Crypto-Ransomware : Your Crippling Information Technology Catastrophe
Crypto-ransomware has become a modern cyberplague that presents an extinction-level threat for businesses of all sizes vulnerable to an attack. Different iterations of ransomware like the Reveton, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been circulating for a long time and continue to inflict harm. Newer versions of ransomware like Ryuk and Hermes, along with more as yet unnamed variants, not only encrypt on-line data files but also infiltrate many configured system backups. Information synchronized to cloud environments can also be corrupted. Where the data protection solution is vulnerable, this can render any restoration hopeless and effectively sets the datacenter back to square one.

Restoring programs and data after a ransomware outage becomes a race against the clock as the targeted organization tries its best to contain and remove the ransomware and to restore enterprise-critical operations. Because ransomware requires time to spread, attacks are often launched on weekends, when penetrations tend to take more time to detect. This multiplies the difficulty of promptly assembling and coordinating a knowledgeable mitigation team.

Progent makes available a variety of solutions for protecting enterprises from crypto-ransomware penetrations. Among these are team training to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of modern security solutions with AI technology to intelligently discover and suppress day-zero cyber threats. Progent in addition provides the services of expert ransomware recovery consultants with the track record and perseverance to reconstruct a breached system as urgently as possible.

Progent's Ransomware Restoration Support Services
After a ransomware penetration, sending the ransom in Bitcoin cryptocurrency does not provide any assurance that distant criminals will return the keys needed to decrypt any of your files. Kaspersky Labs ascertained that seventeen percent of crypto-ransomware victims never restored their information even after having paid the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the average crypto-ransomware demand, which ZDNET determined to be approximately $13,000. The other path is to re-install the key components of your IT environment. Without the availability of complete data backups, this requires a broad range of skill sets, top-notch project management, and the willingness to work non-stop until the job is completed.

For decades, Progent has made available expert IT services for companies in Columbus and across the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have been awarded high-level certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have garnered internationally-recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has expertise with accounting and ERP software solutions. This breadth of expertise gives Progent the skills to knowledgeably identify necessary systems, integrate the surviving parts of your network environment following a crypto-ransomware penetration, and configure them into a functioning system.

Progent's ransomware team deploys state-of-the-art project management applications to coordinate the complex recovery process. Progent appreciates the urgency of working rapidly and in unison with a customer's management and IT team members to assign priority to tasks and to get key applications back on line as fast as possible.

Business Case Study: A Successful Ransomware Intrusion Response
A small business contacted Progent after their company was attacked by the Ryuk crypto-ransomware. Ryuk is thought to have been created by North Korean government-sponsored criminal gangs, possibly adopting algorithms leaked from America's National Security Agency. Ryuk goes after specific organizations with little or no tolerance for disruption and is among the most lucrative versions of ransomware. Highly publicized victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business located in the Chicago metro area with about 500 staff members. The Ryuk event had shut down all essential operations and manufacturing capabilities. Most of the client's data backups had been directly accessible from the network at the time of the attack and were destroyed. The client was actively seeking loans to pay the ransom (exceeding $200K) and hoping for the best, but in the end made the decision to use Progent.


"I can't tell you enough about the expertise Progent gave us throughout the most fearful time of (our) business's survival. We may have had to pay the cybercriminals except for the confidence the Progent experts gave us. The fact that you were able to get our e-mail system and key servers back into operation in less than 1 week was beyond my wildest dreams. Every single staff member I spoke to or communicated with at Progent was amazingly focused on getting us back on-line and was working at breakneck pace to bail us out."

Progent worked with the client to rapidly identify and prioritize the key systems that had to be restored in order to resume business functions:

  • Microsoft Active Directory
  • Email
  • Financials/MRP

To begin, Progent followed ransomware incident mitigation industry best practices by stopping lateral movement and cleaning up compromised systems. Progent then initiated the task of recovering Windows Active Directory, the key technology of enterprise environments built upon Microsoft Windows. Microsoft Exchange messaging will not work without AD, and the customer's MRP software leveraged SQL Server, which depends on Active Directory to authenticate access to its data.

In less than 2 days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then initiated reinstallations and hard drive recovery of essential servers. All Exchange Server data and attributes were intact, which greatly helped the restoration of Exchange. Progent was able to locate local OST files (Outlook Off-Line Folder Files) on various workstations in order to recover mail messages. A reasonably recent off-line backup of the client's manufacturing systems made it possible to return these required applications to users. Although a large amount of work still had to be done to recover totally from the Ryuk attack, critical systems were restored rapidly:


"For the most part, the manufacturing operation ran fairly normal throughout and we produced all customer shipments."

During the next few weeks key milestones in the restoration project were achieved in close cooperation between Progent engineers and the client:

  • In-house web sites were restored without losing any information.
  • The MailStore Microsoft Exchange Server containing more than four million archived emails was spun up and available for users.
  • CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory Control capabilities were completely restored.
  • A new Palo Alto 850 firewall was set up.
  • Nearly all of the user desktops were functioning as before the incident.

"Much of what occurred in the initial days is mostly a fog for me, but my team will not forget the dedication each of the team showed to help get our company back. I've been working together with Progent for the past ten years, possibly more, and each time I needed help Progent has come through and delivered as promised. This situation was a testament to your capabilities."

Conclusion
A likely company-ending disaster was dodged by top-tier experts, a broad spectrum of technical expertise, and close collaboration. Although forensics showed after the fact that the crypto-ransomware attack described here could have been prevented with modern security systems and security best practices, user and IT administrator education, and appropriate procedures for data protection and software patching, the fact is that government-sponsored cybercriminals from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by ransomware, you can be confident that Progent's team of experts has substantial experience in ransomware blocking, cleanup, and file recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thank you for making it so I could get some sleep after we made it through the initial fire. All of you made a fabulous effort, and if any of your guys are visiting the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Columbus a range of online monitoring and security evaluation services designed to assist you to minimize the threat from crypto-ransomware. These services utilize modern AI technology to uncover zero-day variants of ransomware that are able to escape detection by legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates next generation behavior-based analysis tools to guard physical and virtual endpoints against modern malware assaults such as ransomware and email phishing, which routinely escape traditional signature-based AV tools. ProSight Active Security Monitoring protects local and cloud resources and provides a unified platform to automate the entire threat lifecycle including protection, detection, mitigation, remediation, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer affordable in-depth security for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and reacting to cyber assaults from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint management, and web filtering through cutting-edge technologies packaged within one agent managed from a unified control. Progent's security and virtualization experts can help you to design and implement a ProSight ESP environment that meets your organization's unique needs and that helps you achieve and demonstrate compliance with legal and industry information protection standards. Progent will assist you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require urgent attention. Progent's consultants can also assist your company to install and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized organizations an affordable and fully managed solution for secure backup/disaster recovery (BDR). For a fixed monthly cost, ProSight DPS automates and monitors your backup activities and enables fast restoration of vital files, apps and virtual machines that have become unavailable or damaged as a result of hardware breakdowns, software bugs, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images. Important data can be backed up to the cloud, to a local device, or to both. Progent's BDR consultants can provide world-class expertise to set up ProSight DPS to comply with regulatory standards like HIPAA, FIRPA, PCI and Safe Harbor and, when necessary, can assist you to recover your business-critical information. Learn more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top data security vendors to provide web-based management and comprehensive security for all your inbound and outbound email. The hybrid architecture of Progent's Email Guard combines a Cloud Protection Layer with a local gateway device to offer complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's cloud filter acts as a first line of defense and keeps most unwanted email from reaching your security perimeter. This decreases your exposure to external attacks and conserves system bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a further level of inspection for inbound email. For outgoing email, the onsite security gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Microsoft Exchange Server to track and safeguard internal email that originates and ends inside your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to diagram, monitor, reconfigure and troubleshoot their networking appliances such as routers, firewalls, and wireless controllers plus servers, endpoints and other networked devices. Incorporating state-of-the-art RMM technology, WAN Watch makes sure that infrastructure topology maps are kept updated, copies and displays the configuration of almost all devices connected to your network, monitors performance, and sends notices when issues are detected. By automating tedious management and troubleshooting activities, ProSight WAN Watch can knock hours off ordinary chores such as network mapping, expanding your network, finding appliances that require critical updates, or identifying the cause of performance issues. Find out more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your network operating efficiently by tracking the state of vital computers that power your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your specified IT staff and your assigned Progent consultant so that potential issues can be resolved before they impact your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a protected Tier III data center on a fast virtual host set up and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the apps. Since the system is virtualized, it can be ported immediately to a different hardware environment without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and safeguard data about your IT infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates, domains or warranties. By updating and managing your network documentation, you can eliminate as much as half of the time wasted looking for critical information about your IT network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents required for managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're making enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you need as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.

For 24x7 Columbus Ransomware Recovery Consultants, contact Progent at 800-993-9400 or go to Contact Progent.