Crypto-Ransomware : Your Feared IT Disaster
Crypto-Ransomware  Remediation ConsultantsRansomware has become a modern cyberplague that presents an existential threat for organizations vulnerable to an attack. Versions of ransomware like the CryptoLocker, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been out in the wild for years and still cause damage. Modern variants of ransomware like Ryuk and Hermes, plus daily as yet unnamed malware, not only do encryption of on-line data files but also infect most available system backup. Files synchronized to the cloud can also be rendered useless. In a poorly designed system, this can render automated restoration useless and effectively sets the network back to square one.

Recovering programs and data following a crypto-ransomware attack becomes a race against time as the targeted business fights to contain the damage and cleanup the ransomware and to restore business-critical activity. Because crypto-ransomware takes time to replicate, assaults are often sprung during nights and weekends, when attacks may take longer to identify. This compounds the difficulty of promptly marshalling and organizing a qualified mitigation team.

Progent has an assortment of services for securing businesses from ransomware events. Among these are team member training to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of modern security gateways with artificial intelligence technology to intelligently identify and suppress zero-day threats. Progent also provides the services of veteran ransomware recovery professionals with the talent and commitment to reconstruct a breached environment as urgently as possible.

Progent's Ransomware Recovery Services
After a ransomware penetration, even paying the ransom in Bitcoin cryptocurrency does not guarantee that distant criminals will provide the needed codes to decipher all your information. Kaspersky determined that 17% of ransomware victims never recovered their information after having sent off the ransom, resulting in more losses. The risk is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is significantly above the average crypto-ransomware demands, which ZDNET determined to be around $13,000. The fallback is to setup from scratch the essential parts of your IT environment. Without access to full system backups, this requires a wide complement of skill sets, well-coordinated team management, and the capability to work non-stop until the task is complete.

For twenty years, Progent has provided professional Information Technology services for companies in Akron and throughout the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have attained top certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have garnered internationally-recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience in accounting and ERP applications. This breadth of expertise provides Progent the capability to rapidly understand necessary systems and re-organize the remaining parts of your network environment following a ransomware penetration and rebuild them into a functioning network.

Progent's recovery team utilizes powerful project management applications to orchestrate the complicated restoration process. Progent appreciates the urgency of acting quickly and in unison with a client's management and IT resources to prioritize tasks and to get the most important services back on line as fast as possible.

Client Story: A Successful Ransomware Attack Restoration
A business sought out Progent after their network system was taken over by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state cybercriminals, possibly adopting strategies leaked from the U.S. National Security Agency. Ryuk goes after specific organizations with little or no room for operational disruption and is one of the most lucrative instances of ransomware viruses. Well Known targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturer located in Chicago with about 500 staff members. The Ryuk intrusion had paralyzed all business operations and manufacturing processes. Most of the client's data protection had been online at the start of the attack and were damaged. The client was taking steps for paying the ransom (more than two hundred thousand dollars) and wishfully thinking for the best, but ultimately utilized Progent.


"I cannot thank you enough in regards to the support Progent provided us during the most critical time of (our) businesses existence. We may have had to pay the cyber criminals if it wasnít for the confidence the Progent group gave us. The fact that you were able to get our e-mail system and essential applications back online in less than seven days was earth shattering. Each expert I interacted with or texted at Progent was absolutely committed on getting our system up and was working day and night to bail us out."

Progent worked hand in hand the client to rapidly get our arms around and prioritize the essential systems that had to be restored to make it possible to continue business operations:

  • Active Directory
  • Microsoft Exchange
  • Accounting/MRP
To start, Progent adhered to Anti-virus incident mitigation best practices by stopping lateral movement and performing virus removal steps. Progent then initiated the steps of bringing back online Microsoft Active Directory, the core of enterprise networks built upon Microsoft Windows Server technology. Exchange messaging will not function without Windows AD, and the customerís accounting and MRP system leveraged Microsoft SQL, which needs Windows AD for security authorization to the data.

Within 2 days, Progent was able to recover Active Directory services to its pre-penetration state. Progent then performed setup and hard drive recovery of essential servers. All Exchange ties and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to collect intact OST data files (Microsoft Outlook Offline Folder Files) on various desktop computers to recover mail data. A not too old offline backup of the client's financials/ERP systems made it possible to return these essential applications back online for users. Although major work needed to be completed to recover totally from the Ryuk event, core services were returned to operations quickly:


"For the most part, the production operation ran fairly normal throughout and we produced all customer deliverables."

During the next few weeks key milestones in the recovery process were achieved through close cooperation between Progent team members and the customer:

  • In-house web sites were returned to operation without losing any information.
  • The MailStore Exchange Server exceeding 4 million archived emails was brought online and available for users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory modules were 100 percent operational.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • 90% of the desktop computers were being used by staff.

"Much of what was accomplished in the initial days is nearly entirely a fog for me, but our team will not forget the dedication all of the team accomplished to give us our business back. I have trusted Progent for the past 10 years, maybe more, and each time Progent has impressed me and delivered. This situation was a stunning achievement."

Conclusion
A possible business extinction catastrophe was averted with hard-working experts, a wide spectrum of subject matter expertise, and close teamwork. Although in analyzing the event afterwards the crypto-ransomware virus penetration detailed here should have been shut down with advanced cyber security technology solutions and recognized best practices, user education, and well designed security procedures for information backup and keeping systems up to date with security patches, the reality is that state-sponsored cyber criminals from China, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware incident, remember that Progent's team of experts has a proven track record in ransomware virus defense, removal, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were contributing), thank you for making it so I could get some sleep after we made it past the initial fire. All of you did an incredible effort, and if any of your guys is in the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Akron a range of remote monitoring and security evaluation services to assist you to reduce your vulnerability to ransomware. These services utilize next-generation AI capability to detect zero-day variants of ransomware that can evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes cutting edge behavior-based analysis tools to guard physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which routinely escape traditional signature-matching anti-virus products. ProSight ASM safeguards local and cloud resources and offers a single platform to automate the complete threat progression including protection, infiltration detection, containment, cleanup, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver economical in-depth security for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and reacting to security assaults from all attack vectors. ProSight ESP provides firewall protection, penetration alerts, endpoint control, and web filtering through cutting-edge tools incorporated within a single agent managed from a single control. Progent's security and virtualization consultants can assist you to design and configure a ProSight ESP environment that meets your company's specific needs and that helps you achieve and demonstrate compliance with government and industry information protection regulations. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that call for urgent action. Progent's consultants can also assist your company to set up and verify a backup and disaster recovery system like ProSight Data Protection Services so you can recover rapidly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and medium-sized businesses a low cost and fully managed service for reliable backup/disaster recovery. For a fixed monthly rate, ProSight DPS automates your backup processes and allows fast restoration of vital data, applications and virtual machines that have become unavailable or corrupted due to component failures, software glitches, disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images/. Important data can be backed up on the cloud, to a local storage device, or to both. Progent's cloud backup specialists can deliver world-class support to set up ProSight Data Protection Services to to comply with regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can assist you to restore your business-critical information. Learn more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of top information security companies to deliver web-based management and comprehensive security for all your email traffic. The hybrid structure of Progent's Email Guard combines a Cloud Protection Layer with an on-premises gateway device to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The Cloud Protection Layer serves as a first line of defense and blocks the vast majority of unwanted email from reaching your security perimeter. This reduces your vulnerability to external attacks and saves network bandwidth and storage. Email Guard's onsite gateway appliance provides a deeper layer of analysis for inbound email. For outbound email, the local gateway offers AV and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also help Exchange Server to track and safeguard internal email traffic that originates and ends within your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to map, track, optimize and debug their connectivity appliances like switches, firewalls, and wireless controllers as well as servers, printers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology diagrams are always updated, copies and displays the configuration information of virtually all devices on your network, monitors performance, and generates notices when potential issues are discovered. By automating complex management activities, ProSight WAN Watch can knock hours off ordinary chores like network mapping, reconfiguring your network, locating appliances that require important software patches, or resolving performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to keep your IT system operating at peak levels by tracking the state of vital computers that power your information system. When ProSight LAN Watch detects a problem, an alarm is sent immediately to your specified IT management personnel and your Progent consultant so all potential issues can be addressed before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host set up and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the applications. Since the environment is virtualized, it can be moved easily to a different hosting solution without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, retrieve and protect data related to your network infrastructure, procedures, business apps, and services. You can quickly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or domains. By cleaning up and organizing your IT infrastructure documentation, you can eliminate up to half of time wasted searching for critical information about your network. ProSight IT Asset Management includes a common location for holding and sharing all documents required for managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT data. Whether youíre planning enhancements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need the instant you need it. Read more about ProSight IT Asset Management service.
For Akron 24-7 Ransomware Remediation Consultants, contact Progent at 800-993-9400 or go to Contact Progent.