Crypto-Ransomware: Your Crippling IT Catastrophe
Crypto-ransomware has become an escalating cyber pandemic that poses an existential threat to businesses of all sizes that are poorly prepared for an attack. Ransomware families such as the Dharma, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been replicating for many years and still inflict damage. Modern ransomware like Ryuk and Hermes, plus a steady stream of as yet unnamed newcomers, not only encrypts on-line files but also attacks any accessible system protection, such as on-line backups. Data synchronized to off-site disaster recovery sites can be encrypted as well. In a poorly architected environment, this can make automated restore operations hopeless and effectively sets the datacenter back to zero.

Restoring applications and data after a ransomware event becomes a race against the clock as the targeted organization fights to stop the spread, clean up the malware, and resume business-critical activity. Because crypto-ransomware needs time to move laterally, attacks are frequently launched at night and on weekends, when a successful intrusion may take longer to detect. This multiplies the difficulty of quickly assembling and coordinating a qualified response team.

Progent provides a range of services for protecting organizations from ransomware attacks. These include staff training to help employees recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of next-generation security gateways with AI capabilities that automatically discover and block zero-day threats. Progent can also provide experienced ransomware recovery consultants with the skills and commitment to restore a compromised network as quickly as possible.

Progent's Ransomware Restoration Services
After a ransomware event, paying the ransom in cryptocurrency does not ensure that the attackers will return the keys needed to decrypt any or all of your data. Kaspersky determined that 17% of ransomware victims never recovered their data even after paying the ransom, compounding their losses. Paying is also very costly: Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000), far above the typical ransomware demand, which ZDNET determined to be around $13,000. The other path is to rebuild the mission-critical elements of your IT environment. Without complete data backups, this requires a broad complement of skill sets, top-notch team management, and the ability to work non-stop until the recovery project is complete.

For decades, Progent has provided certified expert IT services to businesses in Pleasanton and across the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who hold top industry certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP software. This breadth of experience allows Progent to efficiently identify critical systems, organize the remaining pieces of your network after a ransomware event, and rebuild them into an operational system.

Progent's security team uses best-of-breed project management tools to orchestrate the complex restoration process. Progent appreciates the urgency of acting swiftly and in concert with a client's management and IT staff to prioritize tasks and bring key applications back on line as fast as possible.

Case Study: A Successful Ransomware Penetration Restoration
A small business engaged Progent after its network was taken over by the Ryuk ransomware virus. Ryuk is thought to have been launched by North Korean government-sponsored criminal gangs, possibly adopting techniques leaked from America's National Security Agency. Ryuk targets specific businesses with little or no tolerance for operational disruption and is among the most profitable variants of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer in the Chicago metro area with about 500 employees. The Ryuk attack had shut down all company operations and manufacturing. Most of the client's data backups had been on-line at the start of the intrusion and were destroyed. The client was actively seeking loans to pay the ransom (more than $200K) and hoping for the best, but in the end turned to Progent.

"I can't speak enough about the help Progent gave us during the most fearful period of (our) company's life. We most likely would have paid the cyber criminals behind the attack if not for the confidence the Progent group afforded us. The fact that you could get our messaging and essential servers back sooner than 1 week was earth shattering. Every single expert I worked with or messaged at Progent was laser focused on getting us restored and was working non-stop to bail us out."

Progent worked with the client to quickly identify and prioritize the mission-critical systems that had to be restored before business functions could resume:

  • Microsoft Active Directory
  • Electronic Mail
  • Financials/MRP

To begin, Progent followed industry best practices for ransomware incident response by isolating the affected systems and cleaning them of malware. Progent then began rebuilding Active Directory, the core technology of enterprise networks built on Microsoft Windows. Microsoft Exchange Server email will not operate without Windows AD, and the business's accounting and MRP software relied on Microsoft SQL Server, which used Active Directory to authenticate users to the database.

Within 2 days, Progent had rebuilt Active Directory to its pre-infection state. Progent then set up and recovered the hard drives of the most important servers. All Exchange Server connections and configuration data were intact, which simplified the Exchange restore. Progent was also able to collect intact OST files (Outlook off-line data files) from staff workstations and laptops to recover mail data. A recent off-line backup of the business's manufacturing software made it possible to bring these essential applications back to users. Although a great deal of work remained to recover fully from the Ryuk damage, core services were restored quickly:

"For the most part, the assembly line operation ran fairly normal throughout and we produced all customer deliverables."

Over the following couple of weeks, critical milestones in the restoration process were reached through close cooperation between Progent team members and the client:

  • Self-hosted web applications were restored with no loss of data.
  • The MailStore Microsoft Exchange Server with over four million archived messages was spun up and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory Control functions were 100 percent functional.
  • A new Palo Alto 850 security appliance was installed and configured.
  • Most of the user PCs were back in operation.

"So much of what went on in the early hours is mostly a fog for me, but my team will not soon forget the dedication each and every one of you accomplished to help get our company back. I've been working together with Progent for the past ten years, possibly more, and every time I needed help Progent has impressed me and delivered. This situation was the most impressive ever."

Conclusion
A potential company-ending catastrophe was averted with dedicated experts, a wide range of technical expertise, and tight teamwork. Although in post-mortem the ransomware incident described here would have been identified and contained with current cyber security technology and ISO/IEC 27001 best practices, user and IT administrator training, and well thought out procedures for data backup and software patching, the fact is that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware attack, remember that Progent's roster of professionals has proven experience in ransomware defense, removal, and data disaster recovery.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thanks very much for allowing me to get some sleep after we made it through the most critical parts. Everyone did an amazing job, and if any of you guys is visiting the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Pleasanton a range of online monitoring and security assessment services designed to reduce your exposure to crypto-ransomware. These services use next-generation artificial intelligence to detect new strains of crypto-ransomware that evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates cutting-edge behavioral machine learning technology to guard physical and virtual endpoints against new malware attacks like ransomware and email phishing, which easily evade traditional signature-matching AV products. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a single platform to automate the complete threat lifecycle, including blocking, detection, mitigation, cleanup, and forensics. Key features include single-click rollback using the Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable in-depth protection for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring of and response to cyber attacks from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device control, and web filtering via cutting-edge tools packaged within a single agent managed from a unified console. Progent's data protection and virtualization consultants can help you design and configure a ProSight ESP deployment that meets your company's specific needs and helps you demonstrate compliance with legal and industry data protection standards. Progent will help you specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for immediate action. Progent can also help your company install and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations a low-cost, end-to-end solution for reliable backup and disaster recovery. For a low monthly rate, ProSight DPS automates and monitors your backup processes and enables fast restoration of vital files, applications and VMs that have been lost or damaged due to component failures, software glitches, natural disasters, human error, or malware attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware images. Important data can be protected in the cloud, on a local device, or mirrored to both. Progent's backup and recovery consultants can provide world-class support to configure ProSight Data Protection Services to comply with government and industry regulatory standards like HIPAA, FERPA, PCI and Safe Harbor and, whenever necessary, can assist you to recover your critical data. Read more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top information security companies to provide centralized management and world-class protection for all your email traffic. The layered structure of Progent's Email Guard combines a Cloud Protection Layer with a local gateway appliance to offer complete protection against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a first barrier and keeps the vast majority of threats from reaching your security perimeter. This decreases your exposure to external attacks and conserves system bandwidth and storage. Email Guard's on-premises security gateway appliance adds a deeper layer of inspection for incoming email. For outgoing email, the onsite security gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Microsoft Exchange Server track and protect internal email traffic that originates and ends inside your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to diagram, monitor, reconfigure and troubleshoot their connectivity devices such as routers, switches, firewalls, and wireless controllers, as well as servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that network maps are always current, captures and displays the configuration of almost all devices connected to your network, tracks performance, and sends alerts when issues are discovered. By automating tedious management and troubleshooting activities, WAN Watch can knock hours off common tasks such as network mapping, expanding your network, finding devices that need important updates, or resolving performance problems. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management technology to help keep your network running efficiently by tracking the state of the vital assets that drive your business network. When ProSight LAN Watch detects an issue, an alert is sent automatically to your designated IT personnel and your assigned Progent consultant so that looming issues can be resolved before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual host set up and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the applications. Since the environment is virtualized, it can be moved easily to a different hosting environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that makes it easy to create, update, find and safeguard information about your network infrastructure, procedures, business applications, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or warranties. By updating and organizing your network documentation, you can eliminate as much as half of the time spent searching for vital information about your network. ProSight IT Asset Management provides a common location for storing and collaborating on all documents required for managing your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're planning enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

For Pleasanton 24-7 CryptoLocker Removal Services, reach out to Progent at 800-993-9400 or go to Contact Progent.