Ransomware: Your Worst Information Technology Catastrophe

Crypto-Ransomware Recovery Professionals
Ransomware has become a modern cyber pandemic that represents an extinction-level danger for organizations poorly prepared for an attack. Different iterations of crypto-ransomware such as CryptoLocker, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for many years and still inflict havoc. More recent variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Egregor, along with daily unnamed malware, not only encrypt online data but also infiltrate any system backups they can reach. Files synched to cloud environments can also be ransomed. In a poorly architected system, this can render automated recovery hopeless and effectively knock the network back to zero.

Bringing services and data back online following a ransomware event becomes a sprint against time as the victim fights to contain and clean up the virus and to restore enterprise-critical activity. Because crypto-ransomware requires time to replicate, penetrations are frequently sprung during nights and weekends, when a successful penetration is likely to take longer to discover. This multiplies the difficulty of quickly marshalling and orchestrating a qualified mitigation team.

Progent has an assortment of solutions for protecting organizations from crypto-ransomware attacks. Among these are staff training to help identify and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of next-generation security gateways with artificial intelligence technology to rapidly discover and quarantine zero-day cyber attacks. Progent can also provide the services of veteran crypto-ransomware recovery consultants with the skills and commitment to re-deploy a compromised system as soon as possible.

Progent's Crypto-Ransomware Restoration Services
After a ransomware attack, even paying the ransom in Bitcoin cryptocurrency does not ensure that cyber criminals will respond with the keys needed to decrypt any or all of your data. Kaspersky Labs determined that 17% of ransomware victims never recovered their files even after having paid the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above the usual ransomware demand, which ZDNET determined to be approximately $13,000. The alternative is to piece back together the vital elements of your IT environment. Absent access to complete data backups, this requires a wide range of skill sets, top-notch team management, and the capability to work continuously until the task is done.

For twenty years, Progent has provided professional Information Technology services for companies in Leeds and across the United States and has achieved Microsoft Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have earned top certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have earned internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise with accounting and ERP applications. This breadth of experience gives Progent the ability to rapidly identify important systems, consolidate the surviving parts of your Information Technology system following a ransomware penetration, and configure them into a functioning network.

Progent's ransomware team uses best-of-breed project management systems to orchestrate the complex recovery process. Progent knows the urgency of working swiftly and together with a client's management and Information Technology resources to prioritize tasks and to put the most important applications back online as fast as possible.

Client Story: A Successful Crypto-Ransomware Incident Recovery
A customer contacted Progent after their organization was crashed by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean government-sponsored cybercriminals, possibly using approaches leaked from America's National Security Agency. Ryuk attacks specific organizations with little room for operational disruption and is one of the most lucrative examples of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturer based in the Chicago metro area with around 500 staff members. The Ryuk penetration had frozen all essential operations and manufacturing capabilities. The majority of the client's system backups had been online at the beginning of the intrusion and were damaged. The client considered paying the ransom (in excess of $200K) and hoping for good luck, but ultimately engaged Progent.

"I cannot say enough in regards to the expertise Progent provided us during the most stressful time of (our) business's survival. We may have had to pay the hackers behind this attack except for the confidence the Progent group afforded us. The fact that you were able to get our e-mail and key applications back online in under seven days was amazing. Each staff member I got help from or texted at Progent was urgently focused on getting us working again and was working at breakneck pace on our behalf."

Progent worked hand in hand with the customer to quickly identify and prioritize the mission-critical systems that needed to be restored to make it possible to resume company functions:

  • Active Directory
  • Microsoft Exchange Server
  • Accounting and Manufacturing Software

To begin, Progent followed ransomware event mitigation best practices by stopping lateral movement and cleaning systems of viruses. Progent then started the steps of bringing Active Directory back online, the foundation of enterprise systems built upon Microsoft technology. Microsoft Exchange email will not work without AD, and the customer's financials and MRP system used Microsoft SQL Server, which relied on Active Directory for authenticating access to the data.

In less than two days, Progent was able to rebuild Windows Active Directory to its pre-virus state. Progent then carried out reinstallations and hard drive recovery on essential servers. All Microsoft Exchange Server schema and attributes were intact, which accelerated the restore of Exchange. Progent was able to find local OST data files (Outlook Offline Folder Files) on team desktop computers and laptops in order to recover mail messages. A relatively recent offline backup of the customer's accounting/MRP software made it possible to bring these vital services back online. Although a large amount of work remained to recover fully from the Ryuk virus, critical services were returned to operation rapidly:

"For the most part, the assembly line operation did not miss a beat and we delivered all customer shipments."

Over the following couple of weeks, key milestones in the recovery process were reached in close collaboration between Progent engineers and the customer:

  • Internal web applications were restored without losing any data.
  • The MailStore Server containing more than 4 million historical messages was spun up and accessible to users.
  • CRM/Product Ordering/Invoicing/AP/Accounts Receivables/Inventory Control modules were fully functional.
  • A new Palo Alto Networks 850 security appliance was installed.
  • Most of the desktops and laptops were back in operation.

"A lot of what happened those first few days is mostly a fog for me, but our team will not soon forget the care each of your team accomplished to give us our company back. I've been working together with Progent for the past ten years, possibly more, and every time Progent has impressed me and delivered. This event was a stunning achievement."

Conclusion
A possible business extinction disaster was averted with results-oriented professionals, a wide array of IT skills, and tight teamwork. In retrospect, the ransomware penetration described here could have been identified and disabled with modern cyber security technology solutions and security best practices, user and IT administrator training, and well thought out security procedures for data backup and software patching. The reality, however, is that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a crypto-ransomware incursion, remember that Progent's roster of professionals has proven experience in ransomware virus defense, remediation, and file disaster recovery.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for allowing me to get rested after we made it over the first week. All of you did a fabulous effort, and if any of your team is visiting the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Leeds a variety of online monitoring and security evaluation services to help you minimize your vulnerability to ransomware. These services include next-generation machine learning capability to detect new strains of ransomware that can escape detection by legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes cutting edge behavior-based analysis technology to defend physical and virtual endpoint devices against new malware assaults like ransomware and email phishing, which routinely evade legacy signature-based AV products. ProSight Active Security Monitoring safeguards local and cloud-based resources and offers a single platform to address the entire threat lifecycle including filtering, detection, mitigation, remediation, and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver ultra-affordable multi-layer protection for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge technologies packaged within a single agent accessible from a unified console. Progent's security and virtualization experts can assist you to design and configure a ProSight ESP deployment that addresses your organization's specific needs and that helps you demonstrate compliance with legal and industry data security regulations. Progent will help you define and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent action. Progent can also help you to install and test a backup and restore system such as ProSight Data Protection Services so you can recover rapidly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized businesses an affordable end-to-end service for secure backup/disaster recovery (BDR). Available at a low monthly price, ProSight DPS automates and monitors your backup activities and enables rapid restoration of critical files, applications and VMs that have become lost or damaged due to component breakdowns, software bugs, disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, apps, system images, as well as Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to a local device, or mirrored to both. Progent's cloud backup specialists can provide advanced support to set up ProSight Data Protection Services to comply with regulatory standards such as HIPAA, FINRA, and PCI and, when necessary, can assist you to restore your critical data. Find out more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top information security vendors to deliver web-based management and world-class protection for all your email traffic. The hybrid architecture of the Email Guard managed service integrates cloud-based filtering with a local gateway device to offer advanced protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The Cloud Protection Layer acts as a first line of defense and keeps most unwanted email from reaching your network firewall. This reduces your vulnerability to inbound threats and saves network bandwidth and storage. Email Guard's onsite gateway appliance provides a deeper layer of analysis for inbound email. For outgoing email, the local gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to track and protect internal email traffic that stays within your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for smaller businesses to map, monitor, enhance and troubleshoot their connectivity hardware such as routers, firewalls, and access points as well as servers, endpoints and other devices. Using state-of-the-art RMM technology, ProSight WAN Watch ensures that infrastructure topology diagrams are kept updated, copies and displays the configuration information of virtually all devices connected to your network, monitors performance, and sends alerts when potential issues are detected. By automating time-consuming management processes, ProSight WAN Watch can knock hours off ordinary chores such as network mapping, expanding your network, locating appliances that need important software patches, or isolating performance problems. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management techniques to keep your IT system running at peak levels by tracking the health of vital assets that power your information system. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your specified IT staff and your assigned Progent consultant so all potential issues can be resolved before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual host set up and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the applications. Because the system is virtualized, it can be moved immediately to a different hardware solution without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied to one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and protect information about your IT infrastructure, procedures, business apps, and services. You can quickly locate passwords or serial numbers and be warned about impending expirations of SSL certificates, domains or warranties. By cleaning up and organizing your network documentation, you can eliminate up to 50% of the time wasted searching for critical information about your IT network. ProSight IT Asset Management features a common location for holding and sharing all documents required for managing your business network, such as standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're making improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.

For 24-7 Leeds CryptoLocker Cleanup Experts, contact Progent at 800-993-9400 or go to Contact Progent.