Crypto-Ransomware: Your Feared IT Nightmare
Ransomware has become an escalating cyber pandemic that presents an extinction-level danger for organizations poorly prepared for an attack. Multiple generations of crypto-ransomware such as Dharma, CryptoWall, Locky, NotPetya and MongoLock have been running rampant for years and continue to cause havoc. Recent families like Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Nefilim, along with a steady stream of unnamed variants, not only encrypt critical online data but also seek out and destroy every backup and system-protection resource they can reach. Data synchronized to off-site disaster recovery sites can be ransomed too, because the replication job faithfully copies the encrypted versions over the good ones. With a vulnerable data protection design, this can make any restore operation hopeless and effectively knocks the network back to square one.
Recovering programs and data after a crypto-ransomware attack becomes a race against the clock as the targeted business fights to stop lateral movement, eradicate the ransomware, and resume business-critical activity. Because crypto-ransomware takes time to spread, attacks are frequently launched at night or over weekends, when a successful attack tends to take longer to notice. This multiplies the difficulty of promptly marshalling and coordinating an experienced mitigation team.
Progent offers a range of services for protecting organizations from ransomware attacks. These include staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring for behavior-based endpoint protection, and deployment of modern security appliances with machine learning capabilities to detect and suppress new threats. Progent can also provide veteran ransomware recovery consultants with the skills and perseverance to re-deploy a breached network as urgently as possible.
Progent's Ransomware Recovery Support Services
After a ransomware penetration, paying the ransom in Bitcoin does not guarantee that the criminals will hand over the keys needed to decrypt all your files. Kaspersky found that 17% of ransomware victims never recovered their data even after paying, compounding their losses. Paying is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC ($120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet estimates at approximately $13,000. The other path is to piece back together the critical elements of your IT environment. Without usable system backups, this calls for a wide complement of skills, professional project management, and the willingness to work 24x7 until the job is done.
For decades, Progent has provided professional IT services for businesses in Dayton and across the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who hold top certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security specialists hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial management and ERP applications. This breadth of experience allows Progent to rapidly identify the systems that matter, organize the surviving pieces of your IT environment after a crypto-ransomware attack, and assemble them into an operational system.
Progent's recovery team of experts utilizes state-of-the-art project management applications to coordinate the sophisticated restoration process. Progent understands the urgency of acting swiftly and in concert with a client's management and IT resources to prioritize tasks and to get the most important applications back on line as soon as possible.
Customer Story: A Successful Ransomware Attack Restoration
A small business engaged Progent after their organization was taken over by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored groups because of code it shares with the earlier Hermes ransomware, but later analysis attributed it to Russian-speaking criminal operators, who typically stage it on a network that has already been compromised by a TrickBot or Emotet infection. Ryuk targets specific businesses with little or no ability to sustain operational disruption and is one of the most profitable iterations of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing business headquartered in Chicago with around 500 staff members. The Ryuk attack had paralyzed all business operations and manufacturing processes. Most of the client's system backups had been reachable over the network from the compromised systems at the time of the intrusion and were rendered unusable. The client was preparing to pay the ransom demand (more than $200,000) and hope for the best, but ultimately decided to engage Progent instead.
"I cannot speak enough about the support Progent provided us throughout the most stressful time of (our) business's life. We would have paid the cybercriminals if not for the confidence the Progent group provided us. That you were able to get our messaging and key applications back on-line in less than five days was earth shattering. Every single consultant I interacted with or messaged at Progent was amazingly focused on getting us back online and was working day and night to bail us out."
Progent worked with the client to quickly identify and prioritize the critical elements that had to be recovered in order to restart company operations:
First, Progent followed incident response best practices for a malware outbreak: contain the spread by isolating infected hosts and segments from the rest of the network, then eradicate the ransomware from infected systems before rebuilding anything on top of them. Progent then started the work of restoring Active Directory, the foundation of enterprise networks built on Microsoft technology. Microsoft Exchange Server will not function without AD, and the client's accounting and MRP applications relied on Microsoft SQL Server, which, when configured for Windows integrated authentication, depends on Active Directory to authenticate access to the databases.
- Active Directory (AD)
Within two days, Progent had recovered Active Directory to its pre-attack state. Progent then began rebuilding and disk recovery on critical servers. Because all of the Exchange Server objects and attributes in AD were intact, the restore of Exchange was greatly simplified. Progent was able to collect unencrypted OST files (Microsoft Outlook Offline Folder Files) from user PCs to recover mailbox data. A reasonably recent offline backup of the client's accounting/ERP systems made it possible to bring these required services back online. Although a large amount of work remained to recover fully from the Ryuk attack, critical services were restored quickly:
"For the most part, the manufacturing operation showed little impact and we delivered all customer shipments."
Over the following couple of weeks, critical milestones in the restoration process were reached through close cooperation between Progent team members and the client:
- In-house web applications were brought back up without losing any information.
- The MailStore email archive server, holding more than 4 million historical messages, was restored to operation and made accessible to users.
- CRM, Customer Orders, Invoicing, AP, Accounts Receivable (AR) and Inventory Control modules were 100 percent operational.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Ninety percent of the user PCs were fully operational.
"A lot of what went on during the initial response is mostly a haze for me, but I will not soon forget the dedication each and every one of you accomplished to give us our company back. I have trusted Progent for the past ten years, possibly more, and each time Progent has outperformed my expectations and delivered as promised. This time was a life saver."
A likely business extinction catastrophe was avoided through the efforts of dedicated professionals, a wide array of subject matter expertise, and tight collaboration. Although, in retrospect, the crypto-ransomware attack described here could have been detected and prevented with modern security tooling and best practices, user training, well-designed incident response procedures, and disciplined patching controls, the fact remains that cyber criminals, state-sponsored and otherwise, operating from Russia, China and elsewhere are tireless and are not going away. If you do get hit by a ransomware penetration, feel confident that Progent's team of experts has a proven track record in crypto-ransomware defense, mitigation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were involved), I'm grateful for letting me get rested after we made it over the initial push. All of you made an amazing effort, and if anyone that helped is in the Chicago area, a great meal is my treat!"
To read or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Dayton a range of online monitoring and security assessment services designed to help you reduce the threat from ransomware. These services use modern behavioral and machine learning analysis to detect new strains of crypto-ransomware that evade legacy signature-based security products.
For Dayton 24x7x365 Crypto-Ransomware Removal Consultants, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection service that incorporates next generation behavior-based analysis to defend physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which routinely evade traditional signature-matching anti-virus products. ProSight ASM safeguards on-premises and cloud resources and provides a unified platform to automate the entire threat lifecycle including blocking, detection, mitigation, remediation, and forensics. Top features include one-click rollback using Windows VSS and real-time system-wide immunization against new threats. One caveat a practitioner should keep in mind: most current ransomware families delete Volume Shadow Copies (typically via vssadmin or WMI) before encrypting, so VSS-based rollback only works when the endpoint agent protects those snapshots from tampering. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
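As an added illustration of the difference between the two detection approaches named above (this is example code written for this page, not Progent's or any vendor's product logic), the Python below compares a signature lookup, which misses any binary whose hash is not already in the database, with a behavioral check that flags a process which overwrites many distinct files with high-entropy data and renames them to a new extension inside a short window. The file-event records, the hash database, the `.locked` extension and the entropy/file-count thresholds are all constructed assumptions for the example, not real telemetry or product settings.

```python
"""Toy comparison of signature-based and behavior-based ransomware detection.

Added example for this page; not code from Progent or any vendor.
All events, hashes and thresholds below are constructed sample data.
"""
import hashlib
import math
from collections import Counter, defaultdict
from dataclasses import dataclass

# Hypothetical signature database: SHA-256 hashes of binaries already known bad.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"ransomware build 1").hexdigest()}


def signature_detect(binary: bytes) -> bool:
    """Classic AV logic: flag only if this exact binary has been seen before."""
    return hashlib.sha256(binary).hexdigest() in KNOWN_BAD_SHA256


@dataclass
class FileEvent:
    ts: float           # seconds since start of the observation window
    pid: int            # process that performed the operation
    op: str             # "write" or "rename"
    path: str           # file acted on
    data: bytes = b""   # bytes written (only for "write")
    new_path: str = ""  # destination (only for "rename")


def ext(path: str) -> str:
    """File extension without the dot, or '' if there is none."""
    return path.rsplit(".", 1)[-1] if "." in path else ""


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed output sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def behavioral_detect(events, window=10.0, entropy_min=7.5, min_files=5):
    """Flag any PID that, within `window` seconds, overwrites at least
    `min_files` distinct files with high-entropy data AND renames at least
    `min_files` files to a different extension. Returns the flagged PIDs."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid[ev.pid].append(ev)
    flagged = set()
    for pid, evs in by_pid.items():
        for i, start in enumerate(evs):       # slide the window over each start
            hot_files, renamed = set(), 0
            for ev in evs[i:]:
                if ev.ts - start.ts > window:
                    break
                if ev.op == "write" and shannon_entropy(ev.data) >= entropy_min:
                    hot_files.add(ev.path)
                elif ev.op == "rename" and ext(ev.new_path) != ext(ev.path):
                    renamed += 1
            if len(hot_files) >= min_files and renamed >= min_files:
                flagged.add(pid)
                break
    return flagged


# Constructed payloads: a byte-uniform block (entropy exactly 8.0) stands in
# for ciphertext; repeated text stands in for an ordinary document save.
ENCRYPTED = bytes(range(256)) * 16
PLAINTEXT = b"quarterly report draft\n" * 200


def sample_events():
    """Constructed telemetry: PID 4242 behaves like ransomware, PID 100 is benign."""
    evs = []
    for i in range(8):
        p = f"C:/Shares/Finance/doc{i}.docx"
        evs.append(FileEvent(ts=0.2 * i, pid=4242, op="write", path=p, data=ENCRYPTED))
        evs.append(FileEvent(ts=0.2 * i + 0.1, pid=4242, op="rename", path=p,
                             new_path=p + ".locked"))
    evs.append(FileEvent(ts=1.0, pid=100, op="write",
                         path="C:/Users/alice/notes.txt", data=PLAINTEXT))
    return evs


if __name__ == "__main__":
    # A freshly rebuilt binary has a new hash, so the signature check misses it...
    print("signature hit on new build:", signature_detect(b"ransomware build 2"))
    # ...while the behavioral rule flags the process by what it does to files.
    print("behaviorally flagged PIDs:", behavioral_detect(sample_events()))
```

The thresholds are deliberately simple; a production agent would also weigh canary files, write rates per volume, and shadow-copy deletion attempts, and would tune `min_files` so that legitimate bulk operations such as backup jobs or compression tools do not trip the rule.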
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth protection for physical servers and VMs, workstations, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and react to cyber attacks from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint management, and web filtering through technologies incorporated within a single agent managed from one console. Progent's security and virtualization experts can help your business design and implement a ProSight ESP deployment that addresses your company's specific needs and allows you to demonstrate compliance with legal and industry data protection standards. Progent will help you define and configure the policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alerts that require immediate action. Progent's consultants can also help you set up and verify a backup and restore system such as ProSight Data Protection Services so you can recover quickly from a destructive attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services offer small and medium-sized businesses a low-cost, fully managed solution for secure backup and disaster recovery (BDR). Available at a fixed monthly cost, ProSight DPS automates your backup processes and allows rapid restoration of vital files, applications and VMs that have become unavailable or corrupted due to hardware failures, software glitches, natural disasters, human error, or malware attacks like ransomware. ProSight DPS can back up, recover and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware images. Critical data can be protected in the cloud, on an on-premises storage device, or mirrored to both. Because ransomware encrypts or deletes any backup repository it can reach with the credentials it has stolen, at least one copy should be kept offline or in immutable storage that cannot be altered from the production network; the offline ERP backup in the case study above is what made that recovery possible. Progent's BDR specialists can provide expert help to set up ProSight Data Protection Services to comply with regulatory standards like HIPAA, FINRA, and PCI and, whenever necessary, can help you restore your business-critical data. Read more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading data security vendors to provide web-based management and strong security for your inbound and outbound email. The hybrid structure of Email Guard integrates cloud-based filtering with an on-premises security gateway appliance to offer advanced protection against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a first line of defense and blocks most threats before they reach your network firewall. This reduces your exposure to external attacks and conserves bandwidth and storage space. Email Guard's onsite security gateway provides a further level of analysis for incoming email. For outbound email, the on-premises gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Microsoft Exchange Server track and safeguard internal email that never leaves your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized businesses to map out, monitor, reconfigure and troubleshoot their networking appliances like routers and switches, firewalls, and load balancers plus servers, printers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology maps are kept updated, captures and displays the configuration of virtually all devices on your network, monitors performance, and sends alerts when potential issues are discovered. By automating tedious management activities, ProSight WAN Watch can knock hours off common chores such as network mapping, reconfiguring your network, finding devices that need important software patches, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) technology to keep your IT system operating at peak levels by checking the state of vital assets that power your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your specified IT personnel and your assigned Progent consultant so that all looming problems can be addressed before they can disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual host set up and managed by Progent's network support experts. Under the ProSight Virtual Hosting model, the client owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved promptly to an alternate hosting solution without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that allows you to create, update, retrieve and protect information about your IT infrastructure, procedures, applications, and services. You can instantly locate passwords or IP addresses and be warned about impending expirations of SSL/TLS certificates or domain registrations. By keeping your network documentation current and organized, you can save up to half of the time spent looking for vital information about your IT network. ProSight IT Asset Management includes a common repository for storing and sharing all documents required for managing your network infrastructure, such as recommended procedures and how-to guides. ProSight IT Asset Management also supports advanced automation for collecting and correlating IT data. Whether you're planning enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.