Crypto-Ransomware : Your Feared Information Technology Nightmare
Ransomware Remediation Professionals

Crypto-Ransomware has become an escalating cyber pandemic that poses an extinction-level threat for businesses of all sizes unprepared for an attack. Different versions of crypto-ransomware like the CryptoLocker, WannaCry, Locky, SamSam and MongoLock cryptoworms have been out in the wild for many years and still cause havoc. Recent versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Nephilim, along with more unnamed newcomers, not only encrypt on-line data files but also infect any available system restores and backups. Data synchronized to cloud environments can also be ransomed. In a poorly architected environment, this can make any restoration useless and basically knocks the datacenter back to zero.

Recovering programs and data after a ransomware outage becomes a sprint against the clock as the victim fights to contain the damage and eradicate the ransomware and to restore business-critical operations. Since ransomware needs time to move laterally, attacks are usually launched on weekends, when penetrations tend to take more time to identify. This multiplies the difficulty of rapidly assembling and coordinating a knowledgeable response team.

Progent has an assortment of solutions for securing enterprises from crypto-ransomware penetrations. Among these are team member education to become familiar with and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of next-generation security gateways with machine learning capabilities to intelligently detect and suppress zero-day threats. Progent in addition offers the assistance of expert crypto-ransomware recovery consultants with the skills and commitment to re-deploy a compromised network as quickly as possible.

Progent's Ransomware Recovery Help
Soon after a crypto-ransomware attack, even paying the ransom in cryptocurrency does not provide any assurance that cyber hackers will respond with the keys needed to decipher all your information. Kaspersky estimated that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET determined to be around $13,000. The fallback is to set up from scratch the key elements of your IT environment. Without the availability of full system backups, this calls for a broad range of skill sets, professional team management, and the ability to work non-stop until the recovery project is complete.

For decades, Progent has made available expert IT services for businesses in Dallas and throughout the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have earned top certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have garnered internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has experience in financial management and ERP application software. This breadth of experience gives Progent the ability to efficiently identify critical systems and organize the surviving parts of your network environment after a ransomware event and configure them into a functioning system.

Progent's security team has top-notch project management applications to orchestrate the sophisticated recovery process. Progent appreciates the urgency of acting rapidly and in unison with a customer's management and Information Technology team members to prioritize tasks and to get the most important services back online as soon as humanly possible.

Case Study: A Successful Crypto-Ransomware Virus Response
A business escalated to Progent after their company was taken over by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state-sponsored criminal gangs, possibly using technology exposed from the U.S. National Security Agency. Ryuk goes after specific organizations with little or no room for disruption and is one of the most profitable versions of ransomware. Major targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business based in Chicago with around 500 staff members. The Ryuk penetration had disabled all essential operations and manufacturing capabilities. Most of the client's information backups had been on-line at the beginning of the attack and were damaged. The client was evaluating paying the ransom (more than $200,000) and hoping for the best, but in the end made the decision to use Progent.


"I cannot thank you enough in regards to the support Progent gave us throughout the most fearful time of (our) business's survival. We may have had to pay the cybercriminals if it wasn't for the confidence the Progent experts afforded us. That you could get our e-mail and production servers back into operation in less than one week was incredible. Each staff member I worked with or communicated with at Progent was totally committed to getting our system up and was working all day and night on our behalf."

Progent worked with the customer to quickly understand and assign priority to the key systems that needed to be restored to make it possible to restart business functions:

  • Active Directory
  • Microsoft Exchange
  • Financials/MRP

To begin, Progent followed industry best practices for malware incident response by halting lateral movement and cleaning infected systems. Progent then initiated the process of rebuilding Microsoft Active Directory, the core of enterprise systems built upon Microsoft technology. Exchange email will not work without Windows AD, and the client's financials and MRP software used Microsoft SQL Server, which relies on Windows AD to authorize access to the data.

In less than 2 days, Progent was able to restore Active Directory services to their pre-intrusion state. Progent then accomplished reinstallations and storage recovery of essential servers. All Microsoft Exchange Server data and configuration information were usable, which accelerated the rebuild of Exchange. Progent was also able to find local OST data files (Microsoft Outlook Offline Folder Files) on user PCs to recover email information. A recent offline backup of the customer's accounting/ERP systems made it possible to bring these vital services back online for users. Although major work remained to recover totally from the Ryuk virus, the most important services were restored rapidly:


"For the most part, the production operation survived unscathed and we made all customer shipments."

During the next couple of weeks key milestones in the recovery process were completed through tight cooperation between Progent consultants and the customer:

  • Internal web sites were brought back up with no loss of data.
  • The MailStore Exchange Server archive, holding more than four million historical messages, was brought on-line and made accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory Control modules were fully functional.
  • A new Palo Alto 850 security appliance was set up and programmed.
  • 90% of the desktops and laptops were operational.

"Much of what transpired those first few days is mostly a fog for me, but I will not forget the urgency each of you put in to give us our business back. I've been working together with Progent for at least 10 years, maybe more, and every time Progent has shined and delivered. This time was a life saver."

Conclusion
A likely enterprise-killing catastrophe was averted by results-oriented professionals, a broad range of technical expertise, and close collaboration. Although in hindsight the crypto-ransomware penetration detailed here would have been shut down by up-to-date security technology solutions and recognized best practices, staff education, and well-designed incident response procedures for information backup and applying software patches, the fact remains that state-sponsored cyber criminals from China, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware virus, remember that Progent's team of professionals has substantial experience in crypto-ransomware blocking, remediation, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were helping), I'm grateful for making it so I could get some sleep after we got past the first week. All of you did a fabulous job, and if any of you are around the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer story, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Dallas a range of online monitoring and security evaluation services to help you to minimize the threat from crypto-ransomware. These services include modern AI technology to uncover new strains of crypto-ransomware that are able to get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates next generation behavior machine learning tools to defend physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which easily evade traditional signature-based AV tools. ProSight ASM protects local and cloud resources and offers a single platform to automate the complete threat lifecycle including filtering, identification, mitigation, remediation, and forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer security for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and reacting to cyber threats from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint management, and web filtering via leading-edge technologies incorporated within one agent accessible from a unified control. Progent's data protection and virtualization experts can assist your business to plan and configure a ProSight ESP environment that meets your company's unique requirements and that helps you demonstrate compliance with government and industry information protection regulations. Progent will help you define and configure policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that call for urgent attention. Progent can also help you to install and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations an affordable and fully managed solution for secure backup/disaster recovery. For a low monthly cost, ProSight DPS automates your backup processes and allows fast recovery of vital files, applications and virtual machines that have become unavailable or corrupted due to component breakdowns, software glitches, disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, plus Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to an on-premises device, or to both. Progent's backup and recovery specialists can deliver advanced support to set up ProSight DPS to be compliant with regulatory standards such as HIPAA, FINRA, and PCI and, whenever necessary, can help you to recover your critical information. Learn more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top data security vendors to deliver centralized management and comprehensive security for your inbound and outbound email. The hybrid structure of Progent's Email Guard managed service combines a Cloud Protection Layer with a local gateway device to offer advanced defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne malware. The Cloud Protection Layer serves as a first line of defense and keeps the vast majority of threats from reaching your security perimeter. This reduces your exposure to inbound attacks and saves network bandwidth and storage space. Email Guard's onsite gateway appliance adds a further layer of analysis for inbound email. For outgoing email, the onsite gateway provides AV and anti-spam filtering, DLP, and email encryption. The local security gateway can also help Microsoft Exchange Server to monitor and safeguard internal email that stays within your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for smaller organizations to map, monitor, reconfigure and troubleshoot their networking hardware such as routers and switches, firewalls, and wireless controllers as well as servers, printers, client computers and other devices. Using cutting-edge RMM technology, WAN Watch makes sure that infrastructure topology maps are kept current, captures and manages the configuration information of virtually all devices connected to your network, monitors performance, and sends notices when potential issues are detected. By automating time-consuming management activities, WAN Watch can knock hours off common chores such as making network diagrams, reconfiguring your network, finding appliances that require important updates, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management technology to help keep your IT system running at peak levels by checking the state of vital computers that power your business network. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your specified IT management staff and your assigned Progent engineering consultant so that all potential issues can be resolved before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure fault-tolerant data center on a fast virtual host set up and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the applications. Since the system is virtualized, it can be ported immediately to a different hosting solution without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied to one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, retrieve and safeguard information related to your network infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be alerted about impending expirations of SSL certificates or domains. By cleaning up and managing your network documentation, you can eliminate as much as half of the time spent searching for vital information about your network. ProSight IT Asset Management includes a common location for holding and sharing all documents related to managing your business network such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether you're making enhancements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

For Dallas 24-Hour Crypto-Ransomware Removal Support Services, call Progent at 800-993-9400 or go to Contact Progent.