Crypto-Ransomware : Your Crippling IT Disaster
Ransomware Recovery Consultants

Crypto-ransomware has become an escalating cyber plague that represents an extinction-level danger for businesses of all sizes vulnerable to an attack. Different iterations of crypto-ransomware such as CryptoLocker, WannaCry, Locky, SamSam and MongoLock cryptoworms have been around for years and still inflict destruction. Newer variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Egregor, as well as daily unnamed newcomers, not only encrypt online information but also attack whatever system protection mechanisms they can reach. Files synchronized to the cloud can also be encrypted. In a poorly architected system, this can render any recovery impossible and effectively set the network back to square one.

Restoring applications and data following a crypto-ransomware attack becomes a sprint against time as the targeted organization struggles to stop the spread, clean up the crypto-ransomware, and resume mission-critical activity. Since ransomware requires time to replicate, attacks are often sprung on weekends and holidays, when successful penetrations in many cases take longer to detect. This multiplies the difficulty of promptly mobilizing and orchestrating a knowledgeable mitigation team.

Progent provides an assortment of solutions for securing businesses from crypto-ransomware events. Among these are user training to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with installation of next-generation security gateways with machine learning technology to automatically detect and extinguish new cyber attacks. Progent also offers the services of expert ransomware recovery professionals with the talent and commitment to re-deploy a breached system as urgently as possible.

Progent's Ransomware Recovery Services
After a ransomware event, sending the ransom in cryptocurrency does not provide any assurance that merciless criminals will return the keys needed to decipher any or all of your data. Kaspersky determined that seventeen percent of ransomware victims never restored their files after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000). This is greatly above the typical ransomware demand, which ZDNET determined to be in the range of $13,000. The fallback is to re-install the essential elements of your Information Technology environment. Without the availability of full system backups, this requires a wide complement of skill sets, top-notch project management, and the willingness to work 24x7 until the recovery project is complete.

For decades, Progent has offered expert IT services for companies in Bristol and throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have attained high-level certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have garnered internationally-renowned certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has experience in financial management and ERP application software. This breadth of expertise gives Progent the skills to efficiently identify critical systems and integrate the surviving pieces of your IT environment after a crypto-ransomware penetration and configure them into an operational system.

Progent's recovery team utilizes top-notch project management systems to coordinate the complicated recovery process. Progent knows the urgency of working quickly and in unison with a customer's management and IT team members to assign priority to tasks and to put critical applications back online as fast as possible.

Client Case Study: A Successful Ransomware Incident Restoration
A client contacted Progent after their organization was attacked by Ryuk ransomware. Ryuk is thought to have been created by North Korean government-sponsored hackers, suspected of adopting algorithms leaked from the United States NSA. Ryuk targets specific businesses with limited room for disruption and is among the most profitable examples of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing business based in Chicago with about 500 staff members. The Ryuk penetration had shut down all company operations and manufacturing processes. Most of the client's backups had been online at the start of the attack and were damaged. The client was pursuing financing for paying the ransom (exceeding $200K) and praying for the best, but in the end brought in Progent.


"I cannot speak enough in regards to the support Progent provided us during the most fearful time of (our) business's life. We most likely would have paid the cyber criminals if it wasn't for the confidence the Progent experts gave us. That you were able to get our messaging and essential servers back into operation sooner than seven days was beyond my wildest dreams. Every single expert I got help from or messaged at Progent was absolutely committed on getting us restored and was working day and night on our behalf."

Progent worked together with the customer to rapidly identify and assign priority to the key systems that needed to be restored to make it possible to restart company operations:

  • Active Directory
  • Microsoft Exchange Server
  • Accounting and Manufacturing Software
To begin, Progent followed malware incident response best practices by halting the spread and removing active malware. Progent then initiated the work of rebuilding Windows Active Directory, the core of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange messaging will not operate without Active Directory, and the customer's financials and MRP applications leveraged Microsoft SQL Server, which depended on Windows AD for access to the data.

Within 2 days, Progent was able to restore Active Directory to its pre-attack state. Progent then rebuilt the most important systems and recovered their storage. All Exchange links and attributes in Active Directory were usable, which accelerated the restoration of Exchange. Progent was also able to find non-encrypted OST files (Outlook Offline Data Files) on team PCs and used them to recover email data. A recent offline backup of the client's accounting/MRP software made it possible to return these vital services to users. Although a large amount of work remained to recover completely from the Ryuk attack, critical services were recovered rapidly:


"For the most part, the assembly line operation never missed a beat and we made all customer sales."
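The OST recovery step above depended on telling which cached Outlook files on workstations were still intact and which had been encrypted. The script below is an added example, not Progent's own tooling: it walks a directory tree (assumed to be a disk or image from an already isolated workstation), finds OST/PST files even when the malware has appended a new extension, and checks each one for the Outlook file signature that the MS-PST format places in the first four bytes. A file encrypted in place loses that signature. The sample tree it builds, including the ".locked" extension, is constructed for the demonstration.

```python
"""Recovery triage: locate Outlook OST/PST files and report which ones
still carry the intact Outlook signature. Added example, not Progent's
code. Assumes the scanned tree is a workstation disk or image that has
already been isolated from the network."""
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List

# MS-PST: every PST/OST file begins with dwMagic = 0x4E444221, which is
# the byte sequence "!BDN" on disk.
PST_MAGIC = b"!BDN"
MAIL_EXTENSIONS = {".ost", ".pst"}


def classify_header(header: bytes) -> str:
    """'intact' if the first four bytes are the Outlook magic, else 'damaged'
    (encrypted in place, truncated, or otherwise overwritten)."""
    return "intact" if header[:4] == PST_MAGIC else "damaged"


def classify_file(path: Path) -> str:
    with path.open("rb") as fh:
        return classify_header(fh.read(4))


def looks_like_mail_file(path: Path) -> bool:
    """Match .ost/.pst anywhere in the suffix chain, so a file renamed to
    'mail.ost.locked' by the malware is still examined."""
    return any(s.lower() in MAIL_EXTENSIONS for s in path.suffixes)


def find_mail_files(root: Path) -> Iterator[Path]:
    # os.walk does not follow symlinked directories by default, and we skip
    # symlinked files too, so the scan stays inside the tree it was given.
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            candidate = Path(dirpath) / name
            if looks_like_mail_file(candidate) and not candidate.is_symlink():
                yield candidate


def triage(root: Path) -> Dict[str, List[str]]:
    """Map 'intact' / 'damaged' to the relative paths found under root."""
    report: Dict[str, List[str]] = {"intact": [], "damaged": []}
    for path in sorted(find_mail_files(root)):
        report[classify_file(path)].append(path.relative_to(root).as_posix())
    return report


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: one intact OST, one OST encrypted in place,
    one encrypted and renamed (".locked" is a made-up extension), and one
    unrelated file that must be ignored."""
    (root / "alice").mkdir()
    (root / "bob").mkdir()
    (root / "alice" / "alice.ost").write_bytes(PST_MAGIC + b"\x00" * 60)
    (root / "bob" / "bob.ost").write_bytes(bytes(range(64)))
    (root / "bob" / "archive.pst.locked").write_bytes(b"\xff" * 64)
    (root / "bob" / "notes.txt").write_bytes(b"not a mail file")


def demo() -> Dict[str, List[str]]:
    """Run the triage against the constructed sample tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for status, paths in demo().items():
        print(status, paths)
```

Point `triage()` at the mounted image of a workstation's user profile directory to get the list of candidates. An intact OST still has to be opened or converted with an Outlook-aware tool to extract the mail; this check only sorts the candidates before that slower step, and a damaged file should be preserved untouched in case keys or a decryptor become available later.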

Throughout the next month key milestones in the restoration process were accomplished through close cooperation between Progent consultants and the customer:

  • Internal web sites were returned to operation without losing any information.
  • The MailStore Server with over four million archived emails was restored to operations and available for users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables/Inventory capabilities were fully recovered.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • Ninety percent of the desktop computers were back in use by staff.

"A lot of what was accomplished those first few days is nearly entirely a haze for me, but I will not soon forget the urgency each of the team put in to help get our company back. I have trusted Progent for the past 10 years, maybe more, and each time I needed help Progent has impressed me and delivered as promised. This time was no exception but maybe more Herculean."

Conclusion
A potential business extinction disaster was averted through the efforts of dedicated professionals, a wide range of IT skills, and tight teamwork. Although in retrospect the crypto-ransomware penetration detailed here could have been identified and stopped with up-to-date cyber security solutions and best practices, team training, and well thought out security procedures for information backup and proper patching controls, the fact remains that government-sponsored cybercriminals from China, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a crypto-ransomware penetration, feel confident that Progent's roster of professionals has a proven track record in ransomware virus defense, remediation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were contributing), thanks very much for letting me get some sleep after we made it over the most critical parts. All of you did an incredible effort, and if anyone that helped is visiting the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer story, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Bristol a variety of online monitoring and security evaluation services designed to assist you to minimize your vulnerability to ransomware. These services incorporate modern artificial intelligence technology to uncover zero-day strains of ransomware that are able to evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates next generation behavior-based machine learning technology to guard physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which easily escape traditional signature-matching AV tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a single platform to manage the complete malware attack progression including protection, infiltration detection, mitigation, cleanup, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection services offer ultra-affordable multi-layer security for physical servers and virtual machines, desktops, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and reacting to cyber threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device management, and web filtering through cutting-edge technologies packaged within one agent managed from a unified control. Progent's data protection and virtualization consultants can help your business to design and implement a ProSight ESP deployment that meets your company's unique needs and that helps you achieve and demonstrate compliance with legal and industry information security regulations. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require urgent attention. Progent's consultants can also help your company to install and test a backup and restore solution like ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and medium-sized organizations an affordable end-to-end service for reliable backup/disaster recovery. Available at a fixed monthly rate, ProSight DPS automates and monitors your backup activities and allows fast recovery of critical data, applications and VMs that have become unavailable or damaged due to hardware failures, software glitches, disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to an on-premises storage device, or to both. Progent's backup and recovery specialists can deliver world-class expertise to configure ProSight Data Protection Services to comply with regulatory standards such as HIPAA, FERPA, and PCI and, whenever needed, can assist you to recover your business-critical data. Find out more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading data security vendors to provide centralized management and world-class security for your email traffic. The hybrid structure of Progent's Email Guard combines cloud-based filtering with an on-premises gateway device to offer advanced protection against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps most unwanted email from reaching your network firewall. This decreases your vulnerability to inbound attacks and conserves system bandwidth and storage space. Email Guard's onsite gateway device provides a deeper level of inspection for incoming email. For outgoing email, the on-premises security gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that originates and ends inside your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map, monitor, enhance and debug their connectivity appliances like routers and switches, firewalls, and wireless controllers plus servers, endpoints and other devices. Incorporating cutting-edge RMM technology, WAN Watch makes sure that infrastructure topology maps are always current, copies and displays the configuration information of almost all devices on your network, tracks performance, and generates notices when problems are discovered. By automating tedious management and troubleshooting activities, WAN Watch can knock hours off common tasks like making network diagrams, expanding your network, finding appliances that need critical updates, or isolating performance issues. Find out more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management technology to help keep your IT system running at peak levels by tracking the health of critical computers that power your information system. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your designated IT management staff and your Progent engineering consultant so that any potential issues can be resolved before they can impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure Tier III data center on a fast virtual machine host set up and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the apps. Because the environment is virtualized, it can be moved easily to an alternate hosting solution without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not tied to one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and safeguard data related to your network infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your IT infrastructure documentation, you can eliminate up to half of the time wasted looking for vital information about your IT network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents required for managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether you're making improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you require when you need it. Find out more about ProSight IT Asset Management service.

For 24x7 Bristol CryptoLocker Removal Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.