Crypto-Ransomware : Your Crippling Information Technology Catastrophe
Crypto-ransomware has become a modern cyberplague that represents an existential threat for organizations unprepared for an attack. Different iterations of ransomware like the CryptoLocker, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been running rampant for years and still inflict damage. Modern strains of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Nephilim, plus additional as yet unnamed newcomers, not only encrypt online files but also infiltrate all configured system restores and backups. Information replicated to cloud environments can also be ransomed. In a vulnerable environment, this can render automated restoration impossible and effectively knock the datacenter back to zero.
Recovering services and data following a ransomware attack becomes a race against time as the targeted organization struggles to stop the spread, clean up the ransomware and restore mission-critical operations. Because ransomware needs time to spread, attacks are frequently launched on weekends, when a successful intrusion is likely to take longer to recognize. This compounds the difficulty of rapidly assembling and organizing a qualified mitigation team.
Progent offers a variety of help services for protecting businesses from crypto-ransomware events. These include team education to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of next-generation security appliances with machine learning capabilities to intelligently discover and suppress zero-day cyber threats. Progent in addition offers the services of seasoned ransomware recovery consultants with the talent and perseverance to rebuild a compromised network as soon as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware attack, paying the ransom in cryptocurrency does not guarantee that the cyber criminals will respond with the keys needed to decrypt any of your data. Kaspersky ascertained that 17% of ransomware victims never restored their data even after having paid the ransom, resulting in increased losses. The risk is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is far higher than the average crypto-ransomware demand, which ZDNET estimates to be in the range of $13,000. The other path is to set up the mission-critical components of your Information Technology environment from scratch. Without full information backups available, this calls for a broad range of skill sets, professional team management, and the ability to work continuously until the job is complete.
For decades, Progent has offered professional Information Technology services for businesses in Greensboro and across the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have been awarded high-level certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally-recognized industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with accounting and ERP application software. This breadth of expertise gives Progent the capability to quickly identify the important systems, reorganize the surviving parts of your network environment after a ransomware event, and assemble them into a functioning system.
Progent's recovery group has state-of-the-art project management tools to orchestrate the complicated recovery process. Progent appreciates the urgency of working swiftly and together with a customer's management and IT staff to assign priority to tasks and to get essential services back online as soon as possible.
Client Story: A Successful Ransomware Penetration Recovery
A customer engaged Progent after their organization was brought down by the Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state cybercriminals, possibly adopting techniques leaked from America's NSA. Ryuk goes after specific companies with little room for disruption and is among the most lucrative versions of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing company located in Chicago with about 500 employees. The Ryuk intrusion had paralyzed all company operations and manufacturing capabilities. The majority of the client's data backups had been directly accessible at the time of the attack and were damaged. The client considered paying the ransom demand (exceeding $200,000) and hoping for the best, but ultimately engaged Progent.
"I cannot say enough about the help Progent gave us throughout the most stressful time of (our) company's existence. We may have had to pay the criminal gangs if it wasn't for the confidence the Progent experts gave us. That you were able to get our messaging and important servers back into operation in less than one week was something I thought impossible. Each consultant I interacted with or texted at Progent was laser focused on getting my company operational and was working non-stop to bail us out."
Progent worked hand in hand with the client to quickly identify and prioritize the mission-critical elements that had to be restored before business operations could restart:
- Windows Active Directory
- Microsoft Exchange Email
- Accounting and Manufacturing Software
To get going, Progent followed industry best practices for malware incident mitigation by stopping lateral movement and removing active malware. Progent then began bringing Windows Active Directory back online, the core technology of enterprise environments built on Microsoft Windows Server. Exchange messaging will not operate without AD, and the client's financials and MRP system used Microsoft SQL Server, which depended on Active Directory for access to the data.
Within 2 days, Progent was able to recover Active Directory to its pre-attack state. Progent then helped perform reinstallations and storage recovery on key applications. All Exchange ties and attributes were intact, which facilitated the rebuild of Exchange. Progent was able to locate non-encrypted OST data files (Microsoft Outlook Offline Folder Files) on team workstations to recover mail data. A recent offline backup of the business's financials/ERP software made it possible to bring these required services back online. Although significant work still had to be done to recover completely from the Ryuk damage, essential services were restored rapidly:
"For the most part, the manufacturing operation ran fairly normal throughout and we produced all customer deliverables."
Over the next month key milestones in the recovery process were made through close collaboration between Progent team members and the customer:
- Self-hosted web sites were returned to operation without losing any data.
- The MailStore Server with over four million archived emails was brought online and accessible to users.
- CRM/Orders/Invoicing/Accounts Payable (AP)/AR/Inventory Control modules were completely operational.
- A new Palo Alto Networks 850 security appliance was brought on-line.
- Most of the desktops and laptops were operational.
"A huge amount of what transpired that first week is nearly entirely a fog for me, but my team will not forget the countless hours each of the team accomplished to give us our business back. I have entrusted Progent for the past 10 years, maybe more, and each time Progent has come through and delivered. This time was a stunning achievement."
A possible company-ending disaster was avoided thanks to dedicated experts, a broad range of technical expertise, and tight teamwork. Although in retrospect the crypto-ransomware penetration detailed here could have been stopped with up-to-date security systems, NIST Cybersecurity Framework best practices, team education, appropriate incident response procedures for information backup, and proper patching controls, the fact is that government-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's roster of professionals has substantial experience in ransomware defense, remediation, and file disaster recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), I'm grateful for letting me get rested after we got past the first week. All of you did a fabulous job, and if any of your team is in the Chicago area, a great meal is on me!"
To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Greensboro a variety of remote monitoring and security assessment services designed to assist you to reduce the threat from crypto-ransomware. These services include next-generation AI technology to detect zero-day variants of crypto-ransomware that are able to get past legacy signature-based anti-virus solutions.
For Greensboro 24-Hour Crypto-Ransomware Repair Experts, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection service that incorporates next-generation behavior-based machine learning technology to guard physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which easily evade legacy signature-based anti-virus products. ProSight Active Security Monitoring safeguards local and cloud resources and offers a unified platform to manage the entire malware attack progression including blocking, identification, containment, cleanup, and post-attack forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection services offer economical multi-layer security for physical servers and VMs, desktops, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, endpoint management, and web filtering through cutting-edge tools packaged within a single agent accessible from a single console. Progent's data protection and virtualization experts can help you to plan and implement a ProSight ESP deployment that addresses your organization's unique requirements and that allows you to prove compliance with legal and industry information protection regulations. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for urgent attention. Progent's consultants can also assist your company to install and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services provide small and medium-sized organizations a low-cost and fully managed solution for secure backup/disaster recovery. For a low monthly cost, ProSight DPS automates and monitors your backup activities and enables fast restoration of vital files, applications and VMs that have become lost or corrupted due to hardware breakdowns, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images. Important data can be protected in the cloud, on an on-premises storage device, or both. Progent's cloud backup consultants can provide world-class support to configure ProSight Data Protection Services to be compliant with regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, when needed, can help you to restore your business-critical information. Read more about ProSight DPS Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading information security companies to provide centralized management and world-class security for all your email traffic. The hybrid structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway appliance to provide complete protection against spam, viruses, Denial of Service attacks, directory harvest attacks (DHAs), and other email-borne malware. Email Guard's cloud filter acts as a preliminary barricade and keeps most unwanted email from reaching your security perimeter. This decreases your exposure to external attacks and saves network bandwidth and storage. Email Guard's onsite gateway appliance adds a further layer of analysis for inbound email. For outbound email, the onsite gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite security gateway can also help Exchange Server to track and safeguard internal email that originates and ends within your security perimeter. For more details, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller businesses to map, monitor, optimize and troubleshoot their networking appliances like routers and switches, firewalls, and access points as well as servers, printers, endpoints and other devices. Incorporating state-of-the-art RMM technology, WAN Watch ensures that infrastructure topology maps are always current, captures and displays the configuration of virtually all devices connected to your network, monitors performance, and sends notices when problems are detected. By automating complex management processes, WAN Watch can cut hours off common chores such as making network diagrams, reconfiguring your network, finding appliances that need important updates, or isolating performance problems. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your IT system operating efficiently by tracking the health of the vital computers that drive your information system. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your specified IT staff and your Progent consultant so that any looming issues can be resolved before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With the ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host configured and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the applications. Because the system is virtualized, it can be ported immediately to a different hardware environment without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that allows you to capture, maintain, find and safeguard data about your IT infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can save as much as half of the time wasted looking for vital information about your IT network. ProSight IT Asset Management features a common location for holding and collaborating on all documents related to managing your business network, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're planning enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.