Crypto-Ransomware : Your Crippling Information Technology Catastrophe
Ransomware  Remediation ExpertsRansomware has become an escalating cyber pandemic that represents an extinction-level danger for organizations unprepared for an assault. Different iterations of ransomware such as Reveton, Fusob, Locky, NotPetya and MongoLock cryptoworms have been running rampant for many years and continue to inflict havoc. The latest versions of ransomware like Ryuk and Hermes, along with daily unnamed newcomers, not only encrypt online files but also infect most configured system restores and backups. Information replicated to cloud environments can also be ransomed. In a poorly designed environment, this can render automatic restore operations impossible and effectively sets the datacenter back to zero.

Restoring applications and information following a ransomware attack becomes a race against time as the victim fights to stop lateral movement and cleanup the virus and to restore business-critical operations. Since ransomware requires time to spread, penetrations are usually sprung during nights and weekends, when penetrations in many cases take longer to recognize. This multiplies the difficulty of rapidly assembling and organizing a capable response team.

Progent offers a variety of support services for protecting enterprises from crypto-ransomware attacks. Among these are user education to help identify and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of modern security appliances with AI capabilities to quickly discover and extinguish zero-day cyber attacks. Progent in addition provides the services of seasoned ransomware recovery professionals with the skills and commitment to restore a breached system as quickly as possible.

Progent's Ransomware Restoration Help
Soon after a ransomware penetration, paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that cyber hackers will return the needed keys to unencrypt any or all of your data. Kaspersky estimated that 17% of ransomware victims never restored their files even after having sent off the ransom, resulting in increased losses. The risk is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is significantly higher than the average crypto-ransomware demands, which ZDNET determined to be approximately $13,000. The fallback is to piece back together the mission-critical elements of your Information Technology environment. Without access to essential data backups, this calls for a broad complement of IT skills, professional project management, and the ability to work continuously until the recovery project is over.

For twenty years, Progent has made available certified expert Information Technology services for companies in Austin and throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have been awarded top industry certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have earned internationally-recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has experience with financial systems and ERP software solutions. This breadth of expertise provides Progent the skills to quickly ascertain important systems and organize the surviving parts of your IT environment following a ransomware attack and configure them into a functioning network.

Progent's security team of experts utilizes state-of-the-art project management tools to orchestrate the sophisticated recovery process. Progent understands the urgency of working rapidly and in unison with a customerís management and IT resources to assign priority to tasks and to put critical applications back on-line as soon as possible.

Business Case Study: A Successful Ransomware Intrusion Response
A business escalated to Progent after their network system was taken over by Ryuk ransomware. Ryuk is thought to have been created by North Korean state criminal gangs, possibly adopting strategies exposed from the U.S. NSA organization. Ryuk goes after specific companies with limited room for disruption and is among the most lucrative iterations of crypto-ransomware. Headline organizations include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer headquartered in Chicago and has about 500 workers. The Ryuk attack had brought down all essential operations and manufacturing processes. Most of the client's backups had been directly accessible at the time of the attack and were damaged. The client was evaluating paying the ransom demand (in excess of $200K) and praying for the best, but in the end brought in Progent.


"I cannot tell you enough about the expertise Progent gave us during the most fearful period of (our) businesses existence. We had little choice but to pay the cybercriminals except for the confidence the Progent experts gave us. The fact that you were able to get our e-mail and important applications back sooner than 1 week was amazing. Every single expert I worked with or communicated with at Progent was amazingly focused on getting us working again and was working breakneck pace on our behalf."

Progent worked together with the client to rapidly determine and prioritize the critical areas that needed to be restored in order to continue departmental functions:

  • Microsoft Active Directory
  • Exchange Server
  • MRP System
To get going, Progent adhered to AV/Malware Processes incident mitigation best practices by isolating and clearing infected systems. Progent then initiated the work of rebuilding Active Directory, the foundation of enterprise networks built on Microsoft Windows technology. Exchange messaging will not work without AD, and the client's financials and MRP applications used Microsoft SQL Server, which requires Active Directory for security authorization to the databases.

Within 2 days, Progent was able to rebuild Active Directory to its pre-penetration state. Progent then initiated setup and storage recovery of needed servers. All Exchange Server data and attributes were intact, which greatly helped the rebuild of Exchange. Progent was able to locate intact OST data files (Microsoft Outlook Offline Folder Files) on team desktop computers in order to recover email messages. A recent off-line backup of the businesses financials/ERP systems made it possible to restore these essential programs back online. Although significant work still had to be done to recover totally from the Ryuk virus, essential systems were returned to operations rapidly:


"For the most part, the manufacturing operation ran fairly normal throughout and we made all customer deliverables."

Throughout the next few weeks critical milestones in the recovery project were accomplished in close collaboration between Progent consultants and the customer:

  • Internal web sites were brought back up with no loss of information.
  • The MailStore Exchange Server containing more than 4 million archived messages was restored to operations and available for users.
  • CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory Control capabilities were completely restored.
  • A new Palo Alto Networks 850 security appliance was installed.
  • Most of the desktop computers were functioning as before the incident.

"Much of what transpired during the initial response is mostly a haze for me, but we will not forget the commitment each of your team put in to help get our business back. I have trusted Progent for the past ten years, maybe more, and each time Progent has come through and delivered. This time was the most impressive ever."

Conclusion
A potential enterprise-killing catastrophe was evaded with top-tier professionals, a broad spectrum of technical expertise, and close collaboration. Although upon completion of forensics the crypto-ransomware virus attack detailed here could have been shut down with up-to-date cyber security technology solutions and best practices, user and IT administrator training, and well designed security procedures for information protection and applying software patches, the fact remains that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware penetration, feel confident that Progent's roster of professionals has proven experience in ransomware virus blocking, remediation, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were contributing), Iím grateful for allowing me to get some sleep after we made it through the initial fire. All of you did an incredible effort, and if any of your team is in the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Austin a variety of online monitoring and security evaluation services designed to assist you to minimize your vulnerability to ransomware. These services include modern machine learning technology to uncover zero-day strains of ransomware that can escape detection by legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates next generation behavior-based machine learning technology to guard physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which routinely escape traditional signature-based AV products. ProSight Active Security Monitoring protects local and cloud-based resources and provides a unified platform to address the complete threat lifecycle including blocking, detection, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback using Windows VSS and automatic network-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver affordable in-depth protection for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and responding to security assaults from all attack vectors. ProSight ESP offers firewall protection, penetration alerts, device management, and web filtering via leading-edge technologies incorporated within a single agent managed from a single control. Progent's security and virtualization experts can help your business to plan and implement a ProSight ESP deployment that addresses your company's specific requirements and that helps you prove compliance with legal and industry information security standards. Progent will help you specify and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that call for immediate attention. Progent can also assist your company to install and test a backup and restore system like ProSight Data Protection Services so you can recover quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and mid-sized organizations an affordable and fully managed solution for reliable backup/disaster recovery. For a fixed monthly rate, ProSight DPS automates your backup activities and allows fast recovery of critical data, apps and virtual machines that have become lost or damaged as a result of component failures, software bugs, natural disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, plus Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to an on-promises storage device, or to both. Progent's BDR consultants can provide world-class expertise to set up ProSight DPS to be compliant with government and industry regulatory standards like HIPPA, FIRPA, PCI and Safe Harbor and, when needed, can assist you to restore your critical information. Find out more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top data security companies to provide centralized control and world-class security for all your email traffic. The hybrid architecture of Progent's Email Guard combines cloud-based filtering with an on-premises gateway device to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's cloud filter acts as a first line of defense and keeps the vast majority of threats from reaching your security perimeter. This decreases your vulnerability to external attacks and saves system bandwidth and storage. Email Guard's on-premises gateway appliance provides a further layer of analysis for inbound email. For outbound email, the local security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also help Exchange Server to monitor and safeguard internal email traffic that stays inside your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to map out, track, reconfigure and troubleshoot their networking appliances like switches, firewalls, and load balancers as well as servers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that network maps are always updated, captures and displays the configuration information of virtually all devices connected to your network, monitors performance, and generates notices when issues are discovered. By automating tedious management processes, ProSight WAN Watch can cut hours off ordinary tasks like making network diagrams, expanding your network, locating appliances that require critical software patches, or isolating performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your network running at peak levels by tracking the health of critical computers that power your business network. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your specified IT personnel and your Progent consultant so that any potential problems can be resolved before they can disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure Tier III data center on a fast virtual host configured and managed by Progent's network support experts. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the apps. Because the environment is virtualized, it can be moved immediately to an alternate hardware solution without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and protect data related to your IT infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or domains. By updating and managing your IT infrastructure documentation, you can eliminate up to 50% of time spent searching for critical information about your network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents related to managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether youíre planning improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need when you need it. Find out more about ProSight IT Asset Management service.
For Austin 24-Hour Ransomware Remediation Services, reach out to Progent at 800-993-9400 or go to Contact Progent.