Crypto-Ransomware : Your Feared IT Disaster
Ransomware  Recovery ProfessionalsCrypto-Ransomware has become a modern cyberplague that presents an enterprise-level danger for organizations vulnerable to an assault. Different versions of ransomware like the CrySIS, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been circulating for years and continue to inflict destruction. More recent versions of ransomware like Ryuk and Hermes, along with daily as yet unnamed viruses, not only encrypt on-line data but also infect any configured system backups. Files synched to the cloud can also be ransomed. In a poorly architected system, it can make automated restore operations hopeless and basically knocks the datacenter back to square one.

Retrieving services and information following a ransomware attack becomes a race against the clock as the targeted organization fights to contain the damage and remove the ransomware and to restore mission-critical operations. Due to the fact that crypto-ransomware requires time to replicate, assaults are usually launched during nights and weekends, when successful penetrations may take more time to recognize. This compounds the difficulty of rapidly mobilizing and organizing an experienced mitigation team.

Progent provides an assortment of services for securing businesses from ransomware attacks. Among these are team education to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of modern security appliances with machine learning capabilities to automatically identify and suppress day-zero threats. Progent also offers the assistance of seasoned ransomware recovery engineers with the talent and commitment to reconstruct a compromised system as urgently as possible.

Progent's Crypto-Ransomware Recovery Support Services
Subsequent to a ransomware event, sending the ransom demands in Bitcoin cryptocurrency does not provide any assurance that cyber hackers will return the needed codes to decrypt any of your files. Kaspersky determined that seventeen percent of ransomware victims never recovered their information even after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the average crypto-ransomware demands, which ZDNET estimates to be in the range of $13,000. The fallback is to piece back together the key elements of your Information Technology environment. Absent the availability of complete data backups, this requires a broad range of skill sets, professional team management, and the ability to work non-stop until the job is over.

For two decades, Progent has made available expert Information Technology services for companies in San Jose and across the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have been awarded advanced certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have garnered internationally-renowned industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with financial systems and ERP application software. This breadth of experience provides Progent the capability to knowledgably understand important systems and re-organize the remaining pieces of your Information Technology environment after a ransomware event and rebuild them into a functioning system.

Progent's recovery team utilizes best of breed project management tools to orchestrate the sophisticated restoration process. Progent appreciates the importance of working swiftly and together with a client's management and IT resources to prioritize tasks and to get key services back on-line as soon as humanly possible.

Client Case Study: A Successful Ransomware Virus Response
A customer engaged Progent after their network was penetrated by Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state sponsored criminal gangs, possibly adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific businesses with little or no tolerance for operational disruption and is one of the most profitable iterations of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in the Chicago metro area with about 500 workers. The Ryuk event had brought down all company operations and manufacturing capabilities. The majority of the client's data backups had been directly accessible at the time of the intrusion and were eventually encrypted. The client was pursuing financing for paying the ransom (more than $200K) and praying for the best, but ultimately utilized Progent.


"I cannot speak enough in regards to the support Progent gave us during the most critical time of (our) businesses survival. We would have paid the criminal gangs if it wasnít for the confidence the Progent experts afforded us. That you were able to get our e-mail system and critical applications back faster than 1 week was incredible. Each consultant I worked with or messaged at Progent was amazingly focused on getting our system up and was working all day and night on our behalf."

Progent worked with the client to quickly assess and assign priority to the key applications that had to be restored to make it possible to resume departmental functions:

  • Windows Active Directory
  • Electronic Messaging
  • Accounting/MRP
To begin, Progent adhered to ransomware incident mitigation best practices by stopping lateral movement and performing virus removal steps. Progent then started the process of restoring Microsoft Active Directory, the core of enterprise systems built upon Microsoft technology. Microsoft Exchange messaging will not work without Windows AD, and the client's MRP system utilized Microsoft SQL, which requires Active Directory for access to the databases.

Within 2 days, Progent was able to restore Active Directory to its pre-attack state. Progent then charged ahead with setup and storage recovery on key servers. All Exchange Server data and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to find non-encrypted OST data files (Outlook Off-Line Data Files) on staff desktop computers and laptops in order to recover email messages. A recent off-line backup of the businesses manufacturing software made it possible to restore these essential programs back online. Although a lot of work needed to be completed to recover completely from the Ryuk event, the most important systems were restored rapidly:


"For the most part, the production manufacturing operation showed little impact and we produced all customer shipments."

Over the following month important milestones in the restoration process were made through close cooperation between Progent consultants and the customer:

  • Self-hosted web applications were brought back up without losing any data.
  • The MailStore Exchange Server containing more than four million historical emails was brought on-line and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/AR/Inventory modules were fully functional.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • Ninety percent of the desktops and laptops were back into operation.

"So much of what occurred in the initial days is mostly a fog for me, but our team will not soon forget the dedication all of you accomplished to help get our business back. I have been working together with Progent for the past 10 years, maybe more, and each time Progent has outperformed my expectations and delivered as promised. This event was a life saver."

Conclusion
A probable business extinction catastrophe was averted by top-tier professionals, a wide array of subject matter expertise, and tight collaboration. Although upon completion of forensics the ransomware penetration detailed here could have been disabled with advanced cyber security technology and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user training, and appropriate security procedures for backup and applying software patches, the reality remains that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware virus, remember that Progent's team of experts has substantial experience in ransomware virus blocking, removal, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were involved), thanks very much for making it so I could get some sleep after we made it through the most critical parts. Everyone did an amazing effort, and if anyone that helped is around the Chicago area, dinner is on me!"

To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in San Jose a range of remote monitoring and security assessment services to help you to minimize the threat from crypto-ransomware. These services incorporate modern artificial intelligence capability to uncover new strains of crypto-ransomware that can get past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates cutting edge behavior-based machine learning tools to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and file-less exploits, which easily evade traditional signature-based AV products. ProSight Active Security Monitoring safeguards local and cloud-based resources and offers a single platform to address the complete threat lifecycle including blocking, infiltration detection, containment, cleanup, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer protection for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and responding to cyber threats from all attack vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint management, and web filtering through cutting-edge tools incorporated within one agent accessible from a unified control. Progent's security and virtualization experts can help you to design and configure a ProSight ESP environment that addresses your organization's specific requirements and that helps you demonstrate compliance with legal and industry information protection regulations. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for immediate action. Progent's consultants can also help your company to set up and verify a backup and restore system such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized businesses a low cost end-to-end service for secure backup/disaster recovery. Available at a low monthly rate, ProSight Data Protection Services automates your backup activities and enables fast recovery of critical files, applications and virtual machines that have become unavailable or damaged due to component breakdowns, software bugs, disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to an on-promises device, or mirrored to both. Progent's cloud backup consultants can provide advanced expertise to configure ProSight DPS to be compliant with regulatory requirements such as HIPAA, FIRPA, PCI and Safe Harbor and, whenever needed, can help you to restore your business-critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of top data security vendors to deliver centralized control and world-class security for your email traffic. The hybrid structure of Email Guard combines cloud-based filtering with an on-premises security gateway appliance to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The cloud filter acts as a preliminary barricade and keeps the vast majority of threats from reaching your security perimeter. This reduces your exposure to inbound attacks and saves network bandwidth and storage space. Email Guard's on-premises gateway device adds a further level of inspection for incoming email. For outgoing email, the onsite gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email that stays within your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to diagram, track, optimize and troubleshoot their connectivity appliances like switches, firewalls, and wireless controllers plus servers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept current, captures and displays the configuration of virtually all devices on your network, monitors performance, and sends notices when potential issues are detected. By automating tedious management processes, ProSight WAN Watch can cut hours off common tasks such as making network diagrams, expanding your network, locating appliances that require important updates, or resolving performance problems. Find out more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that incorporates advanced remote monitoring and management techniques to help keep your IT system operating at peak levels by tracking the state of critical computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your designated IT staff and your Progent engineering consultant so that any looming problems can be resolved before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the applications. Since the system is virtualized, it can be ported immediately to a different hardware environment without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, find and protect information related to your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or domains. By cleaning up and managing your network documentation, you can eliminate as much as half of time wasted trying to find critical information about your network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents required for managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether youíre planning enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you require as soon as you need it. Read more about ProSight IT Asset Management service.
For 24x7x365 San Jose Crypto Recovery Consulting, call Progent at 800-993-9400 or go to Contact Progent.