Crypto-Ransomware: Your Crippling IT Nightmare
Ransomware has become a modern cyberplague that poses an extinction-level danger for businesses of all sizes vulnerable to an attack. Different iterations of ransomware like the Reveton, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for many years and still cause havoc. Modern versions of crypto-ransomware such as Ryuk and Hermes, plus additional unnamed malware, not only encrypt online data files but also infect most accessible system protection mechanisms. Files synched to the cloud can also be rendered useless. In a poorly architected environment, it can make any recovery impossible and effectively sets the datacenter back to square one.

Recovering services and information after a ransomware event becomes a sprint against the clock as the targeted organization struggles to stop the spread and clear the ransomware and to restore business-critical activity. Because crypto-ransomware requires time to move laterally, attacks are frequently sprung during nights and weekends, when penetrations in many cases take longer to uncover. This multiplies the difficulty of rapidly mobilizing and coordinating a knowledgeable mitigation team.

Progent offers a variety of support services for securing businesses from ransomware attacks. Among these are staff training to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of modern security solutions with artificial intelligence technology to intelligently discover and quarantine new cyber threats. Progent also provides the services of seasoned ransomware recovery engineers with the skills and perseverance to re-deploy a breached system as soon as possible.

Progent's Ransomware Restoration Services
After a ransomware penetration, paying the ransom demands in Bitcoin cryptocurrency does not ensure that criminal gangs will respond with the needed codes to unencrypt all your information. Kaspersky determined that seventeen percent of ransomware victims never restored their files even after having paid the ransom, resulting in additional losses. The risk is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the usual ransomware demand, which ZDNET puts at approximately $13,000 on average. The other path is to re-install the critical elements of your IT environment. Without the availability of full system backups, this requires a broad complement of skills, well-coordinated team management, and the willingness to work 24x7 until the task is done.

For two decades, Progent has made available expert IT services for companies in Austin and across the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have earned high-level industry certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have earned internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise in financial management and ERP software solutions. This breadth of expertise gives Progent the capability to efficiently determine critical systems and organize the surviving parts of your network environment after a ransomware event and assemble them into an operational system.

Progent's ransomware team of experts uses top-notch project management systems to coordinate the complicated restoration process. Progent knows the importance of working swiftly and in concert with a customer's management and IT resources to prioritize tasks and to put the most important systems back online as fast as humanly possible.

Client Story: A Successful Ransomware Penetration Recovery
A business sought out Progent after their company was brought down by the Ryuk ransomware. Ryuk is believed to have been launched by North Korean state criminal gangs, possibly adopting technology exposed from the United States National Security Agency. Ryuk seeks specific companies with little room for disruption and is one of the most profitable incarnations of crypto-ransomware. Major targets include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in the Chicago metro area with about 500 employees. The Ryuk event had frozen all company operations and manufacturing processes. The majority of the client's system backups had been on-line at the beginning of the intrusion and were destroyed. The client was taking steps to pay the ransom demand (more than two hundred thousand dollars) and praying for good luck, but in the end made the decision to use Progent.


"I cannot thank you enough about the expertise Progent provided us during the most fearful period of (our) businesses survival. We may have had to pay the criminal gangs if it wasn't for the confidence the Progent team gave us. The fact that you could get our messaging and production servers back in less than a week was beyond my wildest dreams. Each expert I talked with or e-mailed at Progent was laser focused on getting us operational and was working all day and night on our behalf."

Progent worked with the customer to rapidly assess and prioritize the most important applications that had to be restored in order to resume departmental operations:

  • Active Directory
  • Electronic Mail
  • Financials/MRP

To get going, Progent followed antivirus penetration mitigation best practices by stopping lateral movement and cleaning up infected systems. Progent then started the task of bringing back online Windows Active Directory, the core of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not operate without Windows AD, and the client's accounting and MRP system leveraged SQL Server, which depends on Active Directory for authentication to the information.

Within two days, Progent was able to recover Windows Active Directory to its pre-virus state. Progent then completed rebuilding and hard drive recovery on the most important servers. All Exchange schema and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to collect intact OST data files (Outlook Email Off-Line Folder Files) on user desktop computers to recover email data. A reasonably recent off-line backup of the client's financials/ERP software made it possible to bring these vital programs back online for users. Although a lot of work remained to recover completely from the Ryuk attack, critical services were restored quickly:


"For the most part, the production line operation did not miss a beat and we produced all customer shipments."

Throughout the next month important milestones in the recovery project were completed through close collaboration between Progent engineers and the client:

  • In-house web sites were brought back up without losing any information.
  • The MailStore Exchange Server with over four million archived messages was brought on-line and accessible to users.
  • CRM/Orders/Invoices/Accounts Payable/AR/Inventory Control modules were completely recovered.
  • A new Palo Alto Networks 850 security appliance was deployed.
  • Most of the user workstations were functioning as before the incident.

"Much of what transpired those first few days is mostly a blur for me, but we will not soon forget the care all of you accomplished to give us our company back. I've entrusted Progent for the past ten years, possibly more, and each time I needed help Progent has come through and delivered as promised. This time was no exception but maybe more Herculean."

Conclusion
A likely enterprise-killing disaster was avoided through the efforts of dedicated professionals, a broad spectrum of technical expertise, and tight teamwork. Although in retrospect the ransomware attack detailed here should have been identified and stopped with advanced cyber security technology solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team training, and well thought out incident response procedures for information protection and proper patching controls, the reality remains that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do get hit by a ransomware attack, feel confident that Progent's team of experts has substantial experience in crypto-ransomware virus blocking, removal, and file restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), I'm grateful for making it so I could get some sleep after we got past the first week. All of you did an incredible job, and if anyone that helped is around the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer story, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Austin a variety of online monitoring and security assessment services designed to help you to reduce your vulnerability to ransomware. These services incorporate modern artificial intelligence technology to uncover zero-day variants of ransomware that can get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that utilizes cutting edge behavior-based analysis tools to defend physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which easily escape traditional signature-based AV products. ProSight ASM protects on-premises and cloud-based resources and provides a single platform to automate the entire malware attack lifecycle including filtering, infiltration detection, mitigation, remediation, and forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection managed services offer affordable in-depth security for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and responding to security threats from all vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint control, and web filtering through cutting-edge technologies packaged within a single agent accessible from a unified control. Progent's data protection and virtualization consultants can help your business to design and configure a ProSight ESP environment that meets your organization's specific requirements and that allows you to demonstrate compliance with government and industry information security regulations. Progent will help you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require immediate action. Progent can also assist you to set up and verify a backup and restore system like ProSight Data Protection Services so you can get back in business rapidly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations an affordable end-to-end service for reliable backup/disaster recovery. For a fixed monthly price, ProSight Data Protection Services automates your backup activities and enables fast restoration of critical data, apps and virtual machines that have become unavailable or damaged due to component breakdowns, software glitches, disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware images. Important data can be protected on the cloud, to an on-premises device, or mirrored to both. Progent's BDR consultants can deliver world-class expertise to configure ProSight DPS to be compliant with government and industry regulatory requirements like HIPAA, FIRPA, PCI and Safe Harbor and, whenever needed, can help you to recover your critical information. Learn more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading data security companies to provide web-based management and comprehensive protection for your inbound and outbound email. The hybrid architecture of Email Guard managed service integrates a Cloud Protection Layer with a local security gateway device to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne malware. The Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of unwanted email from reaching your security perimeter. This decreases your exposure to inbound attacks and conserves network bandwidth and storage. Email Guard's onsite security gateway appliance provides a further level of inspection for inbound email. For outbound email, the onsite gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to track and protect internal email that stays within your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller businesses to diagram, track, reconfigure and debug their networking appliances such as routers, firewalls, and load balancers plus servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that network maps are kept updated, captures and displays the configuration information of virtually all devices connected to your network, monitors performance, and generates notices when potential issues are detected. By automating complex network management activities, ProSight WAN Watch can knock hours off ordinary chores such as making network diagrams, expanding your network, finding appliances that require critical software patches, or resolving performance issues. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) technology to help keep your network running efficiently by tracking the state of critical assets that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is transmitted immediately to your designated IT staff and your assigned Progent consultant so any potential issues can be resolved before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected Tier III data center on a fast virtual machine host configured and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the applications. Because the system is virtualized, it can be moved easily to a different hosting solution without a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and safeguard information about your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or domains. By updating and organizing your network documentation, you can save as much as 50% of time thrown away looking for vital information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents related to managing your business network like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you're planning enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need when you need it. Learn more about ProSight IT Asset Management service.
For Austin 24-7 Ransomware Removal Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.