Crypto-Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become a modern cyberplague that presents an existential danger for businesses unprepared for an attack. Different iterations of ransomware such as Dharma, WannaCry, Locky, Syskey and MongoLock cryptoworms have been running rampant for years and continue to inflict harm. Newer strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, plus additional unnamed viruses, not only encrypt online data files but also infiltrate most configured system backups. Data synched to off-site disaster recovery sites can also be ransomed. In a poorly architected environment, this can make automatic recovery impossible and effectively knock the network back to square one.

Getting services and information back online following a crypto-ransomware outage becomes a sprint against the clock as the targeted organization tries its best to contain and eradicate the virus and to restore mission-critical operations. Because ransomware requires time to replicate, attacks are frequently sprung at night, when successful penetrations are likely to take more time to notice. This multiplies the difficulty of quickly assembling and orchestrating a qualified mitigation team.

Progent has a range of solutions for securing enterprises from ransomware penetrations. These include user training to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of the latest generation security solutions with artificial intelligence capabilities to rapidly identify and extinguish new cyber attacks. Progent in addition offers the assistance of veteran ransomware recovery professionals with the talent and commitment to restore a compromised network as quickly as possible.

Progent's Ransomware Recovery Support Services
After a ransomware event, paying the ransom demand in Bitcoin cryptocurrency does not provide any assurance that distant criminals will respond with the needed codes to decrypt any or all of your files. Kaspersky Labs ascertained that seventeen percent of ransomware victims never restored their data after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is greatly above the usual crypto-ransomware demands, which ZDNET estimates to be approximately $13,000. The alternative is to piece back together the critical components of your Information Technology environment. Absent the availability of complete data backups, this calls for a wide complement of IT skills, top notch project management, and the ability to work non-stop until the job is complete.

For twenty years, Progent has made available expert IT services for companies in Minnetonka and throughout the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have attained high-level industry certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have garnered internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience in financial management and ERP software solutions. This breadth of expertise provides Progent the capability to rapidly ascertain important systems and consolidate the remaining parts of your IT environment after a ransomware event and rebuild them into a functioning system.

Progent's security team of experts deploys top notch project management systems to coordinate the complicated restoration process. Progent knows the urgency of acting quickly and together with a customer's management and IT team members to prioritize tasks and to put the most important systems back on line as fast as humanly possible.

Business Case Study: A Successful Ransomware Virus Restoration
A small business engaged Progent after their network was taken over by Ryuk crypto-ransomware. Ryuk is thought to have been created by North Korean state sponsored hackers, suspected of adopting algorithms exposed from America's National Security Agency. Ryuk targets specific companies with little or no room for disruption and is among the most profitable examples of ransomware. Headline targets include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in the Chicago metro area with about 500 staff members. The Ryuk intrusion had paralyzed all essential operations and manufacturing processes. The majority of the client's information backups had been on-line at the start of the attack and were damaged. The client was actively seeking loans to pay the ransom (more than $200,000) and hoping for the best, but ultimately reached out to Progent.


"I cannot thank you enough about the support Progent provided us during the most fearful time of (our) company's survival. We may have had to pay the Hackers if not for the confidence the Progent team afforded us. That you were able to get our messaging and key servers back into operation quicker than 1 week was earth shattering. Each staff member I talked with or messaged at Progent was laser focused on getting us back online and was working 24 by 7 on our behalf."

Progent worked hand in hand with the customer to quickly identify and prioritize the most important elements that needed to be restored in order to restart company operations:

  • Windows Active Directory
  • Electronic Messaging
  • Accounting/MRP
To start, Progent followed anti-virus incident response industry best practices by stopping lateral movement and disinfecting systems. Progent then started the steps of rebuilding Microsoft AD, the heart of enterprise systems built upon Microsoft Windows technology. Microsoft Exchange email will not operate without Windows AD, and the business's accounting and MRP applications utilized Microsoft SQL Server, which requires Windows AD for authentication to the information.

Within 48 hours, Progent was able to recover Active Directory to its pre-penetration state. Progent then initiated setup and storage recovery of the most important servers. All Exchange Server ties and configuration information were usable, which greatly helped the restore of Exchange. Progent was also able to find intact OST files (Outlook Email Off-Line Folder Files) on various PCs to recover mail data. A recent off-line backup of the client's accounting systems allowed these essential programs to be brought back online for users. Although major work still had to be done to recover fully from the Ryuk attack, the most important services were returned to operation quickly:


"For the most part, the production line operation was never shut down and we made all customer deliverables."

Over the next couple of weeks important milestones in the restoration project were completed in tight collaboration between Progent team members and the client:

  • Self-hosted web applications were restored without losing any data.
  • The MailStore Microsoft Exchange Server with over 4 million historical messages was spun up and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory Control functions were completely operational.
  • A new Palo Alto 850 security appliance was set up.
  • 90% of the desktop computers were operational.

"A lot of what happened in the early hours is mostly a blur for me, but we will not forget the commitment each of your team accomplished to help get our business back. I've trusted Progent for at least 10 years, possibly more, and each time Progent has shined and delivered. This situation was a testament to your capabilities."

Conclusion
A potential business-ending catastrophe was averted with top-tier experts, a wide spectrum of technical expertise, and close collaboration. Although in retrospect the ransomware penetration described here could have been disabled with modern security technology and best practices, team training, and appropriate incident response procedures for information protection and keeping systems up to date with security patches, the fact is that government-sponsored cybercriminals from Russia, China and elsewhere are tireless and are not going away. If you do fall victim to a ransomware penetration, feel confident that Progent's team of experts has substantial experience in crypto-ransomware virus defense, remediation, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thank you for making it so I could get rested after we got over the initial fire. All of you did an incredible effort, and if any of your team is visiting the Chicago area, dinner is on me!"

To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Minnetonka a variety of remote monitoring and security assessment services designed to help you to minimize your vulnerability to ransomware. These services include modern artificial intelligence capability to detect zero-day variants of ransomware that are able to get past legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates cutting edge behavior-based analysis technology to defend physical and virtual endpoints against new malware assaults like ransomware and email phishing, which easily get by traditional signature-matching anti-virus tools. ProSight ASM protects local and cloud-based resources and provides a single platform to automate the complete threat progression including blocking, infiltration detection, mitigation, remediation, and post-attack forensics. Top features include one-click rollback using Windows VSS and real-time network-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection managed services offer affordable in-depth protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and responding to security threats from all vectors. ProSight ESP delivers two-way firewall protection, penetration alerts, endpoint control, and web filtering through leading-edge tools packaged within a single agent managed from a single control. Progent's security and virtualization consultants can assist you to design and implement a ProSight ESP environment that meets your organization's unique needs and that helps you prove compliance with government and industry information security standards. Progent will help you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for immediate action. Progent can also assist you to install and verify a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly from a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized businesses an affordable and fully managed service for reliable backup/disaster recovery. For a fixed monthly rate, ProSight Data Protection Services automates and monitors your backup processes and allows fast restoration of vital files, applications and VMs that have become lost or corrupted due to component breakdowns, software bugs, disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware images. Important data can be backed up on the cloud, to an on-premises device, or mirrored to both. Progent's cloud backup specialists can provide advanced support to set up ProSight DPS to be compliant with government and industry regulatory standards like HIPAA, FIRPA, and PCI and, whenever necessary, can help you to restore your critical information. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of top information security companies to deliver centralized control and world-class security for your email traffic. The hybrid architecture of Progent's Email Guard combines cloud-based filtering with a local security gateway appliance to offer advanced defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-based threats. The cloud filter serves as a first line of defense and blocks most threats from reaching your security perimeter. This decreases your exposure to external threats and conserves network bandwidth and storage. Email Guard's onsite gateway device provides a further layer of analysis for inbound email. For outgoing email, the local security gateway offers AV and anti-spam protection, DLP, and email encryption. The on-premises gateway can also help Exchange Server to track and safeguard internal email traffic that stays within your security perimeter. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized organizations to map out, track, optimize and debug their connectivity hardware such as routers and switches, firewalls, and wireless controllers plus servers, printers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology diagrams are always current, captures and manages the configuration of virtually all devices connected to your network, monitors performance, and sends alerts when issues are detected. By automating complex management processes, WAN Watch can knock hours off ordinary tasks like network mapping, reconfiguring your network, locating devices that require important software patches, or isolating performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your network operating efficiently by tracking the state of critical computers that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your designated IT management staff and your Progent consultant so that all looming issues can be addressed before they can impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual host configured and managed by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the customer owns the data, the OS software, and the apps. Because the environment is virtualized, it can be moved easily to a different hosting solution without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and safeguard information related to your network infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be warned about upcoming expirations of SSLs or warranties. By cleaning up and organizing your IT infrastructure documentation, you can save up to 50% of time spent looking for critical information about your IT network. ProSight IT Asset Management features a centralized location for storing and sharing all documents required for managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether you're planning improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.
For Minnetonka 24/7 Crypto-Ransomware Remediation Consultants, call Progent at 800-462-8800 or go to Contact Progent.