Crypto-Ransomware : Your Worst IT Nightmare
Crypto-ransomware has become an all-too-frequent cyber pandemic that poses an existential threat to businesses of every size that are unprepared for an assault. Earlier families of crypto-ransomware such as Reveton, Fusob, Bad Rabbit, SamSam and the MongoLock cryptoworm have been running rampant for years and continue to cause harm. Newer strains such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, plus a steady stream of as yet unnamed newcomers, not only encrypt online files but also attack every available system protection mechanism. Data synched to the cloud can be ransomed as well. In a vulnerable environment this can render automatic restore operations hopeless and effectively knock the datacenter back to zero.
Recovering services and data after a ransomware event becomes a race against time as the targeted business struggles to contain and remove the ransomware and to restore business-critical operations. Because ransomware needs time to move laterally, intrusions are often launched at night, when attacks typically take longer to identify. This compounds the difficulty of rapidly assembling and coordinating a knowledgeable mitigation team.
Progent offers a variety of services for protecting businesses from ransomware events. These include team member training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of the latest generation of security appliances with machine-learning capabilities to automatically discover and extinguish zero-day threats. Progent can also provide experienced ransomware recovery engineers with the skills and commitment to redeploy a compromised environment as urgently as possible.
Progent's Crypto-Ransomware Recovery Support Services
After a crypto-ransomware event, paying the ransom demand in Bitcoin does not ensure that remote criminals will hand over the keys needed to decrypt your files. Kaspersky found that seventeen percent of crypto-ransomware victims never recovered their data after sending off the ransom, compounding their losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is far higher than the average ransomware demand, which ZDNET determined to be around $13,000. The alternative is to piece the key elements of your IT environment back together. Without access to intact system backups, this calls for a wide range of IT skills, top-notch team management, and the capability to work non-stop until the task is complete.
For twenty years, Progent has offered expert IT services to businesses in Corpus Christi and throughout the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who hold advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial systems and ERP software. This breadth of expertise gives Progent the ability to knowledgeably understand critical systems, consolidate the surviving pieces of your network environment following a crypto-ransomware event, and assemble them into a functioning system.
Progent's ransomware team uses best-of-breed project management systems to coordinate the complicated recovery process. Progent understands the urgency of acting swiftly and in unison with a client's management and IT staff to prioritize tasks and to get the most important applications back online as fast as humanly possible.
Case Study: A Successful Crypto-Ransomware Incident Restoration
A customer hired Progent after their organization was brought down by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state cybercriminals, possibly adopting technology leaked from America's National Security Agency. Ryuk targets specific organizations with little tolerance for operational disruption and is one of the most lucrative variants of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer located in the Chicago metro area with about 500 staff members. The Ryuk intrusion had brought down all essential business operations and manufacturing capabilities. Most of the client's data backups had been online at the start of the attack and were eventually encrypted. The client was considering paying the ransom demand (exceeding two hundred thousand dollars) and hoping for the best, but in the end decided to engage Progent.
"I cannot say enough in regards to the help Progent gave us throughout the most critical time of (our) business's survival. We most likely would have paid the hackers behind this attack if not for the confidence the Progent team afforded us. That you were able to get our messaging and critical applications back on-line sooner than a week was amazing. Every single consultant I interacted with or texted at Progent was laser focused on getting us restored and was working at all hours on our behalf."
Progent worked hand in hand with the customer to rapidly identify and prioritize the critical areas that had to be recovered to make it possible to restart business functions:
- Microsoft Active Directory
- Electronic Mail
To begin, Progent followed ransomware incident mitigation best practices by isolating and removing active infections. Progent then began the work of rebuilding Windows Active Directory, the key technology of enterprise systems built on Microsoft Windows Server. Microsoft Exchange Server messaging will not function without Active Directory, and the client's accounting and MRP system used SQL Server, which requires Windows AD for access to the databases.
In less than two days, Progent was able to recover Active Directory services to their pre-attack state. Progent then carried out reinstallations and storage recovery on mission-critical systems. All Exchange Server links and attributes were intact, which greatly helped the restoration of Exchange. Progent was also able to collect local OST files (Microsoft Outlook Offline Folder Files) from user workstations and laptops in order to recover mail data. A relatively recent offline backup of the business's accounting/MRP software made it possible to bring these vital applications back online. Although significant work still had to be done to recover completely from the Ryuk attack, the most important systems were returned to operation rapidly:
"For the most part, the production manufacturing operation survived unscathed and we made all customer sales."
Over the next couple of weeks, critical milestones in the restoration process were reached through tight collaboration between Progent team members and the customer:
- In-house web applications were returned to operation with no loss of data.
- The MailStore Server, holding more than four million historical messages, was brought online and made accessible to users.
- CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivable (AR)/Inventory modules were 100 percent operational.
- A new Palo Alto Networks 850 firewall was set up.
- Most of the user desktops were fully operational.
"A huge amount of what transpired during the initial response is mostly a fog for me, but my management will not forget the commitment each of the team put in to give us our company back. I have been working together with Progent for the past ten years, maybe more, and every time Progent has impressed me and delivered as promised. This time was the most impressive ever."
A potential company-ending catastrophe was averted by hard-working experts, a broad range of knowledge, and tight teamwork. In retrospect, the ransomware intrusion described here would have been detected and prevented by up-to-date cyber security technology and best practices, user and IT administrator education, and properly executed incident response procedures, backups, and patching controls. The reality, however, is that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and remain an ongoing threat. If you are hit by a crypto-ransomware incident, remember that Progent's team of professionals has substantial experience in ransomware blocking, mitigation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were helping), I'm grateful for allowing me to get some sleep after we got over the initial fire. All of you did a fabulous job, and if anyone that helped is visiting the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this customer story, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Corpus Christi a variety of online monitoring and security assessment services to help you minimize your exposure to ransomware. These services use modern AI capabilities to detect new strains of ransomware that can evade legacy signature-based anti-virus products.
For Corpus Christi 24/7 Ransomware Repair Help, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) service that uses next-generation behavior-based analysis technology to guard physical and virtual endpoints against new malware assaults such as ransomware and fileless exploits, which routinely escape traditional signature-matching anti-virus tools. ProSight ASM protects local and cloud-based resources and provides a unified platform to manage the entire malware attack progression including protection, identification, mitigation, cleanup, and forensics. Top capabilities include one-click rollback with Windows VSS and real-time network-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and respond to cyber assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint control, and web filtering via cutting-edge tools packaged within a single agent managed from a single console. Progent's security and virtualization consultants can help you plan and configure a ProSight ESP deployment that meets your organization's specific needs and that helps you prove compliance with legal and industry data protection standards. Progent will assist you in specifying and implementing the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require immediate attention. Progent can also help your company install and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services offer small and mid-sized organizations an affordable end-to-end service for reliable backup/disaster recovery (BDR). For a low monthly cost, ProSight Data Protection Services automates your backup activities and enables rapid restoration of vital data, apps and virtual machines that have become unavailable or corrupted due to hardware failures, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on an on-premises device, or both. Progent's cloud backup specialists can deliver world-class expertise to set up ProSight Data Protection Services to comply with government and industry regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, when needed, can assist you in recovering your critical information. Read more about ProSight Data Protection Services Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top information security companies to deliver web-based management and world-class security for your email traffic. The hybrid structure of Progent's Email Guard managed service combines cloud-based filtering with a local gateway appliance to provide complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The Cloud Protection Layer serves as a first line of defense and blocks the vast majority of unwanted email from reaching your security perimeter. This decreases your vulnerability to inbound threats and conserves network bandwidth and storage space. Email Guard's onsite gateway device adds a deeper layer of inspection for inbound email. For outbound email, the onsite gateway offers AV and anti-spam protection, DLP, and email encryption. The local gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that originates and ends inside your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller organizations to diagram, monitor, reconfigure and troubleshoot their connectivity hardware like routers and switches, firewalls, and access points plus servers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are always current, captures and manages the configuration of almost all devices on your network, monitors performance, and generates alerts when issues are discovered. By automating time-consuming network management activities, ProSight WAN Watch can knock hours off ordinary chores like making network diagrams, reconfiguring your network, finding devices that require important software patches, or resolving performance issues. Find out more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to keep your IT system operating efficiently by checking the state of the critical computers that power your business network. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your designated IT management staff and your assigned Progent consultant so that any looming problems can be resolved before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the apps. Since the environment is virtualized, it can be moved immediately to an alternate hosting solution without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and safeguard information related to your IT infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or warranties. By updating and managing your network documentation, you can save up to 50% of time wasted trying to find critical information about your network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents required for managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're planning improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.