Crypto-Ransomware : Your Worst Information Technology Disaster
Crypto-Ransomware  Remediation ConsultantsRansomware has become an escalating cyberplague that presents an enterprise-level threat for organizations unprepared for an assault. Different iterations of ransomware such as CryptoLocker, WannaCry, Locky, Syskey and MongoLock cryptoworms have been circulating for many years and still cause harm. More recent versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit or Egregor, plus daily as yet unnamed viruses, not only encrypt on-line critical data but also infect any available system backups. Information replicated to the cloud can also be ransomed. In a vulnerable data protection solution, this can make any recovery hopeless and effectively knocks the datacenter back to zero.

Getting back on-line applications and information following a ransomware intrusion becomes a race against time as the targeted organization tries its best to contain the damage and remove the crypto-ransomware and to restore business-critical activity. Because ransomware takes time to move laterally, assaults are often sprung on weekends, when attacks are likely to take more time to uncover. This compounds the difficulty of promptly marshalling and coordinating a capable response team.

Progent provides a range of services for securing enterprises from ransomware attacks. These include user education to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of next-generation security appliances with artificial intelligence technology to quickly discover and quarantine day-zero threats. Progent also offers the assistance of expert ransomware recovery professionals with the track record and commitment to re-deploy a compromised network as urgently as possible.

Progent's Ransomware Recovery Help
Soon after a crypto-ransomware event, sending the ransom in Bitcoin cryptocurrency does not provide any assurance that distant criminals will provide the keys to unencrypt any of your information. Kaspersky estimated that seventeen percent of ransomware victims never restored their information after having sent off the ransom, resulting in increased losses. The risk is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is greatly higher than the usual crypto-ransomware demands, which ZDNET determined to be approximately $13,000. The alternative is to setup from scratch the essential parts of your IT environment. Absent access to essential system backups, this requires a broad complement of skill sets, well-coordinated project management, and the ability to work continuously until the recovery project is completed.

For decades, Progent has provided expert IT services for businesses in Beverly Hills and across the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have attained top industry certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have earned internationally-recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has expertise in accounting and ERP applications. This breadth of expertise gives Progent the ability to quickly determine critical systems and re-organize the surviving parts of your Information Technology system following a ransomware event and assemble them into a functioning network.

Progent's security group uses best of breed project management applications to coordinate the complex recovery process. Progent appreciates the importance of working quickly and in concert with a client's management and Information Technology resources to prioritize tasks and to get critical services back online as soon as humanly possible.

Business Case Study: A Successful Ransomware Virus Response
A business engaged Progent after their organization was penetrated by Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by North Korean state criminal gangs, possibly using techniques leaked from the United States National Security Agency. Ryuk attacks specific organizations with limited ability to sustain disruption and is one of the most profitable iterations of ransomware. Major targets include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in the Chicago metro area and has about 500 employees. The Ryuk event had shut down all company operations and manufacturing capabilities. The majority of the client's backups had been on-line at the time of the attack and were encrypted. The client was taking steps for paying the ransom demand (exceeding $200K) and wishfully thinking for the best, but in the end brought in Progent.


"I canít thank you enough in regards to the care Progent provided us during the most fearful period of (our) businesses survival. We would have paid the cybercriminals if it wasnít for the confidence the Progent experts afforded us. That you could get our e-mail system and critical servers back into operation sooner than one week was amazing. Each expert I interacted with or messaged at Progent was amazingly focused on getting our company operational and was working all day and night on our behalf."

Progent worked together with the customer to quickly identify and assign priority to the critical elements that had to be recovered in order to resume departmental operations:

  • Active Directory
  • Electronic Mail
  • Accounting/MRP
To begin, Progent followed Anti-virus event mitigation best practices by stopping the spread and cleaning up infected systems. Progent then began the task of restoring Microsoft AD, the foundation of enterprise environments built upon Microsoft Windows Server technology. Microsoft Exchange messaging will not work without Windows AD, and the client's MRP system used SQL Server, which depends on Windows AD for authentication to the information.

Within 2 days, Progent was able to re-build Windows Active Directory to its pre-penetration state. Progent then charged ahead with setup and storage recovery on mission critical applications. All Exchange Server ties and attributes were intact, which greatly helped the restore of Exchange. Progent was able to find intact OST files (Outlook Offline Data Files) on team PCs to recover mail messages. A recent off-line backup of the businesses financials/MRP software made it possible to recover these vital services back available to users. Although major work was left to recover completely from the Ryuk attack, the most important systems were recovered rapidly:


"For the most part, the production operation ran fairly normal throughout and we produced all customer shipments."

Throughout the following month important milestones in the restoration process were completed in close cooperation between Progent consultants and the client:

  • In-house web applications were returned to operation without losing any information.
  • The MailStore Server exceeding four million historical emails was spun up and available for users.
  • CRM/Product Ordering/Invoices/AP/AR/Inventory capabilities were fully restored.
  • A new Palo Alto 850 security appliance was deployed.
  • Ninety percent of the desktops and laptops were functioning as before the incident.

"A huge amount of what occurred in the initial days is nearly entirely a haze for me, but we will not forget the urgency each of the team accomplished to give us our company back. I have utilized Progent for the past 10 years, maybe more, and every time Progent has come through and delivered as promised. This event was the most impressive ever."

Conclusion
A likely business-ending disaster was avoided due to top-tier experts, a broad array of technical expertise, and tight collaboration. Although in hindsight the ransomware penetration described here would have been disabled with modern cyber security solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, and well designed security procedures for data backup and proper patching controls, the fact is that government-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do fall victim to a ransomware virus, feel confident that Progent's roster of experts has proven experience in ransomware virus defense, cleanup, and file recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), Iím grateful for letting me get some sleep after we got through the initial fire. Everyone did an impressive effort, and if any of your guys is in the Chicago area, a great meal is on me!"

To review or download a PDF version of this case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Beverly Hills a portfolio of online monitoring and security evaluation services designed to assist you to reduce your vulnerability to ransomware. These services incorporate modern artificial intelligence capability to detect new variants of crypto-ransomware that can evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes next generation behavior-based machine learning technology to guard physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which easily get by traditional signature-based AV products. ProSight Active Security Monitoring protects local and cloud resources and offers a unified platform to automate the complete threat lifecycle including blocking, infiltration detection, containment, cleanup, and forensics. Top features include single-click rollback with Windows VSS and automatic network-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services offer affordable in-depth protection for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and responding to security threats from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint control, and web filtering via cutting-edge technologies packaged within one agent managed from a single console. Progent's security and virtualization consultants can help you to design and configure a ProSight ESP deployment that meets your organization's specific requirements and that allows you prove compliance with legal and industry data protection regulations. Progent will assist you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent action. Progent can also assist your company to set up and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and medium-sized organizations a low cost and fully managed solution for secure backup/disaster recovery (BDR). For a low monthly cost, ProSight DPS automates your backup processes and allows fast recovery of vital files, apps and VMs that have become lost or corrupted due to component breakdowns, software glitches, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware images/. Critical data can be backed up on the cloud, to a local device, or mirrored to both. Progent's cloud backup specialists can provide world-class support to configure ProSight DPS to to comply with regulatory requirements such as HIPAA, FINRA, and PCI and, when needed, can assist you to restore your critical information. Find out more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top data security companies to deliver centralized management and comprehensive protection for all your email traffic. The powerful structure of Email Guard combines a Cloud Protection Layer with a local security gateway appliance to provide complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based malware. The Cloud Protection Layer acts as a first line of defense and keeps the vast majority of unwanted email from making it to your network firewall. This decreases your vulnerability to external threats and conserves network bandwidth and storage. Email Guard's onsite security gateway appliance adds a deeper level of analysis for incoming email. For outgoing email, the on-premises security gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email traffic that stays within your security perimeter. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to diagram, monitor, reconfigure and troubleshoot their connectivity hardware like switches, firewalls, and wireless controllers plus servers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network diagrams are always updated, copies and manages the configuration of virtually all devices connected to your network, monitors performance, and generates notices when issues are discovered. By automating complex management and troubleshooting activities, WAN Watch can cut hours off ordinary chores like network mapping, reconfiguring your network, locating appliances that need important software patches, or isolating performance issues. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management technology to help keep your network running efficiently by checking the health of critical assets that drive your information system. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT management staff and your assigned Progent engineering consultant so any potential problems can be addressed before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual host configured and maintained by Progent's network support professionals. With the ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the apps. Because the environment is virtualized, it can be moved easily to a different hosting solution without requiring a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard data about your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be warned about impending expirations of SSLs ,domains or warranties. By updating and managing your network documentation, you can save up to 50% of time spent searching for vital information about your network. ProSight IT Asset Management includes a common location for storing and sharing all documents required for managing your business network like recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether youíre making improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you need when you need it. Learn more about ProSight IT Asset Management service.
For 24-Hour Beverly Hills Crypto Removal Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.