Crypto-Ransomware : Your Feared IT Nightmare
Crypto-Ransomware  Remediation ExpertsRansomware has become a too-frequent cyber pandemic that presents an existential threat for businesses of all sizes unprepared for an assault. Multiple generations of ransomware like the CryptoLocker, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been circulating for years and still cause havoc. The latest strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Nephilim, along with daily as yet unnamed newcomers, not only do encryption of online files but also infiltrate all configured system backup. Files replicated to cloud environments can also be corrupted. In a poorly designed data protection solution, this can make any restoration useless and basically sets the network back to square one.

Recovering programs and data after a crypto-ransomware outage becomes a race against time as the victim tries its best to stop lateral movement and cleanup the ransomware and to resume enterprise-critical operations. Because ransomware needs time to spread, penetrations are often sprung during weekends and nights, when attacks tend to take longer to uncover. This multiplies the difficulty of promptly marshalling and orchestrating a capable mitigation team.

Progent provides an assortment of services for protecting enterprises from ransomware attacks. These include team training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus installation of modern security solutions with machine learning technology to intelligently identify and quarantine zero-day threats. Progent in addition provides the assistance of veteran ransomware recovery consultants with the track record and perseverance to restore a breached network as urgently as possible.

Progent's Ransomware Restoration Help
Following a crypto-ransomware penetration, even paying the ransom in cryptocurrency does not guarantee that merciless criminals will respond with the keys to decrypt any of your files. Kaspersky Labs ascertained that 17% of ransomware victims never restored their information after having paid the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is significantly above the usual ransomware demands, which ZDNET estimates to be around $13,000. The other path is to piece back together the mission-critical parts of your IT environment. Without access to full data backups, this requires a broad complement of IT skills, top notch project management, and the capability to work 24x7 until the task is completed.

For two decades, Progent has made available professional IT services for businesses in St. Louis and throughout the U.S. and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have earned top certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have garnered internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience with accounting and ERP application software. This breadth of expertise gives Progent the skills to knowledgably ascertain necessary systems and integrate the remaining components of your IT environment after a crypto-ransomware penetration and configure them into an operational system.

Progent's security team has top notch project management applications to orchestrate the sophisticated restoration process. Progent understands the importance of working quickly and in unison with a client's management and Information Technology staff to assign priority to tasks and to put the most important applications back on line as fast as humanly possible.

Case Study: A Successful Ransomware Attack Response
A business contacted Progent after their organization was attacked by Ryuk ransomware. Ryuk is thought to have been launched by North Korean government sponsored cybercriminals, possibly adopting strategies exposed from the United States National Security Agency. Ryuk attacks specific companies with little or no ability to sustain disruption and is among the most lucrative versions of ransomware malware. High publicized organizations include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company based in Chicago and has around 500 workers. The Ryuk intrusion had disabled all essential operations and manufacturing processes. Most of the client's information backups had been online at the start of the attack and were damaged. The client was taking steps for paying the ransom demand (more than $200,000) and praying for good luck, but in the end utilized Progent.


"I cannot speak enough about the expertise Progent provided us during the most stressful period of (our) businesses life. We may have had to pay the Hackers if it wasnít for the confidence the Progent experts gave us. That you could get our e-mail system and important applications back online sooner than 1 week was something I thought impossible. Each consultant I talked with or e-mailed at Progent was hell bent on getting us restored and was working day and night to bail us out."

Progent worked hand in hand the customer to quickly get our arms around and prioritize the key areas that had to be restored in order to restart business functions:

  • Windows Active Directory
  • Electronic Messaging
  • MRP System
To get going, Progent adhered to ransomware incident mitigation industry best practices by stopping the spread and cleaning systems of viruses. Progent then started the steps of recovering Microsoft AD, the core of enterprise environments built on Microsoft Windows technology. Exchange messaging will not function without Active Directory, and the businessesí financials and MRP software used Microsoft SQL, which needs Windows AD for authentication to the database.

Within 48 hours, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then performed reinstallations and storage recovery of the most important systems. All Microsoft Exchange Server ties and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to collect non-encrypted OST data files (Microsoft Outlook Offline Data Files) on user workstations and laptops in order to recover mail messages. A not too old offline backup of the client's manufacturing systems made them able to restore these essential services back on-line. Although significant work needed to be completed to recover totally from the Ryuk damage, essential systems were recovered quickly:


"For the most part, the production operation ran fairly normal throughout and we delivered all customer sales."

Throughout the next few weeks key milestones in the recovery process were achieved in close collaboration between Progent engineers and the client:

  • Internal web sites were returned to operation without losing any data.
  • The MailStore Microsoft Exchange Server with over four million historical emails was restored to operations and available for users.
  • CRM/Orders/Invoicing/AP/AR/Inventory Control modules were 100 percent restored.
  • A new Palo Alto Networks 850 firewall was brought online.
  • 90% of the user PCs were back into operation.

"A huge amount of what happened in the early hours is mostly a fog for me, but I will not soon forget the dedication all of you put in to give us our company back. I have trusted Progent for at least 10 years, possibly more, and each time Progent has impressed me and delivered as promised. This event was the most impressive ever."

Conclusion
A probable business disaster was evaded with results-oriented experts, a wide spectrum of knowledge, and close teamwork. Although in retrospect the ransomware virus incident detailed here should have been blocked with advanced security solutions and best practices, user training, and well designed incident response procedures for data backup and keeping systems up to date with security patches, the reality remains that state-sponsored cyber criminals from China, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware incursion, remember that Progent's team of experts has proven experience in crypto-ransomware virus defense, removal, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for allowing me to get some sleep after we got past the initial push. Everyone did an amazing effort, and if anyone is around the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in St. Louis a range of online monitoring and security assessment services to assist you to minimize your vulnerability to ransomware. These services utilize modern machine learning technology to detect new variants of ransomware that are able to get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates next generation behavior analysis tools to guard physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which routinely escape traditional signature-matching AV products. ProSight ASM protects local and cloud-based resources and offers a single platform to manage the complete malware attack lifecycle including protection, infiltration detection, containment, cleanup, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services offer affordable multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring and reacting to security assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint management, and web filtering via leading-edge technologies incorporated within one agent accessible from a unified console. Progent's security and virtualization experts can help your business to plan and implement a ProSight ESP environment that meets your company's specific requirements and that helps you demonstrate compliance with legal and industry data security regulations. Progent will assist you define and configure policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that require urgent action. Progent's consultants can also help you to set up and verify a backup and restore system like ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized businesses a low cost and fully managed service for reliable backup/disaster recovery. For a low monthly rate, ProSight Data Protection Services automates and monitors your backup activities and allows rapid recovery of critical files, apps and VMs that have become unavailable or corrupted due to hardware breakdowns, software glitches, natural disasters, human error, or malware attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware images/. Important data can be protected on the cloud, to a local device, or mirrored to both. Progent's backup and recovery consultants can deliver world-class expertise to set up ProSight DPS to to comply with regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can help you to recover your critical data. Find out more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top information security vendors to deliver centralized control and comprehensive security for all your email traffic. The powerful structure of Progent's Email Guard managed service integrates cloud-based filtering with a local gateway device to provide advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The cloud filter serves as a preliminary barricade and blocks the vast majority of unwanted email from making it to your security perimeter. This reduces your exposure to inbound attacks and saves system bandwidth and storage space. Email Guard's onsite gateway appliance provides a deeper level of inspection for incoming email. For outbound email, the local gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Exchange Server to monitor and safeguard internal email that originates and ends inside your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map out, monitor, reconfigure and debug their connectivity hardware like routers, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch makes sure that network diagrams are always updated, copies and manages the configuration of almost all devices connected to your network, tracks performance, and generates notices when issues are discovered. By automating tedious management and troubleshooting processes, WAN Watch can knock hours off ordinary tasks like making network diagrams, expanding your network, finding devices that need critical updates, or identifying the cause of performance problems. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that uses advanced remote monitoring and management technology to help keep your IT system running at peak levels by checking the health of critical computers that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your specified IT personnel and your assigned Progent engineering consultant so that all looming issues can be addressed before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host set up and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the apps. Because the environment is virtualized, it can be moved immediately to an alternate hardware environment without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, retrieve and safeguard data related to your IT infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSLs or warranties. By updating and managing your IT infrastructure documentation, you can save up to 50% of time thrown away trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents related to managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether youíre planning enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you require when you need it. Find out more about ProSight IT Asset Management service.
For St. Louis 24x7 Ransomware Recovery Services, call Progent at 800-993-9400 or go to Contact Progent.