Crypto-Ransomware : Your Worst Information Technology Catastrophe
Ransomware  Remediation ExpertsRansomware has become a too-frequent cyber pandemic that poses an existential danger for businesses poorly prepared for an assault. Different versions of ransomware like the CrySIS, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been around for years and continue to cause damage. Recent strains of crypto-ransomware such as Ryuk and Hermes, plus more as yet unnamed viruses, not only encrypt on-line files but also infect many accessible system protection mechanisms. Information synchronized to cloud environments can also be rendered useless. In a poorly architected environment, this can make automatic restoration useless and basically sets the network back to square one.

Restoring services and data after a ransomware event becomes a race against the clock as the targeted business struggles to stop the spread and clear the crypto-ransomware and to resume enterprise-critical operations. Because crypto-ransomware requires time to replicate, penetrations are frequently launched on weekends and holidays, when successful attacks tend to take longer to identify. This compounds the difficulty of rapidly mobilizing and coordinating a knowledgeable response team.

Progent has a variety of help services for protecting enterprises from ransomware penetrations. Among these are team member training to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of the latest generation security gateways with machine learning technology to rapidly identify and extinguish day-zero threats. Progent also provides the assistance of veteran ransomware recovery professionals with the track record and commitment to reconstruct a breached system as soon as possible.

Progent's Ransomware Restoration Support Services
Soon after a crypto-ransomware penetration, sending the ransom demands in cryptocurrency does not ensure that distant criminals will respond with the keys to decipher all your files. Kaspersky ascertained that seventeen percent of ransomware victims never restored their files after having paid the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is well above the average ransomware demands, which ZDNET determined to be in the range of $13,000. The other path is to piece back together the critical elements of your IT environment. Without access to essential data backups, this calls for a wide range of IT skills, well-coordinated project management, and the ability to work continuously until the job is completed.

For decades, Progent has made available certified expert IT services for companies in Fort Myers and throughout the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have earned advanced certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have garnered internationally-renowned certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience in financial management and ERP software solutions. This breadth of expertise provides Progent the ability to knowledgably understand important systems and integrate the surviving pieces of your Information Technology system after a crypto-ransomware event and assemble them into an operational network.

Progent's recovery team of experts has best of breed project management applications to orchestrate the complex recovery process. Progent understands the importance of working rapidly and together with a customerís management and IT resources to assign priority to tasks and to put essential services back on line as soon as humanly possible.

Business Case Study: A Successful Ransomware Intrusion Restoration
A customer contacted Progent after their network was crashed by Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean government sponsored cybercriminals, possibly adopting approaches leaked from the U.S. NSA organization. Ryuk targets specific organizations with limited room for operational disruption and is one of the most lucrative versions of ransomware. Headline victims include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer located in Chicago and has about 500 staff members. The Ryuk attack had disabled all company operations and manufacturing capabilities. Most of the client's system backups had been on-line at the time of the intrusion and were damaged. The client was evaluating paying the ransom demand (in excess of $200,000) and hoping for the best, but in the end reached out to Progent.


"I cannot speak enough about the help Progent gave us throughout the most fearful time of (our) companyís survival. We would have paid the cybercriminals if it wasnít for the confidence the Progent team afforded us. That you could get our e-mail system and essential servers back into operation quicker than one week was earth shattering. Each expert I spoke to or e-mailed at Progent was urgently focused on getting our company operational and was working at all hours to bail us out."

Progent worked with the client to quickly assess and prioritize the critical applications that needed to be recovered to make it possible to resume business functions:

  • Microsoft Active Directory
  • Electronic Mail
  • Accounting and Manufacturing Software
To begin, Progent followed AV/Malware Processes event response best practices by isolating and disinfecting systems. Progent then initiated the task of bringing back online Microsoft Active Directory, the core of enterprise networks built on Microsoft technology. Microsoft Exchange email will not function without Active Directory, and the client's financials and MRP system used SQL Server, which requires Active Directory services for security authorization to the data.

In less than 2 days, Progent was able to restore Active Directory to its pre-penetration state. Progent then initiated setup and hard drive recovery on needed servers. All Exchange ties and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was also able to locate intact OST files (Microsoft Outlook Off-Line Folder Files) on user desktop computers and laptops to recover email data. A recent offline backup of the businesses financials/ERP systems made it possible to return these required applications back available to users. Although significant work was left to recover totally from the Ryuk event, the most important systems were returned to operations quickly:


"For the most part, the production operation survived unscathed and we did not miss any customer orders."

Throughout the following couple of weeks key milestones in the recovery process were completed through tight cooperation between Progent consultants and the customer:

  • Self-hosted web sites were restored without losing any data.
  • The MailStore Microsoft Exchange Server exceeding 4 million historical emails was spun up and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control capabilities were 100% recovered.
  • A new Palo Alto Networks 850 security appliance was set up and programmed.
  • Ninety percent of the user desktops and notebooks were back into operation.

"Much of what transpired during the initial response is nearly entirely a blur for me, but my team will not soon forget the commitment each of the team accomplished to help get our company back. I have been working together with Progent for the past 10 years, maybe more, and each time I needed help Progent has come through and delivered as promised. This time was a Herculean accomplishment."

Conclusion
A possible enterprise-killing catastrophe was averted with top-tier professionals, a wide spectrum of knowledge, and close teamwork. Although upon completion of forensics the ransomware incident described here could have been blocked with current security technology solutions and recognized best practices, user education, and appropriate security procedures for backup and applying software patches, the fact is that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incident, feel confident that Progent's roster of professionals has proven experience in ransomware virus blocking, mitigation, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for letting me get rested after we got through the most critical parts. Everyone did an fabulous effort, and if anyone that helped is visiting the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Fort Myers a range of online monitoring and security assessment services designed to assist you to minimize the threat from ransomware. These services incorporate next-generation machine learning capability to uncover new variants of ransomware that are able to get past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes next generation behavior analysis technology to defend physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which routinely get by legacy signature-matching anti-virus products. ProSight ASM protects on-premises and cloud-based resources and offers a single platform to manage the complete threat progression including blocking, identification, mitigation, remediation, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection services deliver affordable in-depth security for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and reacting to cyber threats from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge technologies incorporated within one agent accessible from a single console. Progent's security and virtualization consultants can help your business to plan and implement a ProSight ESP environment that meets your organization's specific needs and that helps you achieve and demonstrate compliance with legal and industry data security regulations. Progent will assist you define and implement security policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that call for urgent attention. Progent can also assist you to install and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations a low cost and fully managed solution for secure backup/disaster recovery (BDR). Available at a fixed monthly cost, ProSight DPS automates your backup activities and enables rapid restoration of vital files, apps and virtual machines that have become lost or corrupted due to hardware breakdowns, software bugs, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, apps, system images, as well as Hyper-V and VMware images/. Important data can be protected on the cloud, to a local storage device, or mirrored to both. Progent's BDR specialists can deliver world-class expertise to set up ProSight DPS to be compliant with government and industry regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can assist you to restore your business-critical data. Read more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading data security vendors to deliver centralized management and world-class protection for your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway device to offer complete protection against spam, viruses, Dos Attacks, DHAs, and other email-based malware. The cloud filter acts as a first line of defense and keeps most unwanted email from reaching your network firewall. This reduces your vulnerability to inbound threats and conserves network bandwidth and storage. Email Guard's on-premises security gateway appliance adds a further layer of analysis for inbound email. For outgoing email, the onsite gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also help Exchange Server to track and safeguard internal email traffic that stays inside your security perimeter. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progentís ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to diagram, monitor, reconfigure and debug their connectivity appliances like routers, firewalls, and wireless controllers plus servers, client computers and other devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch makes sure that infrastructure topology maps are always current, captures and manages the configuration information of virtually all devices on your network, tracks performance, and generates alerts when issues are discovered. By automating tedious management processes, ProSight WAN Watch can cut hours off common chores like making network diagrams, reconfiguring your network, finding devices that need important software patches, or resolving performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that uses advanced remote monitoring and management techniques to keep your IT system operating at peak levels by checking the health of critical assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your designated IT personnel and your assigned Progent engineering consultant so all looming issues can be addressed before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected fault tolerant data center on a fast virtual machine host configured and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the applications. Because the system is virtualized, it can be ported immediately to an alternate hardware environment without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and protect information about your IT infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your IT documentation, you can eliminate up to 50% of time thrown away trying to find vital information about your network. ProSight IT Asset Management features a common location for holding and sharing all documents related to managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether youíre planning improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.
For 24-7 Fort Myers Crypto-Ransomware Repair Consultants, contact Progent at 800-993-9400 or go to Contact Progent.