Crypto-Ransomware : Your Feared IT Disaster
Crypto-Ransomware  Recovery ProfessionalsCrypto-Ransomware has become an escalating cyber pandemic that represents an existential danger for businesses unprepared for an attack. Multiple generations of crypto-ransomware such as CryptoLocker, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been circulating for years and continue to cause destruction. More recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, as well as more as yet unnamed newcomers, not only encrypt on-line information but also infiltrate all configured system backup. Data replicated to the cloud can also be ransomed. In a vulnerable environment, this can make automatic recovery useless and effectively knocks the network back to zero.

Restoring programs and information after a ransomware event becomes a sprint against time as the targeted business struggles to contain the damage and cleanup the crypto-ransomware and to restore enterprise-critical activity. Due to the fact that ransomware requires time to move laterally, assaults are usually launched at night, when successful penetrations typically take longer to notice. This multiplies the difficulty of rapidly assembling and orchestrating a knowledgeable mitigation team.

Progent has an assortment of services for protecting enterprises from ransomware attacks. These include team training to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of modern security gateways with machine learning capabilities to rapidly identify and disable day-zero cyber attacks. Progent in addition provides the services of experienced crypto-ransomware recovery professionals with the talent and commitment to rebuild a breached system as urgently as possible.

Progent's Crypto-Ransomware Restoration Services
Following a crypto-ransomware penetration, paying the ransom demands in cryptocurrency does not ensure that cyber criminals will provide the keys to decrypt any of your information. Kaspersky determined that 17% of crypto-ransomware victims never recovered their information after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is significantly higher than the typical ransomware demands, which ZDNET averages to be around $13,000. The alternative is to piece back together the vital elements of your IT environment. Absent the availability of complete system backups, this requires a broad range of IT skills, top notch project management, and the willingness to work non-stop until the recovery project is complete.

For decades, Progent has made available expert IT services for businesses in St. Louis and across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have earned high-level certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have earned internationally-renowned certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise with accounting and ERP applications. This breadth of expertise provides Progent the skills to efficiently understand important systems and re-organize the remaining parts of your Information Technology system following a ransomware event and configure them into a functioning system.

Progent's recovery team of experts deploys powerful project management tools to orchestrate the complex restoration process. Progent knows the importance of acting rapidly and in unison with a client's management and IT staff to prioritize tasks and to put essential applications back on line as fast as humanly possible.

Customer Story: A Successful Crypto-Ransomware Virus Recovery
A customer sought out Progent after their organization was penetrated by Ryuk ransomware. Ryuk is generally considered to have been created by North Korean government sponsored hackers, suspected of adopting techniques exposed from Americaís National Security Agency. Ryuk goes after specific companies with little or no room for operational disruption and is one of the most lucrative examples of ransomware viruses. Headline organizations include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company headquartered in Chicago and has about 500 staff members. The Ryuk penetration had shut down all company operations and manufacturing capabilities. The majority of the client's data protection had been directly accessible at the beginning of the intrusion and were eventually encrypted. The client was pursuing financing for paying the ransom (in excess of $200K) and wishfully thinking for the best, but ultimately made the decision to use Progent.


"I cannot tell you enough in regards to the help Progent provided us during the most stressful period of (our) businesses life. We most likely would have paid the Hackers if it wasnít for the confidence the Progent team provided us. The fact that you could get our messaging and critical servers back online faster than a week was something I thought impossible. Every single person I got help from or texted at Progent was urgently focused on getting us working again and was working all day and night on our behalf."

Progent worked together with the client to rapidly determine and assign priority to the key services that needed to be restored to make it possible to continue company functions:

  • Microsoft Active Directory
  • Microsoft Exchange Email
  • Financials/MRP
To start, Progent followed Anti-virus event response industry best practices by halting the spread and cleaning up infected systems. Progent then initiated the steps of restoring Microsoft Active Directory, the heart of enterprise environments built on Microsoft Windows technology. Microsoft Exchange messaging will not operate without Active Directory, and the businessesí MRP software used Microsoft SQL, which requires Active Directory services for authentication to the information.

In less than two days, Progent was able to recover Windows Active Directory to its pre-virus state. Progent then performed reinstallations and storage recovery of the most important systems. All Microsoft Exchange Server ties and attributes were usable, which greatly helped the restore of Exchange. Progent was also able to locate local OST data files (Outlook Email Offline Data Files) on staff desktop computers to recover mail data. A not too old off-line backup of the customerís accounting/ERP software made them able to recover these vital applications back online for users. Although a lot of work needed to be completed to recover fully from the Ryuk attack, the most important systems were restored quickly:


"For the most part, the production operation showed little impact and we did not miss any customer shipments."

Over the following few weeks important milestones in the restoration process were achieved through close collaboration between Progent engineers and the customer:

  • Self-hosted web applications were restored without losing any data.
  • The MailStore Exchange Server containing more than four million historical messages was restored to operations and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory Control modules were 100% operational.
  • A new Palo Alto Networks 850 firewall was brought online.
  • Nearly all of the desktops and laptops were operational.

"A huge amount of what was accomplished those first few days is mostly a fog for me, but I will not soon forget the urgency each and every one of the team put in to give us our company back. I have been working with Progent for the past 10 years, maybe more, and every time Progent has outperformed my expectations and delivered. This event was a testament to your capabilities."

Conclusion
A probable business-ending disaster was averted due to dedicated experts, a broad range of knowledge, and tight collaboration. Although in analyzing the event afterwards the crypto-ransomware incident described here would have been stopped with up-to-date cyber security systems and recognized best practices, user education, and well thought out incident response procedures for information protection and proper patching controls, the fact is that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and are not going away. If you do get hit by a crypto-ransomware penetration, remember that Progent's roster of experts has proven experience in ransomware virus blocking, mitigation, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were involved), Iím grateful for allowing me to get rested after we got past the first week. Everyone did an incredible effort, and if any of your guys is in the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in St. Louis a variety of online monitoring and security assessment services designed to assist you to minimize your vulnerability to ransomware. These services incorporate modern artificial intelligence technology to uncover new strains of ransomware that can get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes cutting edge behavior-based analysis technology to guard physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which easily escape traditional signature-based anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and offers a single platform to address the entire malware attack progression including protection, infiltration detection, containment, cleanup, and forensics. Top features include one-click rollback using Windows VSS and real-time network-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection managed services offer ultra-affordable in-depth protection for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring and reacting to security threats from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, device management, and web filtering through cutting-edge technologies packaged within a single agent managed from a unified console. Progent's security and virtualization consultants can assist your business to plan and configure a ProSight ESP environment that addresses your organization's unique needs and that helps you achieve and demonstrate compliance with legal and industry data protection standards. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that require immediate action. Progent can also assist you to install and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized businesses an affordable and fully managed solution for reliable backup/disaster recovery (BDR). Available at a low monthly price, ProSight DPS automates your backup processes and enables fast recovery of vital data, applications and virtual machines that have become lost or damaged as a result of hardware failures, software glitches, disasters, human error, or malware attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to an on-promises storage device, or to both. Progent's cloud backup specialists can deliver world-class support to configure ProSight DPS to to comply with regulatory standards such as HIPAA, FINRA, and PCI and, whenever needed, can help you to restore your critical information. Learn more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading information security vendors to provide web-based control and comprehensive protection for all your email traffic. The hybrid architecture of Progent's Email Guard integrates cloud-based filtering with an on-premises gateway appliance to provide complete protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-based threats. Email Guard's Cloud Protection Layer serves as a first line of defense and keeps most threats from making it to your network firewall. This reduces your exposure to inbound threats and conserves system bandwidth and storage. Email Guard's onsite gateway device adds a further level of inspection for inbound email. For outgoing email, the onsite gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Microsoft Exchange Server to track and safeguard internal email traffic that stays inside your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized businesses to map, track, optimize and troubleshoot their networking hardware like routers and switches, firewalls, and access points as well as servers, endpoints and other networked devices. Incorporating state-of-the-art RMM technology, WAN Watch ensures that infrastructure topology diagrams are kept current, captures and displays the configuration of almost all devices on your network, monitors performance, and generates notices when issues are discovered. By automating complex network management processes, ProSight WAN Watch can cut hours off ordinary tasks like network mapping, expanding your network, finding appliances that need important updates, or resolving performance issues. Learn more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management techniques to help keep your network operating at peak levels by tracking the state of critical assets that drive your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your designated IT personnel and your Progent consultant so that any looming problems can be addressed before they have a chance to impact your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual host set up and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the applications. Since the system is virtualized, it can be ported easily to a different hardware solution without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and safeguard information about your IT infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or warranties. By cleaning up and organizing your IT documentation, you can save up to 50% of time spent looking for vital information about your network. ProSight IT Asset Management features a common location for storing and sharing all documents required for managing your business network such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether youíre planning improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Find out more about ProSight IT Asset Management service.
For St. Louis 24/7/365 Ransomware Cleanup Help, contact Progent at 800-462-8800 or go to Contact Progent.