Crypto-Ransomware : Your Crippling Information Technology Nightmare
Crypto-Ransomware  Recovery ExpertsRansomware has become a too-frequent cyberplague that presents an extinction-level danger for businesses vulnerable to an assault. Different versions of crypto-ransomware like the Dharma, WannaCry, Locky, SamSam and MongoLock cryptoworms have been out in the wild for many years and still inflict damage. Modern strains of crypto-ransomware like Ryuk and Hermes, plus additional as yet unnamed malware, not only do encryption of on-line information but also infect any available system protection mechanisms. Files replicated to cloud environments can also be rendered useless. In a poorly architected environment, this can render any recovery useless and basically sets the network back to square one.

Getting back on-line applications and data after a ransomware attack becomes a sprint against the clock as the targeted organization fights to contain and eradicate the ransomware and to restore enterprise-critical activity. Due to the fact that crypto-ransomware requires time to replicate, assaults are often launched during weekends and nights, when penetrations tend to take longer to detect. This compounds the difficulty of promptly marshalling and organizing an experienced response team.

Progent makes available a variety of solutions for protecting businesses from ransomware events. Among these are team training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of next-generation security solutions with artificial intelligence capabilities to automatically discover and quarantine day-zero cyber threats. Progent in addition can provide the services of veteran crypto-ransomware recovery consultants with the skills and commitment to rebuild a breached network as urgently as possible.

Progent's Ransomware Restoration Support Services
Subsequent to a crypto-ransomware event, paying the ransom in cryptocurrency does not provide any assurance that cyber hackers will respond with the keys to decrypt all your information. Kaspersky determined that 17% of ransomware victims never restored their files even after having sent off the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is significantly above the typical ransomware demands, which ZDNET determined to be approximately $13,000. The alternative is to setup from scratch the key components of your IT environment. Without access to full information backups, this calls for a wide complement of skill sets, top notch project management, and the capability to work continuously until the task is completed.

For twenty years, Progent has offered certified expert IT services for businesses in Greensboro and across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have been awarded top certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have garnered internationally-recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has experience with financial systems and ERP application software. This breadth of expertise affords Progent the capability to rapidly identify important systems and re-organize the remaining pieces of your network environment after a ransomware event and configure them into a functioning system.

Progent's ransomware team has top notch project management systems to orchestrate the sophisticated restoration process. Progent understands the importance of working swiftly and in unison with a client's management and Information Technology resources to prioritize tasks and to get the most important services back on-line as soon as possible.

Client Case Study: A Successful Ransomware Penetration Response
A business engaged Progent after their company was taken over by Ryuk ransomware virus. Ryuk is generally considered to have been launched by Northern Korean government sponsored cybercriminals, suspected of adopting algorithms leaked from the United States NSA organization. Ryuk targets specific companies with limited ability to sustain operational disruption and is one of the most profitable iterations of ransomware malware. Well Known victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturer located in Chicago with about 500 workers. The Ryuk event had disabled all company operations and manufacturing capabilities. The majority of the client's data protection had been directly accessible at the start of the attack and were eventually encrypted. The client was pursuing financing for paying the ransom (more than $200K) and wishfully thinking for the best, but in the end reached out to Progent.


"I cannot tell you enough in regards to the help Progent gave us during the most stressful period of (our) companyís existence. We may have had to pay the Hackers if it wasnít for the confidence the Progent experts gave us. That you could get our e-mail system and production servers back into operation faster than seven days was something I thought impossible. Each consultant I spoke to or texted at Progent was amazingly focused on getting us back on-line and was working non-stop to bail us out."

Progent worked with the client to quickly identify and prioritize the essential areas that needed to be restored to make it possible to continue business functions:

  • Windows Active Directory
  • Exchange Server
  • MRP System
To begin, Progent adhered to Anti-virus penetration mitigation industry best practices by halting the spread and cleaning up infected systems. Progent then initiated the steps of recovering Microsoft Active Directory, the key technology of enterprise environments built on Microsoft Windows technology. Microsoft Exchange messaging will not work without AD, and the businessesí accounting and MRP applications leveraged Microsoft SQL Server, which requires Active Directory for security authorization to the information.

Within 48 hours, Progent was able to re-build Active Directory services to its pre-intrusion state. Progent then performed rebuilding and storage recovery on key applications. All Microsoft Exchange Server schema and configuration information were usable, which accelerated the rebuild of Exchange. Progent was able to collect non-encrypted OST files (Microsoft Outlook Offline Folder Files) on user PCs and laptops to recover email data. A recent off-line backup of the businesses financials/MRP systems made them able to restore these required programs back servicing users. Although a lot of work remained to recover totally from the Ryuk damage, critical services were restored quickly:


"For the most part, the production manufacturing operation survived unscathed and we delivered all customer orders."

Over the following couple of weeks critical milestones in the recovery process were completed through tight cooperation between Progent team members and the client:

  • Internal web applications were restored without losing any data.
  • The MailStore Microsoft Exchange Server exceeding 4 million historical emails was brought on-line and available for users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/AR/Inventory Control functions were 100% recovered.
  • A new Palo Alto 850 firewall was installed.
  • Ninety percent of the desktop computers were functioning as before the incident.

"A lot of what was accomplished in the early hours is nearly entirely a fog for me, but we will not soon forget the countless hours all of you accomplished to help get our business back. I have entrusted Progent for the past ten years, maybe more, and each time I needed help Progent has impressed me and delivered. This time was no exception but maybe more Herculean."

Conclusion
A potential business catastrophe was averted with dedicated professionals, a wide range of IT skills, and tight collaboration. Although upon completion of forensics the ransomware penetration detailed here could have been identified and disabled with up-to-date security systems and best practices, user education, and properly executed incident response procedures for information backup and applying software patches, the fact remains that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and are an ongoing threat. If you do get hit by a crypto-ransomware incident, feel confident that Progent's roster of experts has proven experience in crypto-ransomware virus defense, cleanup, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for making it so I could get rested after we got past the first week. All of you did an incredible effort, and if anyone is around the Chicago area, a great meal is my treat!"

To read or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Greensboro a range of remote monitoring and security assessment services designed to assist you to minimize the threat from ransomware. These services incorporate modern artificial intelligence capability to detect zero-day variants of crypto-ransomware that are able to escape detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes next generation behavior-based analysis tools to defend physical and virtual endpoint devices against new malware assaults like ransomware and file-less exploits, which routinely evade legacy signature-matching AV products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and offers a single platform to manage the entire threat lifecycle including blocking, detection, containment, cleanup, and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services deliver ultra-affordable multi-layer security for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and responding to cyber threats from all vectors. ProSight ESP provides firewall protection, penetration alerts, device control, and web filtering through leading-edge technologies incorporated within one agent accessible from a unified control. Progent's data protection and virtualization consultants can help you to design and implement a ProSight ESP deployment that meets your company's specific needs and that helps you demonstrate compliance with legal and industry data security standards. Progent will assist you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for urgent attention. Progent can also help your company to set up and test a backup and disaster recovery solution like ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized organizations a low cost and fully managed service for secure backup/disaster recovery (BDR). For a low monthly rate, ProSight DPS automates and monitors your backup processes and allows fast restoration of critical data, applications and VMs that have become unavailable or damaged due to component breakdowns, software bugs, natural disasters, human mistakes, or malicious attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images/. Critical data can be backed up on the cloud, to an on-promises device, or to both. Progent's BDR consultants can deliver advanced expertise to configure ProSight Data Protection Services to to comply with government and industry regulatory standards such as HIPPA, FINRA, PCI and Safe Harbor and, when needed, can assist you to recover your critical information. Learn more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top information security companies to provide web-based control and world-class protection for all your email traffic. The powerful structure of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway device to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The cloud filter acts as a first line of defense and blocks the vast majority of unwanted email from reaching your security perimeter. This decreases your vulnerability to inbound threats and conserves network bandwidth and storage space. Email Guard's on-premises security gateway device provides a further layer of inspection for incoming email. For outbound email, the local gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Exchange Server to monitor and safeguard internal email that originates and ends within your corporate firewall. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized businesses to diagram, track, optimize and debug their networking appliances such as routers, firewalls, and load balancers as well as servers, printers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology maps are always updated, copies and manages the configuration of almost all devices on your network, monitors performance, and generates alerts when issues are detected. By automating time-consuming management and troubleshooting processes, ProSight WAN Watch can knock hours off common tasks such as network mapping, expanding your network, locating devices that need important updates, or isolating performance problems. Find out more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your IT system running efficiently by checking the state of vital assets that power your information system. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your designated IT staff and your assigned Progent engineering consultant so that any looming issues can be resolved before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a secure fault tolerant data center on a fast virtual host configured and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting service model, the client owns the data, the OS software, and the applications. Because the system is virtualized, it can be moved easily to an alternate hardware environment without a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not tied a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and safeguard data about your network infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be warned automatically about impending expirations of SSLs ,domains or warranties. By updating and organizing your IT infrastructure documentation, you can eliminate up to half of time thrown away trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents related to managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether youíre planning improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need when you need it. Find out more about Progent's ProSight IT Asset Management service.
For Greensboro 24x7 Crypto Repair Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.