Crypto-Ransomware : Your Crippling IT Disaster
Crypto-Ransomware Remediation Professionals

Crypto-ransomware has become a too-frequent cyber pandemic that poses an enterprise-level threat to businesses of all sizes that are vulnerable to an assault. Crypto-ransomware families such as CryptoLocker, WannaCry, Locky, SamSam and the MongoLock cryptoworm have been replicating for a long time and still inflict damage. The latest strains, such as Ryuk and Hermes, along with a daily stream of unnamed variants, not only encrypt critical online data but also attack any configured system protection mechanisms. Information synchronized to the cloud can also be corrupted. In a vulnerable environment, this can make automatic recovery hopeless and basically knocks the datacenter back to zero.

Recovering services and information after a ransomware attack becomes a sprint against the clock as the victim struggles to stop lateral movement, clean up the crypto-ransomware, and restore mission-critical activity. Because ransomware requires time to spread, intrusions are often sprung during nights and weekends, when successful attacks may take more time to identify. This multiplies the difficulty of promptly assembling and organizing a knowledgeable response team.

Progent makes available an assortment of solutions for securing businesses against ransomware events. These include user training to help staff recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and installation of next-generation security appliances with AI technology to rapidly identify and suppress zero-day cyber attacks. Progent also offers the assistance of seasoned ransomware recovery consultants with the talent and commitment to restore a compromised environment as quickly as possible.

Progent's Crypto-Ransomware Restoration Help
After a crypto-ransomware event, paying the ransom demand in Bitcoin cryptocurrency provides no assurance that the cyber hackers will respond with the keys to decipher all your data. Kaspersky determined that seventeen percent of ransomware victims never restored their data after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the average crypto-ransomware demand, which ZDNET determined to be around $13,000. The fallback is to rebuild from scratch the mission-critical parts of your Information Technology environment. Without complete system backups available, this requires a wide range of skills, professional project management, and the ability to work 24x7 until the task is over.

For decades, Progent has provided professional Information Technology services for companies in Fort Worth and throughout the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have earned top industry certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized industry certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with financial management and ERP application software. This breadth of expertise gives Progent the capability to rapidly identify necessary systems, integrate the surviving components of your network following a crypto-ransomware event, and configure them into a functioning system.

Progent's recovery team of experts utilizes top-notch project management applications to coordinate the sophisticated recovery process. Progent understands the urgency of working swiftly and in concert with a customer's management and Information Technology team members to prioritize tasks and to put essential systems back online as fast as humanly possible.

Customer Story: A Successful Ransomware Virus Recovery
A small business engaged Progent after their organization was taken over by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state-sponsored hackers, possibly adopting technology leaked from America's National Security Agency. Ryuk targets specific companies with little or no tolerance for operational disruption and is one of the most profitable iterations of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company located in the Chicago metro area with around 500 staff members. The Ryuk event had frozen all business operations and manufacturing processes. The majority of the client's system backups had been online at the beginning of the intrusion and were destroyed. The client was evaluating paying the ransom (in excess of $200,000) and hoping for good luck, but in the end engaged Progent.


"I cannot tell you enough in regards to the care Progent gave us throughout the most fearful period of (our) business's survival. We may have had to pay the Hackers except for the confidence the Progent experts afforded us. The fact that you were able to get our messaging and important applications back online in less than 1 week was earth shattering. Each person I talked with or texted at Progent was amazingly focused on getting us restored and was working at breakneck pace to bail us out."

Progent worked with the client to quickly determine and assign priority to the essential services that had to be addressed in order to restart business operations:

  • Microsoft Active Directory
  • Exchange Server
  • MRP System

To start, Progent adhered to anti-virus incident response best practices by stopping the spread and cleaning up infected systems. Progent then initiated the steps of bringing Active Directory back online, the key technology of enterprise systems built on Microsoft Windows. Microsoft Exchange messaging will not function without Windows AD, and the client's financials and MRP applications relied on Microsoft SQL Server, which requires Windows AD for access to the data.

In less than 2 days, Progent was able to recover Active Directory services to their pre-attack state. Progent then completed rebuilding and hard drive recovery of the needed servers. All Exchange Server data and attributes were intact, which greatly helped the rebuild of Exchange. Progent was able to assemble local OST files (Outlook Offline Data Files) from team desktop computers and laptops in order to recover mail messages. A reasonably recent offline backup of the client's manufacturing software made it possible to bring these required programs back online. Although a large amount of work remained to recover fully from the Ryuk attack, critical services were recovered rapidly:


"For the most part, the assembly line operation never missed a beat and we made all customer deliverables."

During the following few weeks key milestones in the recovery project were achieved in tight cooperation between Progent team members and the customer:

  • Self-hosted web applications were brought back up without losing any data.
  • The MailStore archive server for Exchange, containing more than four million archived messages, was spun up and accessible to users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivable (AR)/Inventory capabilities were fully functional.
  • A new Palo Alto 850 security appliance was brought on-line.
  • Ninety percent of the desktop computers were back into operation.

"A huge amount of what happened that first week is mostly a blur for me, but my team will not forget the commitment all of you accomplished to help get our company back. I have utilized Progent for the past ten years, maybe more, and each time Progent has impressed me and delivered as promised. This time was a life saver."

Conclusion
A likely business catastrophe was dodged with dedicated experts, a wide range of knowledge, and close collaboration. Forensics showed that the crypto-ransomware incident described here could have been shut down by up-to-date cyber security solutions and NIST Cybersecurity Framework best practices, user and IT administrator training, appropriate incident response procedures, sound backup practices, and keeping systems current with security patches. The reality, however, is that government-sponsored cybercriminals from China, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware intrusion, remember that Progent's roster of experts has substantial experience in crypto-ransomware defense, removal, and file disaster recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for allowing me to get rested after we got over the first week. All of you did an amazing effort, and if any of your team is visiting the Chicago area, dinner is on me!"

To read or download a PDF version of this case study, see Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Fort Worth a portfolio of online monitoring and security assessment services designed to help you reduce your vulnerability to crypto-ransomware. These services incorporate next-generation machine learning technology to uncover zero-day strains of crypto-ransomware that can get past traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes next generation behavior-based machine learning technology to defend physical and virtual endpoints against modern malware assaults like ransomware and email phishing, which routinely escape traditional signature-based AV products. ProSight ASM safeguards local and cloud-based resources and provides a unified platform to automate the complete malware attack lifecycle including protection, detection, mitigation, remediation, and post-attack forensics. Top features include single-click rollback using Windows VSS and real-time system-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection services deliver ultra-affordable multi-layer security for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and reacting to security threats from all vectors. ProSight ESP offers firewall protection, intrusion alarms, device control, and web filtering through cutting-edge tools packaged within one agent managed from a unified console. Progent's data protection and virtualization experts can help your business to plan and configure a ProSight ESP deployment that addresses your organization's unique requirements and that helps you demonstrate compliance with legal and industry data security regulations. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for urgent attention. Progent's consultants can also help you to install and test a backup and restore system such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized businesses an affordable and fully managed solution for secure backup and disaster recovery. For a fixed monthly rate, ProSight DPS automates and monitors your backup activities and allows fast recovery of vital files, apps and virtual machines that have become lost or damaged as a result of component breakdowns, software glitches, disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, and Hyper-V and VMware images. Important data can be backed up to the cloud, to a local storage device, or mirrored to both. Progent's cloud backup consultants can provide world-class expertise to configure ProSight DPS to comply with government and industry regulatory requirements such as HIPAA, FERPA, PCI and Safe Harbor and, whenever necessary, can assist you to restore your business-critical data. Read more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top information security vendors to deliver centralized control and comprehensive protection for your email traffic. The hybrid architecture of the Email Guard managed service combines cloud-based filtering with a local security gateway appliance to provide complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The cloud filter acts as a preliminary barricade and blocks most threats from reaching your network firewall. This reduces your exposure to external threats and saves system bandwidth and storage space. Email Guard's onsite gateway device adds a deeper layer of inspection for incoming email. For outgoing email, the onsite security gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server track and safeguard internal email that stays within your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized organizations to diagram, track, optimize and troubleshoot their networking appliances such as switches, firewalls, and access points, plus servers, printers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology diagrams are kept current, copies and manages the configuration information of almost all devices connected to your network, tracks performance, and generates notices when issues are detected. By automating time-consuming management and troubleshooting activities, WAN Watch can knock hours off common tasks such as making network diagrams, reconfiguring your network, finding devices that need critical software patches, or resolving performance issues. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your network running efficiently by checking the state of the vital computers that drive your business network. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your specified IT personnel and your Progent engineering consultant so that potential issues can be addressed before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With the ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual host set up and managed by Progent's network support experts. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the applications. Since the system is virtualized, it can be ported immediately to an alternate hosting solution without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and safeguard information related to your IT infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or domains. By updating and managing your IT documentation, you can save as much as half of the time spent looking for critical information about your network. ProSight IT Asset Management features a common location for storing and collaborating on all documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT information. Whether you're making enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.

For Fort Worth 24-Hour Ransomware Repair Services, call Progent at 800-993-9400 or go to Contact Progent.