victims never restored their data after paying the ransom, resulting in further losses. The gamble is also costly. Ryuk ransoms commonly range from 15 to 40 BTC ($120,000 to $400,000), far above the average ransomware demand, which ZDNET determined to be around $13,000. The other path is to re-install the vital parts of your IT environment. Without access to essential backups, this requires a wide range of skills, top-notch team management, and the ability to work continuously until the job is over.

For decades, Progent has provided professional IT services for businesses in Huntington Beach and across the US and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have earned advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and GIAC (see Progent's certifications). Progent also has expertise in financial management and ERP software. This breadth of expertise gives Progent the skills to rapidly identify critical systems, integrate the surviving parts of your network environment after a ransomware attack, and configure them into a functioning system.

Progent's security group uses proven project management systems to coordinate the complicated recovery process. Progent appreciates the importance of acting rapidly and in unison with a customer's management and IT staff to prioritize tasks and get critical systems back online as fast as possible.

Customer Case Study: A Successful Crypto-Ransomware Incident Recovery
A business engaged Progent after their company was brought down by the Ryuk crypto-ransomware. Ryuk is thought to have been developed by North Korean government-sponsored hackers, suspected of adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific companies with little or no ability to sustain disruption and is one of the most profitable strains of crypto-ransomware. Major targets have included Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing business based in the Chicago metro area with about 500 employees. The Ryuk intrusion had brought down all business operations and manufacturing processes. The majority of the client's system backups had been online at the start of the attack and were encrypted. The client was considering paying the ransom demand (more than $200,000) and hoping for the best, but in the end engaged Progent.

"I can't thank you enough in regard to the help Progent provided us during the most stressful period of (our) business's survival. We most likely would have paid the cybercriminals if it wasn't for the confidence the Progent group gave us. The fact that you were able to get our messaging and key servers back online quicker than seven days was something I thought impossible. Each staff member I spoke to or messaged at Progent was absolutely committed to getting our system up and was working 24 by 7 to bail us out."

Progent worked with the client to quickly assess and prioritize the essential applications that needed to be addressed in order to continue business operations:

  • Active Directory (AD)
  • Microsoft Exchange Email
  • Accounting/MRP

To begin, Progent followed ransomware incident response best practices by stopping lateral movement and cleaning infected systems. Progent then started rebuilding Microsoft Active Directory, the heart of enterprise systems built on Microsoft Windows technology. Microsoft Exchange messaging will not work without Active Directory, and the client's accounting and MRP system used Microsoft SQL Server, which depends on Active Directory services for authorization of access to the data.

Within 2 days, Progent was able to restore Active Directory services to their pre-attack state. Progent then began configuration and storage recovery of the key systems. All Exchange links and attributes were intact, which accelerated the restore of Exchange. Progent was also able to locate intact OST files (Microsoft Outlook Offline Folder Files) on staff PCs and laptops to recover mail data. A recent offline backup of the client's financials/ERP software made it possible to bring these required applications back online for users. Although a large amount of work remained to recover fully from the Ryuk attack, the most important services were returned to operation rapidly:
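As an added example (not Progent's tooling), the kind of first-pass triage used to find intact OST caches on workstations: a Python script that checks the MS-PST file header (magic `!BDN`, client magic `SM`, known version word) and flags files whose header has been overwritten, including ones renamed with an appended extension. The sample tree it builds is constructed; the `.locked` suffix is a placeholder, not a real ransomware extension.

```python
import os
import struct
import tempfile

# First 12 bytes of an Outlook PST/OST file (MS-PST header layout):
#   0..3 dwMagic = b"!BDN", 4..7 dwCRCPartial (ignored here),
#   8..9 wMagicClient = b"SM", 10..11 wVer = 14/15 (ANSI) or 23 (Unicode)
OST_MAGIC, CLIENT_MAGIC, KNOWN_VERSIONS = b"!BDN", b"SM", {14, 15, 23}


def classify_ost(path):
    """Return 'intact', 'damaged' or 'unreadable' for one candidate file."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(12)
    except OSError:
        return "unreadable"
    if len(header) < 12:
        return "damaged"
    # An encrypted file no longer carries the plaintext header, so an intact
    # header is a cheap signal that the cache is worth copying off for recovery.
    magic, _crc, client, ver = struct.unpack("<4sI2sH", header)
    if magic == OST_MAGIC and client == CLIENT_MAGIC and ver in KNOWN_VERSIONS:
        return "intact"
    return "damaged"


def triage_ost_files(root):
    """Walk a tree and classify every OST candidate, keyed by relative path."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # ".ost" anywhere in the name also catches files the ransomware
            # renamed by appending its own extension.
            if ".ost" in name.lower():
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                results[rel] = classify_ost(full)
    return results


def build_sample_tree():
    """Create a constructed sample tree (not real mailbox data) for a dry run."""
    root = tempfile.mkdtemp(prefix="ost_triage_")
    good_header = struct.pack("<4sI2sH", OST_MAGIC, 0, CLIENT_MAGIC, 23)
    samples = {
        "user1/outlook.ost": good_header + b"\x00" * 500,       # intact cache
        "user1/notes.txt": b"not a mailbox file",                # ignored
        "user2/outlook.ost": bytes(range(256)) * 2,              # header overwritten
        "user3/outlook.ost.locked": bytes(range(255, -1, -1)),   # renamed and damaged
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root
```

Run `triage_ost_files(build_sample_tree())` to see the three candidates classified; point it at a mounted user profile share to triage real caches, and treat "intact" as a reason to copy the file, not as proof the mailbox data is complete.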

"For the most part, the manufacturing operation ran fairly normal throughout and we delivered all customer orders."

Over the following couple of weeks, key milestones in the recovery were reached through tight collaboration between Progent team members and the customer:

  • In-house web applications were restored with no loss of data.
  • The MailStore Exchange Server containing more than 4 million archived messages was brought online and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivable (AR)/Inventory modules were completely functional.
  • A new Palo Alto Networks 850 security appliance was deployed.
  • Most of the desktops and laptops were back into operation.

"A huge amount of what happened in the initial days is nearly entirely a blur for me, but my management will not forget the dedication all of you put in to help get our company back. I've entrusted Progent for at least 10 years, possibly more, and every time I needed help Progent has impressed me and delivered. This event was a life saver."

Conclusion
A possible business disaster was averted with dedicated experts, a wide spectrum of subject matter expertise, and tight collaboration. Forensics concluded that the intrusion detailed here should have been stopped by modern security systems and security best practices, user and IT administrator training, and properly executed procedures for data backup and software patching. Even so, government-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a crypto-ransomware intrusion, you can be confident that Progent's team of experts has a proven track record in ransomware defense, mitigation, and data recovery.

"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for allowing me to get rested after we made it past the initial fire. Everyone did an incredible job, and if any of your team is visiting the Chicago area, a great meal is on me!"

To review or download a PDF version of this case study, see Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB).

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Huntington Beach a portfolio of remote monitoring and security evaluation services designed to help you reduce your exposure to crypto-ransomware. These services incorporate modern AI technology to uncover new strains of ransomware that can get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates cutting-edge behavior-based machine learning to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which easily get by traditional signature-based anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a single platform to address the entire malware attack lifecycle, including protection, identification, mitigation, cleanup, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer security for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning to continuously monitor and react to cyber threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, device control, and web filtering through leading-edge tools incorporated within a single agent accessible from a unified console. Progent's security and virtualization experts can help your business design and implement a ProSight ESP environment that meets your organization's unique requirements and allows you to prove compliance with legal and industry data security regulations. Progent will help you define and configure the security policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that call for urgent action. Progent can also help your company install and verify a backup and restore solution such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized organizations an affordable end-to-end service for reliable backup/disaster recovery (BDR). For a low monthly cost, ProSight DPS automates and monitors your backup processes and allows rapid recovery of critical files, applications and VMs that have become unavailable or corrupted due to hardware failures, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, plus Hyper-V and VMware images. Important data can be protected in the cloud, on an on-premises storage device, or mirrored to both. Progent's cloud backup consultants can provide world-class expertise to set up ProSight Data Protection Services to comply with regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, whenever needed, can help you restore your critical information. Learn more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading data security vendors to provide web-based management and comprehensive protection for your email traffic. The hybrid architecture of Email Guard integrates a Cloud Protection Layer with a local gateway device to offer advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of unwanted email from making it to your network firewall. This decreases your vulnerability to inbound attacks and saves system bandwidth and storage space. Email Guard's onsite gateway appliance adds a further layer of analysis for inbound email. For outgoing email, the onsite gateway offers AV and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also help Exchange Server to track and safeguard internal email that stays within your security perimeter. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized businesses to diagram, track, optimize and troubleshoot their connectivity hardware such as switches, firewalls, and access points as well as servers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology maps are always up to date, copies and manages the configuration of almost all devices on your network, tracks performance, and generates alerts when problems are detected. By automating tedious network management processes, WAN Watch can knock hours off common chores like network mapping, reconfiguring your network, locating devices that need critical updates, or resolving performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your network operating efficiently by tracking the state of the critical assets that drive your information system. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT management staff and your Progent engineering consultant so any looming issues can be resolved before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual machine host set up and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the OS software, and the applications. Since the environment is virtualized, it can be moved easily to an alternate hosting environment without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is an IT infrastructure documentation management service that allows you to create, update, find and protect information about your network infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your network documentation, you can save up to 50% of the time spent searching for critical information about your IT network. ProSight IT Asset Management features a centralized location for storing and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're making enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you need the instant you need it. Read more about ProSight IT Asset Management service.

For Huntington Beach 24-Hour Ransomware Remediation Consulting, call Progent at 800-993-9400 or go to Contact Progent.