Crypto-Ransomware : Your Feared IT Nightmare
Ransomware  Remediation ConsultantsRansomware has become an escalating cyberplague that presents an enterprise-level threat for organizations vulnerable to an assault. Multiple generations of crypto-ransomware like the Reveton, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been out in the wild for many years and continue to inflict damage. Recent versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, along with daily unnamed malware, not only encrypt on-line data but also infect any configured system protection. Files synched to the cloud can also be ransomed. In a vulnerable system, this can make any restoration impossible and effectively sets the network back to square one.

Getting back on-line applications and data after a ransomware attack becomes a sprint against the clock as the targeted organization fights to stop the spread and eradicate the ransomware and to resume enterprise-critical activity. Due to the fact that ransomware requires time to spread, attacks are often launched on weekends, when penetrations tend to take longer to uncover. This compounds the difficulty of quickly assembling and orchestrating a knowledgeable response team.

Progent offers an assortment of solutions for securing organizations from ransomware attacks. Among these are user training to become familiar with and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of the latest generation security gateways with AI capabilities to intelligently detect and disable day-zero cyber attacks. Progent also provides the assistance of seasoned ransomware recovery consultants with the talent and perseverance to reconstruct a compromised network as urgently as possible.

Progent's Ransomware Recovery Services
Subsequent to a crypto-ransomware event, paying the ransom demands in cryptocurrency does not provide any assurance that cyber criminals will provide the codes to unencrypt any of your information. Kaspersky estimated that 17% of crypto-ransomware victims never restored their files after having sent off the ransom, resulting in additional losses. The risk is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is significantly higher than the typical ransomware demands, which ZDNET averages to be around $13,000. The alternative is to re-install the mission-critical components of your IT environment. Absent the availability of full data backups, this requires a broad complement of skills, top notch team management, and the ability to work 24x7 until the job is complete.

For two decades, Progent has offered professional Information Technology services for companies in Houston and throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have been awarded high-level certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have garnered internationally-recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise in financial systems and ERP application software. This breadth of expertise gives Progent the skills to rapidly understand critical systems and consolidate the remaining pieces of your IT system following a ransomware penetration and assemble them into an operational system.

Progent's security group has top notch project management systems to coordinate the sophisticated restoration process. Progent appreciates the urgency of acting rapidly and in concert with a customerís management and IT resources to prioritize tasks and to put the most important systems back on line as fast as possible.

Customer Case Study: A Successful Ransomware Attack Recovery
A client contacted Progent after their network system was penetrated by the Ryuk ransomware virus. Ryuk is generally considered to have been deployed by North Korean state sponsored hackers, suspected of using techniques exposed from the United States National Security Agency. Ryuk seeks specific businesses with little tolerance for operational disruption and is one of the most lucrative versions of crypto-ransomware. Headline victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business headquartered in the Chicago metro area with about 500 employees. The Ryuk attack had brought down all essential operations and manufacturing processes. The majority of the client's information backups had been directly accessible at the start of the attack and were damaged. The client was actively seeking loans for paying the ransom demand (more than $200K) and wishfully thinking for the best, but ultimately made the decision to use Progent.


"I cannot thank you enough in regards to the help Progent gave us throughout the most fearful time of (our) businesses life. We would have paid the criminal gangs except for the confidence the Progent team provided us. That you could get our e-mail system and key applications back faster than 1 week was beyond my wildest dreams. Every single person I worked with or messaged at Progent was amazingly focused on getting us back online and was working all day and night on our behalf."

Progent worked hand in hand the client to rapidly get our arms around and assign priority to the critical areas that had to be restored in order to restart company operations:

  • Microsoft Active Directory
  • Email
  • MRP System
To get going, Progent followed ransomware event mitigation industry best practices by stopping lateral movement and clearing up compromised systems. Progent then initiated the work of recovering Microsoft Active Directory, the heart of enterprise systems built on Microsoft technology. Microsoft Exchange Server messaging will not operate without Active Directory, and the businessesí accounting and MRP system utilized Microsoft SQL Server, which requires Windows AD for security authorization to the data.

Within 2 days, Progent was able to re-build Windows Active Directory to its pre-virus state. Progent then initiated rebuilding and hard drive recovery on needed systems. All Exchange Server schema and attributes were intact, which greatly helped the restore of Exchange. Progent was also able to collect intact OST data files (Outlook Off-Line Data Files) on various desktop computers and laptops in order to recover mail information. A recent off-line backup of the customerís manufacturing systems made them able to recover these required services back servicing users. Although a large amount of work needed to be completed to recover totally from the Ryuk event, the most important systems were returned to operations rapidly:


"For the most part, the manufacturing operation never missed a beat and we did not miss any customer deliverables."

Over the next few weeks important milestones in the restoration project were made in tight cooperation between Progent engineers and the client:

  • Self-hosted web sites were brought back up with no loss of information.
  • The MailStore Server containing more than four million archived messages was brought on-line and available for users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control capabilities were 100% functional.
  • A new Palo Alto Networks 850 security appliance was deployed.
  • Ninety percent of the user desktops and notebooks were back into operation.

"A huge amount of what occurred in the initial days is mostly a fog for me, but my team will not soon forget the care each of your team put in to give us our business back. Iíve trusted Progent for the past 10 years, maybe more, and each time I needed help Progent has come through and delivered. This situation was a stunning achievement."

Conclusion
A likely enterprise-killing catastrophe was averted due to dedicated professionals, a broad spectrum of subject matter expertise, and close teamwork. Although in analyzing the event afterwards the crypto-ransomware virus incident described here could have been prevented with current cyber security solutions and ISO/IEC 27001 best practices, staff education, and well thought out incident response procedures for information backup and applying software patches, the reality is that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by a ransomware attack, remember that Progent's team of experts has substantial experience in crypto-ransomware virus defense, remediation, and file restoration.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), Iím grateful for allowing me to get rested after we made it through the first week. Everyone did an fabulous job, and if any of your team is visiting the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Houston a variety of online monitoring and security evaluation services to help you to reduce your vulnerability to crypto-ransomware. These services utilize next-generation AI technology to uncover zero-day variants of crypto-ransomware that are able to evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes next generation behavior analysis tools to guard physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which routinely escape legacy signature-based AV tools. ProSight ASM protects local and cloud resources and offers a single platform to automate the entire malware attack lifecycle including filtering, infiltration detection, containment, cleanup, and post-attack forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver affordable in-depth security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and reacting to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint management, and web filtering via leading-edge technologies incorporated within one agent managed from a single control. Progent's data protection and virtualization experts can assist you to plan and implement a ProSight ESP environment that addresses your organization's unique requirements and that helps you demonstrate compliance with government and industry data security standards. Progent will assist you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for urgent attention. Progent can also help you to set up and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations a low cost and fully managed service for reliable backup/disaster recovery. Available at a fixed monthly price, ProSight Data Protection Services automates your backup processes and enables rapid recovery of vital data, applications and virtual machines that have become unavailable or corrupted due to hardware failures, software bugs, disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images/. Critical data can be protected on the cloud, to an on-promises storage device, or mirrored to both. Progent's cloud backup consultants can provide world-class support to set up ProSight Data Protection Services to to comply with regulatory requirements like HIPAA, FIRPA, and PCI and, when needed, can assist you to restore your critical information. Read more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading information security companies to deliver centralized management and world-class protection for your inbound and outbound email. The powerful architecture of Email Guard integrates cloud-based filtering with a local security gateway appliance to offer advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's cloud filter acts as a preliminary barricade and keeps most unwanted email from reaching your security perimeter. This decreases your exposure to external attacks and conserves system bandwidth and storage space. Email Guard's onsite gateway device provides a further level of inspection for inbound email. For outbound email, the onsite gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to track and protect internal email that stays within your corporate firewall. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to diagram, monitor, optimize and troubleshoot their networking appliances such as routers, firewalls, and access points plus servers, printers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that network maps are always updated, copies and manages the configuration information of almost all devices connected to your network, tracks performance, and generates alerts when potential issues are detected. By automating complex network management processes, ProSight WAN Watch can knock hours off ordinary tasks such as making network diagrams, expanding your network, finding devices that require important software patches, or identifying the cause of performance issues. Find out more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your IT system operating efficiently by tracking the state of vital computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your specified IT personnel and your Progent engineering consultant so all potential problems can be resolved before they can impact your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual host configured and managed by Progent's network support experts. Under the ProSight Virtual Hosting service model, the client owns the data, the OS platforms, and the applications. Since the environment is virtualized, it can be ported easily to a different hosting environment without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not tied a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and protect data about your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be alerted automatically about impending expirations of SSLs or warranties. By updating and organizing your IT documentation, you can eliminate up to half of time thrown away looking for critical information about your IT network. ProSight IT Asset Management features a centralized location for storing and collaborating on all documents related to managing your network infrastructure like standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether youíre planning improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.
For Houston 24/7 Crypto-Ransomware Recovery Support Services, contact Progent at 800-462-8800 or go to Contact Progent.