Crypto-Ransomware : Your Crippling Information Technology Catastrophe
Crypto-Ransomware has become an escalating cyber pandemic that presents an existential danger for businesses unprepared for an assault. Different versions of crypto-ransomware like the Reveton, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been replicating for many years and still cause damage. Modern variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, plus frequent unnamed newcomers, not only encrypt on-line files but also infect many available system backups. Files replicated to cloud environments can also be rendered useless. In a poorly designed data protection solution, this can make any restore operations hopeless and basically knocks the network back to zero.
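The point above, that a backup set reachable from an infected host is itself encrypted and is then worthless at restore time, suggests a check a defender should run before trusting a backup set rather than discovering the damage mid-recovery. The following is an added example written for this page; it is not Progent's code nor any product's. It flags backup artefacts that have lost their expected container header, carry a ransomware-style extension, or consist of random-looking bytes where a known format should be. The header table, the extension list, the 7.5 bits/byte entropy threshold and the in-memory sample files are all constructed assumptions.

```python
import gzip
import hashlib
import math
from collections import Counter
from pathlib import Path

# Magic numbers for a few backup/archive formats (constructed subset; extend
# with the headers of the backup product you actually use).
KNOWN_HEADERS = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"SQLite format 3\x00": "sqlite",
}

# Extensions some ransomware families append to encrypted files; a constructed
# list, maintained from whatever threat intelligence you track.
RANSOM_EXTENSIONS = {".ryk", ".encrypted", ".locked"}

ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_backup(data: bytes, expected_fmt: str, name: str = "") -> tuple[str, str]:
    """Return ("ok" | "suspect", reason) for one backup artefact.

    Order matters: legitimately compressed or encrypted-at-rest backups are
    also high-entropy, so the format header is the primary signal and the
    entropy measurement only explains a file that has no recognisable header.
    """
    if Path(name).suffix.lower() in RANSOM_EXTENSIONS:
        return "suspect", f"ransomware-style extension on {name}"
    for magic, fmt in KNOWN_HEADERS.items():
        if data.startswith(magic):
            if fmt == expected_fmt:
                return "ok", f"{fmt} header intact"
            return "suspect", f"header is {fmt}, expected {expected_fmt}"
    entropy = shannon_entropy(data[:65536])
    if entropy >= ENTROPY_THRESHOLD:
        return "suspect", f"no {expected_fmt} header and entropy {entropy:.2f} bits/byte (likely encrypted)"
    return "suspect", f"no {expected_fmt} header (entropy {entropy:.2f}); truncated or corrupt"


def scan_directory(root: str, expected_fmt: str) -> list[tuple[str, str, str]]:
    """Classify every regular file under `root`; returns (path, verdict, reason)."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            with path.open("rb") as fh:
                head = fh.read(65536)  # header plus enough bytes for entropy
            results.append((str(path), *classify_backup(head, expected_fmt, path.name)))
    return results


def constructed_samples() -> dict[str, bytes]:
    """Constructed in-memory stand-ins for backup files, so the demo runs offline."""
    good = gzip.compress(b"name,qty\nwidget,12\ngear,7\n" * 200)
    # Deterministic pseudo-random bytes standing in for ransomware ciphertext.
    enc = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2048))
    return {
        "orders.csv.gz": good,          # intact backup
        "orders.csv.gz.ryk": enc,       # renamed and encrypted
        "ledger.bak": enc[:4096],       # encrypted in place, name untouched
        "empty.gz": b"",                # zero-length: never fully written
    }


if __name__ == "__main__":
    for fname, blob in constructed_samples().items():
        verdict, reason = classify_backup(blob, "gzip", fname)
        print(f"{fname:20} {verdict:8} {reason}")
```

An "ok" verdict only proves the container header survived; it is a cheap early warning, not a substitute for periodic test restores, and the threshold must be tuned where the backup product itself encrypts at rest. Run `scan_directory` against an offline or immutable copy, since a backup share that this script can write to is one the ransomware could have reached as well.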
Getting programs and information back online after a ransomware outage becomes a race against time as the targeted organization tries its best to stop lateral movement, eradicate the ransomware, and resume mission-critical operations. Because ransomware takes time to replicate, assaults are often launched during weekends and nights, when attacks tend to take longer to uncover. This multiplies the difficulty of quickly mobilizing and organizing a knowledgeable mitigation team.
Progent offers a variety of help services for protecting organizations from ransomware attacks. Among these are user education to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of modern security appliances with machine learning capabilities to quickly identify and quarantine day-zero cyber attacks. Progent in addition offers the services of experienced ransomware recovery professionals with the skills and perseverance to rebuild a breached environment as urgently as possible.
Progent's Crypto-Ransomware Recovery Help
Subsequent to a ransomware event, paying the ransom in Bitcoin cryptocurrency does not guarantee that cyber hackers will respond with the needed codes to decrypt any or all of your data. Kaspersky Labs ascertained that seventeen percent of ransomware victims never recovered their information even after having sent off the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is greatly higher than the usual crypto-ransomware demands, which ZDNET estimates to be in the range of $13,000. The fallback is to set up from scratch the vital elements of your Information Technology environment. Without the availability of complete system backups, this calls for a broad complement of skills, well-coordinated project management, and the ability to work non-stop until the task is over.
For decades, Progent has made available expert IT services for companies in Allentown and throughout the U.S. and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have earned top industry certifications in leading technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have earned internationally-renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience in financial management and ERP software solutions. This breadth of expertise gives Progent the skills to quickly determine critical systems and consolidate the surviving pieces of your IT environment after a ransomware penetration and assemble them into a functioning system.
Progent's ransomware team deploys top-notch project management applications to orchestrate the sophisticated restoration process. Progent appreciates the urgency of acting swiftly and in unison with a customer's management and Information Technology team members to assign priority to tasks and to get critical applications back on-line as soon as humanly possible.
Customer Case Study: A Successful Ransomware Virus Recovery
A small business escalated to Progent after their network system was crashed by Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state criminal gangs, suspected of using algorithms exposed from America's NSA organization. Ryuk targets specific businesses with little ability to sustain operational disruption and is one of the most profitable examples of ransomware malware. Well-known targets include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in the Chicago metro area and has around 500 staff members. The Ryuk attack had brought down all company operations and manufacturing processes. Most of the client's backups had been online at the beginning of the attack and were damaged. The client was actively seeking loans for paying the ransom demand (exceeding $200,000) and hoping for good luck, but in the end utilized Progent.
"I cannot say enough in regards to the expertise Progent gave us during the most stressful time of (our) company's existence. We may have had to pay the cybercriminals if it wasn't for the confidence the Progent team provided us. That you were able to get our e-mail system and essential applications back into operation sooner than a week was something I thought impossible. Every single expert I worked with or communicated with at Progent was amazingly focused on getting our company operational and was working breakneck pace on our behalf."
Progent worked together with the customer to rapidly identify and prioritize the key elements that needed to be restored in order to resume business operations:
- Active Directory
- Electronic Messaging
To begin, Progent followed industry best practices for antivirus and malware incident response by halting lateral movement and clearing infected systems. Progent then started the work of rebuilding Microsoft AD, the core of enterprise systems built upon Microsoft Windows technology. Exchange messaging will not operate without Windows AD, and the business's accounting and MRP system leveraged Microsoft SQL, which needs Active Directory for security authorization to the databases.
In less than 48 hours, Progent was able to restore Windows Active Directory to its pre-penetration state. Progent then helped perform setup and storage recovery on key systems. All Microsoft Exchange Server schema and attributes were usable, which greatly helped the restore of Exchange. Progent was able to locate non-encrypted OST data files (Microsoft Outlook Offline Folder Files) on staff PCs and laptops in order to recover email data. A fairly recent off-line backup of the client's accounting/ERP software made it possible to return these essential applications to users. Although a large amount of work still had to be done to recover totally from the Ryuk damage, essential systems were recovered quickly:
"For the most part, the production manufacturing operation did not miss a beat and we did not miss any customer shipments."
Over the next couple of weeks key milestones in the restoration process were achieved through tight cooperation between Progent team members and the client:
- In-house web sites were restored without losing any information.
- The MailStore Microsoft Exchange Server containing more than four million historical emails was brought online and accessible to users.
- CRM/Orders/Invoices/Accounts Payable (AP)/AR/Inventory capabilities were 100% restored.
- A new Palo Alto 850 firewall was set up and programmed.
- Nearly all of the desktop computers were functioning as before the incident.
"So much of what transpired in the early hours is nearly entirely a haze for me, but our team will not soon forget the countless hours all of the team put in to help get our company back. I've been working together with Progent for at least 10 years, maybe more, and each time I needed help Progent has shined and delivered. This situation was a life saver."
A potential business-killing disaster was evaded by top-tier professionals, a broad array of subject matter expertise, and tight collaboration. Although in retrospect the ransomware attack detailed here would have been disabled with advanced security systems and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and well designed incident response procedures for information backup and keeping systems up to date with security patches, the reality remains that government-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware penetration, remember that Progent's team of experts has extensive experience in ransomware virus defense, remediation, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), I'm grateful for letting me get rested after we got through the most critical parts. Everyone did an incredible job, and if anyone that helped is visiting the Chicago area, a great meal is my treat!"
To review or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Allentown a variety of remote monitoring and security evaluation services designed to help you to minimize your vulnerability to ransomware. These services include next-generation artificial intelligence capability to detect new strains of ransomware that are able to get past legacy signature-based anti-virus solutions.
For Allentown 24x7x365 Ransomware Repair Support Services, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates next generation behavior analysis technology to guard physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely get by legacy signature-based anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud resources and offers a single platform to automate the entire threat progression including filtering, detection, mitigation, cleanup, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services deliver affordable multi-layer protection for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge technologies packaged within a single agent managed from a single console. Progent's security and virtualization experts can assist your business to plan and implement a ProSight ESP deployment that meets your company's unique requirements and that helps you demonstrate compliance with government and industry data protection regulations. Progent will assist you define and implement policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require immediate attention. Progent can also help you to set up and test a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services offer small and mid-sized organizations an affordable and fully managed solution for reliable backup/disaster recovery. For a fixed monthly price, ProSight Data Protection Services automates and monitors your backup activities and allows fast restoration of critical files, apps and virtual machines that have become unavailable or damaged due to component breakdowns, software glitches, natural disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to an on-premises device, or mirrored to both. Progent's backup and recovery specialists can provide advanced support to configure ProSight Data Protection Services to be compliant with regulatory requirements such as HIPAA, FERPA, and PCI and, when necessary, can assist you to recover your business-critical information. Read more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading information security vendors to deliver centralized control and world-class security for your inbound and outbound email. The powerful architecture of Progent's Email Guard combines a Cloud Protection Layer with a local security gateway device to provide advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The cloud filter serves as a first line of defense and blocks most threats from reaching your security perimeter. This reduces your exposure to external attacks and saves system bandwidth and storage. Email Guard's onsite security gateway device provides a further layer of analysis for incoming email. For outgoing email, the on-premises security gateway provides AV and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also help Exchange Server to track and protect internal email traffic that originates and ends within your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to map, track, enhance and troubleshoot their connectivity appliances such as routers, firewalls, and access points plus servers, endpoints and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch makes sure that network diagrams are kept current, captures and displays the configuration of almost all devices connected to your network, monitors performance, and generates notices when potential issues are discovered. By automating tedious management activities, WAN Watch can cut hours off common chores like making network diagrams, reconfiguring your network, locating devices that require important software patches, or resolving performance bottlenecks. Find out more about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to keep your network running efficiently by tracking the state of vital computers that drive your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your specified IT management personnel and your Progent consultant so any potential issues can be addressed before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual host configured and managed by Progent's IT support professionals. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the apps. Since the environment is virtualized, it can be ported easily to an alternate hosting environment without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, find and safeguard data about your network infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be alerted about impending expirations of SSLs or domains. By updating and managing your network documentation, you can eliminate up to 50% of time thrown away trying to find critical information about your network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents related to managing your business network like recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether you're planning improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need the instant you need it. Read more about ProSight IT Asset Management service.