Crypto-Ransomware : Your Crippling Information Technology Disaster
Ransomware  Remediation ProfessionalsCrypto-Ransomware has become a modern cyber pandemic that represents an extinction-level danger for businesses of all sizes unprepared for an assault. Different versions of ransomware like the CryptoLocker, WannaCry, Locky, SamSam and MongoLock cryptoworms have been running rampant for a long time and continue to inflict damage. The latest strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, along with more as yet unnamed viruses, not only do encryption of online data files but also infect most configured system protection. Information replicated to the cloud can also be rendered useless. In a vulnerable data protection solution, it can make automatic restore operations useless and effectively sets the datacenter back to zero.

Getting back online applications and information after a ransomware outage becomes a race against the clock as the victim struggles to contain the damage and clear the virus and to restore enterprise-critical operations. Since ransomware requires time to spread, assaults are usually launched during nights and weekends, when successful attacks are likely to take more time to detect. This multiplies the difficulty of promptly assembling and orchestrating a qualified response team.

Progent makes available a variety of solutions for protecting enterprises from ransomware attacks. Among these are staff education to become familiar with and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of modern security gateways with artificial intelligence capabilities to rapidly detect and suppress zero-day threats. Progent in addition provides the services of expert ransomware recovery professionals with the talent and perseverance to rebuild a compromised network as rapidly as possible.

Progent's Ransomware Restoration Support Services
Subsequent to a crypto-ransomware attack, paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that cyber criminals will return the needed codes to decipher any or all of your information. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their data after having paid the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is significantly above the typical ransomware demands, which ZDNET averages to be around $13,000. The alternative is to setup from scratch the vital elements of your Information Technology environment. Without access to full information backups, this requires a wide range of skills, well-coordinated team management, and the willingness to work non-stop until the job is completed.

For twenty years, Progent has provided professional IT services for companies in Edmonton and across the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have been awarded top industry certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have garnered internationally-renowned certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience in financial management and ERP software solutions. This breadth of expertise gives Progent the capability to rapidly ascertain necessary systems and organize the surviving parts of your network environment after a crypto-ransomware event and assemble them into an operational network.

Progent's recovery group has top notch project management systems to orchestrate the complex restoration process. Progent understands the urgency of working quickly and in concert with a customerís management and IT resources to prioritize tasks and to get the most important systems back on-line as soon as possible.

Case Study: A Successful Ransomware Attack Response
A client sought out Progent after their company was taken over by the Ryuk ransomware. Ryuk is generally considered to have been deployed by Northern Korean state sponsored cybercriminals, possibly using algorithms leaked from Americaís National Security Agency. Ryuk seeks specific businesses with little tolerance for operational disruption and is one of the most profitable iterations of ransomware. Well Known targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in the Chicago metro area with about 500 workers. The Ryuk intrusion had shut down all company operations and manufacturing processes. The majority of the client's backups had been directly accessible at the beginning of the intrusion and were damaged. The client was taking steps for paying the ransom (in excess of two hundred thousand dollars) and praying for good luck, but in the end utilized Progent.


"I canít thank you enough about the support Progent provided us during the most stressful period of (our) companyís existence. We would have paid the cybercriminals except for the confidence the Progent team provided us. That you were able to get our messaging and key applications back on-line quicker than 1 week was amazing. Every single consultant I spoke to or messaged at Progent was laser focused on getting my company operational and was working breakneck pace to bail us out."

Progent worked with the client to rapidly get our arms around and prioritize the essential systems that needed to be restored in order to continue company operations:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • Financials/MRP
To begin, Progent adhered to Anti-virus event response industry best practices by halting the spread and performing virus removal steps. Progent then began the process of bringing back online Microsoft AD, the heart of enterprise environments built on Microsoft technology. Exchange messaging will not function without Windows AD, and the client's accounting and MRP applications used Microsoft SQL, which needs Active Directory for security authorization to the data.

Within 2 days, Progent was able to re-build Windows Active Directory to its pre-penetration state. Progent then initiated setup and storage recovery of needed applications. All Exchange data and attributes were usable, which greatly helped the rebuild of Exchange. Progent was also able to assemble intact OST data files (Outlook Offline Data Files) on user workstations and laptops in order to recover mail information. A not too old offline backup of the businesses financials/MRP software made it possible to restore these required programs back on-line. Although significant work needed to be completed to recover totally from the Ryuk attack, essential systems were returned to operations rapidly:


"For the most part, the production manufacturing operation survived unscathed and we delivered all customer sales."

Over the next few weeks critical milestones in the recovery process were accomplished in tight collaboration between Progent team members and the client:

  • In-house web applications were returned to operation with no loss of information.
  • The MailStore Microsoft Exchange Server with over 4 million historical emails was brought on-line and available for users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory functions were fully recovered.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Most of the user PCs were fully operational.

"A huge amount of what transpired in the early hours is nearly entirely a haze for me, but my management will not soon forget the dedication each and every one of you put in to help get our company back. I have trusted Progent for the past 10 years, maybe more, and each time Progent has outperformed my expectations and delivered. This event was a Herculean accomplishment."

Conclusion
A probable business disaster was dodged by hard-working experts, a wide array of knowledge, and close collaboration. Although in hindsight the ransomware attack described here would have been blocked with current cyber security technology and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, and well thought out incident response procedures for backup and proper patching controls, the reality is that government-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and will continue. If you do get hit by a ransomware virus, feel confident that Progent's team of experts has a proven track record in ransomware virus blocking, cleanup, and data disaster recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for letting me get rested after we got over the first week. All of you did an amazing effort, and if anyone is around the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer story, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Edmonton a portfolio of online monitoring and security evaluation services to help you to minimize your vulnerability to crypto-ransomware. These services utilize next-generation artificial intelligence technology to detect zero-day strains of ransomware that are able to get past legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes cutting edge behavior machine learning tools to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and file-less exploits, which easily evade legacy signature-matching anti-virus products. ProSight ASM protects on-premises and cloud resources and provides a single platform to automate the complete malware attack lifecycle including protection, identification, mitigation, cleanup, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer security for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, device management, and web filtering through leading-edge technologies incorporated within a single agent managed from a unified control. Progent's data protection and virtualization consultants can help you to design and implement a ProSight ESP deployment that addresses your organization's unique needs and that allows you achieve and demonstrate compliance with legal and industry data security regulations. Progent will assist you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require urgent action. Progent's consultants can also help you to set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business rapidly from a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and mid-sized organizations an affordable end-to-end solution for secure backup/disaster recovery. Available at a fixed monthly rate, ProSight Data Protection Services automates and monitors your backup activities and enables fast restoration of vital files, applications and VMs that have become lost or damaged as a result of hardware failures, software glitches, natural disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, apps, system images, plus Hyper-V and VMware images/. Critical data can be protected on the cloud, to a local storage device, or to both. Progent's cloud backup consultants can deliver advanced expertise to set up ProSight DPS to to comply with regulatory standards such as HIPAA, FIRPA, PCI and Safe Harbor and, whenever needed, can assist you to restore your business-critical data. Find out more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading data security vendors to deliver centralized management and world-class security for your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with a local security gateway device to offer complete protection against spam, viruses, Dos Attacks, DHAs, and other email-borne threats. Email Guard's cloud filter acts as a first line of defense and blocks the vast majority of unwanted email from making it to your network firewall. This decreases your exposure to inbound attacks and saves system bandwidth and storage space. Email Guard's onsite security gateway device adds a further layer of inspection for incoming email. For outbound email, the on-premises security gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The onsite security gateway can also help Exchange Server to track and safeguard internal email that stays inside your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progentís ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to diagram, track, optimize and troubleshoot their networking appliances such as routers, firewalls, and wireless controllers plus servers, endpoints and other devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept current, captures and manages the configuration information of virtually all devices on your network, tracks performance, and generates alerts when problems are detected. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can cut hours off common tasks like making network diagrams, expanding your network, finding appliances that require critical updates, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system operating at peak levels by tracking the health of vital computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your specified IT staff and your assigned Progent consultant so that any looming issues can be resolved before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure fault tolerant data center on a high-performance virtual host configured and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the apps. Since the environment is virtualized, it can be ported immediately to an alternate hardware environment without requiring a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, find and safeguard information related to your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be warned about upcoming expirations of SSLs ,domains or warranties. By updating and managing your network documentation, you can eliminate up to half of time spent trying to find critical information about your IT network. ProSight IT Asset Management includes a common repository for holding and sharing all documents related to managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether youíre making improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.
For Edmonton 24/7 Crypto Cleanup Help, reach out to Progent at 800-462-8800 or go to Contact Progent.