Ransomware: Your Worst IT Catastrophe
Crypto-ransomware has become a modern cyberplague that poses an enterprise-level threat to businesses poorly prepared for an attack. Older extortion malware such as Reveton, CryptoWall, Locky and MongoLock, along with Syskey lockout scams, has been circulating for years and continues to inflict harm. Recent families such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, LockBit and Egregor, along with other as yet unnamed strains, not only encrypt online data files but also delete Volume Shadow Copies and system restore points and encrypt any backups reachable over the network. Data synced to cloud file services can be encrypted as well, because the sync client faithfully uploads the encrypted versions. In a poorly architected environment this makes automated restoration impossible and effectively knocks the network back to zero.
Getting applications and data back after a crypto-ransomware attack becomes a race against the clock as the targeted business struggles to stop lateral movement, remove the ransomware and resume business-critical operations. Because the intruders need time to spread through the network before detonating, encryption is frequently triggered on weekends and holidays, when a successful penetration typically takes longer to discover and a capable response team is harder to mobilize and coordinate.
Progent provides an assortment of services for protecting enterprises from crypto-ransomware attacks. These include staff education to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and installation of the latest generation of security gateways with machine learning to detect and suppress zero-day threats. Progent also offers the services of experienced ransomware recovery engineers with the skills and commitment to rebuild a breached system as quickly as possible.
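The pre-encryption step described above is detectable. Before Ryuk-style ransomware starts encrypting, it typically runs a short burst of commands that delete shadow copies, wipe the Windows backup catalog and disable boot recovery, and it does so at the hours when nobody is watching. The following Python script is an added example, not Progent's code or part of the original page. It runs simple detection logic over constructed process-creation records (the field names loosely follow Sysmon Event ID 1 and are this example's own choice), flags the well-known backup-destruction command lines, raises severity when they run at weekends or outside an assumed business-hours window, and rolls up hosts where several distinct techniques appear together, which is the footprint of a ransomware operator rather than an administrator's one-off command.

```python
"""Flag backup-destruction commands that precede ransomware encryption.

Added example, not Progent's code. Input records are constructed; the
field names loosely follow Sysmon Event ID 1 (process creation).
"""
import re
from collections import defaultdict
from datetime import datetime

# Command lines ransomware families such as Ryuk run before encrypting so
# that shadow copies, backup catalogs and boot recovery cannot be used.
DESTRUCTIVE_PATTERNS = {
    "shadow_copy_delete": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
        re.I),
    "shadow_storage_resize": re.compile(
        r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "backup_catalog_delete": re.compile(
        r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    "recovery_disable": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\b.*\b(recoveryenabled\s+no|"
        r"bootstatuspolicy\s+ignoreallfailures)", re.I),
}

BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local; an assumption for this example

# Constructed telemetry: one workstation hit at 02:14 on a Saturday, one
# admin resizing shadow storage on a Tuesday morning, and benign noise.
SAMPLE_EVENTS = [
    {"time": "2021-01-16T02:14:05", "host": "WS-07", "user": "CORP\\jdoe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2021-01-16T02:14:09", "host": "WS-07", "user": "CORP\\jdoe",
     "cmd": "wbadmin delete catalog -quiet"},
    {"time": "2021-01-16T02:15:01", "host": "WS-07", "user": "CORP\\jdoe",
     "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"time": "2021-01-19T10:30:44", "host": "FS-01", "user": "CORP\\backupadmin",
     "cmd": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"time": "2021-01-19T11:02:10", "host": "WS-12", "user": "CORP\\asmith",
     "cmd": "notepad.exe C:\\Users\\asmith\\notes.txt"},
    {"time": "2021-01-18T09:00:00", "host": "FS-01", "user": "CORP\\backupadmin",
     "cmd": "vssadmin list shadows"},
]


def classify(cmd):
    """Names of the destructive patterns a command line matches (may be empty)."""
    return [name for name, rx in DESTRUCTIVE_PATTERNS.items() if rx.search(cmd)]


def is_off_hours(iso_time):
    """True at weekends or outside BUSINESS_HOURS, the window attackers favour."""
    ts = datetime.fromisoformat(iso_time)
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def triage(events):
    """Return (findings, probable_hosts).

    findings: one dict per matching event, severity raised off-hours.
    probable_hosts: hosts showing two or more distinct destructive techniques,
    the pre-encryption footprint rather than an admin's one-off command.
    """
    findings, per_host = [], defaultdict(set)
    for ev in events:
        tags = classify(ev["cmd"])
        if not tags:
            continue
        findings.append({
            "time": ev["time"], "host": ev["host"], "user": ev["user"],
            "tags": tags,
            "severity": "critical" if is_off_hours(ev["time"]) else "high",
        })
        per_host[ev["host"]].update(tags)
    probable = sorted(h for h, t in per_host.items() if len(t) >= 2)
    return findings, probable


if __name__ == "__main__":
    found, hosts = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['severity']:8} {f['time']} {f['host']:6} {f['user']:18} {f['tags']}")
    print("probable pre-encryption activity on:", hosts)
```

Run against the constructed records, the script reports three critical findings on WS-07 (the Saturday 02:14 burst), one high finding for the daytime shadow-storage resize on FS-01, and names WS-07 as the only host with multiple distinct techniques. The resize on its own is ambiguous, which is why the per-host roll-up, not any single match, is what should page the on-call responder.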
Progent's Crypto-Ransomware Restoration Services
After a crypto-ransomware attack, even paying the ransom in cryptocurrency gives no assurance that the criminal gang will hand over working keys to decrypt your files. Kaspersky Lab found that seventeen percent of ransomware victims never recovered their data even after paying, compounding their losses. The ransom itself is also expensive: Ryuk demands commonly range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at approximately $13,000. The other path is to rebuild the key components of your IT environment from scratch. Without usable system backups, this requires a broad complement of IT skills, top-notch project management, and the capacity to work 24x7 until the job is done.
For two decades, Progent has provided professional IT services to businesses in Santa Rosa and across the United States and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who hold top industry certifications in technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's cyber security specialists hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC and SANS GIAC (see Progent's certifications). Progent also has experience with financial management and ERP software. This breadth of experience gives Progent the skills to quickly identify the systems that matter, salvage the surviving pieces of your IT environment after a crypto-ransomware penetration and rebuild them into a functioning whole.
Progent's recovery team uses state-of-the-art project management tools to orchestrate the complex recovery process. Progent understands the urgency of working swiftly and together with the customer's management and IT staff to prioritize tasks and get critical services back online as soon as possible.
Business Case Study: A Successful Ransomware Intrusion Restoration
A customer escalated to Progent after their network was penetrated by Ryuk ransomware. Ryuk shares code with the earlier Hermes ransomware, which initially led to speculation about North Korean state involvement; it is now generally attributed to a Russian-speaking criminal group and is typically deployed by hand as the final stage of an intrusion that began with commodity malware such as Emotet or TrickBot. Ryuk targets specific businesses with little ability to tolerate operational disruption and is among the most profitable ransomware operations. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing business headquartered in the Chicago metro area with around 500 staff. The Ryuk penetration had frozen all company operations and manufacturing processes. Most of the client's backups had been online at the time of the intrusion and were encrypted along with everything else. The client considered paying the ransom (in excess of $200,000) and hoping for the best, but ultimately called Progent.
"I can't tell you enough about the help Progent provided us throughout the most fearful time of (our) business's life. We would have had little choice but to pay the hackers behind this attack if not for the confidence the Progent group provided us. That you could get our messaging and essential applications back into operation in under a week was earth-shattering. Every single expert I got help from or messaged at Progent was urgently focused on getting us operational and was working non-stop to bail us out."
Progent worked hand in hand with the client to quickly identify and prioritize the mission-critical systems that had to be addressed to resume company operations:
- Windows Active Directory
- Electronic Messaging
- Accounting and Manufacturing Software
To begin, Progent followed ransomware incident-response best practice by stopping the spread and clearing infected systems. Progent then started restoring Microsoft Active Directory, the foundation of enterprise networks built on Microsoft technology. Microsoft Exchange Server will not operate without AD, and the business's financial and MRP applications ran on Microsoft SQL Server, which relied on Active Directory for authentication to the data.
Within two days, Progent was able to recover Active Directory to its pre-attack state. Progent then rebuilt and recovered the disks of the most important systems. All of the Exchange Server objects and attributes in AD were intact, which greatly simplified the Exchange restore. Progent was also able to collect unencrypted OST files (Microsoft Outlook Offline Data Files) from staff PCs to recover mail. A reasonably recent offline backup of the customer's financial/ERP software made it possible to bring those vital applications back to users. Although much work remained to recover fully from the Ryuk damage, critical systems were returned to operation rapidly:
"For the most part, the production line operation survived unscathed and we did not miss any customer orders."
Over the next couple of weeks, key milestones in the restoration project were reached through close cooperation between Progent engineers and the customer:
- Self-hosted web sites were returned to operation without losing any information.
- The MailStore email archive for Microsoft Exchange Server, holding more than 4 million historical emails, was restored and made available to users.
- CRM, product ordering, invoicing, accounts payable, accounts receivable and inventory functions were 100 percent recovered.
- A new Palo Alto Networks PA-850 firewall was installed.
- Nearly all user workstations were functioning as before the incident.
"A lot of what happened those first few days is almost entirely a haze for me, but my management will not forget the commitment all of you put in to help get our business back. I have trusted Progent for the past ten years, maybe more, and every time Progent has come through and delivered as promised. This event was a stunning achievement."
A likely business-killing disaster was averted thanks to results-oriented professionals, a broad spectrum of IT skills and tight teamwork. In hindsight, the attack described here should have been detected and prevented with up-to-date security technology, NIST Cybersecurity Framework best practices, staff training, appropriate incident response procedures and timely security patching. The fact remains that government-sponsored and criminal cyber gangs from Russia, North Korea and elsewhere are relentless and an ongoing threat. If you do fall victim to a crypto-ransomware incident, be confident that Progent's team has proven experience in ransomware blocking, removal and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were involved), thank you for making it so I could get some sleep after we made it past the most critical parts. Everyone made a fabulous effort, and if any of your team is around the Chicago area, dinner is on me!"
To read or download a PDF version of this case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Santa Rosa a portfolio of remote monitoring and security assessment services to help minimize the threat from ransomware. These services include machine-learning capabilities to detect zero-day ransomware variants that evade legacy signature-based anti-virus.
For 24x7 crypto-ransomware recovery support in Santa Rosa, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection service that uses behavior analysis to defend physical and virtual endpoints against modern malware such as ransomware and fileless exploits, which routinely evade legacy signature-matching AV tools. ProSight ASM protects on-premises and cloud resources and offers a single platform that covers the whole attack lifecycle: blocking, detection, containment, cleanup and post-attack forensics. Key features include one-click rollback using the Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. VSS rollback only works while the shadow copies still exist; most current ransomware deletes them (for example with vssadmin delete shadows) before it starts encrypting, so the agent has to block that step rather than merely report it afterwards. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection managed services deliver affordable in-depth security for physical and virtual servers, workstations, mobile devices and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring of and response to attacks from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint management and web filtering through leading-edge technologies incorporated in a single agent managed from a single console. Progent's security and virtualization experts can help you plan and implement a ProSight ESP environment that meets your organization's specific requirements and lets you demonstrate compliance with legal and industry data security regulations. Progent will help you define and configure the security policies that ProSight ESP enforces, and Progent will monitor your network and react to alerts that call for immediate action. Progent can also help you install and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business rapidly after a potentially disastrous security incident such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and medium-sized businesses a low-cost end-to-end solution for secure backup and disaster recovery (BDR). For a fixed monthly cost, ProSight DPS automates your backups and allows rapid restoration of critical data, applications and virtual machines lost or damaged by hardware failure, software faults, natural disasters, human error or malware such as ransomware. ProSight DPS can back up, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware virtual machine images. Data can be protected in the cloud, on a local storage device, or mirrored to both; keeping at least one copy that the production network cannot overwrite is what lets a backup survive a ransomware attack. Progent's cloud backup consultants can deliver world-class expertise to configure ProSight DPS to comply with government and industry standards such as HIPAA, FERPA, PCI and Safe Harbor and, when necessary, can help you restore your critical information. Find out more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security vendors to provide centralized control and world-class security for your email traffic. The hybrid design of Progent's Email Guard managed service combines cloud-based filtering with an on-premises security gateway appliance to provide advanced protection against spam, viruses, denial of service attacks, directory harvest attacks (DHAs) and other email-borne threats. Email Guard's Cloud Protection Layer acts as a first barrier and keeps most threats from ever reaching your security perimeter, which reduces your exposure to inbound threats and conserves bandwidth and storage. The on-premises gateway adds a further layer of inspection for inbound email. For outgoing email, it provides AV and anti-spam protection, DLP and email encryption, and it can also help Exchange Server monitor and safeguard internal email that originates and terminates inside your perimeter. For more information, see Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to diagram, monitor, reconfigure and debug their connectivity appliances like switches, firewalls, and wireless controllers as well as servers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept updated, copies and displays the configuration of almost all devices on your network, monitors performance, and sends alerts when potential issues are discovered. By automating complex management processes, ProSight WAN Watch can knock hours off ordinary chores like network mapping, expanding your network, finding devices that need important updates, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management techniques to help keep your IT system operating at peak levels by tracking the health of the critical assets that drive your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your designated IT management personnel and your assigned Progent consultant so that potential problems can be resolved before they disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure Tier III data center on a fast virtual host set up and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the apps. Since the environment is virtualized, it can be ported immediately to an alternate hosting solution without a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and safeguard information related to your IT infrastructure, processes, business apps and services. You can instantly locate passwords or serial numbers and be alerted automatically about impending expirations of SSL/TLS certificates or warranties. By updating and organizing your IT infrastructure documentation, you can save up to 50% of the time spent searching for vital information about your network. ProSight IT Asset Management provides a centralized location for storing and sharing all documents related to managing your network infrastructure, such as recommended procedures and how-tos. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether you're planning improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.