Crypto-Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become an escalating cyber pandemic that poses an existential threat to businesses poorly prepared for an assault. Versions of ransomware such as the CrySIS, WannaCry, Locky, Syskey and MongoLock cryptoworms have been circulating for many years and continue to cause destruction. Recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, along with additional as yet unnamed variants, not only encrypt online files but also corrupt most configured system backups. Files synchronized to the cloud can also be encrypted. In a vulnerable environment, this can make any restore operation useless and essentially sets the entire system back to zero.
Restoring services and data after a ransomware attack becomes a sprint against the clock as the targeted business struggles to contain the damage, remove the crypto-ransomware, and restore mission-critical operations. Since ransomware requires time to move laterally, assaults are frequently launched on weekends and holidays, when penetrations are likely to take longer to identify. This compounds the difficulty of quickly mobilizing and organizing an experienced response team.
Progent offers an assortment of solutions for securing enterprises against crypto-ransomware events. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of next-generation security solutions with AI capabilities to automatically identify and suppress new threats. Progent can also provide the assistance of veteran ransomware recovery engineers with the skills and commitment to redeploy a breached network as quickly as possible.
Progent's Crypto-Ransomware Recovery Support Services
After a ransomware penetration, paying the ransom demand in Bitcoin does not ensure that merciless criminals will return the keys to decrypt any or all of your information. Kaspersky determined that 17% of ransomware victims never restored their data even after paying the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000). This is far above the usual ransomware demand, which ZDNet estimates to average around $13,000. The alternative is to set up the mission-critical components of your Information Technology environment from scratch. Without full backups, this requires a wide range of skill sets, professional project management, and the willingness to work non-stop until the task is complete.
For decades, Progent has offered expert IT services to companies in Irvine and across the United States and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have earned advanced industry certifications in key technologies from Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications.) Progent in addition has experience in financial management and ERP application software. This breadth of experience gives Progent the ability to knowledgeably identify important systems, organize the remaining parts of your Information Technology environment following a ransomware penetration, and assemble them into an operational system.
Progent's recovery group uses powerful project management systems to coordinate the sophisticated recovery process. Progent understands the urgency of acting rapidly and working together with a customer's management and IT resources to prioritize tasks and to put key applications back online as fast as humanly possible.
Case Study: A Successful Ransomware Incident Response
A small business sought out Progent after its organization was brought down by Ryuk crypto-ransomware. Ryuk is thought to have been developed by North Korean government-sponsored cybercriminals, possibly adopting technology leaked from America's National Security Agency. Ryuk goes after specific organizations with little tolerance for operational disruption and is among the most lucrative incarnations of ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in Chicago with about 500 workers. The Ryuk event had shut down all company operations and manufacturing capabilities. The majority of the client's information backups had been directly accessible at the time of the intrusion and were destroyed. The client was evaluating paying the ransom demand (more than $200,000) and hoping for good luck, but in the end turned to Progent.
"I cannot thank you enough for the expertise Progent gave us during the most fearful period of (our) business's existence. We would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent team afforded us. The fact that you were able to get our e-mail and essential applications back online in less than five days was earth shattering. Every single expert I worked with or e-mailed at Progent was totally committed to getting our system up and was working at breakneck pace on our behalf."
Progent worked hand in hand with the client to quickly understand and prioritize the key systems that needed to be restored in order to resume business operations:
- Windows Active Directory
- Microsoft Exchange Server
To start, Progent followed industry best practices for anti-virus/malware incident response by halting lateral movement and cleaning infected systems. Progent then began the work of bringing Windows Active Directory back online, the foundation of enterprise systems built on Microsoft Windows Server technology. Exchange email will not work without Windows AD, and the client's accounting and MRP software used SQL Server, which depends on Active Directory services for access to the database.
In less than two days, Progent was able to restore Active Directory to its pre-attack state. Progent then completed setup and storage recovery on the needed systems. All Exchange data and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was also able to collect local OST files (Microsoft Outlook Offline Data Files) from staff desktop computers in order to recover mail messages. A recent offline backup of the client's financials/MRP software made it possible to bring these vital programs back online. Although a large amount of work remained to recover completely from the Ryuk virus, critical systems were returned to operation quickly:
"For the most part, the production manufacturing operation never missed a beat and we did not miss any customer shipments."
During the following couple of weeks, critical milestones in the recovery process were reached through tight cooperation between Progent consultants and the client:
- Internal web sites were returned to operation without losing any information.
- The MailStore Exchange Server containing more than 4 million historical emails was brought online and available for users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory Control functions were 100% functional.
- A new Palo Alto 850 firewall was installed.
- 90% of the desktops and laptops were back in use by staff.
"So much of what went on during the initial response is nearly entirely a fog for me, but I will not forget the dedication each and every one of you showed to give us our business back. I've trusted Progent for the past ten years, possibly more, and each time Progent has outperformed my expectations and delivered. This time was a testament to your capabilities."
A potential business disaster was dodged thanks to results-oriented experts, a broad spectrum of knowledge, and close collaboration. Although in hindsight the ransomware attack detailed here should have been identified and prevented with modern security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and well thought out incident response procedures for data protection and software patching, the reality is that state-sponsored cyber criminals from China, North Korea and elsewhere are tireless and will continue their attacks. If you do get hit by a crypto-ransomware attack, feel confident that Progent's roster of experts has proven experience in ransomware defense, removal, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were contributing), thank you for letting me get rested after we made it through the most critical parts. All of you made an impressive effort, and if anyone that helped is around the Chicago area, a great meal is my treat!"
To read or download a PDF version of this customer case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Irvine a range of remote monitoring and security evaluation services designed to help you reduce the threat from ransomware. These services include modern AI capabilities to detect new strains of crypto-ransomware that are able to get past legacy signature-based anti-virus products.
For 24x7x365 crypto-ransomware recovery experts in Irvine, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes next-generation behavioral machine learning tools to defend physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which easily escape legacy signature-matching anti-virus tools. ProSight ASM protects local and cloud resources and provides a unified platform to address the complete threat progression, including protection, infiltration detection, mitigation, remediation, and forensics. Top features include one-click rollback with Windows VSS and real-time network-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer protection for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and responding to security assaults from all attack vectors. ProSight ESP provides firewall protection, penetration alarms, endpoint control, and web filtering via cutting-edge technologies packaged within one agent managed from a single console. Progent's data protection and virtualization experts can assist you to plan and implement a ProSight ESP deployment that meets your organization's specific needs and that allows you to prove compliance with government and industry data security regulations. Progent will help you define and implement the policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that require urgent action. Progent's consultants can also help your company install and test a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services provide small and medium-sized organizations a low-cost and fully managed solution for reliable backup and disaster recovery. For a low monthly rate, ProSight DPS automates your backup activities and enables fast restoration of vital data, apps and VMs that have become unavailable or damaged due to hardware breakdowns, software bugs, natural disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images. Critical data can be protected in the cloud, on an on-premises device, or both. Progent's backup and recovery specialists can provide advanced expertise to configure ProSight DPS to comply with government and industry regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can assist you to restore your business-critical data. Learn more about ProSight DPS Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of leading information security companies to deliver centralized control and world-class protection for all your email traffic. The powerful structure of the Email Guard managed service integrates cloud-based filtering with an on-premises gateway appliance to offer complete protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. The cloud filter serves as a preliminary barricade and blocks most unwanted email from reaching your network firewall. This decreases your exposure to inbound attacks and saves system bandwidth and storage. Email Guard's on-premises security gateway device adds a further layer of analysis for inbound email. For outbound email, the onsite gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Exchange Server to track and safeguard internal email traffic that originates and ends within your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to diagram, track, optimize and debug their networking hardware like switches, firewalls, and access points plus servers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology maps are kept updated, captures and manages the configuration information of almost all devices connected to your network, monitors performance, and generates alerts when problems are detected. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can cut hours off ordinary chores such as making network diagrams, expanding your network, locating devices that require critical updates, or resolving performance issues. Find out more details about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your network running efficiently by tracking the health of the vital computers that drive your business network. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your specified IT staff and your assigned Progent consultant so that any potential problems can be resolved before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual host set up and managed by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the applications. Because the system is virtualized, it can be moved easily to an alternate hardware solution without requiring a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that allows you to capture, update, retrieve and protect information related to your IT infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or domains. By updating and organizing your network documentation, you can save up to half the time spent searching for vital information about your network. ProSight IT Asset Management includes a common location for holding and sharing all documents related to managing your business network, such as standard operating procedures and how-to guides. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're planning improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.