Ransomware: Your Feared IT Nightmare
Crypto-ransomware has become a modern cyber pandemic that poses an existential threat to businesses poorly prepared for an attack. Strains such as CryptoLocker, CryptoWall, Bad Rabbit, NotPetya and MongoLock have been around for years and still inflict havoc. Newer strains like Ryuk (built on the earlier Hermes code base), plus a steady stream of unnamed variants, not only encrypt online files but also encrypt any backups reachable over the network, including backup shares and attached backup disks. Data synced to cloud storage can be rendered useless as well, because the sync client uploads the encrypted versions over the clean ones unless versioning is in place. In a poorly designed data protection solution this makes automated restore operations hopeless and effectively sets the network back to zero.

Restoring applications and data after a ransomware intrusion becomes a race against the clock as the victim struggles to contain and clean up the infection and to restore business-critical operations. Because the operators need time to move laterally and reach the backups before they trigger encryption, the final stage of the attack is usually launched at night or over a weekend, when it takes longer to notice. This compounds the difficulty of quickly assembling and organizing an experienced response team.
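The timing pattern above, as an added detection example that is not part of the original page: a single account authenticating to many hosts within a short window outside business hours is the signature of the lateral-movement phase that precedes encryption. The script parses constructed Windows Security logon records (Event ID 4624, logon types 3 and 10, i.e. network and RDP logons) and raises an alert for such a burst. The field layout, hostnames, accounts, business-hours range, window size and host threshold are assumptions chosen for the example; tune them to your own environment and log export.

```python
"""Off-hours lateral-movement burst detector (added example; constructed data).

Input lines: timestamp,event_id,logon_type,account,source_ip,target_host
Only Windows Security Event ID 4624 with logon type 3 (network) or 10 (RDP)
is considered, since those are what an operator pivoting between hosts produces.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample export: a service account pivoting across five servers at
# 02:00 on a Saturday, followed by an ordinary weekday session from a user.
SAMPLE_LOG = """\
2019-03-09T02:14:07,4624,3,CORP\\svc-backup,10.0.5.21,FS01
2019-03-09T02:15:30,4624,3,CORP\\svc-backup,10.0.5.21,DC01
2019-03-09T02:17:02,4624,3,CORP\\svc-backup,10.0.5.21,SQL01
2019-03-09T02:18:45,4624,3,CORP\\svc-backup,10.0.5.21,EXCH01
2019-03-09T02:20:11,4624,10,CORP\\svc-backup,10.0.5.21,WS-ACCT-07
2019-03-11T09:05:00,4624,3,CORP\\jsmith,10.0.7.33,FS01
2019-03-11T09:06:00,4624,3,CORP\\jsmith,10.0.7.33,PRINT01
2019-03-11T09:30:00,4624,2,CORP\\jsmith,10.0.7.33,WS-ACCT-07
"""

BUSINESS_HOURS = range(7, 19)        # 07:00-18:59, Monday to Friday (assumption)
LATERAL_LOGON_TYPES = {"3", "10"}    # network and RemoteInteractive logons
WINDOW_SECONDS = 15 * 60             # burst window (assumption)
MIN_DISTINCT_HOSTS = 4               # hosts reached inside the window (assumption)


def parse_events(text):
    """Return (timestamp, account, source_ip, host) for qualifying logons."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, account, src, host = line.split(",")
        if event_id == "4624" and logon_type in LATERAL_LOGON_TYPES:
            events.append((datetime.fromisoformat(ts), account, src, host))
    return events


def is_off_hours(ts):
    """Weekend, or a weekday hour outside the configured business hours."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def find_lateral_bursts(events, window=WINDOW_SECONDS, min_hosts=MIN_DISTINCT_HOSTS):
    """One alert per (account, source_ip) that reached >= min_hosts distinct
    hosts within `window` seconds, with every logon in the burst off-hours.
    Alert tuple: (account, source_ip, burst_start, sorted hosts in the burst)."""
    by_actor = defaultdict(list)
    for ts, account, src, host in sorted(events):
        by_actor[(account, src)].append((ts, host))

    alerts = []
    for (account, src), seq in by_actor.items():
        start = 0
        for end in range(len(seq)):
            # Slide the window start forward until the span fits inside `window`.
            while (seq[end][0] - seq[start][0]).total_seconds() > window:
                start += 1
            burst = seq[start:end + 1]
            hosts = {h for _, h in burst}
            if len(hosts) >= min_hosts and all(is_off_hours(t) for t, _ in burst):
                alerts.append((account, src, burst[0][0], tuple(sorted(hosts))))
                break   # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for account, src, first, hosts in find_lateral_bursts(parse_events(SAMPLE_LOG)):
        print(f"ALERT {first:%Y-%m-%d %H:%M} {account} from {src} -> {', '.join(hosts)}")
```

On the sample data only the Saturday 02:00 burst from the service account fires; the Monday-morning user session touches two hosts inside business hours and is ignored. Counting distinct target hosts per source rather than raw logon volume is what keeps a backup or monitoring account that legitimately polls many servers from drowning the rule, so whitelist those sources explicitly rather than raising the threshold.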

Progent offers a variety of support services for protecting enterprises from ransomware. These include user training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of next-generation security appliances that use machine learning to detect and block new threats quickly. Progent also offers seasoned ransomware recovery engineers with the track record and perseverance to restore a breached environment as quickly as possible.

Progent's Ransomware Restoration Support Services
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminals will provide working keys to decrypt all your data. Kaspersky estimated that 17% of ransomware victims never recovered their data after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the average ransomware demand, which ZDNet put at approximately $13,000. The other path is to rebuild the mission-critical parts of your IT environment from scratch. Without complete, uninfected backups, this calls for a wide range of skills, professional project management, and the ability to work around the clock until the job is done.

For twenty years, Progent has provided certified IT services for businesses in Napa and throughout the United States and holds Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers with advanced certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security consultants hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and GIAC (see Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of experience gives Progent the skills to efficiently identify the necessary systems, salvage the intact pieces of your network after a ransomware attack, and reassemble them into a working system.

Progent's security team uses project management tools to coordinate the complex restoration process. Progent understands the urgency of acting quickly and works with the customer's management and IT staff to prioritize tasks and bring essential services back online as soon as possible.

Business Case Study: A Successful Crypto-Ransomware Virus Response
A customer escalated to Progent after their network was taken over by Ryuk ransomware. Ryuk was at first attributed to North Korean state-sponsored actors because it shares code with the Hermes ransomware that the Lazarus Group had used; subsequent analysis attributed it to a Russian-speaking criminal group. Ryuk targets specific companies with limited ability to tolerate disruption and is one of the most profitable ransomware operations. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a manufacturing business in the Chicago metro area with about 500 employees. The Ryuk intrusion had halted all business operations and manufacturing. Most of the client's backups had been online at the time of the attack and were encrypted along with the production data. The client was actively seeking loans to pay the ransom (over two hundred thousand dollars) and hoping for the best, but ultimately reached out to Progent.


"I cannot speak enough in regards to the expertise Progent provided us during the most critical time of (our) business's survival. We would have paid the cybercriminals if it wasn't for the confidence the Progent team gave us. The fact that you could get our e-mail and key applications back into operation in less than a week was earth shattering. Every single expert I worked with or texted at Progent was amazingly focused on getting us operational and was working non-stop on our behalf."

Progent worked with the client to quickly assess and prioritize the most important services that needed to be restored so that departmental operations could resume:

  • Active Directory (AD)
  • E-Mail
  • Accounting and Manufacturing Software
To begin, Progent followed incident response best practices by isolating affected systems to halt lateral movement and cleaning the infected hosts. Progent then started the task of recovering Microsoft Active Directory, the core of enterprise environments built on Microsoft technology. Microsoft Exchange will not function without Active Directory, and the customer's financials and MRP software ran on Microsoft SQL Server configured for Windows (Active Directory) authentication, so the databases were unreachable until AD was back.

Within two days, Progent restored Active Directory to its pre-intrusion state. Progent then assisted with reinstalling key applications and recovering their storage. All Exchange Server schema and configuration information held in AD was intact, which greatly simplified the rebuild of Exchange. Progent also collected intact OST files (Outlook Offline Data Files) from staff desktop computers to recover mail messages; because an OST holds a cached copy of the user's mailbox, a desktop that escaped encryption is a usable source of mail even when the server databases are lost. A recent offline backup of the customer's financials/ERP system made it possible to bring these essential applications back into service. Although a large amount of work remained to recover fully from the Ryuk attack, the most important services were returned to operation rapidly:


"For the most part, the assembly line operation was never shut down and we produced all customer deliverables."
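The salvage step described above, as an added example that is not part of the original page or of Progent's tooling: before restoring from OST files and backup sets it pays to verify which copies are actually intact rather than trusting filenames, because ransomware either renames files with its own extension or overwrites the contents in place. The script checks the leading bytes of each candidate against the format's published magic number (PST/OST files begin with !BDN, SQL Server .bak files written in Microsoft Tape Format begin with TAPE, VHDX disks with vhdxfile, ZIP archives with PK) and sorts the files into intact, overwritten and renamed. The .RYK extension is Ryuk's; the other ransom extensions, the directory layout and the sample files are constructed for the example.

```python
"""Post-incident triage of OST files and backup sets (added example; constructed data).

Files are judged by their leading bytes, not their names: a renamed file carries
the ransomware extension, an overwritten file keeps its name but loses the magic.
"""
import os
import tempfile
from pathlib import Path

# Published signatures at offset 0 for the artifact types worth recovering.
MAGIC = {
    ".ost": b"!BDN",        # Outlook Offline Data File (MS-PST dwMagic 0x4E444221)
    ".pst": b"!BDN",        # Outlook Personal Folders file, same header
    ".bak": b"TAPE",        # SQL Server backup in Microsoft Tape Format
    ".vhdx": b"vhdxfile",   # Hyper-V VHDX file-type identifier
    ".zip": b"PK\x03\x04",  # ZIP local file header
}

# Extensions appended by ransomware. Ryuk appends .RYK; the others are
# assumed placeholders standing in for other families.
RANSOM_EXTS = {".ryk", ".encrypted", ".locked"}


def classify(path):
    """Return 'renamed_encrypted', 'corrupt_or_encrypted', 'intact', or
    'untracked' (a file type this triage does not cover)."""
    path = Path(path)
    suffixes = [s.lower() for s in path.suffixes]
    if suffixes and suffixes[-1] in RANSOM_EXTS:
        return "renamed_encrypted"
    ext = path.suffix.lower()
    if ext not in MAGIC:
        return "untracked"
    with open(path, "rb") as f:
        head = f.read(len(MAGIC[ext]))
    return "intact" if head == MAGIC[ext] else "corrupt_or_encrypted"


def triage(root):
    """Walk `root` and bucket every tracked file by classify(); paths are
    reported relative to root in POSIX style so the output is portable."""
    root = Path(root)
    report = {"intact": [], "corrupt_or_encrypted": [], "renamed_encrypted": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            status = classify(p)
            if status in report:
                report[status].append(p.relative_to(root).as_posix())
    for bucket in report.values():
        bucket.sort()
    return report


def build_sample_tree():
    """Create a constructed directory tree mimicking what a responder finds."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    samples = {
        "desktops/ws07/outlook.ost": b"!BDN" + b"\x00" * 60,       # cached mailbox, untouched
        "desktops/ws12/outlook.ost": b"\x8a\x13\xf7\x02" * 16,     # overwritten in place
        "backups/erp_2019-03-08.bak": b"TAPE" + b"\x00" * 60,      # offline copy, intact
        "backups/erp_full.bak.RYK": b"\x41\x9c\x0d\x77" * 16,      # renamed by Ryuk
        "vm/fs01.vhdx": b"vhdxfile" + b"\x00" * 56,                # intact virtual disk
        "desktops/ws12/RyukReadMe.txt": b"ransom note",            # untracked
    }
    for rel, data in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    for bucket, files in triage(build_sample_tree()).items():
        print(f"{bucket}: {files}")
```

Point `triage()` at a mounted read-only image of each desktop or backup volume rather than at the live host, and treat a passing magic check as necessary but not sufficient: a partially encrypted file can keep its first bytes, so open the survivors with Outlook or run RESTORE VERIFYONLY against the .bak before relying on them.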

Over the following couple of weeks, critical milestones in the recovery project were achieved through close collaboration between Progent engineers and the client:

  • Internal web sites were returned to operation with no loss of data.
  • The MailStore email archive server, holding over four million historical emails, was brought back up and made available to users.
  • CRM/Product Ordering/Invoicing/AP/Accounts Receivables (AR)/Inventory Control capabilities were completely operational.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • Ninety percent of the desktop computers were back in operation.

"A lot of what occurred those first few days is nearly entirely a blur for me, but my management will not forget the urgency each and every one of the team accomplished to give us our business back. I have been working together with Progent for at least 10 years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This time was a testament to your capabilities."

Conclusion
A probable business disaster was averted thanks to top-tier professionals, a wide spectrum of knowledge, and tight collaboration. Post-incident forensics showed that the intrusion described here could have been blocked with current security technology, NIST Cybersecurity Framework best practices, user training, and properly executed procedures for offline backups and timely security patching. Even so, criminal and state-sponsored attackers from Russia, China and elsewhere are relentless and remain an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's team has a proven track record in ransomware defense, remediation, and data recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thank you for letting me get some sleep after we got through the initial fire. All of you did a fabulous job, and if any of you guys are around the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Napa a range of remote monitoring and security evaluation services designed to help you reduce your exposure to ransomware. These services include behavior-based detection technology intended to catch new strains of ransomware that evade legacy signature-based anti-virus.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses behavior analysis to guard physical and virtual endpoints against modern malware such as ransomware and file-less exploits, which easily escape traditional signature-based AV tools. ProSight ASM protects local and cloud-based resources and provides a single platform to address the entire threat lifecycle including protection, detection, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Note that rollback depends on the shadow copies surviving the attack: most current ransomware, Ryuk included, deletes them (for example with vssadmin delete shadows) before encrypting, so shadow-copy rollback complements rather than replaces offline backups. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth protection for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and machine learning to continuously monitor and respond to threats across all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint control, and web filtering through tools incorporated within one agent managed from a single console. Progent's security and virtualization experts can help your business plan and implement a ProSight ESP deployment that meets your company's specific requirements and that allows you to achieve and demonstrate compliance with legal and industry information protection regulations. Progent will help you specify and implement the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for immediate attention. Progent can also help you set up and test a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and medium-sized organizations a low cost end-to-end service for secure backup/disaster recovery (BDR). For a fixed monthly rate, ProSight DPS automates and monitors your backup activities and enables fast restoration of critical files, apps and virtual machines that have become lost or damaged due to hardware failures, software glitches, natural disasters, human error, or malicious attacks like ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to a local storage device, or mirrored to both. Progent's cloud backup specialists can provide advanced expertise to configure ProSight Data Protection Services to be compliant with government and industry regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, whenever needed, can help you to restore your critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading information security companies to provide centralized management and comprehensive protection for all your inbound and outbound email. The architecture of the Email Guard managed service combines cloud-based filtering with a local gateway appliance to defend against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne malware. The Cloud Protection Layer serves as the first barrier and keeps the vast majority of unwanted email from reaching your security perimeter, which reduces your exposure to inbound threats and saves network bandwidth and storage space. Email Guard's onsite gateway device adds a deeper level of analysis for inbound email. For outgoing email, the onsite gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also work with Microsoft Exchange Server to monitor and protect internal email traffic that never leaves your security perimeter. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized organizations to map out, monitor, enhance and debug their connectivity hardware such as routers and switches, firewalls, and access points as well as servers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network diagrams are kept current, captures and displays the configuration of almost all devices on your network, tracks performance, and generates notices when problems are discovered. By automating tedious management and troubleshooting activities, WAN Watch can cut hours off common tasks like network mapping, expanding your network, locating appliances that require important software patches, or isolating performance problems. Find out more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses remote monitoring and management (RMM) technology to help keep your network operating efficiently by tracking the health of the critical computers that power your business. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your designated IT management staff and your assigned Progent engineering consultant so that potential problems can be addressed before they disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual host set up and managed by Progent's IT support experts. With the ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the apps. Because the environment is virtualized, it can be moved immediately to a different hardware environment without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is an IT infrastructure documentation management service that lets you create, maintain, find and protect information about your network infrastructure, procedures, applications, and services. You can quickly look up passwords or IP addresses and be alerted automatically about upcoming expirations of SSL/TLS certificates or domain registrations. By cleaning up and organizing your network documentation, you can eliminate as much as half the time wasted hunting for critical information about your IT network. ProSight IT Asset Management provides a common location for storing and collaborating on all documents required for managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports automation for collecting and correlating IT information. Whether you're planning improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.
For Napa 24-7 Crypto-Ransomware Recovery Help, contact Progent at 800-993-9400 or go to Contact Progent.