Crypto-Ransomware : Your Feared IT Nightmare
Ransomware Remediation Professionals
Ransomware has become an all-too-frequent cyber pandemic that represents an extinction-level danger for businesses of all sizes that are poorly prepared for an attack. Different versions of crypto-ransomware such as the CrySIS, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for a long time and continue to cause havoc. Newer strains of ransomware like Ryuk and Hermes, as well as frequent unnamed variants, not only encrypt on-line data files but also corrupt most reachable system restore points and backups. Information synched to off-site disaster recovery sites can also be ransomed. In a poorly designed system, this can make any recovery impossible and effectively knocks the entire system back to square one.

Retrieving programs and information after a ransomware event becomes a race against the clock as the targeted business tries its best to contain the damage, eradicate the ransomware, and resume business-critical operations. Because ransomware needs time to spread, attacks are usually launched on weekends, when successful attacks are likely to take longer to discover. This multiplies the difficulty of rapidly assembling and organizing an experienced mitigation team.

Progent makes available an assortment of solutions for securing businesses from crypto-ransomware attacks. These include user training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus installation of modern security gateways with AI technology to automatically detect and suppress day-zero cyber threats. Progent also can provide the services of experienced ransomware recovery professionals with the skills and commitment to re-deploy a compromised environment as quickly as possible.

Progent's Crypto-Ransomware Restoration Support Services
After a crypto-ransomware penetration, paying the ransom in Bitcoin cryptocurrency does not guarantee that the attackers will provide the keys needed to decrypt all your files. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their files even after having sent off the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the typical ransomware demand, which ZDNET determined to be approximately $13,000. The other path is to piece back together the mission-critical components of your Information Technology environment. Absent access to complete system backups, this calls for a broad complement of IT skills, top-notch project management, and the ability to work non-stop until the job is finished.

For decades, Progent has offered expert Information Technology services for companies in Honolulu and throughout the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have attained top certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have garnered internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise with financial management and ERP application software. This breadth of experience provides Progent the skills to efficiently understand necessary systems and organize the surviving pieces of your IT system after a crypto-ransomware penetration and configure them into a functioning system.

Progent's ransomware team deploys top-notch project management applications to orchestrate the complex recovery process. Progent understands the urgency of working quickly and in concert with a customer's management and Information Technology team members to prioritize tasks and to get the most important systems back on line as fast as possible.

Case Study: A Successful Ransomware Intrusion Restoration
A client sought out Progent after their network was taken over by the Ryuk ransomware virus. Ryuk is believed to have been deployed by North Korean government-sponsored criminal gangs, suspected of adopting techniques leaked from the United States National Security Agency. Ryuk targets specific companies with little or no room for disruption and is among the most profitable incarnations of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in Chicago with about 500 staff members. The Ryuk attack had disabled all business operations and manufacturing processes. The majority of the client's data backups had been online at the start of the attack and were encrypted. The client was actively seeking loans to pay the ransom (exceeding $200,000) and hoping for the best, but ultimately engaged Progent.


"I can't tell you enough in regards to the support Progent gave us throughout the most stressful time of (our) company's existence. We would have paid the criminal gangs if it wasn't for the confidence the Progent team provided us. That you could get our e-mail and essential servers back on-line sooner than seven days was something I thought impossible. Each expert I got help from or messaged at Progent was absolutely committed on getting us back on-line and was working at all hours to bail us out."

Progent worked with the customer to rapidly assess and prioritize the critical areas that needed to be recovered to make it possible to continue business functions:

  • Active Directory
  • Electronic Messaging
  • MRP System

To begin, Progent followed industry best practices for anti-virus/malware incident response by halting lateral movement and cleaning up infected systems. Progent then initiated the steps of rebuilding Microsoft Active Directory, the core of enterprise networks built upon Microsoft technology. Microsoft Exchange messaging will not operate without Windows AD, and the business's MRP applications relied on Microsoft SQL Server, which depends on Windows AD for access to the data.

In less than 2 days, Progent was able to recover Windows Active Directory to its pre-intrusion state. Progent then rebuilt the needed applications and recovered their data from hard drives. All Exchange ties and attributes were intact, which greatly helped the restoration of Exchange. Progent was able to find local OST files (Outlook Email Offline Data Files) on team PCs to recover mail data. A recent offline backup of the business's manufacturing software enabled them to bring these essential services back online. Although a large amount of work still had to be done to recover fully from the Ryuk event, critical services were restored quickly:


"For the most part, the production manufacturing operation did not miss a beat and we delivered all customer shipments."

Over the next couple of weeks critical milestones in the restoration process were accomplished in tight collaboration between Progent consultants and the client:

  • Self-hosted web sites were restored without losing any information.
  • The MailStore Exchange Server, holding more than four million historical messages, was brought online and made available to users.
  • CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory modules were fully restored.
  • A new Palo Alto 850 security appliance was installed.
  • 90% of the user desktops and notebooks were back into operation.

"A huge amount of what was accomplished in the initial days is nearly entirely a haze for me, but I will not soon forget the care each of you put in to help get our company back. I've been working with Progent for the past ten years, possibly more, and every time Progent has shined and delivered. This time was a testament to your capabilities."

Conclusion
A probable business catastrophe was dodged through the efforts of results-oriented professionals, a broad array of IT skills, and close teamwork. Although forensics showed that the crypto-ransomware penetration described here could have been identified and blocked with advanced cyber security systems and NIST Cybersecurity Framework best practices, team education, and well-designed security procedures for information protection and proper patching controls, the reality is that government-sponsored hackers from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware virus, remember that Progent's roster of professionals has extensive experience in ransomware defense, removal, and information systems restoration.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thanks very much for allowing me to get some sleep after we made it through the initial push. All of you did an amazing effort, and if any of your team is in the Chicago area, dinner is my treat!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Honolulu a variety of remote monitoring and security evaluation services designed to assist you to minimize the threat from ransomware. These services include modern AI technology to detect zero-day variants of crypto-ransomware that are able to get past traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates cutting edge behavior machine learning technology to guard physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which easily get by legacy signature-based anti-virus tools. ProSight ASM safeguards local and cloud-based resources and offers a single platform to manage the entire malware attack lifecycle including protection, infiltration detection, mitigation, cleanup, and forensics. Top capabilities include one-click rollback with Windows VSS and real-time system-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer affordable multi-layer security for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and responding to security threats from all vectors. ProSight ESP provides firewall protection, penetration alarms, device management, and web filtering via cutting-edge technologies incorporated within a single agent managed from a single console. Progent's data protection and virtualization experts can assist you to design and implement a ProSight ESP deployment that addresses your organization's specific requirements and that allows you achieve and demonstrate compliance with government and industry data security regulations. Progent will assist you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for urgent attention. Progent can also assist your company to set up and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and medium-sized businesses an affordable and fully managed solution for secure backup/disaster recovery (BDR). For a low monthly price, ProSight Data Protection Services automates and monitors your backup processes and enables rapid recovery of vital data, applications and virtual machines that have become lost or damaged due to hardware breakdowns, software glitches, disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to an on-premises storage device, or mirrored to both. Progent's backup and recovery specialists can deliver advanced support to set up ProSight Data Protection Services to comply with regulatory requirements such as HIPAA, FERPA, and PCI and, when needed, can assist you to recover your critical data. Learn more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top data security vendors to deliver centralized management and world-class security for all your email traffic. The hybrid structure of Progent's Email Guard managed service combines cloud-based filtering with an on-premises security gateway device to offer complete protection against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne malware. The cloud filter serves as a first line of defense and blocks most threats from reaching your security perimeter. This decreases your exposure to external attacks and saves system bandwidth and storage. Email Guard's onsite gateway appliance provides a further layer of analysis for inbound email. For outgoing email, the onsite security gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also help Microsoft Exchange Server to monitor and safeguard internal email that stays inside your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to diagram, monitor, enhance and debug their connectivity appliances like switches, firewalls, and access points as well as servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that network diagrams are always updated, captures and displays the configuration information of virtually all devices connected to your network, monitors performance, and sends alerts when potential issues are detected. By automating complex management and troubleshooting activities, ProSight WAN Watch can knock hours off common tasks like network mapping, expanding your network, locating appliances that need critical updates, or isolating performance problems. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to help keep your network running at peak levels by checking the state of vital assets that power your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your specified IT management staff and your assigned Progent consultant so that any potential problems can be resolved before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure Tier III data center on a fast virtual machine host set up and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the apps. Because the system is virtualized, it can be moved easily to a different hardware solution without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and protect data related to your network infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates, domains or warranties. By updating and managing your IT infrastructure documentation, you can save as much as half of the time spent trying to find vital information about your network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents required for managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether you're planning improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you require as soon as you need it. Read more about ProSight IT Asset Management service.
For 24/7 Honolulu CryptoLocker Remediation Services, reach out to Progent at 800-993-9400 or go to Contact Progent.