Crypto-Ransomware : Your Crippling IT Nightmare
Ransomware Remediation Professionals

Crypto-Ransomware has become a too-frequent cyberplague that poses an existential danger for businesses of all sizes that are poorly prepared for an attack. Different iterations of ransomware like the CrySIS, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for many years and continue to inflict damage. More recent strains of ransomware such as Ryuk and Hermes, along with daily unnamed variants, not only encrypt on-line critical data but also attack every configured system protection mechanism they can reach. Data synchronized to cloud environments can also be encrypted. With a vulnerable data protection solution, this can render automated restoration useless and effectively knocks the entire system back to square one.

Recovering programs and information following a crypto-ransomware intrusion becomes a sprint against the clock as the targeted business fights to contain the damage, remove the ransomware, and resume business-critical operations. Because ransomware needs time to move laterally, attacks are often launched during weekends and nights, when successful attacks typically take longer to detect. This compounds the difficulty of rapidly mobilizing and organizing a knowledgeable response team.

Progent offers an assortment of services for securing organizations from ransomware penetrations. Among these are team member training to help identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of the latest generation of security appliances with machine learning capabilities to automatically detect and quarantine zero-day cyber threats. Progent also offers the assistance of veteran ransomware recovery engineers with the track record and commitment to re-deploy a compromised network as urgently as possible.

Progent's Ransomware Recovery Help
Following a crypto-ransomware event, paying the ransom in Bitcoin cryptocurrency does not provide any assurance that the criminal gangs will respond with the keys to decrypt any of your information. Kaspersky estimated that 17% of crypto-ransomware victims never restored their data after having sent off the ransom, resulting in increased losses. The ransom itself is also expensive. Ryuk ransoms commonly range from 15-40 BTC (roughly $120,000 to $400,000). This is significantly higher than the average ransomware demand, which ZDNET estimates to be around $13,000. The alternative is to re-install the essential parts of your Information Technology environment. Without complete system backups, this calls for a wide range of IT skills, professional project management, and the capability to work continuously until the recovery project is done.

For two decades, Progent has made available certified expert IT services for companies in Valencia and across the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have earned advanced certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent in addition has experience in accounting and ERP applications. This breadth of expertise gives Progent the ability to quickly identify the important systems, salvage the intact pieces of your IT environment following a ransomware penetration, and configure them into an operational system.

Progent's ransomware team of experts has state-of-the-art project management tools to coordinate the complicated recovery process. Progent knows the importance of acting swiftly and together with a client's management and Information Technology resources to assign priority to tasks and to put essential services back online as soon as possible.

Business Case Study: A Successful Crypto-Ransomware Virus Recovery
A customer sought out Progent after their organization was penetrated by Ryuk ransomware. Ryuk is thought to have been launched by North Korean government-sponsored criminal gangs, possibly adopting technology leaked from America's NSA. Ryuk targets specific organizations with little tolerance for operational disruption and is among the most lucrative instances of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in Chicago with around 500 workers. The Ryuk attack had brought down all business operations and manufacturing processes. The majority of the client's data backups had been directly accessible at the beginning of the intrusion and were encrypted. The client was actively seeking loans for paying the ransom demand (exceeding $200,000) and hoping for the best, but ultimately engaged Progent.


"I cannot say enough in regards to the expertise Progent gave us during the most critical time of (our) company's life. We most likely would have paid the cyber criminals if not for the confidence the Progent team gave us. That you could get our e-mail and production servers back online faster than a week was something I thought impossible. Every single staff member I worked with or messaged at Progent was amazingly focused on getting us back on-line and was working at all hours on our behalf."

Progent worked with the client to quickly identify and prioritize the mission critical areas that had to be addressed to make it possible to resume departmental functions:

  • Active Directory (AD)
  • Microsoft Exchange
  • MRP System

To begin, Progent followed AV/malware incident response best practices by halting the spread and cleaning up infected systems. Progent then started the steps of recovering Microsoft Active Directory, the core of enterprise environments built upon Microsoft Windows Server technology. Microsoft Exchange messaging will not work without AD, and the customer's accounting and MRP system utilized SQL Server, which requires Active Directory for authentication to the information.

Within two days, Progent was able to restore Active Directory to its pre-attack state. Progent then accomplished setup and storage recovery of the most important servers. All Microsoft Exchange Server data and configuration information were usable, which facilitated the restore of Exchange. Progent was also able to assemble intact OST files (Microsoft Outlook Off-Line Folder Files) on staff desktop computers in order to recover mail messages. A recent off-line backup of the customer's accounting/ERP software made it possible to bring these vital applications back into service for users. Although major work remained to recover totally from the Ryuk event, core systems were restored quickly:


"For the most part, the manufacturing operation was never shut down and we made all customer orders."

Throughout the next month key milestones in the recovery project were completed in tight cooperation between Progent engineers and the client:

  • Self-hosted web applications were brought back up without losing any information.
  • The MailStore Server with over 4 million historical messages was brought online and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control modules were fully recovered.
  • A new Palo Alto Networks 850 security appliance was deployed.
  • 90% of the desktop computers were operational.

"Much of what was accomplished those first few days is mostly a blur for me, but we will not forget the countless hours each of you put in to help get our business back. I have entrusted Progent for the past ten years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered. This situation was a life saver."

Conclusion
A possible enterprise-killing catastrophe was evaded due to top-tier professionals, a broad spectrum of knowledge, and close teamwork. In post-mortem analysis, the ransomware virus incident described here could have been identified and prevented with modern security solutions and recognized best practices, team training, properly executed incident response procedures for data protection, and keeping systems up to date with security patches. The reality remains, however, that government-sponsored hackers from Russia, China and elsewhere are relentless and will continue. If you do get hit by a crypto-ransomware incursion, feel confident that Progent's roster of professionals has substantial experience in ransomware virus defense, remediation, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were contributing), thanks very much for allowing me to get rested after we got past the initial fire. Everyone did an amazing effort, and if anyone is in the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Valencia a portfolio of online monitoring and security assessment services designed to help you to minimize the threat from crypto-ransomware. These services utilize modern AI technology to uncover zero-day strains of ransomware that can get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates cutting edge behavior analysis tools to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which easily escape traditional signature-based AV products. ProSight ASM protects on-premises and cloud resources and provides a unified platform to automate the complete malware attack progression including filtering, identification, mitigation, remediation, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services offer affordable multi-layer security for physical and virtual servers, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and responding to cyber threats from all vectors. ProSight ESP delivers firewall protection, penetration alarms, endpoint management, and web filtering via cutting-edge technologies packaged within a single agent managed from a unified console. Progent's data protection and virtualization consultants can help your business to design and configure a ProSight ESP environment that addresses your organization's unique requirements and that helps you demonstrate compliance with legal and industry data protection regulations. Progent will assist you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require immediate action. Progent's consultants can also assist you to set up and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized businesses a low cost end-to-end solution for reliable backup/disaster recovery (BDR). Available at a low monthly rate, ProSight Data Protection Services automates your backup processes and allows rapid restoration of vital data, apps and virtual machines that have become lost or corrupted due to hardware breakdowns, software bugs, disasters, human mistakes, or malicious attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to an on-premises storage device, or to both. Progent's backup and recovery specialists can provide world-class support to set up ProSight DPS to comply with regulatory standards like HIPAA, FIRPA, PCI and Safe Harbor and, whenever needed, can help you to restore your critical data. Learn more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top information security companies to deliver centralized management and comprehensive protection for your email traffic. The powerful structure of Progent's Email Guard combines cloud-based filtering with a local security gateway device to offer complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The cloud filter acts as a preliminary barricade and blocks most threats from making it to your security perimeter. This decreases your exposure to inbound threats and conserves system bandwidth and storage space. Email Guard's on-premises security gateway device adds a further layer of analysis for inbound email. For outgoing email, the on-premises gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also assist Exchange Server to monitor and protect internal email that originates and ends within your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to diagram, track, enhance and debug their connectivity appliances like routers, firewalls, and load balancers plus servers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are always current, copies and displays the configuration information of almost all devices connected to your network, tracks performance, and generates alerts when potential issues are detected. By automating tedious management and troubleshooting activities, WAN Watch can knock hours off ordinary chores such as network mapping, expanding your network, finding appliances that need critical updates, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) technology to keep your IT system operating at peak levels by checking the health of vital assets that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your specified IT staff and your assigned Progent engineering consultant so all potential problems can be addressed before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host configured and managed by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the apps. Because the environment is virtualized, it can be moved immediately to an alternate hosting environment without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard information about your network infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or warranties. By updating and organizing your network documentation, you can eliminate up to half of the time thrown away looking for critical information about your IT network. ProSight IT Asset Management includes a common location for storing and collaborating on all documents related to managing your network infrastructure like standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're planning improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you require when you need it. Read more about ProSight IT Asset Management service.

For Valencia 24-Hour Ransomware Removal Consultants, contact Progent at 800-993-9400 or go to Contact Progent.