Crypto-Ransomware : Your Worst Information Technology Catastrophe
Ransomware has become an all-too-frequent cyber pandemic that poses an existential threat to any business vulnerable to attack. Crypto-ransomware families such as the CryptoLocker, Fusob, Locky, SamSam and MongoLock cryptoworms have been in the wild for years and continue to wreak havoc. Modern variants such as Ryuk and Hermes, along with other as-yet-unnamed malware, not only encrypt online data files but also attack any configured system protection mechanisms they can reach. Data replicated to cloud environments can be corrupted as well. With a vulnerable data protection solution, this can render automated restore operations useless and effectively reset the network to zero.
Recovering services and data after a crypto-ransomware attack becomes a race against time as the targeted organization fights to contain the damage, remove the ransomware, and resume business-critical operations. Because crypto-ransomware needs time to spread, intrusions are usually launched on weekends and holidays, when attacks often take longer to notice. This multiplies the difficulty of rapidly assembling and coordinating an experienced mitigation team.
Progent offers a range of services for protecting businesses from ransomware intrusions. These include staff training to help employees recognize and avoid phishing attacks, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of the latest generation of security gateways with artificial intelligence technology to rapidly detect and neutralize zero-day threats. Progent also offers the help of experienced ransomware recovery engineers with the skills and perseverance to rebuild a breached network as quickly as possible.
Progent's Ransomware Restoration Help
After a crypto-ransomware event, paying the ransom demand in cryptocurrency does not guarantee that the cyber criminals will provide the keys needed to decrypt any of your files. Kaspersky determined that 17% of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far above the typical ransomware demand, which ZDNET estimates to be around $13,000. The alternative is to piece back together the vital components of your IT environment. Without access to complete backups, this requires a broad complement of IT skills, top-notch project management, and the capacity to work non-stop until the job is done.
For twenty years, Progent has provided certified expert IT services to companies in Sacramento and throughout the US and has earned Microsoft's Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who hold advanced certifications from leading vendors such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's security consultants have earned internationally recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications.) Progent also has expertise in financial systems and ERP application software. This breadth of experience allows Progent to quickly understand critical systems, reorganize the surviving parts of your network after a ransomware intrusion, and reassemble them into a working system.
Progent's recovery team uses state-of-the-art project management tools to coordinate the complex restoration process. Progent understands the urgency of working rapidly and in unison with a client's management and IT staff to prioritize tasks and bring the most important services back online as fast as humanly possible.
Business Case Study: A Successful Ransomware Attack Response
A customer engaged Progent after their organization was crippled by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean state-sponsored criminal gangs, possibly adopting algorithms leaked from the U.S. NSA. Ryuk targets specific businesses with limited ability to sustain operational disruption and is among the most profitable ransomware strains. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in the Chicago metro area with around 500 employees. The Ryuk event had frozen all essential business and manufacturing processes. Most of the client's system backups had been directly accessible at the start of the intrusion and were encrypted. The client was arranging financing to pay the ransom (in excess of $200K) and hoping for the best, but in the end brought in Progent.
"I can't tell you enough in regards to the support Progent provided us during the most fearful period of (our) business's life. We would have paid the cybercriminals except for the confidence the Progent team gave us. The fact that you were able to get our e-mail and production applications back online in less than a week was amazing. Each expert I worked with or communicated with at Progent was hell bent on getting us operational and was working 24/7 on our behalf."
Progent worked with the customer to rapidly assess and prioritize the mission-critical areas that had to be restored to allow business operations to continue:
- Active Directory (AD)
- Microsoft Exchange Email
- Accounting and Manufacturing Software
To start, Progent followed AV/malware incident response best practices by isolating and removing active malware. Progent then began recovering Active Directory, the foundation of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange Server email will not function without Active Directory, and the business's financial and MRP applications relied on SQL Server, which requires Windows AD for access to the databases.
Within 48 hours, Progent had restored Active Directory to its pre-attack state. Progent then performed setup and storage recovery of the needed systems. All Microsoft Exchange Server data and configuration information were intact, which simplified the restoration of Exchange. Progent was also able to locate local OST files (Outlook Offline Folder Files) on user PCs and laptops and use them to recover mail data. A recent offline backup of the customer's manufacturing systems made it possible to return these essential services to users. Although significant work remained to recover completely from the Ryuk attack, the most important systems were restored rapidly:
"For the most part, the manufacturing operation survived unscathed and we delivered all customer deliverables."
During the following few weeks key milestones in the recovery process were completed in tight cooperation between Progent engineers and the client:
- Internal web applications were restored without losing any data.
- The MailStore Microsoft Exchange Server, with over four million historical emails, was brought online and made accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory functions were 100% recovered.
- A new Palo Alto 850 firewall was installed and configured.
- 90% of the desktop computers were operational.
"So much of what occurred those first few days is nearly entirely a blur for me, but my management will not soon forget the commitment all of the team accomplished to help get our business back. I have utilized Progent for at least 10 years, possibly more, and every time Progent has impressed me and delivered as promised. This situation was no exception but maybe more Herculean."
A likely business catastrophe was averted by results-oriented experts, a broad range of IT skills, and close teamwork. Although post-incident forensics showed that the ransomware intrusion described here could have been prevented with current security technology, recognized best practices, staff education, and properly executed backup and patching procedures, the reality is that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and will keep coming. If you are hit by a crypto-ransomware intrusion, you can be confident that Progent's team of professionals has a proven track record in ransomware defense, mitigation, and data disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for allowing me to get some sleep after we made it past the first week. All of you made a fabulous effort, and if any of you guys are in the Chicago area, dinner is on me!"
To read or download a PDF version of this customer story, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Sacramento a variety of online monitoring and security assessment services to help you minimize the threat from ransomware. These services incorporate modern machine learning technology to uncover zero-day strains of crypto-ransomware that can get past traditional signature-based anti-virus solutions.
For Sacramento 24-Hour Crypto-Ransomware Remediation Consulting, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection service that uses cutting-edge behavior-based machine learning technology to defend physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely get past traditional signature-matching AV products. ProSight Active Security Monitoring protects local and cloud resources and provides a unified platform to automate the complete threat lifecycle, including blocking, detection, containment, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection services offer affordable in-depth protection for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and respond to security threats from all vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint management, and web filtering through cutting-edge technologies packaged within one agent and managed from a single console. Progent's data protection and virtualization consultants can help your business design and configure a ProSight ESP deployment that addresses your company's specific needs and that allows you to achieve and demonstrate compliance with legal and industry information security standards. Progent will help you specify and configure the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require urgent action. Progent can also help your company install and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services offer small and medium-sized organizations a low-cost, fully managed service for reliable backup and disaster recovery. Available at a fixed monthly rate, ProSight DPS automates and monitors your backup processes and allows rapid recovery of critical data, apps and VMs that have been lost or corrupted as a result of component failures, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, and Hyper-V and VMware images. Critical data can be backed up to the cloud, to a local storage device, or to both. Progent's BDR specialists can provide world-class expertise to configure ProSight DPS to comply with regulatory standards such as HIPAA, FERPA, and PCI and, when needed, can help you recover your critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading data security vendors to provide web-based management and world-class protection for all your inbound and outbound email. The hybrid structure of the Email Guard managed service combines a Cloud Protection Layer with a local gateway appliance to offer advanced defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as the first line of defense and keeps the vast majority of threats from reaching your security perimeter. This decreases your exposure to external threats and conserves network bandwidth and storage space. Email Guard's onsite gateway appliance provides a deeper layer of analysis for inbound email. For outgoing email, the onsite gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Microsoft Exchange Server in tracking and safeguarding internal email that stays inside your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, track, enhance and debug their networking appliances like routers and switches, firewalls, and wireless controllers plus servers, printers, endpoints and other devices. Incorporating cutting-edge RMM technology, WAN Watch ensures that network diagrams are kept current, captures and displays the configuration information of virtually all devices connected to your network, monitors performance, and generates notices when problems are detected. By automating tedious management activities, ProSight WAN Watch can knock hours off ordinary tasks like network mapping, reconfiguring your network, finding devices that need important software patches, or isolating performance problems. Learn more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your network operating efficiently by checking the state of critical computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your specified IT management personnel and your assigned Progent engineering consultant so that all looming problems can be addressed before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With the ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual host configured and maintained by Progent's IT support experts. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the apps. Because the system is virtualized, it can be moved immediately to an alternate hosting solution without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that allows you to capture, update, retrieve and safeguard data related to your network infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or domains. By updating and managing your IT documentation, you can eliminate as much as 50% of the time wasted looking for vital information about your IT network. ProSight IT Asset Management includes a common repository for holding and collaborating on all documents related to managing your business network, such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT information. Whether you're making enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you require when you need it. Read more about the ProSight IT Asset Management service.