Crypto-Ransomware : Your Worst IT Disaster
Ransomware  Remediation ExpertsRansomware has become an escalating cyberplague that presents an extinction-level danger for organizations vulnerable to an assault. Multiple generations of crypto-ransomware such as CrySIS, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been around for years and continue to inflict damage. Recent strains of crypto-ransomware like Ryuk and Hermes, as well as more as yet unnamed newcomers, not only encrypt on-line information but also infiltrate most accessible system backup. Information replicated to cloud environments can also be ransomed. In a vulnerable system, it can render any recovery useless and effectively sets the entire system back to square one.

Getting back online applications and information after a crypto-ransomware event becomes a race against the clock as the targeted business tries its best to stop lateral movement and cleanup the crypto-ransomware and to restore business-critical activity. Since crypto-ransomware takes time to replicate, attacks are usually sprung on weekends, when successful penetrations in many cases take more time to uncover. This multiplies the difficulty of quickly mobilizing and orchestrating an experienced response team.

Progent makes available an assortment of help services for protecting enterprises from crypto-ransomware events. These include team member training to become familiar with and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of modern security gateways with artificial intelligence technology to quickly identify and extinguish zero-day cyber threats. Progent in addition offers the services of seasoned ransomware recovery consultants with the track record and commitment to reconstruct a breached network as quickly as possible.

Progent's Ransomware Restoration Services
After a crypto-ransomware penetration, even paying the ransom in Bitcoin cryptocurrency does not ensure that merciless criminals will respond with the codes to decipher all your data. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their files even after having paid the ransom, resulting in additional losses. The risk is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the average ransomware demands, which ZDNET averages to be in the range of $13,000. The alternative is to setup from scratch the key elements of your Information Technology environment. Absent access to complete information backups, this calls for a wide complement of skill sets, well-coordinated project management, and the willingness to work non-stop until the task is done.

For twenty years, Progent has provided certified expert Information Technology services for businesses in Mesa and throughout the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have been awarded top industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have garnered internationally-renowned certifications including CISA, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise with financial management and ERP applications. This breadth of experience provides Progent the ability to quickly determine important systems and re-organize the surviving components of your network environment following a ransomware penetration and configure them into an operational system.

Progent's ransomware group deploys best of breed project management systems to orchestrate the complicated recovery process. Progent knows the importance of working quickly and in concert with a customerís management and IT resources to assign priority to tasks and to get essential systems back on line as soon as humanly possible.

Client Case Study: A Successful Crypto-Ransomware Penetration Recovery
A business hired Progent after their network system was attacked by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state hackers, possibly adopting strategies exposed from the United States NSA organization. Ryuk attacks specific organizations with little room for operational disruption and is among the most profitable instances of crypto-ransomware. Major targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in Chicago and has around 500 workers. The Ryuk attack had frozen all business operations and manufacturing capabilities. Most of the client's information backups had been online at the beginning of the attack and were encrypted. The client was evaluating paying the ransom (in excess of $200,000) and hoping for the best, but ultimately utilized Progent.


"I cannot speak enough about the care Progent gave us during the most critical period of (our) businesses survival. We may have had to pay the cyber criminals if not for the confidence the Progent group gave us. The fact that you were able to get our e-mail system and production servers back on-line faster than 1 week was earth shattering. Each staff member I talked with or messaged at Progent was amazingly focused on getting our company operational and was working 24/7 on our behalf."

Progent worked together with the client to quickly identify and assign priority to the most important services that needed to be recovered to make it possible to continue company operations:

  • Microsoft Active Directory
  • Microsoft Exchange
  • Financials/MRP
To begin, Progent followed AV/Malware Processes incident mitigation best practices by stopping the spread and cleaning up infected systems. Progent then began the work of restoring Windows Active Directory, the key technology of enterprise systems built on Microsoft Windows Server technology. Exchange email will not function without Active Directory, and the client's MRP software leveraged Microsoft SQL Server, which depends on Windows AD for authentication to the databases.

Within two days, Progent was able to restore Windows Active Directory to its pre-virus state. Progent then completed rebuilding and storage recovery of key applications. All Exchange ties and attributes were intact, which facilitated the restore of Exchange. Progent was also able to collect local OST files (Outlook Email Offline Data Files) on staff PCs to recover email data. A not too old off-line backup of the customerís accounting systems made it possible to restore these required applications back available to users. Although a large amount of work was left to recover completely from the Ryuk virus, core systems were recovered rapidly:


"For the most part, the production line operation never missed a beat and we made all customer sales."

Throughout the next few weeks important milestones in the recovery project were made through close cooperation between Progent consultants and the customer:

  • In-house web applications were restored without losing any data.
  • The MailStore Exchange Server containing more than four million archived emails was restored to operations and available for users.
  • CRM/Orders/Invoicing/AP/AR/Inventory Control modules were fully recovered.
  • A new Palo Alto Networks 850 firewall was installed and configured.
  • Most of the user workstations were functioning as before the incident.

"A lot of what went on during the initial response is mostly a blur for me, but our team will not forget the care all of your team accomplished to help get our business back. Iíve entrusted Progent for the past 10 years, maybe more, and each time Progent has shined and delivered as promised. This time was a stunning achievement."

Conclusion
A likely business extinction disaster was avoided with dedicated experts, a wide range of technical expertise, and tight collaboration. Although in retrospect the crypto-ransomware virus attack described here could have been identified and stopped with up-to-date cyber security systems and ISO/IEC 27001 best practices, team education, and well designed security procedures for backup and keeping systems up to date with security patches, the fact is that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware virus, remember that Progent's team of professionals has a proven track record in ransomware virus blocking, removal, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), Iím grateful for allowing me to get rested after we made it through the initial fire. Everyone did an amazing effort, and if any of your guys is visiting the Chicago area, dinner is my treat!"

To review or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Mesa a portfolio of remote monitoring and security assessment services to assist you to minimize the threat from crypto-ransomware. These services include modern AI technology to uncover zero-day variants of ransomware that are able to get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes next generation behavior-based analysis technology to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and file-less exploits, which easily evade traditional signature-based anti-virus tools. ProSight ASM protects on-premises and cloud-based resources and provides a unified platform to automate the complete malware attack lifecycle including protection, identification, mitigation, cleanup, and forensics. Key features include one-click rollback using Windows VSS and real-time system-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection services deliver affordable multi-layer security for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and responding to cyber assaults from all vectors. ProSight ESP delivers two-way firewall protection, penetration alerts, endpoint control, and web filtering via cutting-edge technologies packaged within a single agent managed from a unified console. Progent's security and virtualization consultants can assist you to design and configure a ProSight ESP deployment that addresses your company's specific needs and that allows you prove compliance with government and industry information security regulations. Progent will assist you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for urgent action. Progent's consultants can also assist your company to set up and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can recover rapidly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations a low cost and fully managed service for secure backup/disaster recovery. Available at a fixed monthly rate, ProSight Data Protection Services automates and monitors your backup activities and enables rapid restoration of critical files, apps and VMs that have become lost or damaged as a result of hardware breakdowns, software glitches, disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, plus Hyper-V and VMware images/. Important data can be backed up on the cloud, to an on-promises storage device, or mirrored to both. Progent's backup and recovery specialists can deliver advanced expertise to set up ProSight Data Protection Services to to comply with regulatory requirements such as HIPAA, FIRPA, PCI and Safe Harbor and, whenever needed, can help you to recover your critical data. Read more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top information security companies to provide web-based management and world-class protection for your inbound and outbound email. The powerful architecture of Progent's Email Guard managed service integrates cloud-based filtering with a local gateway device to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's cloud filter acts as a first line of defense and keeps most unwanted email from making it to your security perimeter. This reduces your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's on-premises gateway device provides a further level of inspection for inbound email. For outgoing email, the on-premises security gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also assist Exchange Server to track and protect internal email that originates and ends inside your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for smaller businesses to map, track, enhance and troubleshoot their connectivity appliances like routers, firewalls, and wireless controllers plus servers, printers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology diagrams are kept updated, captures and displays the configuration information of almost all devices on your network, monitors performance, and sends notices when potential issues are discovered. By automating tedious management and troubleshooting activities, ProSight WAN Watch can knock hours off ordinary chores like network mapping, expanding your network, locating devices that require critical software patches, or resolving performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your IT system running at peak levels by tracking the health of critical computers that power your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your specified IT management personnel and your assigned Progent engineering consultant so any potential issues can be addressed before they have a chance to impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual host set up and managed by Progent's IT support experts. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the applications. Since the system is virtualized, it can be ported immediately to a different hosting environment without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, retrieve and safeguard data about your IT infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be alerted about impending expirations of SSL certificates or warranties. By updating and organizing your IT infrastructure documentation, you can eliminate up to half of time wasted searching for critical information about your network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents related to managing your network infrastructure like recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether youíre planning enhancements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you require when you need it. Learn more about Progent's ProSight IT Asset Management service.
For 24/7 Mesa Ransomware Removal Experts, reach out to Progent at 800-993-9400 or go to Contact Progent.