Crypto-Ransomware : Your Feared Information Technology Nightmare
Crypto-Ransomware has become a too-frequent cyberplague that represents an extinction-level threat for businesses vulnerable to an assault. Multiple generations of ransomware such as Reveton, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been replicating for years and continue to inflict damage. The latest strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, plus additional unnamed newcomers, not only encrypt online data but also encrypt or disable most reachable backup and recovery mechanisms. Data synched to off-site disaster recovery sites can also be ransomed. In a poorly architected system, this can make automatic restoration hopeless and effectively sets the network back to square one.

Getting back on-line programs and information after a ransomware outage becomes a sprint against time as the targeted business struggles to stop the spread and clear the ransomware and to resume mission-critical operations. Because crypto-ransomware requires time to replicate, attacks are often launched on weekends, when successful attacks typically take longer to recognize. This multiplies the difficulty of rapidly marshalling and organizing a qualified response team.

Progent provides a variety of solutions for protecting organizations from crypto-ransomware attacks. Among these are staff education to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of next-generation security appliances with artificial intelligence technology to automatically detect and disable zero-day cyber threats. Progent also offers the services of veteran ransomware recovery professionals with the track record and perseverance to reconstruct a compromised environment as quickly as possible.

Progent's Crypto-Ransomware Restoration Help
Subsequent to a ransomware event, paying the ransom in Bitcoin cryptocurrency does not ensure that merciless criminals will return the keys needed to decipher any of your data. Kaspersky determined that 17% of ransomware victims never recovered their data after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the usual ransomware demand, which ZDNET estimates to be around $13,000. The fallback is to set up from scratch the critical parts of your Information Technology environment. Without access to full data backups, this calls for a wide range of IT skills, well-coordinated project management, and the capability to work non-stop until the job is complete.

For twenty years, Progent has provided certified expert Information Technology services for companies in Modesto and throughout the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have been awarded advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have earned internationally-recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience in financial management and ERP applications. This breadth of expertise provides Progent the ability to efficiently understand important systems and integrate the surviving pieces of your Information Technology system after a ransomware penetration and rebuild them into a functioning network.

Progent's security group utilizes top-notch project management systems to orchestrate the complex restoration process. Progent understands the importance of working rapidly and in unison with a customer's management and Information Technology team members to assign priority to tasks and to get key applications back on line as soon as humanly possible.

Business Case Study: A Successful Crypto-Ransomware Incident Recovery
A small business engaged Progent after their company was taken over by the Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state criminal gangs, possibly adopting algorithms leaked from the U.S. NSA organization. Ryuk targets specific organizations with little or no ability to sustain disruption and is among the most profitable iterations of ransomware malware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing business headquartered in Chicago and has about 500 staff members. The Ryuk attack had frozen all essential operations and manufacturing processes. Most of the client's system backups had been online at the beginning of the intrusion and were eventually encrypted. The client was evaluating paying the ransom (in excess of $200K) and praying for good luck, but in the end made the decision to use Progent.


"I can't tell you enough about the support Progent provided us during the most fearful period of (our) company's life. We would have paid the hackers behind this attack if it wasn't for the confidence the Progent experts provided us. The fact that you could get our e-mail and important applications back on-line faster than a week was something I thought impossible. Each person I talked with or e-mailed at Progent was amazingly focused on getting us working again and was working non-stop on our behalf."

Progent worked with the customer to quickly assess and prioritize the most important applications that needed to be recovered to make it possible to restart business functions:

  • Active Directory (AD)
  • E-Mail
  • Accounting/MRP

To begin, Progent followed industry best practices for malware incident mitigation by stopping lateral movement and removing active malware. Progent then began the task of recovering Microsoft AD, the foundation of enterprise systems built upon Microsoft Windows technology. Microsoft Exchange messaging will not operate without Active Directory, and the client's financials and MRP software used Microsoft SQL Server, which depends on Active Directory services to authenticate access to the data.

In less than two days, Progent was able to rebuild Windows Active Directory to its pre-penetration state. Progent then assisted with reinstallations and hard drive recovery on the most important applications. All Microsoft Exchange Server links and attributes were usable, which greatly helped the rebuild of Exchange. Progent was able to locate non-encrypted OST files (Outlook Offline Data Files) on various desktop computers in order to recover email messages. A recent offline backup of the client's accounting/ERP systems made it possible to bring these vital programs back online. Although significant work was left to recover completely from the Ryuk damage, the most important systems were returned to operation rapidly:


"For the most part, the assembly line operation survived unscathed and we delivered all customer sales."

Throughout the next few weeks key milestones in the restoration project were accomplished in tight cooperation between Progent engineers and the client:

  • In-house web applications were restored without losing any information.
  • The MailStore Exchange Server with over 4 million historical emails was restored to operations and available for users.
  • CRM/Customer Orders/Invoices/AP/AR/Inventory Control modules were 100% restored.
  • A new Palo Alto 850 firewall was deployed.
  • 90% of the desktop computers were functioning as before the incident.

"Much of what was accomplished that first week is mostly a haze for me, but I will not forget the commitment all of you accomplished to give us our business back. I have utilized Progent for at least 10 years, possibly more, and every time I needed help Progent has impressed me and delivered. This event was a Herculean accomplishment."

Conclusion
A possible business-killing disaster was avoided by results-oriented experts, a wide spectrum of technical expertise, and close teamwork. Post-incident forensics showed that the ransomware attack described here could have been blocked with current cyber security technology and security best practices, team training, and well-designed incident response procedures for data protection and proper patching controls. The reality, however, is that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware attack, feel confident that Progent's roster of experts has proven experience in ransomware defense, mitigation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for allowing me to get some sleep after we made it over the most critical parts. All of you did an amazing effort, and if anyone that helped is around the Chicago area, dinner is on me!"

To review or download a PDF version of this customer story, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Modesto a portfolio of remote monitoring and security assessment services to help you to reduce your vulnerability to crypto-ransomware. These services incorporate next-generation AI technology to detect zero-day strains of ransomware that are able to get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes cutting edge behavior-based machine learning technology to guard physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which easily evade legacy signature-matching anti-virus tools. ProSight Active Security Monitoring protects local and cloud resources and provides a single platform to address the entire threat lifecycle including filtering, identification, mitigation, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services offer ultra-affordable multi-layer protection for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and responding to security assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alarms, device management, and web filtering through leading-edge technologies incorporated within a single agent managed from a unified console. Progent's security and virtualization consultants can help your business to design and implement a ProSight ESP environment that meets your company's specific needs and that helps you demonstrate compliance with legal and industry data security standards. Progent will help you define and configure security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that call for urgent action. Progent can also help your company to install and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized organizations an affordable and fully managed service for secure backup/disaster recovery. For a fixed monthly cost, ProSight Data Protection Services automates your backup activities and enables fast restoration of vital data, applications and virtual machines that have become unavailable or damaged due to hardware breakdowns, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, as well as Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to a local storage device, or mirrored to both. Progent's BDR consultants can provide advanced support to set up ProSight DPS to comply with government and industry regulatory standards such as HIPAA, FIRPA, PCI and Safe Harbor and, when necessary, can assist you to restore your business-critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top data security companies to deliver web-based control and world-class security for all your email traffic. The powerful structure of Progent's Email Guard integrates cloud-based filtering with an on-premises security gateway device to offer advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and blocks most threats from reaching your security perimeter. This reduces your exposure to inbound threats and saves network bandwidth and storage space. Email Guard's on-premises gateway device adds a deeper layer of analysis for incoming email. For outbound email, the onsite gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The onsite security gateway can also help Exchange Server to track and protect internal email traffic that stays inside your corporate firewall. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to map out, monitor, reconfigure and debug their connectivity hardware such as routers and switches, firewalls, and wireless controllers plus servers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology maps are always current, captures and manages the configuration of almost all devices on your network, monitors performance, and generates alerts when potential issues are discovered. By automating tedious network management processes, WAN Watch can cut hours off ordinary tasks like making network diagrams, reconfiguring your network, locating appliances that require important updates, or resolving performance problems. Find out more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your IT system running at peak levels by tracking the state of critical assets that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your designated IT staff and your Progent consultant so any looming issues can be resolved before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host set up and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the applications. Because the environment is virtualized, it can be ported immediately to an alternate hosting solution without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and safeguard data about your network infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be warned about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT infrastructure documentation, you can save as much as 50% of the time thrown away looking for vital information about your IT network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents related to managing your business network, such as recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're planning enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you require the instant you need it. Find out more about ProSight IT Asset Management service.

For Modesto 24-Hour CryptoLocker Remediation Help, reach out to Progent at 800-993-9400 or go to Contact Progent.