Crypto-Ransomware : Your Crippling Information Technology Nightmare
Ransomware Recovery Professionals
Ransomware has become an escalating cyber pandemic that presents an enterprise-level danger for businesses of all sizes that are unprepared for an attack. Ransomware families such as Reveton, WannaCry, Bad Rabbit, SamSam and MongoLock have been running rampant for years and still inflict harm. Modern strains like Ryuk and Hermes, along with a steady stream of as yet unnamed malware, not only encrypt critical online data but also destroy or encrypt any system restore points and backups they can reach, typically by deleting Volume Shadow Copies and backup catalogs before encryption starts. Files replicated to the cloud can also be rendered useless, because synchronization faithfully copies the encrypted versions. In a poorly designed system, this makes automatic restoration hopeless and sets the entire environment back to square one.
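The backup-destruction step described above leaves a clear trace in Windows process-creation auditing. The following PowerShell is an added example (not Progent's code or any product of theirs) that scans Security event ID 4688 records for the commands ransomware commonly runs to wipe shadow copies, backup catalogs and boot-time recovery; the hostnames, account names, timestamps and command lines in the sample are constructed, and the helper names are this example's own.

```powershell
# Added example, not Progent's code: flag process-creation events (Security log, event ID 4688)
# whose command line matches the commands ransomware such as Ryuk runs to wipe Volume Shadow
# Copies, backup catalogs and boot-time recovery before it starts encrypting.
# Prerequisite on real hosts: "Audit Process Creation" plus "Include command line in process
# creation events" must be enabled, or 4688 records carry no command line at all.

$BackupDestructionPatterns = @(
    @{ Technique = 'Shadow copies deleted (vssadmin)';     Regex = 'vssadmin(\.exe)?\s+delete\s+shadows' },
    @{ Technique = 'Shadow storage shrunk to evict copies'; Regex = 'vssadmin(\.exe)?\s+resize\s+shadowstorage' },
    @{ Technique = 'Shadow copies deleted (WMI)';          Regex = 'wmic(\.exe)?\s+shadowcopy\s+delete' },
    @{ Technique = 'Backup catalog deleted (wbadmin)';     Regex = 'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)' },
    @{ Technique = 'Boot recovery disabled (bcdedit)';     Regex = 'bcdedit(\.exe)?.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b' }
)

# Turn a live 4688 event into a flat record. The command line lives in the event's XML
# EventData, not in the summary properties, so the event is parsed via ToXml().
function ConvertFrom-ProcessCreationEvent {
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $Event.TimeCreated
            Computer    = $Event.MachineName
            User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            CommandLine = $data['CommandLine']
        }
    }
}

# Emit one finding per (event, pattern) match. -match is case-insensitive by default,
# so "recoveryenabled No" and "RECOVERYENABLED no" are both caught.
function Find-BackupDestruction {
    param([Parameter(Mandatory, ValueFromPipeline)] [object] $ProcessEvent)   # record with Time, Computer, User, CommandLine
    process {
        foreach ($p in $BackupDestructionPatterns) {
            if ($ProcessEvent.CommandLine -match $p.Regex) {
                [pscustomobject]@{
                    Time        = $ProcessEvent.Time
                    Computer    = $ProcessEvent.Computer
                    User        = $ProcessEvent.User
                    Technique   = $p.Technique
                    CommandLine = $ProcessEvent.CommandLine
                }
            }
        }
    }
}

# Constructed sample records (hosts, accounts, times and command lines are made up). On a real host:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | ConvertFrom-ProcessCreationEvent | Find-BackupDestruction
$sample = @(
    [pscustomobject]@{ Time = '2019-03-12 02:14:07'; Computer = 'FS01';  User = 'CORP\svc-backup'; CommandLine = 'C:\Windows\System32\vssadmin.exe delete shadows /all /quiet' }
    [pscustomobject]@{ Time = '2019-03-12 02:14:09'; Computer = 'FS01';  User = 'CORP\svc-backup'; CommandLine = 'wbadmin delete catalog -quiet' }
    [pscustomobject]@{ Time = '2019-03-12 02:14:10'; Computer = 'FS01';  User = 'CORP\svc-backup'; CommandLine = 'bcdedit /set {default} recoveryenabled No' }
    [pscustomobject]@{ Time = '2019-03-12 02:15:33'; Computer = 'WS042'; User = 'CORP\jsmith';     CommandLine = '"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"' }
)

# Three findings for FS01 (all from the same backup service account); the Outlook launch is ignored.
$sample | Find-BackupDestruction | Format-Table -AutoSize
```

The point of the sample is the pattern, not the volume: three of these commands within seconds of each other, from a single account on a file server in the middle of the night, is the moment before encryption begins, and alerting on it from a central log collector is one of the cheapest early warnings available. Note that a backup service account appearing as the subject is itself a finding, since the credentials used to run backups are a natural target for exactly this step.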

Retrieving services and data following a crypto-ransomware event becomes a sprint against the clock as the targeted organization fights to stop lateral movement, remove the ransomware, and resume mission-critical operations. Because the attacker needs time to spread through the network before detonating, encryption is frequently triggered at night or over a weekend, when it takes longer to notice. This compounds the difficulty of quickly marshalling and orchestrating a capable response team.

Progent offers a range of solutions for protecting businesses from ransomware events. Among these are team education to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of the latest generation security appliances with AI capabilities to rapidly detect and suppress zero-day threats. Progent also can provide the assistance of experienced ransomware recovery consultants with the talent and commitment to rebuild a compromised network as rapidly as possible.

Progent's Ransomware Restoration Support Services
After a crypto-ransomware event, even paying the ransom in Bitcoin does not guarantee that the criminals will provide working keys to decrypt all your data. Kaspersky Lab reported that 17% of ransomware victims never recovered their information even after paying, compounding their losses. The ransom itself is also very costly. Ryuk demands often range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the typical ransomware demand, which ZDNet put at approximately $13,000. The alternative is to rebuild the mission-critical components of your IT environment. Without access to usable backups, this calls for a wide range of skills, well-coordinated project management, and the ability to work 24x7 until the recovery project is completed.

For twenty years, Progent has provided expert IT services for companies in Palo Alto and across the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security specialists hold internationally recognized industry certifications including CISM, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of experience lets Progent efficiently identify critical systems, salvage the surviving parts of your network environment after a ransomware attack, and configure them into a functioning whole.

Progent's ransomware team uses state-of-the-art project management tools to coordinate the complex restoration process. Progent appreciates the urgency of acting rapidly and in unison with a customer's management and IT staff to prioritize tasks and to bring the most important applications back online as fast as possible.

Customer Case Study: A Successful Ransomware Penetration Response
A business hired Progent after its network was taken over by Ryuk ransomware. Ryuk shares code with the earlier Hermes ransomware, which initially led researchers to attribute it to North Korean state-sponsored actors; subsequent analysis attributed Ryuk operations to a Russian-speaking criminal group. Ryuk targets specific companies with limited tolerance for operational disruption and is among the most lucrative ransomware families. Prominent victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in the Chicago metro area with around 500 employees. The Ryuk attack had shut down all business operations and manufacturing capabilities. Most of the client's data backups had been directly accessible from the network at the time of the attack and were encrypted along with everything else. The client was actively seeking loans to pay the ransom demand (in excess of $200K) and hoping for the best, but ultimately engaged Progent.


"I can't say enough in regards to the support Progent provided us throughout the most stressful time of (our) company's existence. We most likely would have paid the cyber criminals if it wasn't for the confidence the Progent team gave us. That you were able to get our e-mail system and production applications back in less than a week was incredible. Every single expert I spoke to or communicated with at Progent was laser focused on getting us working again and was working non-stop to bail us out."

Progent worked with the client to quickly identify and prioritize the key applications that had to be recovered before departmental operations could resume:

  • Active Directory (AD)
  • Electronic Mail
  • Accounting/MRP
To begin, Progent followed industry best practices for malware containment: isolating infected hosts to stop the spread, then removing the malware. Progent then started recovering Microsoft AD, the heart of enterprise environments built on Microsoft technology. Microsoft Exchange will not work without AD, and the business's financials and MRP system ran on Microsoft SQL Server, which relied on Active Directory (Windows authentication) to authenticate users to the database.

In less than 48 hours, Progent rebuilt Active Directory to its pre-attack state. Progent then began reinstalling and restoring storage for mission-critical systems. All Exchange Server schema extensions and attributes in AD were intact, which accelerated the Exchange restore. Progent collected local OST files (Outlook Offline Data Files) from various PCs and laptops to recover mailbox contents. A reasonably recent offline backup of the customer's accounting/MRP systems made it possible to bring these required applications back into service. Although significant work remained to recover fully from the Ryuk event, essential services were restored rapidly:
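Before layering Exchange and SQL Server back on top of a rebuilt directory, it pays to confirm that the directory is actually healthy and still carries what those applications need. The PowerShell below is an added example of those checks, not Progent's own runbook; it assumes it is run elevated as a domain administrator on a domain controller (or a host with RSAT and sqlcmd installed), and the server name SQL01 and the attack-window date are placeholders.

```powershell
# Added example, not Progent's procedure: post-restore checks for an Active Directory
# rebuilt after a ransomware event, run before dependent services are restored.
# Assumes: elevated session, domain admin, ActiveDirectory module (RSAT) and sqlcmd present.
Import-Module ActiveDirectory

# 1. Replication and DC health. repadmin and dcdiag ship with the AD DS role / RSAT.
repadmin /replsummary
dcdiag /q                      # prints failures only; silence means every test passed

# 2. All five FSMO roles must sit on live DCs, or schema and RID operations will fail later.
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 3. Exchange depends on its schema extension and on its server objects in the configuration
#    partition. rangeUpper on ms-Exch-Schema-Version-Pt is the installed Exchange schema version.
$rootDse  = Get-ADRootDSE
$exSchema = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                         -Filter "name -eq 'ms-Exch-Schema-Version-Pt'" -Properties rangeUpper
if ($exSchema) {
    "Exchange schema present, version (rangeUpper): $($exSchema.rangeUpper)"
} else {
    Write-Warning 'Exchange schema extension missing: the directory was restored from a pre-Exchange state'
}
Get-ADObject -SearchBase $rootDse.configurationNamingContext `
             -LDAPFilter '(objectClass=msExchExchangeServer)' |
    Select-Object Name, DistinguishedName

# 4. SQL Server with Windows authentication only works if Kerberos through the restored
#    domain works. auth_scheme should read KERBEROS (NTLM indicates an SPN or DNS problem).
sqlcmd -S SQL01 -E -Q "SELECT SUSER_SNAME() AS login_name, auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID"

# 5. Do not carry the attacker's persistence into the rebuilt environment: review accounts
#    created or changed during the attack window and current privileged group membership.
$attackStart = Get-Date '2019-03-01'   # placeholder: earliest known attacker activity
Get-ADUser -Filter { whenCreated -ge $attackStart -or whenChanged -ge $attackStart } `
           -Properties whenCreated, whenChanged |
    Select-Object SamAccountName, Enabled, whenCreated, whenChanged
Get-ADGroupMember -Identity 'Domain Admins' | Select-Object SamAccountName, objectClass
```

Step 3 is the check that corresponds to the "schema and attributes were usable" observation above: if the restored directory predates the Exchange installation, the schema object is absent and Exchange setup has to be re-run before any mailbox database can be mounted. Step 5 matters because a backup-based AD restore can resurrect accounts and group memberships the attacker added before the backup was taken.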


"For the most part, the production operation ran fairly normal throughout and we made all customer orders."

Over the following couple of weeks, important milestones in the restoration process were completed through close cooperation between Progent consultants and the customer:

  • Internal web sites were restored without losing any information.
  • The MailStore Server containing more than four million archived messages was brought back online and made available to users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory functions were 100 percent operational.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • 90% of the user desktops and notebooks were operational.

"So much of what happened in the initial days is mostly a haze for me, but we will not forget the countless hours each and every one of the team put in to give us our business back. I have been working together with Progent for the past 10 years, possibly more, and every time Progent has outperformed my expectations and delivered as promised. This time was the most impressive ever."

Conclusion
A likely business-ending catastrophe was averted by top-tier professionals, a wide array of IT skills, and close collaboration. In retrospect, the ransomware intrusion described here could have been stopped by current security tooling and practices: staff education, properly executed backup procedures that keep at least one copy offline or otherwise out of reach of a compromised account, and timely software patching. The reality remains that state-sponsored and criminal attackers from Russia, China and elsewhere are relentless and will keep coming. If you do fall victim to a crypto-ransomware intrusion, remember that Progent's team of experts has substantial experience in ransomware defense, removal, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were involved), thank you for making it so I could get rested after we got through the most critical parts. All of you made an amazing effort, and if anyone is around the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Palo Alto a variety of online monitoring and security assessment services to help you to minimize your vulnerability to crypto-ransomware. These services include modern AI technology to uncover new strains of ransomware that are able to escape detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates next-generation behavior-based analysis to guard physical and virtual endpoints against new malware attacks like ransomware and email phishing, which easily evade legacy signature-based AV tools. ProSight ASM safeguards on-premises and cloud resources and offers a unified platform to address the complete threat progression, including filtering, detection, containment, remediation, and post-attack forensics. Key features include one-click rollback using Windows VSS and real-time system-wide immunization against newly discovered attacks. Note that VSS-based rollback only works if the shadow copies survive the attack: most current ransomware deletes them before encrypting, so the endpoint agent must block that step, or the copies must be otherwise protected, for rollback to be an option. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services deliver affordable multi-layer protection for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and machine learning for round-the-clock monitoring of and response to attacks from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device control, and web filtering, packaged within a single agent managed from a single console. Progent's security and virtualization experts can help your business plan and configure a ProSight ESP deployment that addresses your organization's specific needs and that allows you to achieve and demonstrate compliance with legal and industry data protection standards. Progent will help you specify and implement the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for urgent action. Progent's consultants can also help your company install and test a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business quickly after a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and medium-sized businesses a low-cost, fully managed service for reliable backup and disaster recovery. For a low monthly fee, ProSight Data Protection Services automates and monitors your backup activities and enables fast recovery of vital files, applications and VMs that have become unavailable or damaged as a result of hardware failures, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can back up and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware images. Important data can be protected in the cloud, on a local storage device, or both. Because the case study above shows backups that were reachable from the network being encrypted along with production data, the copy that matters in a ransomware event is one that an attacker holding domain credentials cannot overwrite or delete. Progent's backup and recovery specialists can deliver advanced expertise to configure ProSight DPS to comply with government and industry regulatory standards such as HIPAA, FERPA, and PCI and, whenever necessary, can help you recover your business-critical information. Learn more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top data security companies to deliver centralized control and comprehensive security for all your inbound and outbound email. The powerful architecture of Progent's Email Guard combines a Cloud Protection Layer with a local security gateway appliance to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The Cloud Protection Layer acts as a first line of defense and keeps most unwanted email from making it to your security perimeter. This decreases your exposure to external threats and conserves system bandwidth and storage space. Email Guard's onsite gateway appliance provides a deeper level of inspection for incoming email. For outgoing email, the on-premises gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also help Exchange Server to track and protect internal email traffic that originates and ends within your security perimeter. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller organizations to map, monitor, optimize and debug their connectivity hardware such as switches, firewalls, and access points as well as servers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network diagrams are kept current, captures and manages the configuration information of virtually all devices on your network, monitors performance, and sends alerts when issues are detected. By automating time-consuming management and troubleshooting processes, WAN Watch can cut hours off ordinary chores like making network diagrams, reconfiguring your network, locating devices that need critical updates, or isolating performance issues. Find out more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to help keep your IT system running efficiently by tracking the state of vital assets that power your business network. When ProSight LAN Watch detects an issue, an alert is sent automatically to your specified IT personnel and your assigned Progent engineering consultant so all potential problems can be addressed before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected fault tolerant data center on a fast virtual machine host configured and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the applications. Since the system is virtualized, it can be ported easily to a different hardware solution without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and safeguard data about your IT infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or domains. By updating and organizing your IT documentation, you can save as much as 50% of the time wasted searching for vital information about your network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents related to managing your network infrastructure, such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether you're planning improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you need when you need it. Read more about Progent's ProSight IT Asset Management service.
For Palo Alto 24-7 Ransomware Repair Services, call Progent at 800-993-9400 or go to Contact Progent.