Crypto-Ransomware : Your Crippling Information Technology Nightmare
Crypto-ransomware has become an escalating cyber pandemic that represents an extinction-level danger for organizations vulnerable to an attack. Older ransomware families and cryptoworms such as Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock have been running rampant for years and still cause harm. Modern strains like Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Egregor, plus newer malware not yet named, not only encrypt online critical data but also reach any accessible system restore points and backups. Data replicated to the cloud can also be ransomed. In a vulnerable environment this makes automated restore operations hopeless and effectively sets the network back to square one.

Bringing applications and data back online after a ransomware intrusion becomes a race against time as the victim struggles to contain and clean up the ransomware and to resume business-critical activity. Because ransomware needs time to move laterally, attacks are often sprung on weekends, when intrusions typically take longer to recognize. This compounds the difficulty of quickly marshalling and coordinating a qualified response team.

Progent offers a range of support services for securing enterprises against crypto-ransomware attacks. These include staff training to help identify and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of modern security solutions with artificial intelligence technology to quickly identify and contain zero-day threats. Progent also offers the services of veteran crypto-ransomware recovery professionals with the track record and perseverance to restore a compromised network as soon as possible.

Progent's Crypto-Ransomware Restoration Help
Following a ransomware event, even paying the ransom in Bitcoin does not guarantee that the criminals will respond with the keys needed to decrypt all your information. Kaspersky Labs determined that seventeen percent of crypto-ransomware victims never recovered their data after sending off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the average ransomware demand, which ZDNet determined to be approximately $13,000. The other path is to piece back together the vital parts of your IT environment. Without complete backups available, this requires a broad range of skills, top-notch project management, and the capability to work 24x7 until the recovery project is over.

For twenty years, Progent has offered certified expert Information Technology services for companies in Petaluma and across the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience in accounting and ERP software solutions. This breadth of experience allows Progent to quickly identify critical systems, re-organize the surviving components of your IT environment following a crypto-ransomware event, and assemble them into a functioning system.

Progent's recovery team uses state-of-the-art project management systems to coordinate the complex restoration process. Progent understands the urgency of acting quickly and works closely with a customer's management and IT staff to prioritize tasks and to get essential services back online as soon as humanly possible.

Client Case Study: A Successful Ransomware Incident Response
A business engaged Progent after its network was taken over by Ryuk crypto-ransomware. Ryuk is believed to have been launched by North Korean government-sponsored cybercriminals, possibly adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific businesses with limited tolerance for disruption and is among the most profitable incarnations of ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business located in the Chicago metro area with about 500 staff members. The Ryuk event had disabled all essential operations and manufacturing capabilities. The majority of the client's backups had been online at the beginning of the attack and were destroyed. The client was evaluating paying the ransom demand (more than $200,000) and hoping for the best, but ultimately decided to engage Progent.


"I can't speak enough about the help Progent gave us during the most stressful period of (our) company's survival. We most likely would have paid the Hackers if it wasn't for the confidence the Progent experts provided us. The fact that you could get our messaging and key servers back online sooner than one week was something I thought impossible. Each expert I spoke to or e-mailed at Progent was hell bent on getting us back on-line and was working at breakneck pace to bail us out."

Progent worked together with the customer to rapidly understand and assign priority to the essential systems that had to be recovered to make it possible to restart company operations:

  • Active Directory
  • Exchange Server
  • MRP System
To get started, Progent followed antivirus incident mitigation best practices by halting lateral movement and cleaning up compromised systems. Progent then began the work of bringing Microsoft Active Directory back online, the core of enterprise networks built on Microsoft Windows technology. Exchange email will not function without Active Directory, and the business's accounting and MRP system used Microsoft SQL Server, which relies on Active Directory for authentication and authorization to the data.
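The dependency reasoning in this passage (Exchange and the SQL-backed MRP system cannot come up before Active Directory) generalizes to an ordering problem that a recovery team can work out mechanically once the dependencies are written down. The following Python is an added example, not Progent's tooling or anything from the case study; the service names and the dependency map are constructed to mirror the systems listed above, and the functions `recovery_order` and `blocked_by` are hypothetical names chosen here.

```python
"""Dependency-ordered recovery planning (added illustration).

Given which services each business system depends on, compute an order
in which they can be restored so that nothing is brought up before the
services it needs, and show how much of the business each service
unblocks.  The dependency data is constructed to mirror the case study:
Exchange needs Active Directory; the MRP system needs SQL Server, which
in turn needs Active Directory for authentication.
"""
from collections import deque

# Constructed example: service -> set of services it depends on.
DEPENDENCIES = {
    "Active Directory": set(),
    "Exchange Server": {"Active Directory"},
    "SQL Server": {"Active Directory"},
    "MRP System": {"SQL Server"},
}


def recovery_order(deps):
    """Return a restoration order using Kahn's topological sort.

    Raises ValueError if the dependencies contain a cycle: in that case no
    valid bring-up order exists and the dependency map must be corrected.
    """
    # Every referenced dependency becomes a node, even without its own entry.
    nodes = set(deps)
    for needed in deps.values():
        nodes |= set(needed)
    remaining = {n: set(deps.get(n, ())) for n in nodes}
    # Services with no unmet dependencies can start immediately;
    # sorting keeps the output deterministic.
    ready = deque(sorted(n for n, d in remaining.items() if not d))
    order = []
    while ready:
        current = ready.popleft()
        order.append(current)
        newly_ready = []
        for n, d in remaining.items():
            if current in d:
                d.discard(current)
                if not d and n not in order and n not in ready:
                    newly_ready.append(n)
        ready.extend(sorted(newly_ready))
    if len(order) != len(nodes):
        stuck = sorted(n for n in nodes if n not in order)
        raise ValueError(f"dependency cycle among: {stuck}")
    return order


def blocked_by(deps, service):
    """Return every service that transitively cannot run without `service`.

    The larger this set, the more of the business is waiting on that
    service, which is why Active Directory comes first in the case study.
    """
    dependants = set()
    frontier = [service]
    while frontier:
        s = frontier.pop()
        for n, d in deps.items():
            if s in d and n not in dependants:
                dependants.add(n)
                frontier.append(n)
    return dependants


if __name__ == "__main__":
    for step, svc in enumerate(recovery_order(DEPENDENCIES), 1):
        waiting = len(blocked_by(DEPENDENCIES, svc))
        print(f"{step}. {svc}  (unblocks {waiting} dependent systems)")
```

Running the block prints Active Directory first, then Exchange Server and SQL Server, then the MRP System; for a real environment the dependency map would be filled in from the asset documentation before the incident, not reconstructed under pressure during one.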

Within 48 hours, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then assisted with the setup and disk recovery of key applications. All Exchange schema extensions and attributes were intact, which facilitated the restore of Exchange. Progent was also able to collect intact OST files (Outlook Offline Data Files) from various PCs in order to recover mail messages. A recent offline backup of the customer's accounting/MRP software made it possible to make these vital applications available to users again. Although a large amount of work still had to be done to recover completely from the Ryuk damage, critical systems were recovered quickly:


"For the most part, the production manufacturing operation did not miss a beat and we delivered all customer orders."

During the next few weeks important milestones in the restoration project were achieved in close collaboration between Progent consultants and the client:

  • Self-hosted web sites were brought back up with no loss of information.
  • The MailStore email archive server, holding more than four million historical emails, was brought online and made accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control modules were fully restored.
  • A new Palo Alto Networks 850 security appliance was deployed.
  • Nearly all of the user PCs were functioning as before the incident.

"Much of what was accomplished that first week is mostly a fog for me, but I will not forget the dedication each of your team accomplished to give us our business back. I have entrusted Progent for the past 10 years, possibly more, and every time Progent has impressed me and delivered as promised. This situation was a life saver."

Conclusion
A potential business-killing disaster was averted with dedicated professionals, a broad array of subject matter expertise, and tight teamwork. Although in the post-mortem the ransomware intrusion detailed here should have been identified and prevented with advanced cyber security technology and security best practices, team training, and appropriate procedures for information backup and software patching, the fact is that government-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and will continue to attack. If you do fall victim to a ransomware attack, feel confident that Progent's team of professionals has a proven track record in ransomware blocking, mitigation, and data recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for allowing me to get rested after we made it through the initial push. All of you did an incredible effort, and if anyone that helped is in the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Petaluma a portfolio of online monitoring and security assessment services to assist you to minimize your vulnerability to ransomware. These services incorporate modern AI technology to uncover new variants of ransomware that are able to get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes cutting-edge behavior-based machine learning technology to defend physical and virtual endpoint devices against modern malware assaults such as ransomware and fileless exploits, which easily get past traditional signature-matching anti-virus tools. ProSight ASM protects local and cloud resources and offers a unified platform to manage the complete threat lifecycle including filtering, detection, containment, remediation, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer protection for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and responding to cyber threats from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, device control, and web filtering through leading-edge tools incorporated within one agent managed from a single console. Progent's security and virtualization experts can help you plan and configure a ProSight ESP deployment that meets your organization's specific needs and that helps you prove compliance with government and industry data protection regulations. Progent will assist you to define and configure the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require immediate action. Progent's consultants can also assist your company to set up and test a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations a low-cost and fully managed solution for reliable backup/disaster recovery (BDR). Available at a low monthly price, ProSight Data Protection Services automates your backup processes and allows rapid restoration of critical files, apps and virtual machines that have become unavailable or damaged due to component failures, software bugs, natural disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware images. Important data can be protected in the cloud, on a local storage device, or mirrored to both. Progent's backup and recovery specialists can deliver world-class expertise to set up ProSight Data Protection Services to comply with government and industry regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can help you to restore your business-critical information. Read more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top data security companies to deliver centralized management and comprehensive security for all your email traffic. The hybrid structure of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway device to provide complete defense against spam, viruses, Denial of Service attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a first barrier and keeps most threats from reaching your security perimeter. This reduces your exposure to external attacks and conserves network bandwidth and storage. Email Guard's onsite security gateway appliance provides a further layer of inspection for incoming email. For outgoing email, the onsite security gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also help Microsoft Exchange Server to track and protect internal email that originates and terminates within your corporate firewall. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to map, track, optimize and debug their connectivity hardware such as routers, firewalls, and access points plus servers, endpoints and other devices. Using cutting-edge RMM technology, WAN Watch ensures that network maps are always current, captures and manages the configuration information of virtually all devices connected to your network, monitors performance, and sends notices when potential issues are detected. By automating tedious management processes, WAN Watch can cut hours off common chores such as making network diagrams, reconfiguring your network, locating appliances that need critical software patches, or isolating performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management technology to help keep your IT system running efficiently by checking the state of the vital assets that power your information system. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your specified IT staff and your Progent engineering consultant so all potential issues can be resolved before they can impact productivity. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure, fault-tolerant data center on a fast virtual host configured and managed by Progent's IT support experts. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the applications. Since the environment is virtualized, it can be moved immediately to an alternate hosting solution without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and protect data related to your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates or domains. By updating and organizing your IT documentation, you can eliminate as much as half of the time wasted trying to find critical information about your network. ProSight IT Asset Management features a common location for storing and sharing all documents related to managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're making enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Read more about ProSight IT Asset Management service.

For 24x7 Petaluma Crypto-Ransomware Cleanup Consultants, call Progent at 800-993-9400 or go to Contact Progent.