Crypto-Ransomware: Your Crippling IT Catastrophe
Crypto-ransomware has become an escalating cyberplague and an existential threat for any organization that is vulnerable to an attack. Earlier families such as Reveton, Fusob, Bad Rabbit, the Syskey lock-out scams and MongoLock have been around for years and still cause damage. The latest strains, such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, plus a steady stream of as yet unnamed newcomers, do not merely encrypt online data files: they also seek out and disable or encrypt the protections that would otherwise make recovery possible, including online backups and shadow copies. Files synced to the cloud can be ransomed as well. In a poorly designed system this renders every recovery path useless and effectively sets the datacenter back to zero.

Getting applications and information back online after a crypto-ransomware attack becomes a sprint against the clock as the targeted organization fights to contain and remove the malware and resume mission-critical operations. Because the ransomware needs time to spread before it detonates, attacks are usually launched on weekends and at night, when a successful intrusion is likely to go unnoticed for longer. This compounds the difficulty of quickly assembling and coordinating a capable response team.

Progent provides a variety of support services for protecting organizations from ransomware events. These include employee training to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security gateways that use machine learning to rapidly detect and contain zero-day attacks. Progent can also provide veteran crypto-ransomware recovery engineers with the skills and commitment to rebuild a breached network as urgently as possible.

Progent's Ransomware Recovery Help
After a crypto-ransomware event, paying the ransom in cryptocurrency does not guarantee that the criminals will hand over the keys to decrypt any or all of your data. Kaspersky Labs found that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also very expensive. Ryuk ransoms frequently range from fifteen to forty BTC (roughly $120,000 to $400,000), far higher than the typical crypto-ransomware demand, which ZDNet estimates at around $13,000. The alternative is to piece the essential components of your IT environment back together. Without access to usable backups, this calls for a wide range of IT skills, disciplined project management, and the capacity to work around the clock until the job is done.

For decades, Progent has provided professional IT services to companies in Austin and across the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who hold top industry certifications in foundation technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity consultants have earned internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise with financial systems and ERP software. This breadth of expertise gives Progent the skills to quickly identify which systems are essential, salvage the surviving parts of your IT environment after a crypto-ransomware attack, and assemble them into a functioning whole.

Progent's security group uses best-of-breed project management tools to coordinate the complex restoration process. Progent understands the urgency of working rapidly and in step with a client's management and IT staff to prioritize tasks and bring critical services back online as soon as possible.

Case Study: A Successful Ransomware Attack Restoration
A mid-sized business hired Progent after it was penetrated by Ryuk crypto-ransomware. Ryuk shares code with the older Hermes ransomware, which led early analysts to link it to North Korean state actors; later research attributes Ryuk to Russian-speaking criminal operators, who typically gain their foothold through Emotet and TrickBot infections. Ryuk goes after specific businesses with little tolerance for downtime and is among the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in Chicago with around 500 employees. The Ryuk intrusion had paralyzed all business operations and manufacturing. Most of the client's backups had been online at the time of the attack and were destroyed along with the production data. The client was arranging financing to pay the ransom demand (more than $200,000) and hoping for the best, but in the end brought in Progent.


"I cannot say enough about the care Progent provided us throughout the most stressful period of (our) company's survival. We most likely would have paid the criminal gangs except for the confidence the Progent group provided us. That you could get our messaging and essential servers back online quicker than 1 week was incredible. Each person I worked with or messaged at Progent was totally committed on getting us working again and was working all day and night to bail us out."

Progent worked together with the customer to rapidly assess and prioritize the key elements that had to be recovered in order to continue departmental operations:

  • Windows Active Directory
  • Microsoft Exchange
  • MRP System
To begin, Progent followed incident response best practices by stopping lateral movement and removing the malware from affected systems. Progent then began bringing Microsoft Active Directory back online, since AD is the foundation of every enterprise system built on Microsoft technology. Exchange will not run without AD, and the customer's financials and MRP software relied on Microsoft SQL Server, which in this environment used Windows authentication and therefore also depended on Active Directory to authorize access to the databases.

In less than two days, Progent had rebuilt Active Directory to its pre-attack state. Progent then completed configuration and storage recovery on the critical systems. All Exchange schema extensions and attributes in AD were intact, which accelerated the Exchange rebuild. Progent was also able to gather unencrypted OST files (Outlook Offline Data Files) from various PCs and laptops in order to recover email. A recent offline backup of the client's financials/ERP software made it possible to return those essential applications to users. Although a lot of work remained before the company had fully recovered from the Ryuk attack, the most important systems were restored rapidly:
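The OST salvage step above is the kind of task a responder ends up scripting under time pressure, so here is an added example of how to do it (this is not Progent's tooling and is not from the original case study). It assumes administrative access to the C$ share of each workstation, a reachable recovery share, and the usual Outlook cached-mode location for OST files; the host names and share path are constructed for illustration. Every OST/PST file begins with the 4-byte signature "!BDN", and a file that crypto-ransomware has encrypted will not, so the script checks that signature before copying anything and reports which mailbox caches are salvageable.

```powershell
# Added example (not Progent's tooling). Assumes: admin access to each
# workstation's C$ share, a reachable recovery share, and that Outlook
# cached-mode OST files live under each user's profile on C:\Users.
# OST/PST files start with the 4-byte signature "!BDN"; a ransomware-encrypted
# copy will not, so the check separates salvageable caches from ruined ones.

$Workstations  = @('WS-ACCT-01', 'WS-ENG-07', 'WS-MFG-12')   # constructed sample host names
$RecoveryShare = '\\RECOVERY01\OSTSalvage'                     # hypothetical destination share
$OstSignature  = '21-42-44-4E'                                 # bytes of "!BDN" as BitConverter prints them

function Test-OstSignature {
    # Returns $true only if the first four bytes of the file match the OST/PST magic.
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::Open($Path,
                                 [System.IO.FileMode]::Open,
                                 [System.IO.FileAccess]::Read,
                                 [System.IO.FileShare]::ReadWrite)   # tolerate Outlook still holding the file
    try {
        $buf  = New-Object byte[] 4
        $read = $fs.Read($buf, 0, 4)
        return ($read -eq 4) -and ([System.BitConverter]::ToString($buf) -eq $OstSignature)
    }
    finally { $fs.Dispose() }
}

$report = foreach ($ws in $Workstations) {
    $usersRoot = "\\$ws\C$\Users"
    if (-not (Test-Path -LiteralPath $usersRoot)) {
        [pscustomobject]@{ Host = $ws; User = $null; File = $null; Status = 'Unreachable'; SizeMB = 0 }
        continue
    }
    # '*.ost*' also catches files the ransomware renamed by appending its own extension.
    Get-ChildItem -LiteralPath $usersRoot -Recurse -Filter '*.ost*' -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # The profile name is the first path element under \Users\.
        $user = $file.FullName.Substring($usersRoot.Length + 1).Split('\')[0]
        if (Test-OstSignature -Path $file.FullName) {
            $dest = Join-Path -Path $RecoveryShare -ChildPath "$ws\$user"
            New-Item -ItemType Directory -Path $dest -Force | Out-Null
            Copy-Item -LiteralPath $file.FullName -Destination $dest -Force
            $status = 'Salvaged'
        }
        else {
            # Bad magic: encrypted or corrupt. Leave it in place for forensics.
            $status = 'Encrypted/Corrupt'
        }
        [pscustomobject]@{
            Host   = $ws
            User   = $user
            File   = $file.Name
            Status = $status
            SizeMB = [math]::Round($file.Length / 1MB, 1)
        }
    }
}

$report | Sort-Object Status, Host | Format-Table -AutoSize
$report | Export-Csv -Path (Join-Path $RecoveryShare 'ost-salvage-report.csv') -NoTypeInformation
```

Two caveats a responder should keep in mind. First, run this only after the workstations have been confirmed clean: opening administrative shares from a domain admin session onto a host that is still compromised hands the attacker exactly the credentials they need to spread again. Second, the signature check proves only that the header survived; a salvaged OST is a cache tied to the original mailbox and cannot simply be opened by Outlook against a rebuilt Exchange mailbox, so the usual next step is to convert each salvaged OST to PST with a conversion tool and import the PST once the user's mailbox exists again.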


"For the most part, the manufacturing operation never missed a beat and we did not miss any customer deliverables."

Over the following month, the remaining milestones of the recovery project were reached through close collaboration between Progent consultants and the client:

  • Internal web sites were restored with no loss of data.
  • The MailStore Server with over 4 million historical emails was restored to operations and available for users.
  • CRM/Orders/Invoices/Accounts Payable/AR/Inventory Control functions were completely operational.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • Ninety percent of the desktops and laptops were fully operational.

"So much of what was accomplished in the initial days is mostly a blur for me, but our team will not forget the dedication each of the team accomplished to help get our business back. I have trusted Progent for the past ten years, maybe more, and each time I needed help Progent has come through and delivered. This situation was a stunning achievement."

Conclusion
A potential business-killing disaster was averted due to results-oriented experts, a wide array of technical expertise, and close collaboration. Although in post mortem the crypto-ransomware attack described here would have been shut down with modern cyber security systems and security best practices, user education, and appropriate security procedures for information protection and proper patching controls, the fact is that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware attack, feel confident that Progent's team of professionals has extensive experience in ransomware virus defense, remediation, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were helping), I'm grateful for letting me get some sleep after we got through the initial push. All of you did an incredible job, and if anyone that helped is visiting the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Austin a range of remote monitoring and security evaluation services designed to help you reduce the threat from ransomware. These services include next-generation machine learning technology to uncover zero-day strains of ransomware that evade detection by legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that uses next-generation behavior-based machine learning to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which routinely get past traditional signature-based anti-virus tools. ProSight ASM protects on-premises and cloud-based resources and provides a unified platform that addresses the entire threat lifecycle: protection, detection, containment, cleanup, and post-attack forensics. Top features include one-click rollback using the Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Note that VSS rollback depends on the shadow copies surviving the attack; many ransomware families delete them (for example with vssadmin delete shadows) before encrypting, which is why offline backups remain essential alongside endpoint rollback. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver affordable in-depth security for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring of and response to attacks from all vectors. ProSight ESP provides firewall protection, intrusion alerts, device management, and web filtering through cutting-edge tools packaged in one agent and managed from a single console. Progent's data protection and virtualization consultants can help you plan and configure a ProSight ESP environment that addresses your organization's specific needs and helps you demonstrate compliance with legal and industry data security regulations. Progent will help you specify and configure the security policies that ProSight ESP enforces, and will monitor your IT environment and react to alerts that call for urgent action. Progent's consultants can also help you install and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can recover quickly from a destructive attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and mid-sized organizations an affordable end-to-end solution for reliable backup and disaster recovery (BDR). Available at a low monthly rate, ProSight DPS automates and monitors your backup processes and enables fast recovery of critical files, applications and virtual machines that have become unavailable or damaged due to hardware failures, software glitches, disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware images. Critical data can be protected in the cloud, on a local device, or mirrored to both. Progent's cloud backup specialists can provide world-class expertise to set up ProSight DPS to comply with regulatory standards such as HIPAA, FINRA, and PCI and, whenever needed, can help you recover your business-critical data. Find out more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top data security companies to deliver web-based management and world-class protection for your email traffic. The powerful architecture of Progent's Email Guard combines a Cloud Protection Layer with an on-premises security gateway appliance to provide complete defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. The Cloud Protection Layer acts as a preliminary barricade and blocks most unwanted email before it reaches your security perimeter. This reduces your exposure to inbound attacks and conserves bandwidth and storage. Email Guard's onsite gateway appliance provides a deeper layer of inspection for incoming email. For outbound email, the on-premises security gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also assist Exchange Server in monitoring and protecting internal email traffic that originates and ends within your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to map, monitor, enhance and troubleshoot their connectivity appliances such as routers, firewalls, and wireless controllers plus servers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that network diagrams are kept updated, copies and manages the configuration information of virtually all devices on your network, monitors performance, and sends notices when potential issues are detected. By automating tedious management and troubleshooting processes, ProSight WAN Watch can knock hours off ordinary chores such as network mapping, expanding your network, finding devices that need critical updates, or identifying the cause of performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management technology to keep your network operating efficiently by checking the state of the vital assets that power your information system. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your designated IT management personnel and your assigned Progent engineering consultant so that any looming issues can be resolved before they disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host configured and maintained by Progent's IT support experts. With the ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the apps. Since the environment is virtualized, it can be ported immediately to a different hosting environment without a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and protect information about your network infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be warned automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT documentation, you can eliminate as much as half of the time wasted looking for critical information about your IT network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents related to managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether you're making improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need when you need it. Find out more about Progent's ProSight IT Asset Management service.
For Austin 24/7/365 Crypto-Ransomware Recovery Support Services, reach out to Progent at 800-993-9400 or go to Contact Progent.