Crypto-Ransomware : Your Worst Information Technology Catastrophe
Ransomware  Recovery ProfessionalsRansomware has become an escalating cyberplague that represents an existential threat for businesses of all sizes unprepared for an assault. Different iterations of ransomware like the Dharma, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for many years and continue to cause harm. Recent strains of crypto-ransomware such as Ryuk and Hermes, plus more as yet unnamed newcomers, not only encrypt online files but also infiltrate many configured system backups. Information synched to the cloud can also be encrypted. In a vulnerable data protection solution, it can render automated restore operations impossible and basically sets the network back to zero.

Getting back on-line programs and information following a ransomware attack becomes a sprint against time as the victim fights to stop the spread and clear the ransomware and to restore enterprise-critical activity. Due to the fact that ransomware needs time to move laterally, assaults are usually sprung on weekends and holidays, when penetrations in many cases take more time to identify. This multiplies the difficulty of rapidly marshalling and coordinating a knowledgeable response team.

Progent offers a range of support services for securing organizations from crypto-ransomware events. Among these are user training to become familiar with and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of the latest generation security solutions with machine learning technology to intelligently discover and extinguish day-zero cyber attacks. Progent also can provide the assistance of seasoned ransomware recovery professionals with the talent and commitment to re-deploy a breached network as urgently as possible.

Progent's Crypto-Ransomware Recovery Help
Subsequent to a ransomware attack, paying the ransom in Bitcoin cryptocurrency does not provide any assurance that distant criminals will provide the codes to decipher all your information. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their data even after having sent off the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the average ransomware demands, which ZDNET estimates to be approximately $13,000. The other path is to setup from scratch the mission-critical components of your Information Technology environment. Without access to essential information backups, this calls for a wide range of skills, top notch project management, and the ability to work 24x7 until the task is complete.

For twenty years, Progent has offered professional IT services for businesses in Denver and across the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have attained high-level certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have garnered internationally-recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has experience in financial systems and ERP software solutions. This breadth of expertise gives Progent the capability to quickly identify necessary systems and re-organize the remaining components of your IT environment following a crypto-ransomware penetration and assemble them into an operational network.

Progent's ransomware team deploys state-of-the-art project management tools to orchestrate the complex restoration process. Progent knows the urgency of working swiftly and in unison with a client's management and IT team members to prioritize tasks and to put the most important systems back on line as soon as humanly possible.

Case Study: A Successful Ransomware Attack Response
A business contacted Progent after their company was taken over by the Ryuk ransomware. Ryuk is generally considered to have been created by Northern Korean state hackers, possibly adopting algorithms leaked from the U.S. NSA organization. Ryuk seeks specific organizations with limited tolerance for operational disruption and is one of the most profitable iterations of ransomware viruses. Headline victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business located in Chicago and has about 500 employees. The Ryuk penetration had brought down all essential operations and manufacturing processes. Most of the client's system backups had been directly accessible at the start of the intrusion and were eventually encrypted. The client was actively seeking loans for paying the ransom demand (exceeding $200K) and praying for the best, but ultimately engaged Progent.


"I cannot thank you enough in regards to the help Progent provided us during the most fearful period of (our) businesses existence. We most likely would have paid the criminal gangs if not for the confidence the Progent group afforded us. The fact that you could get our e-mail system and production applications back into operation sooner than 1 week was amazing. Every single expert I talked with or e-mailed at Progent was totally committed on getting us restored and was working all day and night on our behalf."

Progent worked hand in hand the client to quickly assess and assign priority to the most important services that had to be recovered in order to resume departmental operations:

  • Windows Active Directory
  • Microsoft Exchange Email
  • MRP System
To begin, Progent followed ransomware event mitigation industry best practices by halting the spread and clearing up compromised systems. Progent then began the steps of bringing back online Active Directory, the foundation of enterprise networks built upon Microsoft technology. Exchange email will not function without Active Directory, and the customerís MRP applications used Microsoft SQL Server, which depends on Active Directory for access to the information.

Within 48 hours, Progent was able to recover Windows Active Directory to its pre-virus state. Progent then completed setup and storage recovery of needed applications. All Microsoft Exchange Server data and attributes were intact, which accelerated the restore of Exchange. Progent was also able to locate non-encrypted OST data files (Microsoft Outlook Off-Line Data Files) on user desktop computers in order to recover email data. A not too old off-line backup of the customerís accounting/ERP software made it possible to return these required services back available to users. Although a large amount of work still had to be done to recover completely from the Ryuk attack, core systems were recovered rapidly:


"For the most part, the manufacturing operation never missed a beat and we did not miss any customer deliverables."

Over the following couple of weeks critical milestones in the recovery process were accomplished in close cooperation between Progent team members and the client:

  • In-house web sites were brought back up with no loss of data.
  • The MailStore Server with over 4 million historical messages was brought online and available for users.
  • CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory functions were completely recovered.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • 90% of the user PCs were back into operation.

"A lot of what was accomplished in the early hours is nearly entirely a haze for me, but my team will not forget the urgency each of the team accomplished to give us our company back. Iíve utilized Progent for at least 10 years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This event was a stunning achievement."

Conclusion
A likely business-killing catastrophe was dodged with results-oriented professionals, a broad range of technical expertise, and tight teamwork. Although upon completion of forensics the crypto-ransomware virus incident detailed here could have been prevented with current cyber security solutions and best practices, user and IT administrator training, and well thought out incident response procedures for data protection and proper patching controls, the reality is that state-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware incident, feel confident that Progent's roster of experts has extensive experience in ransomware virus blocking, mitigation, and data restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), Iím grateful for letting me get rested after we made it over the most critical parts. Everyone did an impressive job, and if any of your team is in the Chicago area, dinner is my treat!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Denver a variety of remote monitoring and security evaluation services to help you to minimize the threat from ransomware. These services utilize next-generation machine learning capability to detect zero-day variants of ransomware that are able to evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates next generation behavior machine learning technology to defend physical and virtual endpoint devices against new malware attacks such as ransomware and file-less exploits, which easily escape traditional signature-matching AV products. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a single platform to manage the entire threat lifecycle including blocking, detection, mitigation, remediation, and post-attack forensics. Key features include single-click rollback using Windows VSS and automatic system-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services deliver economical multi-layer protection for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and reacting to security assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint control, and web filtering via cutting-edge technologies packaged within one agent managed from a single control. Progent's security and virtualization consultants can help you to design and implement a ProSight ESP deployment that addresses your company's unique needs and that allows you prove compliance with government and industry data protection standards. Progent will assist you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that require immediate attention. Progent's consultants can also assist you to set up and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and mid-sized organizations a low cost end-to-end service for secure backup/disaster recovery. Available at a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup activities and enables fast restoration of vital files, apps and virtual machines that have become lost or corrupted due to component failures, software glitches, disasters, human mistakes, or malicious attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware images/. Important data can be backed up on the cloud, to an on-promises device, or to both. Progent's backup and recovery consultants can provide advanced support to configure ProSight Data Protection Services to be compliant with regulatory requirements such as HIPAA, FIRPA, PCI and Safe Harbor and, when needed, can assist you to recover your business-critical data. Learn more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top information security vendors to deliver centralized management and comprehensive security for your email traffic. The powerful architecture of Email Guard combines cloud-based filtering with an on-premises security gateway appliance to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's cloud filter serves as a preliminary barricade and keeps most threats from reaching your security perimeter. This reduces your vulnerability to external attacks and conserves system bandwidth and storage. Email Guard's onsite security gateway device provides a further level of inspection for inbound email. For outgoing email, the onsite security gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Microsoft Exchange Server to monitor and protect internal email that stays within your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progentís ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized organizations to diagram, track, enhance and troubleshoot their networking hardware such as routers and switches, firewalls, and access points as well as servers, printers, client computers and other devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch ensures that network diagrams are kept updated, captures and displays the configuration information of almost all devices connected to your network, monitors performance, and generates alerts when potential issues are detected. By automating tedious management processes, ProSight WAN Watch can cut hours off common chores such as making network diagrams, expanding your network, locating devices that require important updates, or identifying the cause of performance problems. Find out more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to keep your IT system operating efficiently by tracking the health of vital computers that power your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your specified IT management personnel and your Progent consultant so any potential issues can be resolved before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a protected fault tolerant data center on a fast virtual host configured and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the apps. Since the system is virtualized, it can be moved immediately to an alternate hardware solution without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and safeguard information about your IT infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be warned about impending expirations of SSL certificates or warranties. By updating and organizing your IT documentation, you can save up to 50% of time wasted looking for critical information about your IT network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents required for managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether youíre planning improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you require as soon as you need it. Learn more about ProSight IT Asset Management service.
For Denver 24x7x365 Crypto-Ransomware Repair Help, call Progent at 800-993-9400 or go to Contact Progent.