Ransomware : Your Feared IT Disaster
Crypto-Ransomware Remediation Experts

Crypto-Ransomware has become a modern cyberplague that poses an existential threat to businesses of all sizes that are poorly prepared for an attack. Ransomware families such as the Dharma, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been running rampant for a long time and continue to cause havoc. More recent crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Egregor, as well as additional unnamed malware, not only encrypt online data files but also corrupt many configured system backups. Data synchronized to cloud environments can also be corrupted. In a poorly designed environment, this can make automated restoration impossible and effectively set the datacenter back to zero.

Recovering applications and data following a ransomware attack becomes a race against time as the targeted business fights to stop the spread, clear the virus, and restore enterprise-critical activity. Because crypto-ransomware needs time to move laterally, attacks are frequently sprung during nights and weekends, when successful penetrations are likely to take longer to notice. This compounds the difficulty of rapidly marshalling and orchestrating an experienced response team.

Progent offers a range of solutions for securing enterprises from ransomware penetrations. These include team training to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of modern security solutions with AI technology to intelligently discover and suppress day-zero cyber attacks. Progent also provides the services of seasoned ransomware recovery engineers with the skills and commitment to re-deploy a breached network as urgently as possible.

Progent's Crypto-Ransomware Restoration Services
After a crypto-ransomware attack, even paying the ransom in cryptocurrency does not guarantee that the attackers will provide the keys needed to decrypt all your data. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their information even after sending off the ransom, resulting in further losses. The ransom itself is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET averages at approximately $13,000. The fallback is to piece back together the key components of your IT environment. Without essential information backups, this calls for a wide complement of IT skills, top-notch team management, and the capability to work 24x7 until the task is over.

For decades, Progent has offered expert IT services for businesses in Toledo and across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have been awarded high-level industry certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally renowned industry certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience in financial management and ERP application software. This breadth of experience gives Progent the ability to quickly identify critical systems, integrate the surviving pieces of your network environment following a crypto-ransomware penetration, and assemble them into an operational network.

Progent's recovery group uses state-of-the-art project management applications to coordinate the complicated restoration process. Progent understands the importance of acting swiftly and in concert with a customer's management and IT resources to assign priority to tasks and to put key applications back on line as fast as possible.

Case Study: A Successful Crypto-Ransomware Intrusion Restoration
A business contacted Progent after their company was attacked by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean state sponsored criminal gangs, suspected of adopting techniques leaked from America's NSA organization. Ryuk attacks specific companies with limited tolerance for disruption and is one of the most lucrative iterations of ransomware. Major victims include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in Chicago with around 500 staff members. The Ryuk event had disabled all essential operations and manufacturing processes. The majority of the client's system backups had been on-line at the start of the intrusion and were encrypted. The client was preparing to pay the ransom (in excess of two hundred thousand dollars) and hoping for good luck, but in the end called Progent.


"I cannot thank you enough in regards to the expertise Progent gave us during the most fearful time of (our) company's survival. We had little choice but to pay the hackers behind this attack if it wasn't for the confidence the Progent group provided us. The fact that you were able to get our e-mail system and key servers back on-line quicker than five days was earth shattering. Each expert I talked with or texted at Progent was urgently focused on getting my company operational and was working non-stop on our behalf."

Progent worked with the customer to quickly identify and assign priority to the most important areas that had to be addressed in order to resume business functions:

  • Windows Active Directory
  • Email
  • Accounting and Manufacturing Software

To start, Progent followed industry best practices for malware incident response by stopping lateral movement and clearing infected systems. Progent then began the task of rebuilding Windows Active Directory, the heart of enterprise environments built on Microsoft Windows technology. Microsoft Exchange Server email will not function without Windows AD, and the client's MRP applications used SQL Server, which requires Active Directory for access to the data.

Within two days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then charged ahead with setup and hard drive recovery of critical applications. All Exchange Server data and attributes were usable, which accelerated the restore of Exchange. Progent was able to find local OST files (Outlook Offline Data Files) on team PCs and laptops to recover mail information. A recent off-line backup of the business's accounting/ERP software made it possible to bring these vital applications back on-line. Although significant work still had to be done to recover fully from the Ryuk event, core systems were returned to operation rapidly:


"For the most part, the production operation ran fairly normal throughout and we made all customer orders."

Over the next couple of weeks critical milestones in the restoration project were completed through close cooperation between Progent team members and the client:

  • Internal web applications were returned to operation with no loss of data.
  • The MailStore archive for Microsoft Exchange Server, holding more than four million historical messages, was brought on-line and made accessible to users.
  • CRM/Customer Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory Control functions were completely operational.
  • A new Palo Alto Networks 850 security appliance was set up and programmed.
  • Most of the user desktops and notebooks were back in use by staff.

"Much of what went on during the initial response is nearly entirely a haze for me, but our team will not soon forget the commitment each and every one of your team accomplished to help get our business back. I've entrusted Progent for the past ten years, maybe more, and each time Progent has come through and delivered. This situation was the most impressive ever."

Conclusion
A possible business catastrophe was dodged with dedicated experts, a broad array of knowledge, and tight collaboration. Although forensics completed afterwards showed that the crypto-ransomware attack described here could have been shut down with current security technology and security best practices, user education, and properly executed procedures for data backup and patching, the reality is that state-sponsored cyber criminals from China, North Korea and elsewhere are tireless and are an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's team of experts has a proven track record in ransomware virus defense, mitigation, and file restoration.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thank you for letting me get some sleep after we made it over the most critical parts. All of you did an incredible job, and if any of your guys is around the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Toledo a portfolio of remote monitoring and security assessment services to assist you to reduce the threat from crypto-ransomware. These services utilize next-generation AI capability to detect zero-day strains of ransomware that are able to escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates next generation behavior analysis technology to defend physical and virtual endpoints against new malware assaults like ransomware and email phishing, which easily get past traditional signature-matching AV products. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a single platform to address the complete threat lifecycle including protection, infiltration detection, containment, cleanup, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth protection for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and response to cyber threats from all vectors. ProSight ESP provides firewall protection, penetration alerts, endpoint management, and web filtering via leading-edge tools incorporated within one agent managed from a single console. Progent's security and virtualization consultants can help you to plan and configure a ProSight ESP environment that meets your organization's specific requirements and that allows you to demonstrate compliance with legal and industry information security regulations. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that call for immediate attention. Progent's consultants can also help your company to install and test a backup and restore solution such as ProSight Data Protection Services so you can recover quickly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and mid-sized organizations an affordable and fully managed service for secure backup/disaster recovery (BDR). For a fixed monthly cost, ProSight DPS automates your backup processes and enables fast restoration of vital data, apps and VMs that have become unavailable or corrupted as a result of hardware failures, software bugs, disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware images. Critical data can be backed up to the cloud, to a local device, or to both. Progent's BDR consultants can deliver world-class expertise to set up ProSight DPS to comply with government and industry regulatory requirements such as HIPAA, FINRA, and PCI and, whenever needed, can assist you to recover your critical data. Learn more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top information security companies to provide centralized management and comprehensive protection for your email traffic. The hybrid architecture of Progent's Email Guard managed service integrates cloud-based filtering with a local gateway appliance to provide complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based malware. The cloud filter acts as a preliminary barricade and keeps most unwanted email from reaching your security perimeter. This reduces your vulnerability to inbound threats and conserves system bandwidth and storage space. Email Guard's on-premises gateway device adds a further level of inspection for incoming email. For outbound email, the onsite security gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also assist Exchange Server to monitor and protect internal email that stays within your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller organizations to diagram, track, optimize and troubleshoot their networking hardware such as switches, firewalls, and access points as well as servers, printers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are always updated, captures and displays the configuration information of virtually all devices on your network, tracks performance, and sends notices when problems are discovered. By automating complex management and troubleshooting processes, ProSight WAN Watch can knock hours off ordinary tasks like making network diagrams, expanding your network, locating devices that require critical updates, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your network operating at peak levels by checking the health of vital assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your specified IT personnel and your Progent consultant so that any looming problems can be resolved before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host set up and managed by Progent's IT support professionals. With the ProSight Virtual Hosting model, the client owns the data, the operating system software, and the apps. Since the system is virtualized, it can be moved immediately to a different hosting environment without requiring a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not tied to one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, retrieve and protect information about your IT infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSL certificates or domains. By updating and managing your IT documentation, you can eliminate as much as half of the time spent trying to find critical information about your IT network. ProSight IT Asset Management includes a common location for storing and sharing all documents related to managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether you're planning enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you require when you need it. Find out more about ProSight IT Asset Management service.

For Toledo 24/7/365 Crypto Recovery Help, contact Progent at 800-462-8800 or go to Contact Progent.