Crypto-Ransomware: Your Crippling Information Technology Disaster
Ransomware has become an escalating cyberplague that represents an enterprise-level threat for organizations unprepared for an assault. Different iterations of crypto-ransomware like the Dharma, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for a long time and still cause harm. Recent variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, along with frequent unnamed newcomers, not only encrypt on-line data but also infect all configured system restores and backups. Files synched to cloud environments can also be ransomed. In a poorly designed environment, this can make any restoration hopeless and basically sets the datacenter back to square one.

Recovering services and data following a ransomware attack becomes a sprint against the clock as the victim struggles to contain the damage and remove the ransomware and to restore mission-critical activity. Because ransomware requires time to move laterally, assaults are frequently sprung at night, when attacks typically take longer to uncover. This compounds the difficulty of quickly assembling and coordinating a capable response team.

Progent offers an assortment of help services for securing organizations from ransomware penetrations. These include user education to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to installation of next-generation security solutions with artificial intelligence capabilities to rapidly discover and disable new cyber attacks. Progent in addition can provide the services of veteran crypto-ransomware recovery consultants with the talent and commitment to re-deploy a breached environment as urgently as possible.

Progent's Crypto-Ransomware Recovery Services
After a ransomware penetration, sending the ransom in cryptocurrency does not guarantee that distant criminals will respond with the needed codes to decrypt any of your information. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their information after having paid the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is significantly above the typical ransomware demands, which ZDNET estimates to be around $13,000. The fallback is to re-install the critical components of your IT environment. Absent the availability of essential information backups, this calls for a broad complement of skills, well-coordinated project management, and the capability to work non-stop until the recovery project is finished.

For decades, Progent has made available certified expert IT services for companies in Eugene and throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have earned advanced certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have garnered internationally-recognized industry certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise with financial management and ERP application software. This breadth of experience gives Progent the capability to efficiently determine critical systems and organize the surviving parts of your network system after a ransomware attack and assemble them into a functioning system.

Progent's recovery group has top notch project management applications to orchestrate the complicated restoration process. Progent knows the importance of working swiftly and in concert with a client's management and IT staff to prioritize tasks and to put the most important systems back online as fast as humanly possible.

Client Story: A Successful Ransomware Incident Restoration
A small business sought out Progent after their organization was taken over by the Ryuk ransomware. Ryuk is thought to have been created by North Korean state-sponsored hackers, possibly using algorithms leaked from the United States NSA. Ryuk targets specific businesses with little room for disruption and is among the most profitable examples of ransomware. Highly publicized victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in Chicago and has around 500 workers. The Ryuk event had paralyzed all business operations and manufacturing processes. Most of the client's system backups had been on-line at the beginning of the attack and were eventually encrypted. The client was pursuing financing for paying the ransom (more than two hundred thousand dollars) and praying for good luck, but ultimately brought in Progent.


"I cannot say enough about the care Progent provided us throughout the most fearful time of (our) business's life. We may have had to pay the hackers behind this attack except for the confidence the Progent team gave us. That you could get our messaging and key servers back into operation faster than 1 week was earth shattering. Every single expert I got help from or messaged at Progent was amazingly focused on getting us restored and was working non-stop to bail us out."

Progent worked together with the customer to rapidly identify and prioritize the mission critical services that needed to be restored in order to restart business functions:

  • Active Directory
  • Electronic Messaging
  • Accounting/MRP

To get going, Progent followed anti-virus/malware penetration response best practices by stopping the spread and removing active viruses. Progent then began the task of recovering Microsoft Active Directory, the core of enterprise networks built on Microsoft technology. Exchange messaging will not work without Windows AD, and the business's MRP system used Microsoft SQL, which depends on Active Directory for security authorization to the database.

Within two days, Progent was able to recover Active Directory to its pre-attack state. Progent then helped perform setup and storage recovery of mission critical applications. All Exchange schema and attributes were intact, which accelerated the rebuild of Exchange. Progent was able to collect non-encrypted OST files (Outlook Email Offline Folder Files) on staff desktop computers to recover mail information. A reasonably recent offline backup of the customer's financials/MRP software made it possible to make these required applications available to users again. Although major work was left to recover fully from the Ryuk damage, critical services were recovered rapidly:


"For the most part, the manufacturing operation showed little impact and we produced all customer deliverables."

Throughout the next month important milestones in the restoration process were completed through tight cooperation between Progent consultants and the customer:

  • In-house web sites were restored without losing any information.
  • The MailStore Microsoft Exchange Server, holding more than four million archived messages, was restored to operation and made available to users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory functions were completely operational.
  • A new Palo Alto 850 firewall was deployed.
  • 90% of the user desktops were being used by staff.

"A lot of what went on in the early hours is nearly entirely a blur for me, but my management will not soon forget the commitment all of you put in to help get our business back. I've been working together with Progent for at least 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This situation was a life saver."

Conclusion
A likely enterprise-killing disaster was evaded by top-tier professionals, a wide spectrum of IT skills, and close collaboration. Although in hindsight the ransomware attack described here could have been stopped with advanced cyber security technology and security best practices, user and IT administrator training, and well thought out incident response procedures for data backup and applying software patches, the fact is that government-sponsored cybercriminals from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware attack, feel confident that Progent's team of professionals has extensive experience in ransomware virus blocking, removal, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thanks very much for allowing me to get some sleep after we made it through the first week. All of you did an amazing job, and if any of your guys is visiting the Chicago area, dinner is on me!"

To read or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Eugene a variety of online monitoring and security evaluation services designed to help you to reduce your vulnerability to ransomware. These services include modern machine learning capability to detect new strains of ransomware that can evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes cutting edge behavior analysis technology to guard physical and virtual endpoints against new malware attacks like ransomware and email phishing, which easily get by traditional signature-based anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a unified platform to automate the complete threat lifecycle including blocking, identification, containment, cleanup, and forensics. Key features include single-click rollback with Windows VSS and automatic network-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver affordable multi-layer security for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring and reacting to cyber assaults from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge technologies incorporated within a single agent accessible from a unified control. Progent's security and virtualization consultants can assist your business to design and implement a ProSight ESP deployment that addresses your company's specific needs and that allows you to prove compliance with government and industry information security standards. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require urgent action. Progent's consultants can also assist you to install and test a backup and restore system like ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations an affordable end-to-end solution for reliable backup/disaster recovery (BDR). For a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup activities and enables fast recovery of vital data, applications and virtual machines that have become lost or corrupted as a result of hardware failures, software bugs, disasters, human error, or malware attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware images. Critical data can be backed up on the cloud, to an on-premises storage device, or mirrored to both. Progent's BDR consultants can provide advanced expertise to configure ProSight DPS to comply with regulatory standards such as HIPAA, FIRPA, PCI and Safe Harbor and, when needed, can help you to restore your critical data. Read more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading information security vendors to deliver web-based management and comprehensive protection for your inbound and outbound email. The powerful architecture of Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway appliance to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's cloud filter serves as a first line of defense and blocks the vast majority of unwanted email from making it to your security perimeter. This reduces your exposure to external threats and conserves network bandwidth and storage. Email Guard's onsite security gateway device adds a deeper layer of analysis for incoming email. For outbound email, the onsite gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to track and safeguard internal email that originates and ends inside your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to diagram, track, reconfigure and troubleshoot their connectivity hardware such as routers, firewalls, and load balancers as well as servers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology maps are kept updated, captures and manages the configuration information of virtually all devices connected to your network, tracks performance, and sends notices when potential issues are discovered. By automating complex management and troubleshooting processes, WAN Watch can cut hours off ordinary chores such as network mapping, expanding your network, finding appliances that require critical software patches, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your network running efficiently by checking the state of critical computers that power your information system. When ProSight LAN Watch detects a problem, an alert is sent immediately to your specified IT management personnel and your Progent engineering consultant so that all looming problems can be addressed before they have a chance to impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a protected fault tolerant data center on a fast virtual host configured and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the apps. Since the environment is virtualized, it can be moved easily to a different hardware solution without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and safeguard information about your IT infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or domains. By updating and organizing your IT documentation, you can eliminate as much as half of the time spent looking for critical information about your IT network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents related to managing your network infrastructure such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're making enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need the instant you need it. Learn more about ProSight IT Asset Management service.
For Eugene 24-Hour Crypto Cleanup Services, call Progent at 800-462-8800 or go to Contact Progent.