Crypto-Ransomware : Your Feared Information Technology Disaster
Ransomware has become a modern cyber pandemic that represents an existential threat for businesses vulnerable to an assault. Versions of ransomware like the CryptoLocker, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been replicating for many years and still inflict destruction. Newer strains of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, as well as additional unnamed malware, not only encrypt online information but also infiltrate most accessible system restores and backups. Files synced to off-site disaster recovery sites can also be rendered useless. In a poorly designed environment, this can make automated restore operations impossible and effectively knocks the entire system back to square one.

Getting applications and information back online after a crypto-ransomware outage becomes a race against time as the targeted business fights to contain the damage, eradicate the ransomware, and resume enterprise-critical activity. Because ransomware needs time to spread, attacks are usually launched on weekends and holidays, when successful intrusions tend to take longer to identify. This multiplies the difficulty of rapidly mobilizing and organizing a knowledgeable mitigation team.

Progent makes available a variety of services for securing organizations from crypto-ransomware attacks. Among these are team member education to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of the latest generation of security appliances with AI capabilities to intelligently identify and suppress zero-day cyber threats. Progent in addition provides the services of experienced ransomware recovery engineers with the skills and perseverance to reconstruct a breached network as soon as possible.

Progent's Crypto-Ransomware Restoration Support Services
After a ransomware attack, even paying the ransom in Bitcoin cryptocurrency does not guarantee that merciless criminals will return the keys needed to decrypt any or all of your files. Kaspersky ascertained that 17% of ransomware victims never restored their information even after having paid the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms often range from 15-40 BTC (between $120,000 and $400,000). This is significantly above the usual ransomware demand, which ZDNET averages to be around $13,000. The other path is to re-install the key elements of your IT environment. Absent access to complete system backups, this requires a broad range of skill sets, top-notch team management, and the willingness to work 24x7 until the job is completed.

For decades, Progent has provided expert IT services for businesses in Houston and throughout the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have been awarded high-level industry certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have earned internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise with accounting and ERP software solutions. This breadth of expertise gives Progent the capability to efficiently identify critical systems and consolidate the remaining parts of your network environment following a ransomware event and configure them into a functioning system.

Progent's ransomware group has powerful project management applications to orchestrate the complex recovery process. Progent knows the urgency of acting rapidly and in concert with a customer's management and Information Technology resources to prioritize tasks and to put essential services back online as fast as humanly possible.

Business Case Study: A Successful Crypto-Ransomware Incident Recovery
A customer engaged Progent after their network was taken over by the Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state-sponsored hackers, possibly adopting technology leaked from the United States National Security Agency. Ryuk attacks specific businesses with little or no ability to sustain operational disruption and is among the most lucrative iterations of ransomware malware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing company headquartered in the Chicago metro area with around 500 workers. The Ryuk intrusion had frozen all company operations and manufacturing processes. Most of the client's data backups had been online at the time of the attack and were eventually encrypted. The client was evaluating paying the ransom (more than two hundred thousand dollars) and hoping for good luck, but in the end reached out to Progent.


"I cannot tell you enough about the support Progent provided us during the most critical period of (our) business's survival. We most likely would have paid the criminal gangs except for the confidence the Progent experts afforded us. The fact that you could get our messaging and important servers back faster than five days was earth shattering. Each person I got help from or communicated with at Progent was amazingly focused on getting our company operational and was working all day and night on our behalf."

Progent worked with the client to rapidly understand and assign priority to the most important elements that had to be restored in order to resume company functions:

  • Microsoft Active Directory
  • Microsoft Exchange Email
  • Financials/MRP

To start, Progent adhered to malware incident response best practices by stopping lateral movement and performing virus removal steps. Progent then started the steps of restoring Active Directory, the foundation of enterprise systems built upon Microsoft Windows technology. Microsoft Exchange messaging will not work without AD, and the client's MRP applications leveraged Microsoft SQL Server, which depends on Windows AD for access to the data.

In less than two days, Progent was able to restore Active Directory services to their pre-intrusion state. Progent then performed rebuilding and storage recovery of key applications. All Exchange data and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to collect local OST data files (Outlook Offline Folder Files) on staff PCs to recover email messages. A recent offline backup of the business's financials/ERP software made it possible to bring these vital programs back online. Although a large amount of work still needed to be completed to recover fully from the Ryuk damage, critical systems were returned to operation quickly:
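The recovery sequence above (containment first, then Active Directory, then Exchange and the SQL-backed MRP system) is an ordering forced by service dependencies. The following added example, which is not Progent's code or data, shows how a responder can make that ordering explicit: a constructed dependency map of a small Windows environment is turned into a rebuild order with a priority-aware topological sort, and a second function answers "what is blocked while this system is down", which is why AD comes first. Service names and priority values are assumptions for illustration.

```python
"""Recovery-order planner for a ransomware rebuild (added example, not Progent's tool).

Given which services each system needs before it can run, produce the order in
which to rebuild them; flag impossible plans (cycles, unknown services).
"""
from collections import defaultdict

# Constructed dependency map: service -> services that must be up first.
# Mirrors the case study: Exchange and SQL need AD; the MRP app needs SQL.
SERVICE_DEPENDENCIES = {
    "active_directory": [],
    "dns": ["active_directory"],
    "exchange": ["active_directory", "dns"],
    "sql_server": ["active_directory"],
    "mrp_erp": ["sql_server"],
    "mailstore_archive": ["active_directory", "exchange"],
    "intranet_web": ["active_directory", "sql_server"],
}

# Constructed business priority: lower number = rebuild sooner when a choice exists.
PRIORITY = {
    "active_directory": 0, "dns": 0, "exchange": 1, "sql_server": 1,
    "mrp_erp": 1, "intranet_web": 2, "mailstore_archive": 3,
}


def _dependents(deps):
    """Invert the map: service -> services that depend on it."""
    dependents = defaultdict(list)
    for svc, needs in deps.items():
        for need in needs:
            if need not in deps:
                raise ValueError(f"{svc} depends on unknown service {need!r}")
            dependents[need].append(svc)
    return dependents


def restoration_order(deps, priority):
    """Kahn's topological sort; among services whose prerequisites are all
    restored, the one with the lowest priority number (then name) goes first."""
    dependents = _dependents(deps)
    remaining = {svc: len(needs) for svc, needs in deps.items()}
    key = lambda s: (priority.get(s, 99), s)
    ready = sorted((s for s, n in remaining.items() if n == 0), key=key)
    order = []
    while ready:
        svc = ready.pop(0)
        order.append(svc)
        for dep in dependents[svc]:
            remaining[dep] -= 1
            if remaining[dep] == 0:
                ready.append(dep)
        ready.sort(key=key)
    if len(order) != len(deps):
        # Services never reaching zero unmet prerequisites form a cycle.
        raise ValueError("dependency cycle among: "
                         + ", ".join(sorted(s for s, n in remaining.items() if n > 0)))
    return order


def blocked_by(deps, lost):
    """Every service that cannot run while `lost` is down (transitive dependents)."""
    dependents = _dependents(deps)
    seen, stack = set(), [lost]
    while stack:
        for dep in dependents[stack.pop()]:
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return sorted(seen)


if __name__ == "__main__":
    print("Rebuild order:", " -> ".join(restoration_order(SERVICE_DEPENDENCIES, PRIORITY)))
    print("Down while AD is down:", blocked_by(SERVICE_DEPENDENCIES, "active_directory"))
```

Running the planner on the constructed map yields Active Directory and DNS first, then Exchange and SQL Server, then the MRP application, with the mail archive last; a cyclic or incomplete dependency map raises an error rather than producing a plausible-looking but unworkable plan.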


"For the most part, the manufacturing operation was never shut down and we produced all customer sales."

Over the next few weeks key milestones in the restoration project were achieved through tight cooperation between Progent team members and the customer:

  • In-house web sites were returned to operation without losing any data.
  • The MailStore Server with over four million archived emails was brought online and available for users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control functions were 100% functional.
  • A new Palo Alto 850 security appliance was installed and configured.
  • Ninety percent of the user workstations were fully operational.

"Much of what occurred in the early hours is mostly a fog for me, but we will not forget the dedication each of your team put in to give us our company back. I have entrusted Progent for the past ten years, possibly more, and each time I needed help Progent has come through and delivered as promised. This event was a testament to your capabilities."

Conclusion
A probable company-ending catastrophe was dodged due to top-tier experts, a broad array of IT skills, and tight collaboration. In post mortem, the crypto-ransomware attack described here would have been stopped by modern security technology and best practices, team education, properly executed incident response procedures for information protection, and keeping systems up to date with security patches. The fact remains, however, that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware intrusion, remember that Progent's team of experts has extensive experience in ransomware defense, mitigation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were contributing), I'm grateful for allowing me to get rested after we made it past the most critical parts. All of you did an incredible job, and if any of your team is in the Chicago area, dinner is my treat!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Houston a portfolio of remote monitoring and security evaluation services designed to help you to minimize your vulnerability to crypto-ransomware. These services incorporate next-generation AI capability to detect new variants of ransomware that are able to get past traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes next generation behavior analysis technology to guard physical and virtual endpoint devices against new malware assaults like ransomware and file-less exploits, which routinely escape legacy signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud resources and provides a single platform to manage the entire threat lifecycle including blocking, identification, containment, cleanup, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver ultra-affordable in-depth security for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP delivers two-way firewall protection, penetration alarms, device management, and web filtering via cutting-edge tools packaged within one agent managed from a unified console. Progent's data protection and virtualization experts can help your business to plan and implement a ProSight ESP environment that meets your company's specific requirements and that helps you demonstrate compliance with government and industry data protection standards. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for immediate action. Progent's consultants can also help you to install and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has partnered with advanced backup software providers to create ProSight Data Protection Services (DPS), a family of offerings that provide backup-as-a-service (BaaS). ProSight DPS services manage and monitor your data backup operations and allow non-disruptive backup and fast recovery of critical files/folders, apps, system images, and virtual machines. ProSight DPS helps you protect against data loss resulting from hardware failures, natural disasters, fire, cyber attacks such as ransomware, human mistakes, malicious employees, or software glitches. Managed services available in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to identify which of these fully managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading data security vendors to provide web-based management and world-class security for your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises gateway appliance to offer complete defense against spam, viruses, Denial of Service Attacks, DHAs, and other email-borne threats. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks most unwanted email from making it to your security perimeter. This decreases your vulnerability to inbound threats and saves system bandwidth and storage. Email Guard's onsite gateway device adds a further layer of analysis for inbound email. For outbound email, the on-premises gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends inside your corporate firewall. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to map, monitor, reconfigure and debug their connectivity hardware like routers and switches, firewalls, and load balancers as well as servers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network diagrams are always updated, copies and displays the configuration of almost all devices connected to your network, monitors performance, and generates alerts when problems are detected. By automating tedious management activities, WAN Watch can cut hours off ordinary chores such as making network diagrams, reconfiguring your network, finding appliances that require critical software patches, or isolating performance issues. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management technology to help keep your IT system operating efficiently by tracking the health of critical computers that power your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your designated IT staff and your Progent engineering consultant so any potential problems can be addressed before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual host set up and maintained by Progent's network support professionals. With the ProSight Virtual Hosting model, the client owns the data, the operating system software, and the applications. Since the system is virtualized, it can be ported easily to a different hardware environment without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, your business is not tied to one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and protect data about your network infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or domains. By cleaning up and organizing your network documentation, you can eliminate up to half of the time wasted searching for critical information about your IT network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents related to managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether you're planning enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you need when you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection solution that utilizes cutting-edge behavior analysis tools to guard endpoints and physical and virtual servers against new malware attacks such as ransomware and email phishing, which routinely evade legacy signature-based AV tools. Progent Active Security Monitoring services protect local and cloud-based resources and offer a unified platform to address the entire threat progression including protection, detection, containment, cleanup, and post-attack forensics. Key features include one-click rollback with Windows VSS and real-time network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Call Desk: Help Desk Managed Services
    Progent's Call Center services enable your information technology group to offload Help Desk services to Progent or divide activity for support services transparently between your internal support group and Progent's extensive pool of IT support engineers and subject matter experts. Progent's Shared Help Desk Service offers a transparent extension of your internal network support team. Client interaction with the Help Desk, delivery of support services, issue escalation, trouble ticket creation and updates, efficiency measurement, and management of the support database are consistent whether issues are resolved by your corporate IT support organization, by Progent, or a mix of the two. Find out more about Progent's outsourced/co-managed Call Desk services.

  • Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management provide businesses of all sizes a versatile and cost-effective alternative for assessing, testing, scheduling, applying, and documenting software and firmware updates to your ever-evolving IT network. In addition to maximizing the protection and functionality of your computer network, Progent's patch management services free up time for your in-house IT staff to concentrate on line-of-business initiatives and tasks that derive maximum business value from your network. Learn more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo MFA service plans incorporate Cisco's Duo technology to protect against password theft by using two-factor authentication (2FA). Duo supports one-tap identity verification on Apple iOS, Google Android, and other personal devices. Using Duo 2FA, when you sign into a protected online account and enter your password you are requested to verify who you are on a device that only you have and that uses a different network channel. A broad range of out-of-band devices can be used for this added form of authentication such as a smartphone or wearable, a hardware token, a landline phone, etc. You can register multiple verification devices. To find out more about ProSight Duo two-factor identity authentication services, go to Cisco Duo MFA two-factor authentication services.
For Houston 24x7x365 Ransomware Remediation Experts, call Progent at 800-462-8800 or go to Contact Progent.