Crypto-Ransomware : Your Worst Information Technology Nightmare
Ransomware  Recovery ProfessionalsRansomware has become a modern cyber pandemic that represents an extinction-level threat for organizations unprepared for an attack. Different iterations of ransomware like the CrySIS, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been circulating for many years and continue to cause havoc. Modern versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, as well as more unnamed malware, not only do encryption of online data files but also infect any accessible system protection. Data replicated to the cloud can also be corrupted. In a poorly designed system, it can make automatic restore operations hopeless and basically sets the datacenter back to square one.

Retrieving applications and data after a crypto-ransomware outage becomes a sprint against the clock as the targeted organization fights to contain and eradicate the ransomware and to restore business-critical operations. Due to the fact that ransomware needs time to spread, attacks are frequently launched during nights and weekends, when successful attacks in many cases take longer to identify. This multiplies the difficulty of rapidly mobilizing and coordinating a capable response team.

Progent has a variety of help services for protecting businesses from crypto-ransomware attacks. Among these are staff training to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of modern security gateways with artificial intelligence technology to quickly detect and suppress zero-day cyber threats. Progent in addition offers the assistance of veteran ransomware recovery engineers with the talent and perseverance to rebuild a breached network as rapidly as possible.

Progent's Crypto-Ransomware Restoration Support Services
After a crypto-ransomware event, paying the ransom in Bitcoin cryptocurrency does not guarantee that merciless criminals will respond with the needed codes to decipher all your data. Kaspersky ascertained that seventeen percent of ransomware victims never restored their information after having sent off the ransom, resulting in additional losses. The risk is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the typical ransomware demands, which ZDNET determined to be in the range of $13,000. The other path is to setup from scratch the vital elements of your Information Technology environment. Without the availability of full information backups, this requires a broad range of skills, well-coordinated project management, and the willingness to work 24x7 until the job is completed.

For decades, Progent has provided certified expert Information Technology services for companies in El Paso and across the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have attained advanced industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have garnered internationally-recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has expertise with financial systems and ERP application software. This breadth of expertise provides Progent the ability to rapidly identify important systems and organize the surviving components of your network environment after a crypto-ransomware event and assemble them into a functioning network.

Progent's security team of experts deploys top notch project management applications to orchestrate the complex recovery process. Progent understands the importance of acting swiftly and in unison with a customerís management and IT staff to assign priority to tasks and to put critical services back online as fast as humanly possible.

Customer Case Study: A Successful Ransomware Penetration Restoration
A business contacted Progent after their organization was taken over by Ryuk ransomware virus. Ryuk is thought to have been created by Northern Korean state sponsored hackers, possibly using technology exposed from the United States NSA organization. Ryuk goes after specific companies with little or no tolerance for disruption and is one of the most profitable examples of ransomware. High publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in the Chicago metro area with around 500 workers. The Ryuk attack had frozen all essential operations and manufacturing capabilities. Most of the client's information backups had been directly accessible at the time of the attack and were encrypted. The client was evaluating paying the ransom demand (in excess of two hundred thousand dollars) and praying for good luck, but in the end engaged Progent.


"I canít speak enough in regards to the help Progent gave us during the most critical period of (our) companyís existence. We had little choice but to pay the criminal gangs if it wasnít for the confidence the Progent team provided us. That you were able to get our e-mail and important servers back sooner than one week was amazing. Every single consultant I spoke to or e-mailed at Progent was urgently focused on getting us operational and was working breakneck pace to bail us out."

Progent worked with the customer to quickly identify and prioritize the critical elements that had to be restored in order to resume business functions:

  • Active Directory
  • Microsoft Exchange Email
  • Accounting and Manufacturing Software
To get going, Progent followed Anti-virus penetration response best practices by isolating and cleaning up infected systems. Progent then started the process of recovering Microsoft AD, the foundation of enterprise networks built on Microsoft Windows technology. Microsoft Exchange email will not operate without Active Directory, and the client's financials and MRP software utilized Microsoft SQL, which needs Windows AD for security authorization to the databases.

Within 48 hours, Progent was able to re-build Active Directory to its pre-intrusion state. Progent then assisted with reinstallations and storage recovery on essential systems. All Microsoft Exchange Server ties and configuration information were usable, which accelerated the rebuild of Exchange. Progent was able to assemble intact OST data files (Outlook Email Offline Folder Files) on user PCs to recover email information. A recent off-line backup of the client's financials/MRP systems made it possible to return these required applications back available to users. Although major work was left to recover fully from the Ryuk virus, critical systems were recovered rapidly:


"For the most part, the production operation never missed a beat and we produced all customer sales."

During the next couple of weeks critical milestones in the restoration process were completed through tight collaboration between Progent consultants and the customer:

  • Internal web applications were returned to operation without losing any data.
  • The MailStore Exchange Server exceeding 4 million historical emails was brought on-line and available for users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/AR/Inventory functions were completely functional.
  • A new Palo Alto Networks 850 security appliance was set up and programmed.
  • Most of the user desktops were being used by staff.

"So much of what occurred in the initial days is nearly entirely a fog for me, but my team will not forget the care all of your team accomplished to give us our company back. I have utilized Progent for at least 10 years, possibly more, and every time Progent has come through and delivered. This situation was a life saver."

Conclusion
A likely business disaster was evaded by dedicated experts, a wide range of technical expertise, and close collaboration. Although in retrospect the ransomware penetration detailed here should have been prevented with up-to-date security systems and NIST Cybersecurity Framework best practices, staff education, and appropriate security procedures for information protection and applying software patches, the reality is that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and are an ongoing threat. If you do get hit by a crypto-ransomware attack, remember that Progent's roster of professionals has a proven track record in crypto-ransomware virus defense, remediation, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thanks very much for letting me get some sleep after we made it through the initial fire. All of you did an amazing job, and if any of your guys is visiting the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in El Paso a portfolio of online monitoring and security evaluation services designed to assist you to minimize the threat from crypto-ransomware. These services utilize modern AI technology to detect zero-day strains of crypto-ransomware that are able to escape detection by traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates next generation behavior-based machine learning technology to guard physical and virtual endpoint devices against new malware assaults like ransomware and file-less exploits, which routinely get by legacy signature-based anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a unified platform to automate the complete threat lifecycle including protection, detection, mitigation, remediation, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer ultra-affordable in-depth security for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and reacting to cyber assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alarms, device management, and web filtering through leading-edge tools packaged within one agent accessible from a unified console. Progent's security and virtualization experts can help you to plan and implement a ProSight ESP environment that addresses your company's unique requirements and that helps you prove compliance with legal and industry information protection standards. Progent will assist you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require immediate attention. Progent's consultants can also assist you to install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized organizations an affordable and fully managed service for reliable backup/disaster recovery. Available at a fixed monthly price, ProSight Data Protection Services automates your backup activities and allows fast restoration of critical data, applications and virtual machines that have become lost or damaged due to component breakdowns, software bugs, disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images/. Important data can be backed up on the cloud, to a local device, or to both. Progent's backup and recovery consultants can provide advanced expertise to set up ProSight DPS to to comply with government and industry regulatory requirements such as HIPAA, FIRPA, PCI and Safe Harbor and, when necessary, can help you to recover your business-critical data. Find out more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top data security vendors to deliver web-based control and comprehensive security for all your inbound and outbound email. The hybrid architecture of Email Guard integrates a Cloud Protection Layer with a local gateway device to provide advanced defense against spam, viruses, Denial of Service Attacks, DHAs, and other email-based threats. Email Guard's Cloud Protection Layer serves as a first line of defense and keeps most unwanted email from making it to your security perimeter. This reduces your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's onsite gateway device provides a further level of analysis for incoming email. For outgoing email, the on-premises security gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Microsoft Exchange Server to track and safeguard internal email that originates and ends within your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progentís ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map, track, enhance and debug their networking appliances like switches, firewalls, and wireless controllers plus servers, endpoints and other devices. Using state-of-the-art RMM technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always updated, captures and manages the configuration of virtually all devices connected to your network, tracks performance, and sends alerts when problems are discovered. By automating complex management activities, ProSight WAN Watch can cut hours off ordinary tasks like making network diagrams, reconfiguring your network, finding devices that require critical software patches, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) technology to keep your IT system running efficiently by checking the health of critical assets that power your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your designated IT management personnel and your assigned Progent consultant so that all potential problems can be resolved before they have a chance to disrupt productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual host configured and managed by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the apps. Since the environment is virtualized, it can be moved easily to an alternate hardware solution without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and protect information related to your IT infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be alerted about impending expirations of SSLs or domains. By updating and managing your IT documentation, you can eliminate up to half of time spent looking for vital information about your IT network. ProSight IT Asset Management features a common repository for holding and sharing all documents related to managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether youíre making enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.
For El Paso 24x7 Crypto-Ransomware Recovery Help, reach out to Progent at 800-993-9400 or go to Contact Progent.