Crypto-Ransomware : Your Feared Information Technology Disaster
Ransomware has become an all-too-frequent cyberplague that poses an extinction-level threat to businesses poorly prepared for an attack. Earlier iterations of ransomware such as the CryptoLocker, WannaCry, Locky, Syskey and MongoLock cryptoworms have been in the wild for a long time and still cause havoc. The latest strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Nephilim, as well as frequent as-yet-unnamed malware, not only encrypt online data but also reach any accessible system restore points and backups. Data synced to cloud environments can also be rendered useless. In a poorly designed system, this defeats automated recovery and effectively knocks the network back to square one.
Retrieving applications and data after a ransomware intrusion becomes a race against time as the targeted business struggles to contain the damage, remove the crypto-ransomware and resume mission-critical operations. Because ransomware needs time to spread, intrusions are often launched at night, when they typically take longer to discover. This compounds the difficulty of promptly mobilizing and organizing a capable mitigation team.
Progent makes available a variety of services for securing enterprises against crypto-ransomware intrusions. Among these are staff training to help employees recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security appliances with machine learning technology to intelligently detect and quarantine new cyber attacks. Progent can also provide the services of expert ransomware recovery engineers with the skill and perseverance to restore a breached system as quickly as possible.
Progent's Ransomware Recovery Services
After a crypto-ransomware attack, even paying the ransom demand in Bitcoin cryptocurrency does not ensure that the cyber criminals will respond with the keys to decrypt any or all of your data. Kaspersky determined that seventeen percent of crypto-ransomware victims never recovered their information after having paid the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNET estimates to be around $13,000. The fallback is to rebuild the key elements of your Information Technology environment. Without access to essential data backups, this calls for a wide complement of IT skills, well-coordinated project management, and the ability to work non-stop until the task is completed.
For twenty years, Progent has provided certified expert IT services for companies in Carlsbad and across the US and has earned Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained advanced industry certifications in key technologies from Microsoft, Cisco and VMware, and in popular distributions of Linux. Progent's cybersecurity specialists have earned internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise with financial management and ERP applications. This breadth of expertise gives Progent the capability to rapidly identify critical systems, recover the surviving parts of your computer network after a crypto-ransomware attack, and assemble them into an operational network.
Progent's ransomware group uses top-notch project management applications to orchestrate the complex restoration process. Progent understands the urgency of working rapidly and in concert with a customer's management and Information Technology resources to prioritize tasks and get the most important systems back online as soon as possible.
Case Study: A Successful Ransomware Attack Recovery
A client engaged Progent after their company was brought down by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean state-backed cybercriminals, suspected of adopting techniques leaked from the United States National Security Agency. Ryuk targets specific companies with little ability to sustain disruption and is among the most lucrative versions of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company located in the Chicago metro area with about 500 staff members. The Ryuk intrusion had shut down all company operations and manufacturing capabilities. The majority of the client's data backups had been online and directly reachable at the time of the intrusion and were damaged. The client was considering paying the ransom (exceeding two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.
"I can't tell you enough in regards to the care Progent gave us throughout the most fearful period of (our) company's life. We had little choice but to pay the cyber criminals behind the attack if it wasn't for the confidence the Progent experts provided us. The fact that you were able to get our e-mail and important applications back on-line quicker than a week was something I thought impossible. Every single person I spoke to or e-mailed at Progent was absolutely committed on getting us restored and was working non-stop to bail us out."
Progent worked together with the client to rapidly assess and prioritize the mission-critical areas that had to be restored to make it possible to resume departmental operations:
- Windows Active Directory
- Microsoft Exchange Server
To begin, Progent followed incident response best practices by halting lateral movement and cleaning up infected systems. Progent then began recovering Microsoft Active Directory (AD), the core of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange messaging will not work without AD, and the client's MRP applications relied on Microsoft SQL Server, which needs Active Directory to authenticate users to the databases.
In less than two days, Progent restored Active Directory services to their pre-attack state. Progent then pressed ahead with setup and hard drive recovery for key applications. All Exchange Server connections and configuration data were intact, which simplified the rebuild of Exchange. Progent was able to collect unencrypted OST files (Microsoft Outlook Offline Folder Files) from user PCs and laptops to recover email data. A reasonably recent offline backup of the business's accounting/ERP systems made it possible to return these essential applications to service. Although significant work still had to be done to recover fully from the Ryuk damage, the most important systems were restored quickly:
"For the most part, the assembly line operation never missed a beat and we did not miss any customer sales."
Over the following couple of weeks, critical milestones in the restoration project were achieved through tight collaboration between Progent consultants and the client:
- Self-hosted web sites were restored without losing any data.
- The MailStore Exchange Server containing more than four million historical emails was brought online and available for users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory modules were fully restored.
- A new Palo Alto 850 firewall was installed.
- Most of the desktops and laptops were back in operation.
"Much of what transpired in the early hours is mostly a haze for me, but we will not forget the care each of the team put in to help get our company back. I have been working together with Progent for the past ten years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This time was the most impressive ever."
A likely business-ending catastrophe was averted through the efforts of top-tier experts, a wide array of knowledge, and close teamwork. Although in retrospect the ransomware incident described here could have been prevented with advanced cyber security technology, ISO/IEC 27001 best practices, team training, and well-thought-out security procedures for backups and software patching, the reality remains that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you are hit by a ransomware incursion, remember that Progent's roster of professionals has proven experience in ransomware defense, remediation, and disaster recovery of files.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), I'm grateful for letting me get rested after we got through the initial push. All of you did an incredible job, and if any of your guys are around the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Carlsbad a range of online monitoring and security assessment services designed to help you reduce the threat from crypto-ransomware. These services use modern artificial intelligence technology to detect zero-day variants of ransomware that can get past legacy signature-based anti-virus solutions.
For 24-Hour Carlsbad CryptoLocker Cleanup Support Services, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that uses next-generation behavioral machine learning technology to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely evade traditional signature-based AV products. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a unified platform to automate the entire threat lifecycle, including blocking, intrusion detection, containment, remediation, and forensics. Key features include single-click rollback using the Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services offer economical in-depth protection for physical servers and virtual machines, workstations, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning to continuously monitor and react to security attacks from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge technologies incorporated within a single agent managed from a unified console. Progent's data protection and virtualization experts can help your business plan and implement a ProSight ESP environment that meets your company's unique requirements and that helps you achieve and demonstrate compliance with government and industry information protection regulations. Progent will help you specify and implement the security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for urgent action. Progent's consultants can also help you install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services provide small and mid-sized businesses a low-cost and fully managed solution for reliable backup/disaster recovery (BDR). Available at a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup processes and allows rapid restoration of critical data, apps and VMs that have been lost or corrupted as a result of hardware failures, software glitches, disasters, human error, or malicious attacks like ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on an on-premises device, or both. Progent's cloud backup consultants can deliver world-class expertise to configure ProSight Data Protection Services to comply with regulatory standards like HIPAA, FIRPA, PCI and Safe Harbor and, whenever necessary, can help you restore your business-critical data. Find out more about ProSight DPS Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the technology of leading information security companies to provide centralized management and world-class security for all your email traffic. The powerful architecture of the Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway appliance to provide complete protection against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks, and other email-borne threats. The Cloud Protection Layer serves as a first barrier and keeps most unwanted email from reaching your security perimeter. This reduces your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's onsite security gateway appliance provides a further level of inspection for inbound email. For outgoing email, the on-premises gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Exchange Server in monitoring and safeguarding internal email that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to map, monitor, enhance and debug their networking appliances such as switches, firewalls, and access points, plus servers, printers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch keeps network diagrams up to date, backs up and manages the configuration of almost all devices connected to your network, monitors performance, and generates alerts when issues are discovered. By automating complex network management processes, ProSight WAN Watch can knock hours off common tasks such as creating network diagrams, expanding your network, finding devices that need critical software patches, or isolating performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to keep your IT system operating at peak levels by tracking the health of the vital assets that drive your information system. When ProSight LAN Watch detects an issue, an alert is sent automatically to your designated IT management staff and your Progent engineering consultant so that looming problems can be addressed before they impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected, fault-tolerant data center on a high-performance virtual host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the applications. Because the system is virtualized, it can be ported immediately to a different hardware platform without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and protect information related to your IT infrastructure, procedures, applications, and services. You can instantly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates or domains. By keeping your IT documentation updated and organized, you can eliminate up to half of the time wasted searching for vital information about your network. ProSight IT Asset Management includes a common location for holding and sharing all documents related to managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're planning improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you require as soon as you need it. Read more about ProSight IT Asset Management service.