Ransomware: Your Feared IT Disaster
Crypto-Ransomware Recovery Experts
Crypto-ransomware has become an all-too-frequent cyber pandemic that poses an existential threat to vulnerable businesses of every size. Families such as Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock have been circulating for years and still inflict havoc. More recent families such as Ryuk (which shares code with the earlier Hermes ransomware), along with many unnamed variants, not only encrypt online files but also target any backups reachable from the compromised network. Data synchronized to cloud storage can be corrupted as well, because the sync client faithfully uploads the encrypted copies. On a vulnerable network this makes automated restore impossible and effectively sets the datacenter back to zero.

Getting applications and data back online after a ransomware attack becomes a race against the clock as the targeted business struggles to stop lateral movement, clean up the malware, and restore business-critical activity. Because encrypting an entire network takes time, attackers typically trigger the payload on weekends and at night, when the attack is less likely to be noticed quickly. This compounds the difficulty of promptly assembling and coordinating a knowledgeable response team.

Progent provides a variety of services for securing organizations against ransomware. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of next-generation security tools that use machine learning to identify and stop zero-day attacks automatically. Progent can also provide veteran ransomware recovery engineers with the track record and perseverance to rebuild a compromised environment as quickly as possible.

Progent's Crypto-Ransomware Restoration Help
After a crypto-ransomware attack, paying the ransom in Bitcoin provides no assurance that the attackers will supply working keys to decrypt any or all of your files. Kaspersky found that 17% of ransomware victims never recovered their files even after paying, compounding their losses. The ransom itself is also costly: Ryuk demands often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the average ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the vital elements of your IT environment from scratch. Without complete, intact backups, this demands a wide range of IT skills, professional project management, and the willingness to work around the clock until the job is done.

For two decades, Progent has provided professional IT services for companies in Richmond and throughout the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who hold top industry certifications in key technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security specialists hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise in financial management and ERP applications. This breadth of experience gives Progent the capability to identify critical systems, organize the surviving parts of your network following a crypto-ransomware attack, and assemble them into an operational system.

Progent's security team has state-of-the-art project management systems to orchestrate the sophisticated restoration process. Progent knows the importance of working rapidly and together with a client's management and IT resources to assign priority to tasks and to put key applications back on-line as soon as possible.

Business Case Study: A Successful Ransomware Penetration Recovery
A business came to Progent after its network was hit by Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later analysis by security researchers has instead linked its operation to Russian-speaking criminal groups. Ryuk targets specific organizations with limited tolerance for operational disruption and is among the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer in the Chicago metro area with around 500 employees. The Ryuk event had brought down all essential business and manufacturing processes. Most of the client's backups had been reachable over the network from the compromised systems when the intrusion began and were encrypted along with everything else. The client considered paying the ransom (more than $200,000) and hoping for the best, but instead reached out to Progent.


"I can't thank you enough in regards to the expertise Progent provided us during the most fearful time of (our) company's life. We most likely would have paid the cybercriminals if not for the confidence the Progent group afforded us. The fact that you could get our e-mail system and critical applications back quicker than seven days was beyond my wildest dreams. Every single expert I got help from or e-mailed at Progent was totally committed on getting us operational and was working 24 by 7 to bail us out."

Progent worked with the customer to rapidly identify and prioritize the essential services that had to be restored to make it possible to continue departmental functions:

  • Microsoft Active Directory
  • Electronic Messaging
  • MRP System
To begin, Progent followed malware incident response best practices: isolating affected hosts to stop the spread and cleaning up compromised systems. Progent then started restoring Active Directory, the foundation of enterprise networks built on Microsoft Windows. Microsoft Exchange Server will not operate without AD, and the client's MRP software ran on Microsoft SQL Server, which used Windows-integrated (AD) authentication to authorize access to the data.

Within two days, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then rebuilt the mission-critical servers and recovered data from their disks. The Exchange Server objects and attributes in AD were intact, which greatly simplified the Exchange restore. Progent collected the Outlook Offline Data Files (.ost) cached on user workstations to recover mailbox data that had been lost on the server. A reasonably recent offline backup of the client's accounting/ERP software made it possible to bring those required applications back online. Although a lot of work remained to recover completely from the Ryuk attack, critical services were returned to operation quickly:
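Recovering mail from workstation .ost caches, as described above, only works for caches the ransomware did not reach, and a copied ciphertext blob is useless. The following PowerShell script is an added example of how a responder can triage and collect those caches; it is not Progent's tooling and was not part of the original case study. It assumes it is run with local administrator rights on each workstation with Outlook closed, and that \\RECOVERY01\ost$ (a hypothetical name) is a collection share the attackers could not reach. It checks each .ost for the 4-byte PST/OST header magic "!BDN" that every intact file begins with, hashes it, copies only intact files, and writes a per-host manifest.

```powershell
# Added example, not Progent's code. Assumptions: local admin on the workstation,
# Outlook closed (an open Outlook holds an exclusive lock on its .ost), and a
# write-only collection share the ransomware could not reach (hypothetical name).
param(
    [string]$Destination = '\\RECOVERY01\ost$'   # assumption: hypothetical share
)

$hostName = $env:COMPUTERNAME
$manifest = @()

# Outlook keeps each profile's offline cache under Local AppData; scan every user profile.
$ostFiles = Get-ChildItem -Path 'C:\Users\*\AppData\Local\Microsoft\Outlook' `
    -Filter '*.ost' -File -Recurse -ErrorAction SilentlyContinue

foreach ($ost in $ostFiles) {
    $magic  = ''
    $sha256 = ''
    $status = ''
    try {
        # Every intact PST/OST starts with the magic bytes '!BDN'. A file the
        # ransomware encrypted will not, so record it but do not ship ciphertext.
        $fs = [System.IO.File]::Open($ost.FullName, 'Open', 'Read', 'ReadWrite')
        try {
            $header = New-Object byte[] 4
            $null = $fs.Read($header, 0, 4)
        } finally { $fs.Dispose() }
        $magic = [System.Text.Encoding]::ASCII.GetString($header)

        # Hash before copying so the manifest can later prove the copy is unaltered.
        $sha256 = (Get-FileHash -Path $ost.FullName -Algorithm SHA256).Hash

        if ($magic -eq '!BDN') {
            $target = Join-Path $Destination ("{0}_{1}" -f $hostName, $ost.Name)
            Copy-Item -Path $ost.FullName -Destination $target -Force
            $status = 'copied'
        } else {
            $status = 'skipped-encrypted-or-damaged'
        }
    } catch {
        $status = "error: $($_.Exception.Message)"
    }

    $manifest += [pscustomobject]@{
        Host     = $hostName
        Path     = $ost.FullName
        SizeMB   = [math]::Round($ost.Length / 1MB, 1)
        Modified = $ost.LastWriteTime   # newest mail the cache can contain
        Magic    = $magic
        SHA256   = $sha256
        Status   = $status
    }
}

$manifest | Export-Csv -Path (Join-Path $Destination "$hostName-ost-manifest.csv") -NoTypeInformation
$manifest | Format-Table -AutoSize
```

The LastWriteTime column tells the recovery team how current each cache is, which is what determines how much mail can be recovered per user. Run the script from a clean management host via remoting or a deployment tool rather than logging on interactively to each suspect workstation, and keep the collection share write-only for the workstation accounts so that a still-active infection cannot encrypt what has already been gathered.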


"For the most part, the production operation ran fairly normal throughout and we made all customer deliverables."

During the following couple of weeks important milestones in the restoration process were completed in tight collaboration between Progent team members and the client:

  • Self-hosted web sites were restored with no loss of data.
  • The MailStore email archive server holding over four million archived messages was brought back up and made available to users.
  • CRM/Orders/Invoices/Accounts Payable/AR/Inventory Control functions were 100 percent functional.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • Nearly all of the user desktops and notebooks were functioning as before the incident.

"A lot of what went on those first few days is nearly entirely a blur for me, but our team will not soon forget the care all of you accomplished to give us our business back. I've entrusted Progent for at least 10 years, possibly more, and each time I needed help Progent has shined and delivered. This time was the most impressive ever."

Conclusion
A likely business-ending disaster was averted through the efforts of hard-working experts, a broad array of technical expertise, and tight teamwork. In hindsight, the attack described here could have been blocked or contained with modern security tooling and NIST Cybersecurity Framework practices: user and administrator training, backups kept offline or otherwise unreachable from the production network, and disciplined patching. The fact remains, however, that both state-sponsored and criminal groups are relentless and represent an ongoing threat. If you are hit by a ransomware intrusion, remember that Progent's team has extensive experience in crypto-ransomware prevention, removal, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were contributing), I'm grateful for letting me get some sleep after we made it over the initial fire. Everyone did an incredible effort, and if anyone is around the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Richmond a variety of remote monitoring and security evaluation services to assist you to minimize your vulnerability to crypto-ransomware. These services include next-generation AI technology to uncover new variants of ransomware that can evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that uses behavior analysis to guard physical and virtual endpoints against modern malware such as ransomware and fileless exploits, which routinely evade traditional signature-based anti-virus products. ProSight Active Security Monitoring protects local and cloud-based resources and provides a unified platform to manage the entire threat lifecycle: protection, intrusion detection, containment, remediation, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. Note that VSS rollback depends on shadow copies surviving the attack; many ransomware families delete them before encrypting, so rollback complements rather than replaces an offline backup. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services offer ultra-affordable multi-layer protection for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and responding to cyber assaults from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge technologies packaged within one agent accessible from a single console. Progent's security and virtualization consultants can help your business to design and configure a ProSight ESP deployment that meets your organization's specific needs and that helps you demonstrate compliance with legal and industry data security standards. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that call for urgent action. Progent can also help your company to install and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and medium-sized businesses a low cost end-to-end solution for secure backup/disaster recovery. For a fixed monthly rate, ProSight Data Protection Services automates and monitors your backup processes and allows fast recovery of vital data, apps and VMs that have become lost or damaged due to component breakdowns, software bugs, natural disasters, human mistakes, or malware attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to a local device, or mirrored to both. Progent's cloud backup specialists can deliver world-class expertise to configure ProSight DPS to be compliant with government and industry regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can assist you to recover your business-critical data. Read more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top data security companies to provide web-based control and world-class security for all your email traffic. The hybrid architecture of Email Guard integrates cloud-based filtering with an on-premises gateway device to offer complete defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a first line of defense and blocks the vast majority of threats before they reach your network firewall. This decreases your exposure to inbound attacks and conserves bandwidth and storage. Email Guard's onsite security gateway adds a deeper level of analysis for incoming email. For outbound email, the onsite gateway provides AV and anti-spam protection, DLP, and email encryption. The onsite gateway can also help Exchange Server track and safeguard internal email traffic that never leaves your corporate network. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized organizations to diagram, track, optimize and debug their networking hardware like routers, firewalls, and access points plus servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network maps are always current, captures and displays the configuration information of almost all devices on your network, monitors performance, and sends notices when problems are discovered. By automating tedious management processes, WAN Watch can knock hours off ordinary chores like network mapping, expanding your network, finding appliances that need important updates, or resolving performance issues. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) technology to help keep your network operating at peak levels by tracking the state of vital computers that power your information system. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your designated IT management personnel and your Progent engineering consultant so all potential issues can be addressed before they can impact your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual host configured and maintained by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the applications. Because the system is virtualized, it can be ported easily to an alternate hosting solution without a lengthy and technically risky migration. With ProSight Virtual Hosting, you are not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and safeguard data related to your IT infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be alerted about impending expirations of SSL certificates or warranties. By updating and managing your IT infrastructure documentation, you can save as much as half of the time thrown away trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents related to managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're making improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.
For 24/7/365 Richmond Crypto Cleanup Services, call Progent at 800-993-9400 or go to Contact Progent.