Crypto-Ransomware : Your Feared IT Nightmare
Ransomware Remediation Professionals

Ransomware has become a modern cyberplague that poses an extinction-level danger to businesses of all sizes that are unprepared for an attack. Multiple generations of ransomware such as Dharma, WannaCry, Locky, NotPetya and the MongoLock cryptoworms have been propagating for years and still inflict havoc. Newer variants such as Ryuk and Hermes, plus many unnamed strains, not only encrypt online data but also compromise every protection mechanism they can reach. Files replicated to the cloud can be ransomed as well. In a poorly designed system, this can render automated restore operations impossible and effectively knocks the entire environment back to square one.

Getting services and data back online after a ransomware intrusion becomes a race against time as the targeted organization fights to stop the spread, eradicate the crypto-ransomware, and resume business-critical activity. Because ransomware needs time to propagate, attacks are frequently launched on weekends, when a successful intrusion often takes longer to notice. This compounds the difficulty of rapidly assembling and coordinating a knowledgeable mitigation team.

Progent offers a range of solutions for securing enterprises against crypto-ransomware events. Among these are staff education to help identify and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security appliances with machine learning capabilities to identify and disable zero-day threats. Progent also offers the assistance of veteran ransomware recovery engineers with the skills and perseverance to restore a breached system as quickly as possible.

Progent's Ransomware Recovery Help
Following a ransomware event, even paying the ransom in cryptocurrency provides no assurance that distant criminals will return the keys needed to decrypt any or all of your data. Kaspersky Labs found that 17% of ransomware victims never recovered their files after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNet puts at around $13,000. The other path is to rebuild the vital elements of your IT environment from scratch. Without full system backups, this calls for a wide complement of skill sets, top-notch project management, and the capability to work 24x7 until the recovery project is complete.

For twenty years, Progent has provided certified expert IT services to companies in Manhattan Beach and throughout the US and has earned Microsoft's Gold Partnership status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who hold high-level industry certifications in key technologies from Microsoft, Cisco and VMware, as well as popular distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized industry certifications including CISM, CISSP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has experience with financial systems and ERP application software. This breadth of experience gives Progent the skills to knowledgeably assess the important systems, organize the remaining pieces of your network environment after a ransomware event, and rebuild them into an operational network.

Progent's security group deploys powerful project management tools to orchestrate the sophisticated restoration process. Progent knows the importance of working rapidly and together with a client's management and IT staff to assign priority to tasks and to get the most important applications back on-line as soon as humanly possible.

Customer Story: A Successful Crypto-Ransomware Attack Restoration
A small business hired Progent after it was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state cybercriminals, suspected of adopting techniques leaked from the U.S. NSA. Ryuk goes after specific businesses with little or no tolerance for disruption and is one of the most profitable iterations of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in Chicago with about 500 workers. The Ryuk event had brought down all essential operations and manufacturing capabilities. The majority of the client's backups had been online at the start of the attack and were eventually encrypted. The client considered paying the ransom demand (in excess of $200K) and hoping for the best, but in the end engaged Progent.

"I cannot tell you enough about the care Progent provided us during the most stressful time of (our) company's survival. We most likely would have paid the cyber criminals if it wasn't for the confidence the Progent team gave us. That you could get our messaging and important applications back online quicker than five days was earth shattering. Every single consultant I talked with or texted at Progent was absolutely committed to getting our system up and was working 24/7 to bail us out."

Progent worked with the customer to rapidly understand and assign priority to the critical systems that had to be addressed to make it possible to resume business operations:

  • Windows Active Directory
  • Microsoft Exchange Server
  • MRP System

To start, Progent followed industry best practices for malware incident response by isolating infected systems and removing the active malware. Progent then began restoring Active Directory, the foundation of enterprise systems built on Microsoft Windows technology. Exchange messaging will not operate without Windows AD, and the client's financials and MRP software used Microsoft SQL Server, which relied on Active Directory for authenticated access to the databases.

Within two days, Progent had restored Active Directory services to their pre-attack state. Progent then charged ahead with setup and storage recovery on critical systems. All Microsoft Exchange Server data and configuration information were intact, which accelerated the restoration of Exchange. Progent was also able to collect unencrypted OST files (Outlook Offline Data Files) from various workstations and laptops in order to recover email. A recent offline backup of the business's financials/MRP software made it possible to bring these essential applications back online for users. Although major work remained to recover fully from the Ryuk damage, critical services were returned to operation quickly:

"For the most part, the production line operation showed little impact and we delivered all customer sales."

Over the following few weeks, key milestones in the restoration process were achieved through close cooperation between Progent consultants and the client:

  • In-house web sites were brought back up with no loss of data.
  • The MailStore Microsoft Exchange Server containing more than 4 million archived messages was restored to operations and accessible to users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory Control functions were fully recovered.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Ninety percent of the user desktops were back into operation.

"So much of what transpired in the initial days is nearly entirely a haze for me, but my management will not soon forget the commitment each of the team accomplished to give us our company back. I have utilized Progent for the past 10 years, maybe more, and every time I needed help Progent has impressed me and delivered. This situation was a stunning achievement."

Conclusion
A likely business-killing disaster was avoided through dedicated professionals, a broad array of knowledge, and close teamwork. In hindsight, the crypto-ransomware incident detailed here should have been identified and prevented with modern cybersecurity solutions and security best practices, user training, and well thought out procedures for data backup and software patching. The fact remains, however, that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware attack, remember that Progent's team of experts has substantial experience in ransomware blocking, removal, and information systems restoration.

"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), I'm grateful for allowing me to get some sleep after we made it through the initial fire. Everyone did an amazing effort, and if anyone is in the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Manhattan Beach a variety of online monitoring and security evaluation services to help you reduce the threat from crypto-ransomware. These services use next-generation artificial intelligence technology to detect new strains of crypto-ransomware that can escape detection by legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates next-generation behavior analysis tools to defend physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which easily evade legacy signature-based anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a single platform to manage the complete threat lifecycle, including protection, infiltration detection, containment, cleanup, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring of and response to security attacks from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, device management, and web filtering via leading-edge technologies packaged within one agent managed from a unified console. Progent's data protection and virtualization experts can help you design and configure a ProSight ESP environment that meets your company's unique requirements and helps you demonstrate compliance with government and industry data security standards. Progent will help you specify and configure the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for urgent action. Progent's consultants can also help your company set up and test a backup and disaster recovery system like ProSight Data Protection Services so you can recover quickly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized businesses an affordable end-to-end solution for secure backup and disaster recovery. Available at a fixed monthly price, ProSight DPS automates your backup processes and enables fast recovery of vital data, applications and virtual machines that have become unavailable or damaged as a result of hardware failures, software glitches, disasters, human mistakes, or malicious attacks like ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images. Critical data can be protected in the cloud, on an on-premises device, or mirrored to both. Progent's BDR specialists can provide advanced expertise to set up ProSight Data Protection Services to comply with regulatory requirements like HIPAA, FINRA, and PCI and, whenever needed, can help you recover your business-critical information. Read more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top information security companies to provide web-based management and world-class protection for your inbound and outbound email. The layered architecture of Email Guard combines a Cloud Protection Layer with an on-premises gateway appliance to provide complete defense against spam, viruses, Denial of Service attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The cloud filter serves as a first line of defense and blocks most unwanted email before it reaches your network firewall. This reduces your exposure to inbound attacks and conserves network bandwidth and storage space. Email Guard's onsite security gateway device adds a deeper level of analysis for inbound email. For outbound email, the onsite security gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also help Microsoft Exchange Server track and protect internal email traffic that stays within your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to map out, monitor, optimize and troubleshoot their connectivity appliances like routers, switches, firewalls, and access points as well as servers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch keeps infrastructure topology maps up to date, copies and manages the configuration of almost all devices connected to your network, tracks performance, and generates alerts when problems are discovered. By automating time-consuming network management activities, ProSight WAN Watch can knock hours off ordinary chores such as network mapping, reconfiguring your network, finding appliances that need important software patches, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system operating efficiently by tracking the state of the vital computers that power your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your designated IT staff and your assigned Progent consultant so that any potential problems can be resolved before they can disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected Tier III data center on a fast virtual host set up and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the applications. Because the environment is virtualized, it can be ported easily to an alternate hosting solution without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and safeguard information about your IT infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be warned about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT documentation, you can eliminate as much as 50% of the time wasted searching for critical information about your network. ProSight IT Asset Management provides a centralized location for storing and sharing all documents related to managing your business network, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether you're planning improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you need as soon as you need it. Find out more about ProSight IT Asset Management service.

For 24/7 Manhattan Beach Crypto-Ransomware Cleanup Experts, contact Progent at 800-993-9400 or go to Contact Progent.