Crypto-Ransomware : Your Worst IT Nightmare
Ransomware  Recovery ConsultantsRansomware has become a too-frequent cyber pandemic that represents an enterprise-level danger for businesses poorly prepared for an assault. Multiple generations of ransomware such as CryptoLocker, WannaCry, Locky, SamSam and MongoLock cryptoworms have been replicating for years and continue to cause havoc. Newer versions of ransomware like Ryuk and Hermes, as well as more as yet unnamed viruses, not only encrypt on-line critical data but also infect most configured system protection. Files synchronized to cloud environments can also be encrypted. In a vulnerable environment, it can make any restore operations hopeless and basically knocks the entire system back to zero.

Getting back on-line applications and information following a crypto-ransomware attack becomes a race against time as the victim tries its best to stop the spread and remove the virus and to restore enterprise-critical activity. Since ransomware requires time to spread, attacks are often launched on weekends and holidays, when attacks may take longer to notice. This multiplies the difficulty of rapidly assembling and orchestrating a qualified response team.

Progent makes available a variety of services for securing enterprises from ransomware events. These include team education to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of modern security appliances with machine learning technology to automatically identify and extinguish day-zero threats. Progent in addition can provide the assistance of seasoned ransomware recovery engineers with the talent and perseverance to re-deploy a breached environment as soon as possible.

Progent's Ransomware Restoration Support Services
After a crypto-ransomware event, even paying the ransom in Bitcoin cryptocurrency does not ensure that cyber hackers will respond with the keys to unencrypt any of your data. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never restored their files even after having sent off the ransom, resulting in additional losses. The risk is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is significantly higher than the usual ransomware demands, which ZDNET estimates to be approximately $13,000. The other path is to piece back together the essential parts of your IT environment. Without the availability of essential information backups, this calls for a wide complement of IT skills, professional team management, and the willingness to work continuously until the job is complete.

For twenty years, Progent has offered professional Information Technology services for companies in Atlanta and throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have earned high-level industry certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have garnered internationally-renowned certifications including CISM, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise with financial systems and ERP application software. This breadth of expertise affords Progent the capability to efficiently understand critical systems and re-organize the surviving pieces of your network environment following a ransomware penetration and rebuild them into a functioning network.

Progent's ransomware team of experts utilizes top notch project management tools to coordinate the complex restoration process. Progent knows the urgency of working quickly and together with a client's management and IT resources to prioritize tasks and to put essential systems back on-line as soon as humanly possible.

Client Case Study: A Successful Ransomware Intrusion Response
A customer contacted Progent after their organization was taken over by the Ryuk ransomware virus. Ryuk is thought to have been deployed by North Korean state sponsored hackers, suspected of adopting algorithms exposed from the United States National Security Agency. Ryuk attacks specific companies with little or no tolerance for disruption and is one of the most lucrative instances of ransomware viruses. Headline targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business based in Chicago with about 500 workers. The Ryuk intrusion had frozen all business operations and manufacturing processes. Most of the client's backups had been directly accessible at the beginning of the intrusion and were destroyed. The client considered paying the ransom (exceeding two hundred thousand dollars) and wishfully thinking for the best, but ultimately made the decision to use Progent.


"I canít speak enough about the expertise Progent gave us throughout the most fearful time of (our) companyís life. We may have had to pay the cyber criminals if it wasnít for the confidence the Progent team gave us. That you could get our e-mail system and critical servers back on-line faster than one week was incredible. Every single consultant I got help from or texted at Progent was urgently focused on getting our system up and was working day and night to bail us out."

Progent worked with the client to quickly get our arms around and assign priority to the essential applications that needed to be recovered to make it possible to resume business functions:

  • Active Directory (AD)
  • Microsoft Exchange Email
  • MRP System
To start, Progent followed ransomware incident mitigation best practices by halting lateral movement and cleaning systems of viruses. Progent then started the task of recovering Windows Active Directory, the key technology of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not function without AD, and the businessesí financials and MRP applications used Microsoft SQL, which depends on Active Directory for authentication to the databases.

In less than 2 days, Progent was able to restore Windows Active Directory to its pre-penetration state. Progent then initiated reinstallations and storage recovery of the most important applications. All Exchange Server ties and configuration information were usable, which facilitated the restore of Exchange. Progent was able to assemble intact OST data files (Outlook Email Off-Line Data Files) on user desktop computers and laptops to recover email data. A not too old off-line backup of the client's financials/MRP software made them able to restore these vital services back online. Although major work needed to be completed to recover totally from the Ryuk event, the most important services were recovered quickly:


"For the most part, the production line operation did not miss a beat and we did not miss any customer orders."

Throughout the following month critical milestones in the recovery process were made through close cooperation between Progent engineers and the customer:

  • In-house web sites were returned to operation with no loss of information.
  • The MailStore Microsoft Exchange Server containing more than four million historical emails was brought online and available for users.
  • CRM/Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory functions were 100 percent recovered.
  • A new Palo Alto 850 firewall was brought on-line.
  • Ninety percent of the user PCs were back into operation.

"A huge amount of what happened in the early hours is nearly entirely a fog for me, but my team will not soon forget the urgency all of the team accomplished to help get our business back. I have been working together with Progent for the past 10 years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered. This situation was the most impressive ever."

Conclusion
A possible business extinction catastrophe was dodged with results-oriented experts, a broad array of subject matter expertise, and tight collaboration. Although in hindsight the crypto-ransomware incident described here could have been identified and stopped with advanced cyber security technology solutions and recognized best practices, user education, and properly executed security procedures for information protection and keeping systems up to date with security patches, the fact remains that government-sponsored hackers from Russia, China and elsewhere are relentless and are not going away. If you do get hit by a crypto-ransomware incident, remember that Progent's team of professionals has a proven track record in crypto-ransomware virus defense, mitigation, and file disaster recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thanks very much for making it so I could get some sleep after we got through the first week. Everyone did an incredible effort, and if anyone is visiting the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Atlanta a range of online monitoring and security assessment services designed to help you to reduce your vulnerability to crypto-ransomware. These services incorporate next-generation machine learning capability to uncover zero-day strains of ransomware that can evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates cutting edge behavior analysis technology to guard physical and virtual endpoint devices against new malware assaults such as ransomware and email phishing, which routinely escape traditional signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a unified platform to address the entire threat lifecycle including filtering, detection, mitigation, cleanup, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services offer affordable in-depth protection for physical and virtual servers, desktops, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and reacting to cyber assaults from all vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, device control, and web filtering through cutting-edge technologies incorporated within one agent managed from a single control. Progent's data protection and virtualization consultants can help your business to plan and implement a ProSight ESP deployment that addresses your company's unique requirements and that allows you prove compliance with legal and industry information protection regulations. Progent will help you define and configure policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require urgent action. Progent can also help you to set up and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized organizations a low cost end-to-end solution for reliable backup/disaster recovery (BDR). Available at a fixed monthly rate, ProSight DPS automates and monitors your backup processes and enables rapid restoration of vital files, apps and virtual machines that have become lost or damaged as a result of component failures, software bugs, natural disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, plus Hyper-V and VMware images/. Important data can be protected on the cloud, to a local storage device, or to both. Progent's cloud backup consultants can provide advanced expertise to configure ProSight DPS to to comply with regulatory requirements such as HIPPA, FIRPA, PCI and Safe Harbor and, whenever needed, can help you to recover your business-critical information. Learn more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top data security companies to provide web-based management and comprehensive protection for all your email traffic. The hybrid architecture of Email Guard managed service combines cloud-based filtering with a local security gateway device to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne threats. The cloud filter acts as a preliminary barricade and keeps most unwanted email from making it to your security perimeter. This reduces your vulnerability to external threats and conserves network bandwidth and storage. Email Guard's on-premises security gateway appliance provides a further layer of analysis for incoming email. For outgoing email, the onsite security gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Exchange Server to monitor and protect internal email that originates and ends inside your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progentís ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to map, monitor, reconfigure and troubleshoot their networking hardware such as routers, firewalls, and wireless controllers plus servers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology diagrams are always current, copies and displays the configuration information of virtually all devices on your network, monitors performance, and sends alerts when issues are detected. By automating time-consuming network management activities, ProSight WAN Watch can cut hours off common tasks such as making network diagrams, reconfiguring your network, finding appliances that require critical updates, or identifying the cause of performance issues. Learn more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your network operating efficiently by tracking the state of critical assets that power your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your specified IT staff and your Progent consultant so that any looming problems can be resolved before they can disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and managed by Progent's IT support experts. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the apps. Since the environment is virtualized, it can be ported immediately to an alternate hardware environment without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and protect data about your network infrastructure, procedures, applications, and services. You can instantly find passwords or IP addresses and be warned about upcoming expirations of SSLs or domains. By updating and organizing your network documentation, you can eliminate up to 50% of time spent looking for critical information about your network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents required for managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether youíre planning improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need when you need it. Learn more about ProSight IT Asset Management service.
For Atlanta 24/7/365 Crypto Removal Experts, reach out to Progent at 800-993-9400 or go to Contact Progent.