Crypto-Ransomware : Your Worst IT Disaster
Crypto-Ransomware  Recovery ConsultantsCrypto-Ransomware has become an escalating cyberplague that presents an existential danger for businesses of all sizes unprepared for an attack. Versions of ransomware like the CrySIS, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for years and continue to cause damage. Recent variants of crypto-ransomware such as Ryuk and Hermes, plus additional as yet unnamed viruses, not only do encryption of on-line data but also infect any configured system backups. Data replicated to off-site disaster recovery sites can also be ransomed. In a poorly architected system, this can render automated restore operations hopeless and effectively sets the entire system back to square one.

Getting back on-line services and information after a ransomware intrusion becomes a sprint against the clock as the targeted organization struggles to stop lateral movement and cleanup the ransomware and to restore business-critical activity. Since ransomware requires time to spread, assaults are often launched at night, when penetrations in many cases take longer to notice. This compounds the difficulty of promptly marshalling and orchestrating a knowledgeable mitigation team.

Progent has a variety of help services for securing enterprises from ransomware penetrations. Among these are user training to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of modern security solutions with machine learning technology to intelligently detect and suppress new cyber threats. Progent in addition offers the assistance of expert ransomware recovery consultants with the skills and perseverance to restore a compromised network as quickly as possible.

Progent's Ransomware Restoration Services
Soon after a ransomware attack, even paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that cyber criminals will provide the needed keys to decipher any or all of your files. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their data even after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is well higher than the usual ransomware demands, which ZDNET determined to be around $13,000. The fallback is to setup from scratch the mission-critical elements of your IT environment. Absent access to essential information backups, this calls for a broad complement of skill sets, professional project management, and the capability to work 24x7 until the job is over.

For twenty years, Progent has offered expert IT services for businesses in Sacramento and across the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have earned advanced certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally-renowned industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of experience affords Progent the capability to efficiently understand necessary systems and organize the surviving parts of your IT environment after a ransomware event and configure them into an operational system.

Progent's recovery team of experts uses state-of-the-art project management tools to coordinate the complicated recovery process. Progent understands the importance of working rapidly and in concert with a customerís management and Information Technology team members to prioritize tasks and to put key services back online as fast as possible.

Customer Story: A Successful Ransomware Intrusion Response
A client contacted Progent after their network was penetrated by the Ryuk crypto-ransomware. Ryuk is thought to have been launched by Northern Korean state criminal gangs, possibly using algorithms exposed from the U.S. NSA organization. Ryuk targets specific organizations with limited room for operational disruption and is one of the most lucrative examples of ransomware. High publicized victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in Chicago and has about 500 staff members. The Ryuk penetration had paralyzed all company operations and manufacturing capabilities. Most of the client's data backups had been directly accessible at the time of the attack and were encrypted. The client was pursuing financing for paying the ransom (exceeding $200,000) and wishfully thinking for good luck, but ultimately engaged Progent.


"I canít thank you enough about the care Progent gave us throughout the most stressful period of (our) companyís life. We most likely would have paid the Hackers except for the confidence the Progent team afforded us. That you were able to get our messaging and important servers back faster than a week was amazing. Every single consultant I interacted with or messaged at Progent was amazingly focused on getting us working again and was working breakneck pace to bail us out."

Progent worked with the customer to rapidly understand and assign priority to the key areas that had to be addressed to make it possible to restart departmental functions:

  • Windows Active Directory
  • Microsoft Exchange Server
  • MRP System
To get going, Progent followed ransomware event response best practices by stopping the spread and removing active viruses. Progent then began the work of restoring Windows Active Directory, the foundation of enterprise environments built upon Microsoft technology. Microsoft Exchange messaging will not function without Active Directory, and the customerís financials and MRP system used Microsoft SQL Server, which requires Active Directory services for authentication to the databases.

Within 2 days, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then helped perform rebuilding and storage recovery of essential servers. All Microsoft Exchange Server schema and attributes were intact, which accelerated the restore of Exchange. Progent was also able to collect non-encrypted OST data files (Microsoft Outlook Offline Data Files) on team workstations and laptops in order to recover email data. A recent off-line backup of the customerís accounting/ERP software made it possible to return these required services back online for users. Although significant work remained to recover completely from the Ryuk damage, core services were recovered rapidly:


"For the most part, the assembly line operation never missed a beat and we produced all customer deliverables."

During the next couple of weeks critical milestones in the restoration project were made in close collaboration between Progent team members and the client:

  • Internal web applications were restored with no loss of data.
  • The MailStore Server exceeding four million archived messages was brought on-line and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory capabilities were completely functional.
  • A new Palo Alto 850 security appliance was brought on-line.
  • Nearly all of the desktops and laptops were back into operation.

"Much of what happened in the initial days is mostly a haze for me, but my team will not forget the care each of you put in to help get our business back. Iíve utilized Progent for the past 10 years, possibly more, and every time I needed help Progent has impressed me and delivered as promised. This situation was a testament to your capabilities."

Conclusion
A probable business extinction catastrophe was avoided through the efforts of dedicated experts, a broad spectrum of IT skills, and close collaboration. Although in post mortem the ransomware virus attack described here should have been blocked with up-to-date security technology and best practices, staff education, and properly executed incident response procedures for data protection and proper patching controls, the reality remains that government-sponsored cybercriminals from China, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware incursion, remember that Progent's team of experts has a proven track record in crypto-ransomware virus defense, remediation, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were helping), thank you for allowing me to get rested after we got past the initial fire. Everyone did an incredible effort, and if any of your guys is visiting the Chicago area, a great meal is my treat!"

To read or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Sacramento a variety of online monitoring and security evaluation services to assist you to reduce your vulnerability to crypto-ransomware. These services include next-generation artificial intelligence capability to uncover new variants of ransomware that are able to escape detection by legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates cutting edge behavior machine learning tools to defend physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which easily evade legacy signature-based anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a single platform to automate the complete malware attack progression including filtering, detection, mitigation, remediation, and forensics. Key features include one-click rollback using Windows VSS and real-time system-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable multi-layer security for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and reacting to security assaults from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint management, and web filtering through cutting-edge technologies packaged within a single agent managed from a unified control. Progent's security and virtualization consultants can help you to design and configure a ProSight ESP environment that addresses your company's specific requirements and that allows you achieve and demonstrate compliance with government and industry information protection regulations. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require urgent attention. Progent's consultants can also assist your company to set up and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized businesses an affordable and fully managed service for secure backup/disaster recovery. Available at a fixed monthly cost, ProSight DPS automates your backup activities and enables rapid restoration of vital files, applications and VMs that have become unavailable or corrupted due to hardware failures, software bugs, disasters, human mistakes, or malicious attacks like ransomware. ProSight DPS can help you back up, recover and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to a local storage device, or to both. Progent's BDR specialists can provide advanced support to configure ProSight DPS to to comply with regulatory requirements such as HIPAA, FIRPA, PCI and Safe Harbor and, when needed, can assist you to restore your business-critical information. Find out more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of leading data security vendors to provide centralized management and world-class protection for all your email traffic. The powerful architecture of Email Guard managed service integrates a Cloud Protection Layer with a local gateway appliance to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The Cloud Protection Layer serves as a first line of defense and blocks most threats from making it to your network firewall. This decreases your exposure to inbound threats and conserves system bandwidth and storage. Email Guard's on-premises gateway device provides a further layer of inspection for inbound email. For outbound email, the onsite security gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also help Microsoft Exchange Server to track and protect internal email traffic that originates and ends inside your corporate firewall. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller organizations to map out, track, enhance and troubleshoot their connectivity appliances like routers and switches, firewalls, and access points plus servers, endpoints and other networked devices. Using state-of-the-art RMM technology, WAN Watch makes sure that infrastructure topology diagrams are always current, copies and displays the configuration information of virtually all devices connected to your network, tracks performance, and generates alerts when problems are discovered. By automating time-consuming management processes, WAN Watch can knock hours off common chores such as network mapping, expanding your network, finding devices that require critical software patches, or isolating performance issues. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your network running efficiently by tracking the state of vital computers that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your designated IT staff and your assigned Progent consultant so any looming issues can be addressed before they can impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a protected fault tolerant data center on a high-performance virtual host configured and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the applications. Since the environment is virtualized, it can be moved easily to a different hosting environment without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and safeguard information about your IT infrastructure, procedures, business apps, and services. You can quickly find passwords or IP addresses and be warned about impending expirations of SSL certificates ,domains or warranties. By cleaning up and organizing your network documentation, you can save as much as 50% of time spent looking for vital information about your IT network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents required for managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether youíre planning enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you require as soon as you need it. Learn more about ProSight IT Asset Management service.
For 24/7 Sacramento Crypto Repair Services, call Progent at 800-993-9400 or go to Contact Progent.