Crypto-Ransomware: Your Worst Information Technology Nightmare
Ransomware has become a modern cyber pandemic that poses an enterprise-level danger for businesses of all sizes that are poorly prepared for an assault. Multiple generations of crypto-ransomware like the CryptoLocker, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for a long time and still cause destruction. Newer versions of crypto-ransomware like Ryuk and Hermes, along with more unnamed malware, not only encrypt online data files but also infect most accessible system backups. Data synchronized to cloud environments can also be ransomed. In a vulnerable data protection solution, this can render automated restore operations useless and effectively knock the entire system back to zero.
Retrieving programs and data after a ransomware intrusion becomes a sprint against the clock as the targeted business tries its best to stop lateral movement, clean up the virus, and resume enterprise-critical activity. Because ransomware needs time to move laterally, attacks are frequently sprung on weekends, when penetrations may take longer to discover. This compounds the difficulty of promptly mobilizing and coordinating a capable response team.
Progent makes available a variety of services for securing enterprises from ransomware penetrations. Among these are user training to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of modern security gateways with AI capabilities to automatically detect and suppress zero-day cyber attacks. Progent in addition can provide the assistance of veteran ransomware recovery engineers with the track record and perseverance to restore a breached environment as urgently as possible.
Progent's Ransomware Restoration Support Services
Soon after a crypto-ransomware penetration, even paying the ransom in cryptocurrency does not provide any assurance that the cyber hackers will return the keys to decrypt any of your information. Kaspersky estimated that 17% of ransomware victims never recovered their data even after having sent off the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the average crypto-ransomware demand, which ZDNET estimates to be approximately $13,000. The other path is to set up from scratch the mission-critical elements of your IT environment. Absent the availability of essential information backups, this requires a wide complement of skill sets, professional project management, and the willingness to work continuously until the job is done.
For twenty years, Progent has offered expert Information Technology services for businesses in Dayton and throughout the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have been awarded high-level certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have garnered internationally-renowned certifications including CISA, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has expertise with financial systems and ERP application software. This breadth of expertise gives Progent the capability to rapidly identify important systems and re-organize the remaining components of your computer network environment following a ransomware event and configure them into a functioning system.
Progent's recovery team of experts utilizes top-notch project management tools to coordinate the complex recovery process. Progent appreciates the importance of acting rapidly and together with a customer's management and Information Technology staff to assign priority to tasks and to get critical services back on line as fast as humanly possible.
Customer Story: A Successful Crypto-Ransomware Penetration Recovery
A customer contacted Progent after their company was penetrated by the Ryuk ransomware. Ryuk is believed to have been created by North Korean state-sponsored cybercriminals, suspected of adopting techniques leaked from America's National Security Agency. Ryuk goes after specific businesses with little ability to sustain disruption and is among the most profitable iterations of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing company based in the Chicago metro area with around 500 workers. The Ryuk attack had paralyzed all essential operations and manufacturing processes. Most of the client's information backups had been directly accessible at the time of the attack and were eventually encrypted. The client considered paying the ransom (exceeding two hundred thousand dollars) and praying for the best, but in the end reached out to Progent.
"I can't tell you enough in regards to the care Progent provided us throughout the most fearful period of (our) business's life. We may have had to pay the Hackers if it wasn't for the confidence the Progent group afforded us. That you could get our e-mail system and production applications back on-line in less than a week was something I thought impossible. Every single expert I spoke to or texted at Progent was urgently focused on getting us back on-line and was working day and night on our behalf."
Progent worked with the client to quickly assess and assign priority to the critical services that had to be addressed to make it possible to restart company functions:
- Windows Active Directory
- Electronic Mail
To get going, Progent adhered to ransomware event mitigation industry best practices by halting lateral movement and cleaning up infected systems. Progent then started the steps of bringing back online Microsoft Active Directory, the core of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange messaging will not work without AD, and the business's accounting and MRP system used Microsoft SQL, which depends on Active Directory to authorize access to the data.
Within two days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then performed rebuilding and hard drive recovery of key servers. All Exchange schema and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was also able to collect non-encrypted OST files (Outlook Offline Folder Files) on team desktop computers and laptops to recover mail data. A fairly recent offline backup of the customer's financials/MRP software made it possible to return these essential applications to users. Although a lot of work still had to be done to recover totally from the Ryuk attack, critical services were recovered rapidly:
"For the most part, the assembly line operation ran fairly normal throughout and we did not miss any customer orders."
During the following few weeks important milestones in the restoration project were accomplished through tight cooperation between Progent engineers and the client:
- Self-hosted web applications were restored with no loss of information.
- The MailStore Exchange Server exceeding four million historical messages was brought online and available for users.
- CRM/Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory modules were 100 percent restored.
- A new Palo Alto 850 security appliance was installed and configured.
- Nearly all of the user workstations were operational.
"A huge amount of what went on that first week is mostly a haze for me, but my management will not forget the commitment each and every one of the team put in to help get our company back. I've trusted Progent for the past ten years, maybe more, and every time Progent has impressed me and delivered. This situation was the most impressive ever."
A probable business-ending catastrophe was averted with dedicated experts, a wide array of subject matter expertise, and close teamwork. Although in hindsight the ransomware incident described here would have been stopped with current security technology and best practices, user education, and well-designed security procedures for information backup and keeping systems up to date with security patches, the fact is that government-sponsored cyber criminals from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware incursion, feel confident that Progent's roster of experts has extensive experience in ransomware blocking, removal, and information systems restoration.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), I'm grateful for making it so I could get rested after we got past the most critical parts. Everyone did an incredible effort, and if anyone is visiting the Chicago area, dinner is my treat!"
To review or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Dayton a portfolio of online monitoring and security evaluation services to assist you to reduce the threat from crypto-ransomware. These services utilize next-generation machine learning technology to uncover zero-day variants of ransomware that can escape detection by traditional signature-based security products.
For Dayton 24/7/365 CryptoLocker Remediation Support Services, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes cutting edge behavior analysis technology to guard physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which routinely get by traditional signature-based AV tools. ProSight Active Security Monitoring safeguards local and cloud resources and provides a single platform to automate the entire threat progression including filtering, identification, containment, cleanup, and forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection managed services offer ultra-affordable in-depth security for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and responding to security assaults from all attack vectors. ProSight ESP delivers firewall protection, penetration alerts, device management, and web filtering through cutting-edge technologies incorporated within one agent accessible from a single control. Progent's data protection and virtualization consultants can assist you to plan and implement a ProSight ESP deployment that addresses your company's specific requirements and that helps you demonstrate compliance with government and industry data security regulations. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require immediate attention. Progent's consultants can also assist your company to install and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services provide small and mid-sized organizations a low-cost end-to-end solution for reliable backup/disaster recovery (BDR). Available at a low monthly rate, ProSight DPS automates and monitors your backup activities and allows fast recovery of critical data, apps and virtual machines that have become lost or damaged due to component failures, software bugs, disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, apps, system images, as well as Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to an on-premises device, or to both. Progent's BDR specialists can provide world-class support to set up ProSight DPS to be compliant with regulatory standards such as HIPAA, FERPA, PCI and Safe Harbor and, whenever necessary, can help you to recover your business-critical data. Read more about ProSight Data Protection Services Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top data security companies to provide web-based control and comprehensive security for all your email traffic. The powerful structure of Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway device to offer complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The cloud filter acts as a first line of defense and keeps most threats from making it to your network firewall. This decreases your vulnerability to external attacks and saves system bandwidth and storage. Email Guard's onsite security gateway device provides a further level of inspection for incoming email. For outbound email, the local security gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email traffic that stays inside your corporate firewall. For more information, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for smaller businesses to map out, monitor, enhance and debug their connectivity appliances like routers, firewalls, and load balancers as well as servers, printers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology maps are kept current, captures and manages the configuration information of almost all devices on your network, monitors performance, and generates notices when issues are detected. By automating time-consuming management and troubleshooting processes, ProSight WAN Watch can knock hours off common tasks such as making network diagrams, expanding your network, locating devices that need important software patches, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your network operating at peak levels by tracking the state of critical assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your specified IT management staff and your assigned Progent engineering consultant so that any potential issues can be resolved before they can impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected fault tolerant data center on a fast virtual host set up and managed by Progent's IT support professionals. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system platforms, and the apps. Since the system is virtualized, it can be ported easily to an alternate hosting environment without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and safeguard data about your network infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be warned about impending expirations of SSL certificates or domains. By cleaning up and managing your network documentation, you can save up to half of the time spent searching for critical information about your network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents related to managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're planning enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need as soon as you need it. Find out more about ProSight IT Asset Management service.