Crypto-Ransomware : Your Worst IT Catastrophe
Ransomware  Recovery ConsultantsRansomware has become a modern cyberplague that represents an existential danger for organizations unprepared for an assault. Different versions of ransomware such as CryptoLocker, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been around for a long time and still cause damage. More recent strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, along with daily unnamed malware, not only do encryption of on-line critical data but also infiltrate many accessible system protection. Files replicated to off-site disaster recovery sites can also be encrypted. In a poorly architected environment, this can render automatic restore operations useless and effectively sets the entire system back to square one.

Getting back online programs and information following a ransomware event becomes a sprint against time as the targeted business struggles to contain the damage and eradicate the ransomware and to restore enterprise-critical activity. Since crypto-ransomware requires time to move laterally, penetrations are frequently launched during nights and weekends, when attacks typically take more time to uncover. This multiplies the difficulty of rapidly assembling and coordinating an experienced response team.

Progent provides a range of help services for securing businesses from ransomware events. These include staff training to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of modern security solutions with machine learning capabilities to automatically detect and extinguish day-zero cyber attacks. Progent in addition provides the services of veteran ransomware recovery consultants with the track record and perseverance to rebuild a breached system as rapidly as possible.

Progent's Ransomware Restoration Support Services
Subsequent to a crypto-ransomware penetration, paying the ransom in Bitcoin cryptocurrency does not provide any assurance that cyber hackers will respond with the codes to decrypt all your information. Kaspersky estimated that 17% of crypto-ransomware victims never restored their files even after having sent off the ransom, resulting in increased losses. The risk is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is well above the usual ransomware demands, which ZDNET determined to be in the range of $13,000. The fallback is to re-install the key parts of your Information Technology environment. Absent the availability of full system backups, this requires a wide range of skills, well-coordinated team management, and the willingness to work continuously until the task is complete.

For decades, Progent has provided expert Information Technology services for businesses in San Antonio and across the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have been awarded high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have earned internationally-renowned industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with financial management and ERP software solutions. This breadth of expertise affords Progent the ability to efficiently ascertain necessary systems and organize the surviving parts of your IT system following a ransomware penetration and configure them into an operational network.

Progent's security team of experts deploys powerful project management tools to coordinate the sophisticated recovery process. Progent understands the urgency of acting rapidly and in concert with a customerís management and Information Technology team members to prioritize tasks and to put essential applications back on-line as fast as humanly possible.

Case Study: A Successful Ransomware Virus Recovery
A client sought out Progent after their network was crashed by the Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean government sponsored cybercriminals, possibly using techniques leaked from the United States National Security Agency. Ryuk goes after specific companies with little room for disruption and is one of the most lucrative examples of ransomware. High publicized organizations include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in Chicago and has around 500 workers. The Ryuk penetration had shut down all business operations and manufacturing processes. Most of the client's system backups had been directly accessible at the start of the intrusion and were encrypted. The client was evaluating paying the ransom (more than $200,000) and wishfully thinking for the best, but in the end made the decision to use Progent.


"I canít thank you enough about the expertise Progent provided us during the most fearful period of (our) companyís existence. We had little choice but to pay the hackers behind this attack except for the confidence the Progent experts afforded us. That you could get our e-mail and production applications back online in less than a week was beyond my wildest dreams. Every single expert I spoke to or communicated with at Progent was totally committed on getting my company operational and was working breakneck pace to bail us out."

Progent worked hand in hand the customer to rapidly determine and assign priority to the key services that needed to be recovered in order to restart departmental operations:

  • Windows Active Directory
  • Microsoft Exchange Email
  • Financials/MRP
To begin, Progent followed Anti-virus penetration mitigation industry best practices by stopping lateral movement and disinfecting systems. Progent then started the task of rebuilding Microsoft Active Directory, the core of enterprise networks built upon Microsoft Windows Server technology. Exchange email will not function without Active Directory, and the customerís MRP software used Microsoft SQL Server, which requires Active Directory for access to the databases.

In less than 2 days, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then helped perform reinstallations and storage recovery on key servers. All Exchange data and attributes were intact, which greatly helped the rebuild of Exchange. Progent was able to assemble non-encrypted OST files (Outlook Email Offline Folder Files) on various workstations and laptops in order to recover mail information. A not too old offline backup of the businesses accounting/MRP software made it possible to return these required services back servicing users. Although a large amount of work needed to be completed to recover fully from the Ryuk event, critical services were restored rapidly:


"For the most part, the production line operation survived unscathed and we delivered all customer deliverables."

During the next couple of weeks important milestones in the restoration process were completed in close collaboration between Progent engineers and the client:

  • In-house web applications were returned to operation without losing any information.
  • The MailStore Microsoft Exchange Server with over four million archived messages was brought on-line and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory functions were fully recovered.
  • A new Palo Alto Networks 850 security appliance was set up and programmed.
  • Most of the user desktops and notebooks were back into operation.

"Much of what happened that first week is mostly a haze for me, but my team will not forget the countless hours each of the team accomplished to help get our company back. Iíve been working with Progent for the past ten years, possibly more, and each time Progent has outperformed my expectations and delivered. This event was the most impressive ever."

Conclusion
A possible business extinction catastrophe was dodged by dedicated professionals, a broad range of knowledge, and close collaboration. Although in retrospect the ransomware virus penetration described here would have been shut down with current cyber security technology solutions and security best practices, team training, and well thought out security procedures for data backup and keeping systems up to date with security patches, the fact remains that state-sponsored hackers from Russia, China and elsewhere are relentless and will continue. If you do fall victim to a crypto-ransomware incursion, feel confident that Progent's team of professionals has extensive experience in ransomware virus defense, remediation, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were involved), Iím grateful for letting me get rested after we made it past the initial fire. Everyone did an incredible effort, and if anyone that helped is visiting the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer story, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in San Antonio a portfolio of online monitoring and security evaluation services designed to help you to reduce your vulnerability to crypto-ransomware. These services utilize modern AI capability to detect zero-day variants of ransomware that are able to escape detection by traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes cutting edge behavior machine learning tools to defend physical and virtual endpoints against new malware attacks like ransomware and email phishing, which routinely evade legacy signature-based anti-virus products. ProSight ASM safeguards on-premises and cloud resources and provides a unified platform to automate the complete malware attack progression including filtering, infiltration detection, mitigation, remediation, and post-attack forensics. Top features include one-click rollback using Windows VSS and real-time system-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services deliver economical multi-layer protection for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and responding to cyber assaults from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge tools incorporated within one agent managed from a single control. Progent's data protection and virtualization consultants can assist you to plan and configure a ProSight ESP environment that meets your organization's specific requirements and that allows you prove compliance with legal and industry information security regulations. Progent will assist you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require urgent attention. Progent's consultants can also assist your company to set up and verify a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations an affordable and fully managed service for reliable backup/disaster recovery (BDR). For a fixed monthly cost, ProSight DPS automates and monitors your backup processes and allows fast restoration of vital files, apps and virtual machines that have become lost or corrupted due to hardware breakdowns, software glitches, natural disasters, human mistakes, or malware attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, apps, system images, as well as Hyper-V and VMware images/. Important data can be protected on the cloud, to a local device, or to both. Progent's backup and recovery consultants can deliver world-class support to configure ProSight Data Protection Services to be compliant with regulatory standards such as HIPAA, FIRPA, PCI and Safe Harbor and, whenever needed, can assist you to recover your business-critical information. Read more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of top data security vendors to deliver centralized control and comprehensive protection for all your inbound and outbound email. The powerful structure of Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway device to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne threats. The cloud filter serves as a preliminary barricade and blocks most threats from making it to your security perimeter. This decreases your exposure to inbound attacks and conserves network bandwidth and storage space. Email Guard's onsite security gateway device provides a deeper level of inspection for inbound email. For outbound email, the local gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that stays inside your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progentís ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to diagram, monitor, enhance and troubleshoot their networking hardware like switches, firewalls, and access points as well as servers, printers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are always current, captures and displays the configuration of virtually all devices on your network, monitors performance, and generates notices when potential issues are discovered. By automating time-consuming network management activities, WAN Watch can cut hours off common tasks such as network mapping, expanding your network, locating devices that require important software patches, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your network running efficiently by tracking the state of vital computers that power your business network. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT management staff and your assigned Progent engineering consultant so all potential issues can be addressed before they can impact your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host set up and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the apps. Since the environment is virtualized, it can be moved easily to an alternate hosting environment without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and safeguard data related to your IT infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be alerted automatically about impending expirations of SSLs or warranties. By cleaning up and managing your IT infrastructure documentation, you can save up to half of time spent looking for vital information about your network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents related to managing your network infrastructure like standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether youíre making enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you need as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
For 24x7 San Antonio Crypto-Ransomware Cleanup Help, reach out to Progent at 800-993-9400 or go to Contact Progent.