Crypto-Ransomware : Your Worst IT Catastrophe
Ransomware  Recovery ProfessionalsRansomware has become an escalating cyber pandemic that poses an extinction-level threat for businesses poorly prepared for an attack. Versions of ransomware such as Reveton, Fusob, Locky, SamSam and MongoLock cryptoworms have been running rampant for many years and still inflict havoc. Newer strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, as well as additional unnamed newcomers, not only do encryption of online data but also infect any available system backups. Data replicated to cloud environments can also be rendered useless. In a poorly designed environment, it can make any restore operations useless and effectively sets the datacenter back to square one.

Getting back online applications and data following a crypto-ransomware attack becomes a sprint against the clock as the targeted business tries its best to stop lateral movement and cleanup the ransomware and to resume mission-critical activity. Due to the fact that ransomware takes time to move laterally, attacks are often launched during weekends and nights, when successful penetrations in many cases take longer to identify. This multiplies the difficulty of quickly mobilizing and orchestrating a capable mitigation team.

Progent makes available an assortment of help services for protecting businesses from ransomware penetrations. These include staff training to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of modern security solutions with artificial intelligence technology to automatically identify and quarantine day-zero cyber attacks. Progent also offers the services of veteran crypto-ransomware recovery professionals with the track record and perseverance to rebuild a compromised environment as quickly as possible.

Progent's Ransomware Recovery Services
After a crypto-ransomware penetration, sending the ransom demands in Bitcoin cryptocurrency does not guarantee that cyber hackers will respond with the needed keys to unencrypt any or all of your information. Kaspersky Labs determined that seventeen percent of crypto-ransomware victims never recovered their files after having sent off the ransom, resulting in increased losses. The risk is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is well higher than the typical ransomware demands, which ZDNET estimates to be around $13,000. The alternative is to piece back together the vital elements of your IT environment. Without the availability of full information backups, this calls for a wide complement of skills, professional project management, and the willingness to work continuously until the recovery project is finished.

For decades, Progent has offered professional Information Technology services for companies in Detroit and across the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have earned top industry certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have garnered internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent in addition has expertise with accounting and ERP applications. This breadth of expertise affords Progent the ability to knowledgably understand necessary systems and organize the surviving components of your network system following a crypto-ransomware event and configure them into an operational system.

Progent's security team of experts has powerful project management systems to coordinate the sophisticated restoration process. Progent knows the urgency of acting rapidly and together with a customerís management and Information Technology staff to prioritize tasks and to put essential systems back online as soon as humanly possible.

Customer Story: A Successful Ransomware Attack Response
A business escalated to Progent after their network was penetrated by Ryuk ransomware. Ryuk is believed to have been deployed by Northern Korean government sponsored cybercriminals, possibly adopting techniques leaked from Americaís National Security Agency. Ryuk goes after specific organizations with limited room for operational disruption and is among the most lucrative examples of ransomware malware. Headline organizations include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in the Chicago metro area with around 500 staff members. The Ryuk penetration had brought down all essential operations and manufacturing processes. Most of the client's system backups had been online at the start of the intrusion and were damaged. The client considered paying the ransom (exceeding two hundred thousand dollars) and hoping for good luck, but ultimately utilized Progent.


"I canít speak enough about the expertise Progent gave us during the most fearful time of (our) companyís life. We had little choice but to pay the Hackers except for the confidence the Progent experts afforded us. That you were able to get our e-mail and production servers back into operation faster than 1 week was amazing. Every single expert I got help from or communicated with at Progent was urgently focused on getting us operational and was working day and night on our behalf."

Progent worked together with the customer to rapidly identify and assign priority to the mission critical services that had to be restored in order to resume departmental functions:

  • Active Directory
  • Electronic Mail
  • Accounting/MRP
To begin, Progent adhered to AV/Malware Processes incident mitigation best practices by halting lateral movement and disinfecting systems. Progent then initiated the steps of bringing back online Microsoft AD, the key technology of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange email will not operate without Active Directory, and the client's MRP software utilized Microsoft SQL, which depends on Active Directory for security authorization to the database.

Within 48 hours, Progent was able to recover Windows Active Directory to its pre-intrusion state. Progent then assisted with reinstallations and storage recovery on key servers. All Exchange schema and attributes were intact, which greatly helped the rebuild of Exchange. Progent was also able to collect intact OST data files (Outlook Off-Line Folder Files) on various workstations in order to recover email information. A not too old offline backup of the client's financials/ERP systems made them able to restore these essential applications back servicing users. Although significant work still had to be done to recover totally from the Ryuk damage, essential systems were recovered rapidly:


"For the most part, the assembly line operation never missed a beat and we did not miss any customer orders."

During the next few weeks critical milestones in the restoration process were achieved in close cooperation between Progent engineers and the client:

  • Internal web sites were restored without losing any information.
  • The MailStore Server containing more than four million archived messages was restored to operations and available for users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory functions were completely operational.
  • A new Palo Alto Networks 850 security appliance was deployed.
  • Most of the user desktops were operational.

"Much of what went on in the early hours is mostly a blur for me, but I will not soon forget the urgency each and every one of you accomplished to give us our business back. I have been working with Progent for the past 10 years, possibly more, and each time Progent has outperformed my expectations and delivered. This event was a life saver."

Conclusion
A potential enterprise-killing catastrophe was dodged with top-tier professionals, a wide array of technical expertise, and tight teamwork. Although in post mortem the ransomware incident detailed here should have been identified and prevented with current cyber security technology and ISO/IEC 27001 best practices, user and IT administrator training, and well thought out security procedures for information backup and keeping systems up to date with security patches, the reality is that state-sponsored cyber criminals from China, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware incursion, remember that Progent's roster of experts has substantial experience in ransomware virus blocking, removal, and data restoration.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), Iím grateful for letting me get rested after we made it past the most critical parts. All of you did an incredible job, and if any of your guys is around the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Detroit a portfolio of remote monitoring and security assessment services to help you to minimize the threat from ransomware. These services utilize next-generation artificial intelligence technology to uncover new strains of ransomware that are able to escape detection by legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates cutting edge behavior-based analysis tools to defend physical and virtual endpoint devices against modern malware assaults such as ransomware and file-less exploits, which easily get by traditional signature-based anti-virus products. ProSight ASM safeguards on-premises and cloud resources and offers a unified platform to manage the complete threat progression including filtering, infiltration detection, containment, remediation, and forensics. Key features include single-click rollback using Windows VSS and automatic network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection managed services offer affordable in-depth security for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and responding to security assaults from all vectors. ProSight ESP provides firewall protection, intrusion alerts, device management, and web filtering via cutting-edge tools incorporated within a single agent accessible from a unified control. Progent's data protection and virtualization consultants can help your business to plan and implement a ProSight ESP deployment that addresses your organization's specific needs and that allows you achieve and demonstrate compliance with legal and industry data security standards. Progent will help you specify and implement policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that require urgent action. Progent can also assist you to set up and test a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations an affordable end-to-end service for secure backup/disaster recovery (BDR). For a fixed monthly price, ProSight DPS automates and monitors your backup processes and allows fast recovery of critical data, apps and virtual machines that have become lost or damaged due to component breakdowns, software bugs, disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to a local storage device, or mirrored to both. Progent's cloud backup consultants can deliver advanced support to set up ProSight DPS to to comply with government and industry regulatory requirements such as HIPAA, FINRA, and PCI and, whenever necessary, can assist you to recover your business-critical information. Learn more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top information security companies to deliver web-based control and comprehensive protection for your email traffic. The powerful architecture of Email Guard managed service integrates a Cloud Protection Layer with an on-premises security gateway appliance to offer advanced defense against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's cloud filter acts as a first line of defense and blocks the vast majority of unwanted email from making it to your security perimeter. This decreases your vulnerability to external threats and saves system bandwidth and storage space. Email Guard's onsite security gateway device adds a deeper level of analysis for inbound email. For outbound email, the onsite gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also assist Exchange Server to track and protect internal email that originates and ends within your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to map, monitor, reconfigure and troubleshoot their connectivity appliances such as routers, firewalls, and wireless controllers plus servers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology maps are kept current, copies and manages the configuration of almost all devices connected to your network, monitors performance, and sends alerts when potential issues are discovered. By automating tedious management and troubleshooting activities, ProSight WAN Watch can knock hours off common chores like making network diagrams, expanding your network, locating appliances that need critical updates, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your network operating efficiently by checking the state of vital computers that power your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your designated IT management personnel and your assigned Progent consultant so any looming problems can be resolved before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual machine host set up and maintained by Progent's network support experts. With the ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the apps. Because the environment is virtualized, it can be moved easily to a different hosting solution without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not tied a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and protect data related to your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates ,domains or warranties. By updating and organizing your network documentation, you can save as much as half of time wasted searching for critical information about your network. ProSight IT Asset Management features a centralized location for storing and sharing all documents required for managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether youíre planning improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need when you need it. Read more about ProSight IT Asset Management service.
For Detroit 24x7 CryptoLocker Cleanup Help, contact Progent at 800-993-9400 or go to Contact Progent.