Crypto-Ransomware: Your Feared Information Technology Nightmare
Ransomware has become a modern cyber pandemic and an existential threat to businesses of any size that are unprepared for an attack. Older families such as Reveton, CryptoWall, Locky, NotPetya and MongoLock have circulated for years and still cause damage. More recent crypto-ransomware families such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch and Egregor, plus many unnamed variants, do not just encrypt live data: they also delete or encrypt any reachable restore points and backups. Data synchronized to cloud storage is often overwritten with the encrypted copies as well. In a vulnerable environment this makes automated restoration hopeless and effectively knocks the datacenter back to square one.

Bringing applications and data back online after a ransomware intrusion is a race against the clock as the victim fights to contain and eradicate the malware while resuming business-critical operations. Because encrypting an environment takes time, attackers often trigger the encryption phase at night or over a weekend, when it takes longer to notice. This multiplies the difficulty of quickly mobilizing and coordinating a qualified response team.

Progent provides a range of services for protecting businesses against ransomware. These include staff education to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security gateways with AI capabilities to rapidly detect and block zero-day threats. Progent can also provide experienced ransomware recovery consultants with the skills and commitment to rebuild a breached network as quickly as possible.

Progent's Crypto-Ransomware Restoration Support Services
After a ransomware event, paying the ransom in cryptocurrency provides no assurance that the criminals will deliver working keys to decrypt your data. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransom demand, which ZDNet reported to average about $13,000. The other path is to rebuild the critical parts of your IT environment. Without usable backups, this requires a broad range of IT skills, disciplined project management, and the ability to work around the clock until the job is done.

For two decades, Progent has provided expert IT services to businesses in Allentown and throughout the US and has earned Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's group of subject matter experts (SMEs) includes professionals with top certifications in foundation technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security experts hold internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of experience allows Progent to quickly understand critical systems, reorganize what remains of your IT environment after a ransomware event, and assemble it into a functioning network.

Progent's ransomware team uses proven project management practices to coordinate the complex restoration process. Progent knows the importance of working rapidly and in step with a customer's management and IT staff to prioritize tasks and put critical systems back online as soon as humanly possible.

Case Study: A Successful Crypto-Ransomware Attack Response
A small business sought out Progent after being hit by the Ryuk ransomware. Ryuk was at first attributed by some researchers to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later analysis tied its operators to a Russian-speaking criminal group that typically gains its initial foothold through commodity trojans such as TrickBot or Emotet. Ryuk operators single out organizations that can least afford downtime, and the family is among the most profitable ransomware operations to date. Publicized victims include Data Resolution, a California-based data warehousing and cloud computing provider, and Tribune Publishing, publisher of the Chicago Tribune. Progent's customer is a single-site manufacturing company in Chicago with about 500 employees. The Ryuk infection had halted all business operations and manufacturing processes. Most of the client's backups had been online when the attack began and were destroyed. The client considered paying the ransom (more than $200,000) and hoping for the best, but ultimately decided to engage Progent.


"I cannot thank you enough for the care Progent provided us during the most fearful period of (our) business's life. We most likely would have paid the cyber criminals except for the confidence the Progent group gave us. The fact that you were able to get our e-mail and key applications back on-line sooner than five days was earth shattering. Each consultant I spoke to or e-mailed at Progent was amazingly focused on getting my company operational and was working all day and night on our behalf."

Progent worked with the client to rapidly determine and prioritize the essential services that needed to be addressed in order to restart company functions:

  • Microsoft Active Directory
  • Microsoft Exchange
  • Financials/MRP
To start, Progent followed ransomware incident response best practices by isolating compromised hosts to stop lateral movement and cleaning infected systems. Progent then began recovering Active Directory, the foundation of any enterprise environment built on Microsoft technology. Exchange Server email cannot function without Active Directory, and the client's MRP system ran on Microsoft SQL Server, which relies on AD for authentication and authorization to the databases.

In less than 2 days, Progent rebuilt Active Directory to its pre-attack state. Progent then moved on to reinstalling key applications and recovering their storage. Exchange's AD objects and attributes were intact, which greatly simplified the Exchange restore. Progent was also able to locate unencrypted OST files (Outlook offline data files) on various workstations and laptops and recover mail data from them. A recent offline backup of the customer's accounting/MRP software made it possible to return these essential services to users. Although significant work remained to recover fully from the Ryuk damage, critical systems were returned to operation quickly:


"For the most part, the production operation ran fairly normal throughout and we did not miss any customer sales."
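The OST recovery step described above depends on telling an untouched Outlook data file from one the ransomware has already overwritten. As an added example that is not part of the original case study or Progent's tooling, the following Python script performs that triage: it walks a recovered disk or user profile, finds files named like Outlook OST/PST data files (including ones renamed with a ransomware extension such as Ryuk's .RYK), and reports whether each still carries the PST/OST signature "!BDN" or has been replaced with ciphertext-like random bytes. The sample files, mailbox names and profile path are constructed placeholders, and the entropy threshold is a heuristic, not a specification.

```python
"""Triage Outlook data files (OST/PST) on a recovered disk: intact or encrypted?

Added example, not Progent's tooling. Ransomware overwrites file contents, so a
file that still starts with the PST/OST magic bytes "!BDN" is a candidate for
mail recovery, while one whose header is gone and whose bytes look random has
almost certainly been encrypted. Sample files below are constructed inline.
"""
import math
import os
import tempfile
from collections import Counter
from typing import Dict, List, Tuple

# Every Outlook PST/OST (ANSI and Unicode formats) starts with these four bytes.
PST_MAGIC = b"!BDN"
HEADER_SAMPLE = 4096          # bytes read from the head of each file
ENTROPY_THRESHOLD = 7.5       # bits/byte; ciphertext sits close to the 8.0 maximum (heuristic)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_header(head: bytes) -> str:
    """Verdict for the first bytes of a file that is named like an OST/PST.

    'intact'    - signature present; hand the file to Outlook or a converter
    'encrypted' - signature gone and contents near-random: typical ransomware output
    'damaged'   - signature gone but not random (truncated, zeroed, or wrong file type)
    """
    if head[:4] == PST_MAGIC:
        return "intact"
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "encrypted"
    return "damaged"


def looks_like_mail_store(name: str) -> bool:
    """Match foo.ost, foo.pst and also foo.ost.<ext>: many ransomware families
    (Ryuk appends .RYK) add their own extension after the original one."""
    lower = name.lower()
    return ".ost" in lower or ".pst" in lower


def scan_for_mail_stores(root: str) -> List[Tuple[str, str]]:
    """Walk `root` (a mounted image or a profile directory) and return
    (path, verdict) for every candidate OST/PST file found."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not looks_like_mail_store(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEADER_SAMPLE)
            except OSError:
                continue      # locked or unreadable: skip it rather than abort the scan
            results.append((path, classify_header(head)))
    return sorted(results)


def build_constructed_samples() -> str:
    """Create a temp tree with three constructed files (not real mailboxes):
    an intact OST, a Ryuk-style encrypted OST (.ost.RYK, random bytes), and a
    zero-filled PST with its header wiped. Returns the root directory."""
    root = tempfile.mkdtemp(prefix="ost_triage_")
    profile = os.path.join(root, "Users", "alice", "AppData", "Local", "Microsoft", "Outlook")
    os.makedirs(profile)
    # Intact: magic bytes followed by low-entropy filler standing in for real header fields.
    with open(os.path.join(profile, "alice@example.com.ost"), "wb") as fh:
        fh.write(PST_MAGIC + bytes(HEADER_SAMPLE - 4))
    # Encrypted: the whole head replaced by ciphertext-like random bytes.
    with open(os.path.join(profile, "old@example.com.ost.RYK"), "wb") as fh:
        fh.write(os.urandom(HEADER_SAMPLE))
    # Damaged: signature gone but contents are not random.
    with open(os.path.join(profile, "archive.pst"), "wb") as fh:
        fh.write(bytes(HEADER_SAMPLE))
    return root


def triage_summary(root: str) -> Dict[str, int]:
    """Count verdicts under `root`; the 'intact' bucket is the recovery worklist."""
    counts = {"intact": 0, "encrypted": 0, "damaged": 0}
    for _path, verdict in scan_for_mail_stores(root):
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    sample_root = build_constructed_samples()
    for path, verdict in scan_for_mail_stores(sample_root):
        print(f"{verdict:9s} {path}")
    print(triage_summary(sample_root))
```

Run it against a mounted image of a workstation disk (point `scan_for_mail_stores` at the Users directory) before the machine is wiped and reimaged; the files reported as intact are the ones worth copying off for mail recovery. The entropy test only matters once the signature is missing, so a partially damaged but unencrypted file lands in the damaged bucket rather than being mistaken for ciphertext.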

Over the following couple of weeks, key milestones in the restoration were reached through close cooperation between Progent engineers and the client:

  • Internal web sites were returned to operation without losing any data.
  • The MailStore Server archive, holding more than 4 million historical emails, was brought back online and made available to users.
  • CRM/Orders/Invoicing/AP/Accounts Receivables/Inventory Control capabilities were completely recovered.
  • A new Palo Alto Networks PA-850 firewall was deployed.
  • Ninety percent of the desktops and laptops were functioning as before the incident.

"So much of what went on in the initial days is mostly a fog for me, but my management will not forget the care each and every one of the team took to give us our business back. I have utilized Progent for the past 10 years, possibly more, and every time I needed help Progent has shined and delivered. This event was the most impressive ever."

Conclusion
A likely business catastrophe was avoided thanks to top-tier experts, a broad range of technical expertise, and tight collaboration. In hindsight, the incident described here would very likely have been prevented by up-to-date security controls, ISO/IEC 27001 best practices, staff training, and well designed procedures for offline backups and timely security patching. The fact remains that well-funded criminal and state-sponsored groups in Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you are hit by ransomware, remember that Progent's team has extensive experience in ransomware defense, mitigation, and disaster recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thanks very much for allowing me to get some sleep after we got through the initial push. All of you made a fabulous effort, and if any of your team is visiting the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer story, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Allentown a variety of remote monitoring and security evaluation services to help reduce your exposure to ransomware. These services include next-generation AI technology to detect zero-day strains of crypto-ransomware that can escape detection by traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that uses next-generation behavior analysis to defend physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely get past traditional signature-based anti-virus products. ProSight ASM protects on-premises and cloud-based resources and provides a single platform to address the complete malware attack lifecycle: blocking, detection, containment, cleanup, and post-attack forensics. Top capabilities include single-click rollback using Windows VSS snapshots and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services deliver affordable multi-layer security for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring of and response to security threats from all vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint management, and web filtering through tools incorporated within one agent managed from a single console. Progent's data protection and virtualization consultants can help you plan and implement a ProSight ESP deployment that addresses your organization's specific requirements and allows you to achieve and demonstrate compliance with legal and industry data protection regulations. Progent will help you define and implement the security policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alarms that call for immediate attention. Progent can also help your company install and test a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized organizations an affordable and fully managed service for reliable backup and disaster recovery. For a low monthly price, ProSight DPS automates and monitors your backup activities and allows rapid restoration of critical data, applications and VMs that have become unavailable or corrupted as a result of hardware failures, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, and Hyper-V and VMware images. Critical data can be protected in the cloud, on an on-premises storage device, or mirrored to both. Progent's cloud backup consultants can provide world-class expertise to set up ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FERPA, and PCI and, whenever necessary, can help you recover your business-critical information. Find out more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading data security vendors to provide centralized control and world-class security for all your inbound and outbound email. The hybrid architecture of Email Guard combines cloud-based filtering with an on-premises gateway appliance to offer layered defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks, and other email-borne threats. The Cloud Protection Layer acts as a first line of defense and blocks most threats before they reach your security perimeter. This reduces your exposure to external threats and saves system bandwidth and storage. Email Guard's onsite security gateway provides a further layer of inspection for incoming email. For outgoing email, the local gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite gateway can also integrate with Microsoft Exchange Server to monitor and protect internal email that originates and ends within your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map, monitor, optimize and troubleshoot their networking hardware such as routers, switches, firewalls, and wireless controllers as well as servers, endpoints and other devices. Built on Remote Monitoring and Management (RMM) technology, WAN Watch keeps infrastructure topology maps current, backs up and displays the configuration of almost all devices connected to your network, monitors performance, and generates alerts when potential issues are detected. By automating complex management activities, WAN Watch can cut hours off common chores such as network mapping, expanding your network, locating appliances that need critical software patches, or isolating performance bottlenecks. Find out more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) technology to help keep your IT system running efficiently by tracking the health of the critical assets that power your information system. When ProSight LAN Watch detects a problem, an alert is sent automatically to your designated IT personnel and your assigned Progent consultant so that potential issues can be addressed before they affect your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With the ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure, fault-tolerant data center on a fast virtual host configured and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved quickly to a different hosting solution without a time-consuming and technically risky reinstallation. With ProSight Virtual Hosting, your business is not tied to one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, find and safeguard information about your network infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can eliminate as much as half of the time wasted searching for vital information about your network. ProSight IT Asset Management provides a centralized location for storing and sharing all the documents required to manage your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and correlating IT information. Whether you're planning improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need when you need it. Read more about Progent's ProSight IT Asset Management service.
For 24/7 Allentown Crypto-Ransomware Cleanup Services, call Progent at 800-993-9400 or go to Contact Progent.