Crypto-Ransomware : Your Crippling Information Technology Catastrophe
Ransomware Recovery Professionals

Ransomware has become a modern cyberplague that poses an enterprise-level danger for any business vulnerable to an attack. Different iterations of crypto-ransomware such as the Dharma, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been replicating for years and still inflict damage. The latest variants of ransomware such as Ryuk and Hermes, along with many unnamed strains, not only encrypt online data files but also corrupt every system backup they can reach. Files replicated to the cloud can also be rendered useless. In a poorly designed environment, this makes automatic restore operations worthless and effectively knocks the entire system back to square one.

Getting applications and data back after a ransomware intrusion becomes a sprint against the clock as the targeted organization struggles to contain the damage, eradicate the ransomware, and restore enterprise-critical activity. Because ransomware needs time to spread, intrusions are usually triggered during nights and weekends, when successful attacks typically take longer to identify. This compounds the difficulty of quickly marshalling and coordinating an experienced response team.

Progent makes available a range of services for protecting enterprises from ransomware intrusions. These include staff education to help employees recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of the latest generation of security gateways with machine learning technology to quickly discover and suppress new threats. Progent can also provide the assistance of seasoned ransomware recovery consultants with the skills and commitment to restore a breached system as soon as possible.

Progent's Crypto-Ransomware Restoration Help
Following a crypto-ransomware event, even paying the ransom demand in cryptocurrency does not guarantee that the remote criminals will return the keys to decrypt any or all of your information. Kaspersky found that 17% of ransomware victims never recovered their information even after paying the ransom, resulting in additional losses. Paying is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the average ransomware demand, which ZDNET estimates to be in the range of $13,000. The alternative is to piece back together the vital components of your IT environment. Without full system backups, this requires a wide range of skill sets, professional project management, and the willingness to work continuously until the recovery project is over.

For twenty years, Progent has offered certified expert IT services for companies in Huntington Beach and across the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who hold top industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial management and ERP applications. This breadth of experience gives Progent the capability to knowledgeably identify critical systems, reorganize the surviving pieces of your IT environment after a ransomware intrusion, and rebuild them into an operational system.

Progent's security team uses powerful project management tools to coordinate the sophisticated restoration process. Progent knows the importance of working rapidly and in unison with a customer's management and IT staff to prioritize tasks and to put key applications back online as soon as humanly possible.

Customer Story: A Successful Crypto-Ransomware Penetration Restoration
A customer escalated to Progent after their network was taken over by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean government-sponsored criminal gangs, suspected of using algorithms leaked from the United States National Security Agency. Ryuk targets specific companies with limited tolerance for operational disruption and is one of the most profitable ransomware families. Headline targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturer based in the Chicago metro area with around 500 employees. The Ryuk event had shut down all essential operations and manufacturing capabilities. Most of the client's system backups had been online at the time of the intrusion and were damaged. The client was pursuing financing to pay the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.

"I cannot say enough in regards to the help Progent gave us throughout the most stressful time of (our) company's life. We may have had to pay the cyber criminals behind the attack except for the confidence the Progent experts gave us. The fact that you were able to get our e-mail and important servers back faster than 1 week was beyond my wildest dreams. Every single expert I got help from or e-mailed at Progent was hell bent on getting our company operational and was working 24/7 to bail us out."

Progent worked with the customer to quickly understand and assign priority to the essential systems that needed to be addressed to make it possible to resume business functions:

  • Active Directory (AD)
  • Microsoft Exchange
  • Financials/MRP

To start, Progent followed ransomware incident response best practices by stopping lateral movement and cleaning infected systems. Progent then began restoring Microsoft Active Directory, the foundation of enterprise networks built on Microsoft Windows technology. Exchange email will not operate without AD, and the customer's MRP software used SQL Server, which requires Windows AD for access to the data.

In less than two days, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then rebuilt essential systems and performed hard drive recovery on them. All Exchange Server data and attributes were usable, which greatly helped the restoration of Exchange. Progent was able to locate local OST files (Outlook Offline Folder Files) on user desktop computers and laptops to recover email data. A fairly recent offline backup of the customer's accounting/ERP software made it possible to bring these essential applications back into service. Although major work still had to be done to recover fully from the Ryuk attack, critical services were restored quickly:

"For the most part, the production line operation showed little impact and we made all customer sales."

Over the following couple of weeks, key milestones in the recovery process were completed through close collaboration between Progent team members and the client:

  • Self-hosted web applications were returned to operation without losing any information.
  • The MailStore Microsoft Exchange Server containing more than four million archived emails was brought online and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory capabilities were fully operational.
  • A new Palo Alto 850 security appliance was deployed.
  • 90% of the user workstations were operational.

"So much of what was accomplished in the initial days is nearly entirely a blur for me, but our team will not soon forget the urgency each and every one of you put in to help get our business back. I've trusted Progent for the past ten years, possibly more, and every time Progent has shined and delivered. This situation was the most impressive ever."

Conclusion
A likely business-killing catastrophe was dodged by dedicated professionals, a broad spectrum of IT skills, and tight collaboration. Analyzed after the fact, the ransomware intrusion described here would have been identified and blocked by modern cyber security systems and NIST Cybersecurity Framework best practices, user and IT administrator training, and well thought out security procedures for data backup and proper patching controls. Even so, government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and remain an ongoing threat. If you are hit by a ransomware intrusion, you can be confident that Progent's roster of professionals has proven experience in ransomware blocking, removal, and data disaster recovery.

"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for letting me get some sleep after we made it over the initial push. All of you did an incredible effort, and if anyone that helped is around the Chicago area, dinner is on me!"

To review or download a PDF version of this customer story, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Huntington Beach a range of remote monitoring and security assessment services to help you reduce the threat from ransomware. These services include next-generation machine learning technology to detect zero-day strains of ransomware that can escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that uses cutting-edge behavior-based machine learning tools to guard physical and virtual endpoints against modern malware attacks like ransomware and fileless exploits, which routinely evade traditional signature-based AV products. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a unified platform to automate the entire threat lifecycle including protection, identification, containment, remediation, and post-attack forensics. Key capabilities include one-click rollback using Windows VSS and real-time network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services deliver ultra-affordable multi-layer protection for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP provides firewall protection, penetration alerts, device control, and web filtering via cutting-edge tools packaged within one agent accessible from a single console. Progent's data protection and virtualization consultants can help you to plan and implement a ProSight ESP environment that addresses your company's specific requirements and that helps you demonstrate compliance with government and industry information security standards. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for urgent action. Progent can also help your company to set up and verify a backup and restore system such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations an affordable and fully managed service for secure backup and disaster recovery. For a fixed monthly cost, ProSight DPS automates and monitors your backup processes and allows fast recovery of critical data, applications and VMs that have become unavailable or damaged as a result of component breakdowns, software bugs, disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on an on-premises device, or mirrored to both. Progent's backup and recovery consultants can deliver world-class support to set up ProSight Data Protection Services to be compliant with regulatory requirements like HIPAA, FIRPA, PCI and Safe Harbor and, when needed, can assist you to restore your business-critical data. Learn more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading data security vendors to provide web-based management and comprehensive protection for your email traffic. The hybrid structure of Email Guard managed service combines cloud-based filtering with a local security gateway appliance to provide advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based threats. The Cloud Protection Layer acts as a first line of defense and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your vulnerability to inbound threats and conserves network bandwidth and storage. Email Guard's on-premises security gateway appliance adds a deeper level of inspection for inbound email. For outgoing email, the onsite gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also help Exchange Server to track and safeguard internal email traffic that originates and ends inside your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to map, monitor, optimize and troubleshoot their connectivity appliances such as switches, firewalls, and access points as well as servers, endpoints and other networked devices. Incorporating state-of-the-art RMM technology, WAN Watch ensures that network diagrams are kept updated, captures and displays the configuration of virtually all devices on your network, monitors performance, and sends alerts when potential issues are detected. By automating tedious network management activities, ProSight WAN Watch can knock hours off ordinary tasks such as making network diagrams, expanding your network, locating devices that need critical software patches, or identifying the cause of performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) technology to keep your IT system running at peak levels by tracking the health of vital assets that drive your information system. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your designated IT personnel and your Progent engineering consultant so any looming issues can be addressed before they can impact your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure Tier III data center on a fast virtual host set up and managed by Progent's network support experts. With the ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the apps. Because the system is virtualized, it can be ported easily to a different hardware solution without requiring a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, you are not tied to one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and safeguard data related to your network infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates, domains or warranties. By updating and organizing your IT infrastructure documentation, you can save as much as half of the time spent looking for critical information about your network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents related to managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether you're making enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you require as soon as you need it. Read more about ProSight IT Asset Management service.

For Huntington Beach 24-7 Crypto-Ransomware Removal Support Services, call Progent at 800-993-9400 or go to Contact Progent.