Crypto-Ransomware : Your Feared IT Nightmare
Crypto-Ransomware Recovery Professionals
Ransomware has become an escalating cyberplague that represents an enterprise-level threat for any business vulnerable to an attack. Different iterations of crypto-ransomware, such as the Dharma, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms, have been circulating for a long time and still cause havoc. The latest ransomware families, such as Ryuk and Hermes, along with the unnamed variants that appear daily, not only encrypt online data but also attack every system protection mechanism they can reach. Files synched to cloud environments can also be rendered useless. In a poorly designed system, an attack can render automatic restore operations useless and effectively knock the network back to square one.

Retrieving programs and data after a ransomware outage becomes a sprint against time as the targeted business struggles to contain and remove the ransomware and to resume business-critical activity. Because ransomware takes time to spread, attacks are usually launched on weekends, when a successful penetration is likely to go unnoticed for longer. This compounds the difficulty of rapidly assembling and organizing a qualified response team.

Progent provides a variety of services for securing businesses against ransomware penetrations. Among these are staff training to help identify and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and the setup and configuration of next-generation security solutions that use artificial intelligence to automatically identify and extinguish new threats. Progent also offers the services of seasoned crypto-ransomware recovery professionals with the skill and perseverance to reconstruct a compromised network as quickly as possible.

Progent's Ransomware Restoration Services
After a crypto-ransomware penetration, even paying the ransom demand in Bitcoin does not ensure that the distant criminals will provide the keys needed to decrypt any or all of your data. Kaspersky found that 17% of crypto-ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical crypto-ransomware demand, which ZDNET determined to be approximately $13,000. The other path is to set up the essential components of your IT environment from scratch. Without access to intact system backups, this calls for a broad complement of skill sets, professional project management, and the willingness to work 24x7 until the recovery project is finished.

For decades, Progent has provided certified expert IT services for companies in Charleston and across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who hold advanced industry certifications in leading technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security engineers have earned internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications.) Progent also has experience with financial management and ERP applications. This breadth of expertise gives Progent the capability to identify your critical systems, salvage the surviving components of your network following a crypto-ransomware penetration, and rebuild them into an operational environment.

Progent's security group uses state-of-the-art project management applications to orchestrate the complex recovery process. Progent understands the urgency of working swiftly, and together with a client's management and IT staff, to prioritize tasks and put essential applications back online as soon as possible.

Case Study: A Successful Crypto-Ransomware Incident Restoration
A small business engaged Progent after their network was taken down by Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by North Korean state-sponsored hackers, possibly using techniques leaked from the U.S. NSA. Ryuk targets specific organizations that have little or no tolerance for disruption and is one of the most profitable versions of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing business based in the Chicago metro area with around 500 employees. The Ryuk penetration had disabled all essential business and manufacturing processes. Most of the client's backups had been directly accessible from the network at the time of the attack and were damaged. The client was pursuing financing to pay the ransom demand (in excess of $200,000) and hoping for the best, but in the end brought in Progent.


"I cannot say enough about the care Progent provided us throughout the most fearful time of (our) company's existence. We would have paid the cyber criminals behind the attack if not for the confidence the Progent experts provided us. The fact that you were able to get our e-mail system and key servers back online quicker than a week was earth shattering. Every single consultant I spoke to or texted at Progent was hell bent on getting us working again and was working day and night to bail us out."

Progent worked hand in hand with the customer to quickly understand and prioritize the most important elements that needed to be addressed in order to resume business operations:

  • Windows Active Directory
  • Microsoft Exchange Server
  • MRP System
To begin, Progent followed malware incident response best practices by halting the spread and cleaning up compromised systems. Progent then started rebuilding Microsoft Active Directory, the foundational technology of enterprise systems built on Microsoft products. Exchange messaging will not function without Active Directory, and the business's accounting and MRP applications relied on SQL Server, which depends on Active Directory to authenticate users to the database.

In less than 2 days, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then began rebuilding and recovering the hard drives of the most important applications. All Microsoft Exchange Server bindings and configuration information were intact, which simplified the restoration of Exchange. Progent was able to collect intact OST files (Outlook Offline Folder Files) from user workstations in order to recover email data. A recent offline backup of the customer's financials/ERP systems made it possible to bring these required applications back into service for users. Although significant work still had to be done to recover completely from the Ryuk damage, essential systems were returned to operation rapidly:


"For the most part, the production manufacturing operation showed little impact and we produced all customer sales."

Over the following month critical milestones in the restoration process were completed through tight cooperation between Progent team members and the customer:

  • In-house web sites were brought back up without losing any data.
  • The MailStore archive for Microsoft Exchange Server, holding over 4 million historical messages, was brought online and made available to users.
  • CRM/Customer Orders/Invoices/Accounts Payable/AR/Inventory functions were 100% recovered.
  • A new Palo Alto 850 firewall was brought online.
  • 90% of the user desktops and notebooks were functioning as before the incident.

"A huge amount of what went on in the early hours is nearly entirely a blur for me, but my team will not forget the dedication each and every one of your team put in to give us our business back. I have trusted Progent for the past 10 years, maybe more, and each time I needed help Progent has shined and delivered as promised. This situation was a stunning achievement."

Conclusion
A likely business-killing catastrophe was averted through the efforts of top-tier experts, a broad array of subject matter expertise, and close collaboration. In hindsight, the ransomware incident described here should have been stopped by advanced cyber security technology, security best practices, user education, and properly executed procedures for backup and patch management. The reality remains, however, that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and an ongoing threat. If you are hit by a ransomware incident, you can be confident that Progent's team of professionals has substantial experience in ransomware blocking, cleanup, and information systems restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for allowing me to get rested after we got over the first week. All of you did an impressive job, and if any of your team is around the Chicago area, dinner is my treat!"

A PDF version of this customer story is available: Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Charleston a variety of online monitoring and security assessment services designed to help you reduce your exposure to crypto-ransomware. These services include modern AI technology to detect new strains of crypto-ransomware that escape detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates cutting-edge behavior-based machine learning technology to defend physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which routinely evade legacy signature-based AV products. ProSight ASM safeguards local and cloud resources and provides a unified platform to manage the entire threat progression, including protection, identification, containment, remediation, and forensics. Top features include one-click rollback using the Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer protection for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and react to cyber threats from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, endpoint control, and web filtering through cutting-edge tools incorporated within a single agent managed from a unified console. Progent's security and virtualization experts can help your business design and configure a ProSight ESP deployment that meets your company's unique requirements and allows you to demonstrate compliance with government and industry information protection regulations. Progent will help you specify and implement the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require urgent attention. Progent's consultants can also help you install and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations a low-cost end-to-end service for secure backup and disaster recovery (BDR). Available at a low monthly rate, ProSight Data Protection Services automates and monitors your backup activities and enables rapid recovery of critical files, apps and virtual machines that have become unavailable or damaged as a result of component breakdowns, software bugs, natural disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, apps, system images, and Hyper-V and VMware images. Important data can be protected in the cloud, on a local device, or mirrored to both. Progent's BDR specialists can provide advanced expertise to set up ProSight DPS to comply with regulatory standards like HIPAA, FINRA, and PCI and, when necessary, can help you restore your business-critical data. Learn more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top information security vendors to deliver centralized control and comprehensive security for all your inbound and outbound email. The hybrid structure of Progent's Email Guard integrates cloud-based filtering with an on-premises security gateway appliance to offer advanced protection against spam, viruses, Denial of Service attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The cloud filter acts as a preliminary barricade and keeps the vast majority of threats from reaching your security perimeter. This decreases your exposure to inbound threats and saves network bandwidth and storage space. Email Guard's onsite gateway appliance adds a deeper level of inspection for inbound email. For outbound email, the on-premises gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The local security gateway can also assist Microsoft Exchange Server in tracking and protecting internal email that stays within your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller businesses to map, monitor, enhance and debug their connectivity appliances, such as routers, switches, firewalls, and load balancers, as well as servers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology maps are always current, captures and displays the configuration information of virtually all devices on your network, monitors performance, and generates alerts when problems are discovered. By automating time-consuming management and troubleshooting processes, ProSight WAN Watch can knock hours off ordinary tasks such as drawing network diagrams, expanding your network, locating appliances that require critical software patches, or identifying the cause of performance problems. Find out more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system running efficiently by tracking the state of the vital computers that power your business network. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your designated IT management staff and your assigned Progent consultant so that any looming problems can be resolved before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With the ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a protected, fault-tolerant data center on a fast virtual machine host set up and managed by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the applications. Because the system is virtualized, it can be moved easily to alternate hardware without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to create, update, find and safeguard information about your network infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or warranties. By updating and organizing your IT infrastructure documentation, you can eliminate up to half of the time wasted trying to find vital information about your network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents related to managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're making enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

For 24x7 Charleston Crypto Remediation Services, contact Progent at 800-993-9400 or go to Contact Progent.