Crypto-Ransomware : Your Feared Information Technology Disaster
Ransomware  Recovery ExpertsRansomware has become an escalating cyber pandemic that poses an extinction-level danger for businesses poorly prepared for an assault. Versions of ransomware such as Dharma, Fusob, Locky, NotPetya and MongoLock cryptoworms have been circulating for many years and still inflict damage. More recent versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, along with more unnamed newcomers, not only do encryption of on-line data files but also infect all configured system restores and backups. Files synchronized to the cloud can also be encrypted. In a poorly designed data protection solution, this can make automated restore operations useless and effectively sets the datacenter back to square one.

Recovering programs and information after a ransomware intrusion becomes a race against time as the targeted organization fights to contain and eradicate the virus and to resume enterprise-critical operations. Since ransomware needs time to replicate, assaults are usually sprung on weekends, when successful penetrations in many cases take more time to discover. This multiplies the difficulty of rapidly mobilizing and orchestrating a qualified mitigation team.

Progent makes available a range of solutions for securing organizations from crypto-ransomware attacks. These include team training to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of modern security appliances with machine learning technology to quickly discover and disable day-zero cyber threats. Progent also can provide the assistance of seasoned ransomware recovery professionals with the skills and commitment to restore a compromised system as urgently as possible.

Progent's Ransomware Restoration Help
Following a ransomware penetration, sending the ransom demands in Bitcoin cryptocurrency does not ensure that distant criminals will respond with the needed keys to decipher any of your information. Kaspersky Labs determined that 17% of ransomware victims never recovered their files even after having sent off the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is well above the usual crypto-ransomware demands, which ZDNET averages to be around $13,000. The other path is to re-install the key parts of your IT environment. Absent the availability of essential system backups, this calls for a wide complement of skills, top notch project management, and the willingness to work 24x7 until the recovery project is over.

For decades, Progent has offered professional Information Technology services for companies in Atlanta and throughout the U.S. and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have earned advanced industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally-renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent in addition has experience with financial management and ERP application software. This breadth of expertise provides Progent the capability to efficiently understand important systems and re-organize the remaining parts of your Information Technology environment following a crypto-ransomware attack and assemble them into an operational system.

Progent's ransomware team has state-of-the-art project management applications to coordinate the sophisticated restoration process. Progent understands the urgency of acting swiftly and together with a customerís management and Information Technology staff to assign priority to tasks and to put key systems back on line as fast as possible.

Client Story: A Successful Ransomware Attack Recovery
A client escalated to Progent after their organization was brought down by Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state sponsored criminal gangs, suspected of adopting technology leaked from the United States NSA organization. Ryuk attacks specific companies with little room for operational disruption and is one of the most profitable instances of ransomware. High publicized targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in the Chicago metro area with about 500 employees. The Ryuk intrusion had shut down all business operations and manufacturing processes. The majority of the client's backups had been directly accessible at the beginning of the attack and were encrypted. The client was taking steps for paying the ransom (in excess of two hundred thousand dollars) and wishfully thinking for the best, but ultimately brought in Progent.


"I canít speak enough about the help Progent gave us throughout the most critical time of (our) companyís existence. We would have paid the criminal gangs if not for the confidence the Progent group gave us. That you were able to get our messaging and critical servers back quicker than one week was something I thought impossible. Each expert I interacted with or communicated with at Progent was amazingly focused on getting my company operational and was working breakneck pace on our behalf."

Progent worked hand in hand the customer to quickly get our arms around and assign priority to the most important elements that had to be addressed to make it possible to continue company functions:

  • Active Directory
  • Email
  • Accounting/MRP
To start, Progent adhered to Anti-virus penetration mitigation best practices by stopping lateral movement and cleaning systems of viruses. Progent then started the work of restoring Microsoft Active Directory, the foundation of enterprise environments built on Microsoft technology. Microsoft Exchange email will not work without AD, and the businessesí financials and MRP system utilized Microsoft SQL Server, which requires Active Directory services for authentication to the information.

In less than two days, Progent was able to rebuild Windows Active Directory to its pre-virus state. Progent then charged ahead with rebuilding and storage recovery on key servers. All Exchange Server data and attributes were intact, which greatly helped the rebuild of Exchange. Progent was able to locate non-encrypted OST data files (Outlook Offline Folder Files) on various PCs and laptops in order to recover email messages. A not too old offline backup of the businesses manufacturing systems made them able to return these required applications back servicing users. Although a lot of work needed to be completed to recover fully from the Ryuk attack, the most important services were recovered rapidly:


"For the most part, the production operation did not miss a beat and we did not miss any customer deliverables."

Over the following couple of weeks important milestones in the recovery process were achieved through tight collaboration between Progent engineers and the client:

  • In-house web applications were returned to operation with no loss of information.
  • The MailStore Microsoft Exchange Server with over 4 million historical emails was brought online and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/AR/Inventory capabilities were 100 percent recovered.
  • A new Palo Alto 850 security appliance was brought online.
  • Nearly all of the user desktops were functioning as before the incident.

"Much of what occurred that first week is mostly a blur for me, but I will not forget the countless hours each of the team accomplished to give us our business back. I have been working together with Progent for at least 10 years, possibly more, and each time I needed help Progent has shined and delivered as promised. This event was a Herculean accomplishment."

Conclusion
A probable business-ending catastrophe was evaded with results-oriented experts, a wide array of subject matter expertise, and tight collaboration. Although in hindsight the ransomware virus incident detailed here could have been shut down with advanced security technology and best practices, team training, and well designed incident response procedures for information protection and keeping systems up to date with security patches, the fact is that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a ransomware virus, feel confident that Progent's team of experts has a proven track record in ransomware virus blocking, removal, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were contributing), thank you for letting me get rested after we made it past the most critical parts. All of you did an impressive job, and if anyone is visiting the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer story, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Atlanta a portfolio of remote monitoring and security evaluation services designed to help you to reduce your vulnerability to crypto-ransomware. These services include next-generation AI technology to detect new variants of ransomware that are able to escape detection by traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates next generation behavior machine learning technology to defend physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which routinely escape legacy signature-based AV products. ProSight Active Security Monitoring protects local and cloud-based resources and offers a single platform to address the entire malware attack lifecycle including blocking, identification, containment, remediation, and post-attack forensics. Key features include single-click rollback with Windows VSS and real-time network-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer protection for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP offers firewall protection, penetration alerts, endpoint control, and web filtering via cutting-edge tools packaged within one agent accessible from a unified control. Progent's data protection and virtualization consultants can assist your business to plan and implement a ProSight ESP deployment that meets your organization's unique requirements and that allows you achieve and demonstrate compliance with legal and industry information security standards. Progent will assist you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that call for urgent attention. Progent's consultants can also assist you to set up and verify a backup and restore solution such as ProSight Data Protection Services so you can get back in business rapidly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with advanced backup technology providers to create ProSight Data Protection Services, a family of subscription-based management outsourcing plans that provide backup-as-a-service. ProSight DPS services manage and monitor your data backup processes and allow transparent backup and fast recovery of critical files/folders, apps, images, and virtual machines. ProSight DPS lets you avoid data loss caused by equipment breakdown, natural disasters, fire, cyber attacks such as ransomware, user error, malicious insiders, or software bugs. Managed services in the ProSight DPS product line include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can assist you to identify which of these fully managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top data security companies to deliver web-based control and world-class security for all your inbound and outbound email. The powerful structure of Email Guard integrates cloud-based filtering with an on-premises security gateway appliance to provide advanced defense against spam, viruses, Denial of Service Attacks, DHAs, and other email-borne threats. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps the vast majority of unwanted email from reaching your network firewall. This decreases your vulnerability to external threats and conserves system bandwidth and storage space. Email Guard's on-premises security gateway device provides a deeper level of analysis for inbound email. For outgoing email, the onsite security gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends within your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to map, track, enhance and troubleshoot their connectivity hardware such as switches, firewalls, and load balancers as well as servers, printers, client computers and other devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are always updated, captures and manages the configuration of almost all devices connected to your network, monitors performance, and generates alerts when potential issues are detected. By automating complex management activities, ProSight WAN Watch can cut hours off common tasks like making network diagrams, expanding your network, locating devices that require critical updates, or isolating performance bottlenecks. Find out more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates advanced remote monitoring and management technology to help keep your network operating at peak levels by checking the health of vital assets that drive your information system. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your specified IT management personnel and your Progent engineering consultant so all looming problems can be addressed before they can disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host configured and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be ported easily to a different hardware environment without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and safeguard data related to your network infrastructure, procedures, applications, and services. You can instantly find passwords or IP addresses and be alerted about impending expirations of SSL certificates or domains. By updating and organizing your IT infrastructure documentation, you can save as much as 50% of time spent searching for critical information about your IT network. ProSight IT Asset Management includes a common repository for storing and sharing all documents related to managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether youíre making improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you require as soon as you need it. Find out more about ProSight IT Asset Management service.
For 24-Hour Atlanta Crypto Cleanup Experts, contact Progent at 800-462-8800 or go to Contact Progent.