Crypto-Ransomware : Your Worst Information Technology Catastrophe
Crypto-Ransomware Remediation Professionals
Ransomware has become a modern cyberplague that represents an existential threat for businesses vulnerable to an assault. Multiple generations of crypto-ransomware like the CryptoLocker, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for years and still inflict destruction. Modern versions of ransomware such as Ryuk and Hermes, along with more as yet unnamed variants, not only encrypt on-line information but also corrupt any backups that remain reachable from the infected systems. Data replicated to the cloud can also be encrypted. In a vulnerable environment, this renders automatic restore operations useless and effectively sets the entire system back to square one.

Recovering programs and information after a ransomware outage becomes a sprint against time as the targeted organization tries to stop lateral movement, clear the crypto-ransomware and resume business-critical activity. Since ransomware needs time to spread, attacks are frequently launched during weekends and nights, when an intrusion typically takes longer to notice. This compounds the difficulty of promptly marshalling and orchestrating a capable response team.

Progent offers a variety of services for protecting enterprises against crypto-ransomware attacks. Among these are staff education to help identify and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of the latest generation of security solutions with AI technology to quickly identify and disable new cyber threats. Progent in addition provides the services of experienced ransomware recovery consultants with the skills and commitment to restore a breached environment as rapidly as possible.

Progent's Crypto-Ransomware Restoration Help
Soon after a crypto-ransomware penetration, sending the ransom in cryptocurrency does not guarantee that criminal gangs will return the keys to decrypt any of your files. Kaspersky estimated that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in further losses. The risk is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is greatly above the usual ransomware demand, which ZDNET estimates to average around $13,000. The other path is to set up the key elements of your IT environment from scratch. Without full information backups, this calls for a broad complement of IT skills, well-coordinated team management, and the capability to work non-stop until the task is finished.

For decades, Progent has offered expert IT services for companies in Beverly Hills and throughout the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have earned top industry certifications in leading technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have garnered internationally-renowned industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience with financial systems and ERP software solutions. This breadth of expertise affords Progent the ability to quickly determine critical systems and re-organize the surviving parts of your network environment after a ransomware event and rebuild them into a functioning system.

Progent's ransomware team deploys best-of-breed project management systems to orchestrate the complicated restoration process. Progent understands the urgency of acting swiftly and working together with a client's management and Information Technology staff to prioritize tasks and put essential systems back on line as soon as possible.

Client Case Study: A Successful Ransomware Incident Response
A customer contacted Progent after their company was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state criminal gangs, possibly adopting strategies leaked from the United States National Security Agency. Ryuk attacks specific organizations with limited tolerance for operational disruption and is one of the most profitable instances of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer located in the Chicago metro area with about 500 staff members. The Ryuk intrusion had paralyzed all business operations and manufacturing capabilities. The majority of the client's information backups had been directly accessible from the network at the time of the intrusion and were damaged. The client was taking steps to pay the ransom (in excess of $200K) and hoping for the best, but ultimately made the decision to use Progent.


"I can't speak enough in regards to the expertise Progent gave us throughout the most critical period of (our) business's survival. We most likely would have paid the Hackers if it wasn't for the confidence the Progent team gave us. That you could get our messaging and key applications back in less than five days was earth shattering. Each staff member I worked with or texted at Progent was hell bent on getting us back online and was working 24/7 on our behalf."

Progent worked together with the customer to quickly identify and assign priority to the critical areas that had to be restored in order to resume business functions:

  • Windows Active Directory
  • E-Mail
  • Accounting/MRP

To begin, Progent adhered to incident response best practices by halting the spread and cleaning up infected systems. Progent then initiated the process of restoring Microsoft Active Directory (AD), the heart of enterprise systems built on Microsoft technology. Microsoft Exchange Server email will not work without Active Directory, and the customer's MRP software ran on SQL Server, which depends on Active Directory for authentication to the databases.

In less than 48 hours, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then assisted with rebuilding and hard drive recovery on the needed servers. All Exchange data and attributes were usable, which facilitated the restore of Exchange. Progent was also able to find intact OST data files (Microsoft Outlook Off-Line Folder Files) on staff PCs and laptops to recover email messages. A fairly recent off-line backup of the business's financials/MRP software made it possible to bring these required services back to users. Although a large amount of work remained to recover fully from the Ryuk damage, core services were returned to operation rapidly:
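The dependency reasoning behind the restore sequence above (Exchange needs Active Directory; the MRP application needs SQL Server, which authenticates through Active Directory) can be turned into a plan that is checked rather than assumed. This is an added example, not Progent's tooling or the client's actual plan; the service names and the AD/Exchange/SQL/MRP edges come from the case study, while the edges for the web applications and the MailStore archive are assumptions.

```python
"""Dependency-ordered restore planning after a ransomware rebuild.

Added example, not part of the original case study. The dependency map
below is constructed from the services named in the write-up; the edges
for 'Web applications' and 'MailStore archive' are assumptions.
"""
from collections import deque

# Each service lists the services that must already be running before it
# can be brought back. Active Directory has no prerequisites and so is
# the root of the plan, exactly as in the case study.
SERVICES = {
    "Active Directory": [],
    "Exchange Server": ["Active Directory"],
    "SQL Server": ["Active Directory"],
    "MRP/Accounting": ["SQL Server"],
    "Web applications": ["SQL Server"],        # assumption
    "MailStore archive": ["Exchange Server"],  # assumption
}


def restore_order(deps):
    """Kahn's algorithm over the dependency map: every service appears after
    all of its prerequisites. Ties are broken alphabetically so the result
    is deterministic. A cycle means the plan cannot be executed as written,
    so it is reported instead of silently dropping services."""
    indegree = {s: len(d) for s, d in deps.items()}
    dependents = {s: [] for s in deps}
    for s, d in deps.items():
        for dep in d:
            if dep not in deps:
                raise ValueError(f"{s} depends on unknown service {dep!r}")
            dependents[dep].append(s)
    ready = deque(sorted(s for s, n in indegree.items() if n == 0))
    order = []
    while ready:
        s = ready.popleft()
        order.append(s)
        for nxt in sorted(dependents[s]):
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(deps):
        stuck = sorted(set(deps) - set(order))
        raise ValueError("dependency cycle involving: " + ", ".join(stuck))
    return order


def plan_violations(deps, plan):
    """Check a hand-written restore sequence against the dependency map.
    Returns (service, missing_prerequisite) pairs for every step scheduled
    before something it needs, or before a prerequisite not in the plan."""
    position = {s: i for i, s in enumerate(plan)}
    problems = []
    for s in plan:
        for dep in deps.get(s, []):
            if dep not in position or position[dep] > position[s]:
                problems.append((s, dep))
    return problems


if __name__ == "__main__":
    for step, svc in enumerate(restore_order(SERVICES), 1):
        print(f"{step}. {svc}")
```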


"For the most part, the manufacturing operation ran fairly normally throughout and we produced all customer shipments."

Over the next few weeks key milestones in the restoration process were accomplished through tight cooperation between Progent team members and the client:

  • In-house web applications were brought back up without losing any data.
  • The MailStore archive for Microsoft Exchange Server, holding more than four million historical messages, was brought online and made accessible to users.
  • CRM/Customer Orders/Invoicing/AP/Accounts Receivables/Inventory Control functions were fully restored.
  • A new Palo Alto 850 firewall was set up.
  • 90% of the user workstations were back in use by staff.

"Much of what went on those first few days is mostly a haze for me, but our team will not forget the care all of you accomplished to give us our company back. I have been working together with Progent for the past 10 years, maybe more, and each time Progent has impressed me and delivered. This event was a Herculean accomplishment."

Conclusion
A likely business disaster was avoided through the efforts of results-oriented professionals, a wide spectrum of technical expertise, and tight collaboration. Although in hindsight the ransomware penetration detailed here could have been stopped with up-to-date cyber security technology and NIST Cybersecurity Framework best practices, team education, and properly executed security procedures for information backup and software patching, the reality is that state-sponsored cybercriminals from China, North Korea and elsewhere are tireless and will continue. If you do get hit by a crypto-ransomware incident, remember that Progent's team of experts has extensive experience in crypto-ransomware blocking, cleanup, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for making it so I could get rested after we made it through the most critical parts. All of you did an incredible job, and if anyone that helped is visiting the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Beverly Hills a range of remote monitoring and security assessment services to help you minimize the threat from ransomware. These services utilize next-generation AI capability to detect new variants of ransomware that are able to evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes next generation behavior-based analysis tools to defend physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which easily evade legacy signature-based AV tools. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a single platform to manage the entire threat lifecycle including protection, infiltration detection, containment, remediation, and forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection services deliver affordable multi-layer protection for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint control, and web filtering via cutting-edge tools incorporated within a single agent accessible from a single console. Progent's data protection and virtualization experts can help your business to plan and implement a ProSight ESP environment that meets your company's specific needs and that helps you achieve and demonstrate compliance with government and industry data security regulations. Progent will help you specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for urgent action. Progent can also help your company to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and mid-sized organizations an affordable and fully managed service for secure backup/disaster recovery. For a fixed monthly price, ProSight Data Protection Services automates your backup activities and enables rapid restoration of critical files, apps and virtual machines that have become lost or corrupted due to component failures, software bugs, natural disasters, human mistakes, or malware attacks like ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware images. Critical data can be protected in the cloud, on an on-premises device, or both. Progent's BDR consultants can provide advanced support to configure ProSight DPS to be compliant with government and industry regulatory standards such as HIPAA, FINRA, and PCI and, when necessary, can help you to recover your business-critical data. Read more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading information security vendors to provide centralized management and comprehensive security for all your email traffic. The hybrid architecture of Email Guard integrates a Cloud Protection Layer with an on-premises security gateway appliance to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The Cloud Protection Layer serves as a preliminary barricade and keeps most threats from reaching your security perimeter. This decreases your vulnerability to external attacks and conserves system bandwidth and storage. Email Guard's onsite gateway appliance provides a deeper layer of inspection for incoming email. For outgoing email, the on-premises gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The local security gateway can also help Microsoft Exchange Server to track and protect internal email that stays inside your corporate firewall. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to diagram, monitor, optimize and troubleshoot their connectivity hardware such as switches, firewalls, and wireless controllers as well as servers, printers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology maps are kept current, copies and displays the configuration information of almost all devices on your network, tracks performance, and sends notices when problems are discovered. By automating complex management and troubleshooting activities, ProSight WAN Watch can knock hours off ordinary tasks such as network mapping, expanding your network, finding devices that require critical software patches, or resolving performance problems. Find out more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system operating at peak levels by checking the health of vital computers that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your designated IT staff and your Progent consultant so all potential problems can be resolved before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual host configured and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the client owns the data, the OS software, and the apps. Since the environment is virtualized, it can be moved immediately to an alternate hardware solution without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and safeguard data about your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT documentation, you can save up to 50% of the time spent trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents related to managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether you're planning enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.
For 24-Hour Beverly Hills Ransomware Remediation Support Services, contact Progent at 800-993-9400 or go to Contact Progent.