Crypto-Ransomware : Your Feared IT Disaster
Ransomware  Recovery ProfessionalsRansomware has become an escalating cyber pandemic that presents an extinction-level threat for businesses of all sizes vulnerable to an assault. Different iterations of ransomware such as Reveton, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been replicating for a long time and continue to inflict havoc. Newer strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit or Nephilim, as well as additional unnamed newcomers, not only encrypt online data files but also infiltrate all available system backup. Files synchronized to cloud environments can also be ransomed. In a poorly designed data protection solution, it can render automated recovery useless and basically knocks the network back to zero.

Retrieving applications and data after a ransomware intrusion becomes a race against the clock as the targeted organization tries its best to stop the spread and remove the crypto-ransomware and to resume business-critical activity. Because ransomware requires time to move laterally, attacks are frequently launched during weekends and nights, when penetrations in many cases take longer to identify. This compounds the difficulty of promptly mobilizing and coordinating an experienced response team.

Progent offers an assortment of solutions for protecting organizations from ransomware penetrations. These include team member training to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of modern security gateways with machine learning capabilities to quickly detect and extinguish new threats. Progent in addition offers the assistance of experienced ransomware recovery engineers with the talent and perseverance to restore a breached network as rapidly as possible.

Progent's Ransomware Recovery Support Services
Soon after a crypto-ransomware penetration, sending the ransom demands in cryptocurrency does not provide any assurance that criminal gangs will respond with the keys to decipher any of your data. Kaspersky determined that 17% of ransomware victims never restored their data even after having paid the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is significantly higher than the typical ransomware demands, which ZDNET estimates to be approximately $13,000. The fallback is to re-install the essential parts of your Information Technology environment. Absent the availability of essential information backups, this requires a broad range of skill sets, top notch project management, and the capability to work non-stop until the task is complete.

For twenty years, Progent has made available certified expert Information Technology services for companies in Sacramento and across the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have earned top industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have earned internationally-recognized certifications including CISA, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has experience with financial systems and ERP software solutions. This breadth of experience provides Progent the ability to knowledgably determine important systems and consolidate the remaining pieces of your Information Technology environment following a ransomware event and configure them into an operational system.

Progent's security team of experts utilizes state-of-the-art project management applications to coordinate the complex recovery process. Progent appreciates the urgency of working quickly and in unison with a client's management and IT resources to prioritize tasks and to put essential systems back on line as soon as possible.

Client Case Study: A Successful Crypto-Ransomware Virus Restoration
A customer sought out Progent after their network system was attacked by the Ryuk ransomware virus. Ryuk is believed to have been created by North Korean government sponsored hackers, suspected of adopting algorithms exposed from the U.S. National Security Agency. Ryuk targets specific businesses with little or no tolerance for disruption and is among the most profitable examples of ransomware malware. Major targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing business headquartered in the Chicago metro area with about 500 employees. The Ryuk intrusion had frozen all essential operations and manufacturing capabilities. Most of the client's backups had been directly accessible at the time of the intrusion and were eventually encrypted. The client considered paying the ransom (in excess of $200K) and hoping for the best, but ultimately brought in Progent.


"I canít speak enough in regards to the expertise Progent gave us throughout the most fearful time of (our) companyís life. We may have had to pay the cyber criminals except for the confidence the Progent group gave us. The fact that you were able to get our e-mail system and critical applications back online in less than five days was earth shattering. Every single staff member I talked with or e-mailed at Progent was laser focused on getting us restored and was working at all hours to bail us out."

Progent worked hand in hand the customer to quickly assess and prioritize the critical areas that had to be addressed in order to restart business functions:

  • Active Directory (AD)
  • Email
  • MRP System
To begin, Progent adhered to AV/Malware Processes event mitigation industry best practices by halting the spread and removing active viruses. Progent then began the task of restoring Active Directory, the core of enterprise systems built upon Microsoft Windows technology. Microsoft Exchange Server email will not function without Windows AD, and the businessesí accounting and MRP applications utilized Microsoft SQL Server, which requires Windows AD for access to the information.

Within 48 hours, Progent was able to rebuild Active Directory services to its pre-intrusion state. Progent then initiated rebuilding and hard drive recovery of essential servers. All Exchange ties and attributes were usable, which accelerated the restore of Exchange. Progent was able to find local OST files (Microsoft Outlook Off-Line Folder Files) on various workstations and laptops to recover email messages. A not too old off-line backup of the businesses accounting systems made them able to return these required services back online. Although a large amount of work needed to be completed to recover totally from the Ryuk event, the most important services were returned to operations rapidly:


"For the most part, the manufacturing operation did not miss a beat and we produced all customer shipments."

Over the next few weeks critical milestones in the recovery project were completed in close cooperation between Progent team members and the customer:

  • Self-hosted web sites were returned to operation with no loss of information.
  • The MailStore Server containing more than 4 million archived emails was spun up and available for users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables/Inventory modules were 100 percent restored.
  • A new Palo Alto 850 firewall was brought on-line.
  • 90% of the desktops and laptops were fully operational.

"So much of what happened during the initial response is nearly entirely a blur for me, but my team will not soon forget the commitment each of you put in to help get our company back. I have utilized Progent for the past 10 years, maybe more, and each time I needed help Progent has shined and delivered. This situation was a testament to your capabilities."

Conclusion
A possible business extinction disaster was averted by hard-working professionals, a wide range of subject matter expertise, and close collaboration. Although in post mortem the ransomware virus penetration described here could have been disabled with up-to-date cyber security systems and NIST Cybersecurity Framework best practices, staff training, and appropriate incident response procedures for data backup and proper patching controls, the reality remains that government-sponsored cybercriminals from China, North Korea and elsewhere are relentless and are an ongoing threat. If you do get hit by a ransomware incursion, remember that Progent's team of professionals has substantial experience in ransomware virus defense, removal, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), Iím grateful for letting me get some sleep after we made it over the initial push. All of you did an impressive effort, and if anyone that helped is around the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Sacramento a range of online monitoring and security evaluation services designed to assist you to reduce your vulnerability to ransomware. These services utilize modern machine learning capability to uncover zero-day strains of ransomware that are able to evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes cutting edge behavior-based machine learning tools to defend physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which easily escape traditional signature-based AV tools. ProSight ASM safeguards on-premises and cloud resources and offers a unified platform to manage the complete threat progression including filtering, infiltration detection, containment, remediation, and post-attack forensics. Key features include single-click rollback using Windows VSS and real-time system-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver ultra-affordable multi-layer security for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and responding to cyber assaults from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, device management, and web filtering through leading-edge technologies incorporated within one agent managed from a unified control. Progent's data protection and virtualization experts can help you to design and implement a ProSight ESP environment that addresses your organization's specific needs and that allows you demonstrate compliance with government and industry data protection standards. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for immediate attention. Progent's consultants can also help your company to set up and test a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized organizations a low cost end-to-end service for reliable backup/disaster recovery (BDR). Available at a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup activities and allows fast recovery of vital files, applications and VMs that have become lost or damaged due to hardware breakdowns, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to a local device, or to both. Progent's BDR consultants can deliver world-class expertise to set up ProSight Data Protection Services to to comply with government and industry regulatory standards such as HIPAA, FINRA, and PCI and, whenever needed, can help you to restore your critical information. Read more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of top information security companies to provide web-based control and comprehensive security for all your inbound and outbound email. The hybrid architecture of Progent's Email Guard combines a Cloud Protection Layer with a local gateway device to provide advanced protection against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's cloud filter serves as a first line of defense and blocks the vast majority of threats from making it to your network firewall. This decreases your vulnerability to inbound attacks and saves network bandwidth and storage. Email Guard's on-premises gateway appliance adds a further layer of inspection for inbound email. For outgoing email, the on-premises security gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises gateway can also help Exchange Server to track and safeguard internal email that stays within your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to diagram, monitor, reconfigure and troubleshoot their networking hardware such as routers and switches, firewalls, and wireless controllers plus servers, printers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are kept updated, copies and manages the configuration information of almost all devices connected to your network, tracks performance, and generates notices when problems are discovered. By automating tedious network management activities, ProSight WAN Watch can cut hours off ordinary chores such as network mapping, reconfiguring your network, locating appliances that require important updates, or resolving performance problems. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring service that uses advanced remote monitoring and management (RMM) techniques to help keep your IT system operating efficiently by tracking the health of vital assets that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your designated IT personnel and your Progent engineering consultant so that any looming problems can be resolved before they have a chance to impact productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host configured and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved immediately to an alternate hardware environment without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and protect information related to your IT infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates ,domains or warranties. By updating and managing your IT documentation, you can save up to half of time wasted looking for vital information about your IT network. ProSight IT Asset Management features a centralized location for storing and collaborating on all documents related to managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether youíre planning enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you need as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.
For Sacramento 24/7 Ransomware Remediation Help, call Progent at 800-993-9400 or go to Contact Progent.