Crypto-Ransomware : Your Feared Information Technology Nightmare
Ransomware has become an all-too-frequent cyber pandemic that presents an existential threat to businesses of every size that are exposed to attack. Multiple generations of crypto-ransomware, including the Dharma, CryptoWall, Bad Rabbit, Syskey and MongoLock families, have been circulating for years and still cause harm. Newer strains such as Ryuk and its predecessor Hermes, along with many unnamed newcomers, do not merely encrypt critical on-line data: they also seek out and destroy any backup or recovery mechanism they can reach, including Volume Shadow Copies, backup catalogs and backup targets on the network. Files replicated to an off-site disaster recovery site can be rendered useless as well if that site is reachable with the same credentials the intruder has taken over. In a vulnerable data protection design this can make restore operations impossible and effectively knocks the network back to square one.

Getting programs and data back on-line after a ransomware outage becomes a sprint against the clock as the targeted business struggles to contain the damage, eradicate the crypto-ransomware and resume mission-critical activity. Because ransomware needs time to spread and encrypt, attacks are usually launched at night, when a successful penetration typically takes longer to notice. This compounds the difficulty of quickly assembling and coordinating a capable response team.
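The two behaviours described above, destruction of shadow copies and backup catalogs before encryption and a preference for launching after hours, are among the earliest signs of a Ryuk-style intrusion that a log pipeline can catch. The following Python example is added here and is not Progent's code or part of any ProSight product. It scans a constructed key=value rendering of Windows process-creation events (Event ID 4688 or Sysmon Event ID 1) for the well-known recovery-tampering commands (vssadmin delete shadows, wmic shadowcopy delete, wbadmin delete catalog, bcdedit recovery settings) and correlates them per host. The log format, host and user names, the ten-minute window and the business-hours range are all assumptions for illustration.

```python
"""Flag pre-encryption recovery tampering in Windows process-creation logs.

Added example; not Progent's code. Input is a constructed key=value
rendering of Windows Event ID 4688 / Sysmon Event ID 1 records; adjust
LINE_RE for your own collector's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Commands that Ryuk-style ransomware runs to destroy local recovery points
# before it encrypts. The technique names and regexes are this example's own.
TECHNIQUES = {
    "vss_delete": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "vss_resize": re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I),
    "wmic_shadow_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "wbadmin_catalog": re.compile(
        r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)\b", re.I),
    "bcdedit_recovery": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+"
        r"(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
}

# One record per line: ISO-8601 timestamp, host, user, quoted command line (assumed format).
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$')

WINDOW = timedelta(minutes=10)      # per-host correlation window (assumed)
BUSINESS_HOURS = range(7, 19)       # 07:00-18:59; sample timestamps are treated as local time

# Constructed sample: a nightly backup agent on FS01 (benign single hit) and a
# Ryuk-style burst on workstation WS-114 shortly after 02:00.
SAMPLE_LOG = """\
2019-03-02T01:55:12Z host=FS01 user=CORP\\svc_backup cmd="vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=10GB"
2019-03-02T02:14:07Z host=WS-114 user=CORP\\jdoe cmd="vssadmin.exe delete shadows /all /quiet"
2019-03-02T02:14:09Z host=WS-114 user=CORP\\jdoe cmd="wmic.exe shadowcopy delete"
2019-03-02T02:14:10Z host=WS-114 user=CORP\\jdoe cmd="bcdedit.exe /set {default} recoveryenabled No"
2019-03-02T02:14:11Z host=WS-114 user=CORP\\jdoe cmd="wbadmin.exe delete catalog -quiet"
2019-03-02T02:30:00Z host=WS-114 user=CORP\\jdoe cmd="notepad.exe C:\\Users\\jdoe\\notes.txt"
"""


def parse_line(line):
    """Parse one record; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def classify(cmd):
    """Return the names of every tampering technique a command line matches."""
    return [name for name, rx in TECHNIQUES.items() if rx.search(cmd)]


def detect(lines):
    """Return one finding per host per WINDOW-sized burst of tampering.

    A lone hit is 'medium' because backup agents legitimately resize shadow
    storage; two or more distinct techniques on one host within WINDOW is the
    pre-encryption pattern and is 'high'. after_hours records whether the
    burst began outside BUSINESS_HOURS, when such attacks are usually launched.
    """
    per_host = defaultdict(list)            # host -> [(ts, technique, user)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for tech in classify(rec["cmd"]):
            per_host[rec["host"]].append((rec["ts"], tech, rec["user"]))

    findings = []
    for host, events in per_host.items():
        events.sort()
        i = 0
        while i < len(events):
            start = events[i][0]
            burst = [e for e in events[i:] if e[0] - start <= WINDOW]
            techniques = sorted({e[1] for e in burst})
            findings.append({
                "host": host,
                "user": burst[0][2],
                "first_seen": start,
                "techniques": techniques,
                "severity": "high" if len(techniques) >= 2 else "medium",
                "after_hours": start.hour not in BUSINESS_HOURS,
            })
            i += len(burst)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']:6} {f['host']:8} {f['first_seen']:%H:%M:%S} "
              f"after_hours={f['after_hours']} {f['user']} {', '.join(f['techniques'])}")
```

A single shadow-storage resize from a backup service account is routine, which is why the example only escalates when several distinct techniques appear on one host within the window; in the constructed sample FS01 is reported at medium and WS-114 at high. The same per-host burst logic works unchanged on real 4688 or Sysmon exports once LINE_RE is adapted to the collector's field names.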

Progent offers an assortment of solutions for protecting enterprises from ransomware events. These include staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security appliances with artificial intelligence technology to rapidly discover and contain zero-day cyber threats. Progent also offers the assistance of veteran crypto-ransomware recovery engineers with the track record and perseverance to rebuild a breached network as quickly as possible.

Progent's Ransomware Restoration Services
After a ransomware event, paying the ransom in Bitcoin does not guarantee that the criminals will respond with working keys to decrypt your data. Kaspersky found that seventeen percent of ransomware victims never recovered their information even after paying, compounding their losses. The ransom itself is also very costly: Ryuk demands frequently range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), far higher than the typical ransomware demand, which ZDNet put at approximately $13,000. The alternative is to piece back together the vital components of your IT environment. Without access to intact backups, this requires a broad complement of IT skills, well-coordinated project management, and the ability to work around the clock until the recovery is complete.

For two decades, Progent has provided professional IT services for companies in Dallas and throughout the U.S. and has earned Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who hold high-level industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants hold internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC (refer to Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of expertise gives Progent the skills to knowledgeably identify the systems you need, consolidate the surviving pieces of your IT environment following a ransomware penetration, and rebuild them into a functioning network.

Progent's security team utilizes powerful project management tools to coordinate the sophisticated recovery process. Progent knows the importance of working swiftly and in unison with a client's management and IT staff to prioritize tasks and to get critical services back on line as soon as possible.

Case Study: A Successful Crypto-Ransomware Virus Recovery
A manufacturing company hired Progent after its network was taken over by the Ryuk ransomware. Ryuk was initially attributed to North Korean state hackers because it shares code with the older Hermes ransomware, possibly using techniques leaked from the U.S. NSA; later analysis has linked it to a Russian-speaking criminal group. Ryuk targets specific organizations with little ability to sustain operational disruption and is one of the most lucrative ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing business based in Chicago with around 500 staff members. The Ryuk event had disabled all essential business and manufacturing processes. Most of the client's backups had been directly accessible from the network at the start of the intrusion and were destroyed. The client was considering paying the ransom (in excess of $200K) and hoping for the best, but ultimately reached out to Progent.


"I cannot speak enough about the expertise Progent provided us throughout the most stressful period of (our) business's life. We had little choice but to pay the criminal gangs except for the confidence the Progent experts gave us. The fact that you were able to get our messaging and important servers back on-line quicker than one week was earth shattering. Each expert I got help from or messaged at Progent was totally committed to getting us operational and was working 24 by 7 to bail us out."

Progent worked with the client to rapidly assess and prioritize the essential applications that needed to be restored in order to restart company operations:

  • Active Directory (AD)
  • E-Mail
  • MRP System
To begin, Progent followed incident response best practices by stopping the spread and cleaning infected systems. Progent then started restoring Active Directory, the foundation of enterprise systems built on Microsoft Windows technology. Exchange email will not operate without AD, and the business's MRP software used Microsoft SQL Server, which relied on Active Directory for authenticated access to the databases.

Within 2 days, Progent rebuilt Active Directory to its pre-intrusion state. Progent then assisted with the setup and storage recovery of the needed applications. All Exchange schema and configuration information held in AD was intact, which simplified the Exchange rebuild. Progent was also able to collect the local OST files (Microsoft Outlook Offline Data Files, the per-mailbox cache that survives on each workstation even when the server's mailbox database is lost) from staff workstations to recover mail messages. A recent offline backup of the client's financials/ERP systems made it possible to restore these essential programs and return them to users. Although much work remained to recover fully from the Ryuk damage, core systems were restored quickly:


"For the most part, the production manufacturing operation never missed a beat and we did not miss any customer orders."

Over the following month important milestones in the restoration project were made through tight cooperation between Progent engineers and the customer:

  • Self-hosted web sites were returned to operation with no loss of data.
  • The MailStore email archive server, holding more than 4 million archived messages, was brought back on-line and made available to users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory capabilities were 100 percent functional.
  • A new Palo Alto 850 firewall was brought on-line.
  • Ninety percent of the desktops and laptops were operational.

"A lot of what transpired that first week is nearly entirely a fog for me, but my management will not forget the care each and every one of the team put in to give us our business back. I have utilized Progent for the past 10 years, maybe more, and each time I needed help Progent has come through and delivered as promised. This time was a stunning achievement."

Conclusion
A probable business-extinction catastrophe was averted thanks to results-oriented experts, a wide array of subject matter expertise, and close teamwork. Post-incident forensics showed that the ransomware intrusion described here could have been prevented with modern security tools and best practices, user and IT administrator training, and well-designed procedures for information backup and software patching; nevertheless, government-sponsored and criminal cyber gangs from Russia, North Korea and elsewhere are relentless and remain an ongoing threat. If you are hit by a ransomware intrusion, you can be confident that Progent's team has extensive experience in ransomware defense, cleanup, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were involved), thanks very much for letting me get rested after we made it over the initial fire. Everyone did a fabulous job, and if any of your guys is around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Dallas a variety of online monitoring and security assessment services designed to help you to reduce your vulnerability to ransomware. These services incorporate next-generation AI capability to uncover new variants of crypto-ransomware that can evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that uses next-generation behavioral machine learning technology to guard physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which routinely escape traditional signature-matching AV tools. ProSight ASM protects on-premises and cloud-based resources and offers a unified platform to automate the entire malware attack lifecycle including protection, infiltration detection, mitigation, remediation, and forensics. Top features include one-click rollback using Windows VSS and real-time system-wide immunization against new attacks. Because ransomware typically tries to delete shadow copies before it encrypts, rollback depends on those snapshots being protected from tampering. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services offer economical in-depth security for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning to continuously monitor and react to cyber threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device control, and web filtering via cutting-edge tools packaged within a single agent managed from a unified console. Progent's security and virtualization consultants can help your business plan and implement a ProSight ESP environment that meets your organization's unique requirements and that helps you prove compliance with legal and industry data security regulations. Progent will help you define and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent attention. Progent's consultants can also help your company set up and test a backup and restore system like ProSight Data Protection Services so you can recover rapidly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and mid-sized organizations an affordable end-to-end service for secure backup and disaster recovery (BDR). Available at a low monthly price, ProSight Data Protection Services automates and monitors your backup activities and allows fast restoration of vital data, apps and VMs that have been lost or corrupted due to hardware breakdowns, software bugs, natural disasters, human error, or malicious attacks like ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, apps, system images, plus Hyper-V and VMware images. Important data can be protected in the cloud, on a local device, or mirrored to both. For ransomware resilience the off-site copy should not be reachable with the same credentials the production network uses, so an intruder who has taken over the domain cannot also encrypt or delete the backups. Progent's BDR consultants can deliver world-class support to set up ProSight DPS to comply with government and industry regulatory standards like HIPAA, FERPA, and PCI and, whenever needed, can help you restore your critical information. Find out more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading information security vendors to provide web-based management and comprehensive protection for all your email traffic. The powerful architecture of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises gateway appliance to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's cloud filter acts as a preliminary barricade and blocks most unwanted email from making it to your security perimeter. This decreases your exposure to inbound threats and conserves system bandwidth and storage. Email Guard's onsite gateway appliance adds a deeper level of inspection for incoming email. For outbound email, the onsite gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller businesses to diagram, monitor, enhance and debug their networking appliances such as switches, firewalls, and access points plus servers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network diagrams are always updated, copies and manages the configuration information of almost all devices on your network, tracks performance, and generates alerts when issues are detected. By automating tedious network management processes, WAN Watch can knock hours off ordinary chores like making network diagrams, expanding your network, locating devices that require critical updates, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) techniques to keep your network running efficiently by checking the state of critical assets that power your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your designated IT management personnel and your Progent engineering consultant so any looming problems can be resolved before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual host configured and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the apps. Because the environment is virtualized, it can be moved immediately to a different hosting solution without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, your business is not tied one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and safeguard data related to your network infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or warranties. By updating and organizing your network documentation, you can save as much as 50% of the time wasted trying to find critical information about your network. ProSight IT Asset Management includes a common location for holding and sharing all documents related to managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether you're making enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you need when you need it. Learn more about ProSight IT Asset Management service.
For 24-7 Dallas Crypto-Ransomware Removal Consultants, call Progent at 800-993-9400 or go to Contact Progent.