Crypto-Ransomware : Your Crippling Information Technology Catastrophe
Crypto-ransomware has become an escalating cyber pandemic that poses an existential threat to any organization vulnerable to an attack. Versions of crypto-ransomware such as the CrySIS, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been replicating for a long time and still cause destruction. More recent strains of ransomware such as Ryuk and Hermes, along with additional unnamed viruses, not only encrypt on-line data but also infiltrate every accessible system protection mechanism. Data synchronized to off-site disaster recovery sites can also be rendered useless. With a vulnerable data protection solution, this can make any recovery impossible and essentially knocks the network back to zero.

Restoring programs and data after a crypto-ransomware outage becomes a sprint against time as the targeted business tries its best to contain the damage, eradicate the crypto-ransomware, and restore mission-critical activity. Because ransomware takes time to replicate, attacks are usually sprung on weekends, when successful attacks tend to take longer to notice. This multiplies the difficulty of promptly mobilizing and coordinating a capable mitigation team.

Progent provides a variety of help services for protecting organizations from ransomware events. Among these are team training to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of modern security solutions with machine learning capabilities to quickly discover and quarantine zero-day cyber attacks. Progent in addition can provide the assistance of veteran ransomware recovery engineers with the talent and commitment to rebuild a breached network as quickly as possible.

Progent's Ransomware Restoration Services
Following a crypto-ransomware event, paying the ransom demand in Bitcoin cryptocurrency provides no assurance that the cyber hackers will respond with the keys needed to decrypt all your data. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their files even after sending off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the usual ransomware demand, which ZDNET estimates to be approximately $13,000. The alternative is to rebuild the essential components of your IT environment from scratch. Without access to complete system backups, this requires a broad complement of skills, top notch project management, and the ability to work continuously until the job is finished.

For twenty years, Progent has offered professional IT services for businesses in Grand Rapids and across the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have earned high-level industry certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have earned internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial management and ERP software solutions. This breadth of experience gives Progent the skills to quickly understand critical systems, salvage the surviving parts of your network after a ransomware penetration, and rebuild them into an operational network.

Progent's security group deploys top notch project management systems to orchestrate the complex recovery process. Progent appreciates the importance of working quickly and in unison with a client's management and IT staff to prioritize tasks and to put key applications back on-line as soon as possible.

Customer Case Study: A Successful Ransomware Penetration Restoration
A small business contacted Progent after their company was penetrated by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean state-sponsored cybercriminals, suspected of using technology exposed from the United States National Security Agency. Ryuk targets specific companies with little tolerance for operational disruption and is one of the most profitable versions of ransomware malware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing company headquartered in Chicago with about 500 workers. The Ryuk penetration had shut down all business operations and manufacturing capabilities. The majority of the client's backups had been on-line at the start of the intrusion and were destroyed. The client considered paying the ransom demand (more than $200,000) and hoping for good luck, but ultimately decided to engage Progent.


"I cannot speak enough about the care Progent provided us during the most critical time of (our) business's life. We may have had to pay the cyber criminals if not for the confidence the Progent experts provided us. The fact that you could get our e-mail and production applications back on-line quicker than one week was incredible. Every single expert I talked with or texted at Progent was absolutely committed on getting us operational and was working all day and night to bail us out."

Progent worked with the client to quickly identify and assign priority to the mission critical applications that needed to be restored in order to continue business functions:

  • Active Directory
  • Electronic Mail
  • MRP System

To begin, Progent followed anti-virus/malware incident response best practices by isolating and cleaning infected systems. Progent then started the process of bringing Active Directory back online, the foundation of enterprise systems built on Microsoft Windows technology. Microsoft Exchange messaging will not operate without Active Directory, and the customer's financials and MRP software used Microsoft SQL Server, which depends on Windows AD for authentication to the data.

In less than 2 days, Progent was able to rebuild Active Directory to its pre-penetration state. Progent then completed rebuilding and hard drive recovery on critical systems. All Exchange schema and configuration information was intact, which accelerated the restoration of Exchange. Progent was able to collect intact OST data files (Microsoft Outlook Off-Line Data Files) from team desktop computers in order to recover email information. A relatively recent offline backup of the client's financials/MRP systems made it possible to bring these vital programs back on-line. Although significant work remained to recover fully from the Ryuk event, the most important systems were recovered rapidly:


"For the most part, the production operation never missed a beat and we produced all customer orders."

Over the next month, critical milestones in the recovery project were achieved in close cooperation between Progent team members and the customer:

  • Internal web applications were restored with no loss of information.
  • The MailStore Exchange Server with over 4 million archived emails was restored to operations and available for users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control modules were 100% operational.
  • A new Palo Alto 850 security appliance was installed.
  • Ninety percent of the user desktops were being used by staff.

"A huge amount of what went on in the initial days is mostly a haze for me, but I will not forget the urgency each and every one of you accomplished to give us our business back. I've utilized Progent for the past 10 years, maybe more, and each time I needed help Progent has impressed me and delivered as promised. This situation was a Herculean accomplishment."

Conclusion
A probable business-ending disaster was averted through the efforts of dedicated experts, a wide spectrum of IT skills, and close collaboration. Post-incident forensics showed that the crypto-ransomware incident detailed here could have been identified and stopped with modern cyber security technology and NIST Cybersecurity Framework best practices, user and IT administrator training, and properly executed incident response procedures for backup and for keeping systems current with security patches. The fact remains, however, that government-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and are not going away. If you do fall victim to a ransomware virus, you can be confident that Progent's roster of experts has extensive experience in ransomware virus defense, mitigation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were helping), thanks very much for allowing me to get rested after we made it through the initial push. Everyone did an amazing job, and if anyone is visiting the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Grand Rapids a range of online monitoring and security evaluation services designed to help you reduce your vulnerability to crypto-ransomware. These services incorporate modern AI capabilities to detect new variants of crypto-ransomware that are able to get past legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes next generation behavior-based machine learning tools to defend physical and virtual endpoints against modern malware assaults like ransomware and email phishing, which routinely get by legacy signature-based anti-virus tools. ProSight ASM protects local and cloud resources and offers a single platform to manage the entire threat lifecycle including blocking, infiltration detection, mitigation, cleanup, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection managed services deliver affordable multi-layer security for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP provides firewall protection, intrusion alarms, device control, and web filtering via cutting-edge technologies packaged within one agent managed from a single control. Progent's security and virtualization experts can help your business to plan and implement a ProSight ESP environment that addresses your organization's specific needs and that helps you demonstrate compliance with government and industry information security regulations. Progent will help you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require immediate attention. Progent can also assist you to set up and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and mid-sized businesses a low cost end-to-end solution for reliable backup/disaster recovery (BDR). Available at a low monthly cost, ProSight Data Protection Services automates and monitors your backup activities and allows rapid recovery of critical files, apps and virtual machines that have become unavailable or corrupted due to component failures, software bugs, disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to a local storage device, or to both. Progent's cloud backup consultants can provide world-class expertise to configure ProSight Data Protection Services to comply with regulatory standards like HIPAA, FERPA, PCI and Safe Harbor and, when necessary, can help you to restore your business-critical data. Read more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading data security vendors to deliver web-based control and world-class protection for all your email traffic. The powerful architecture of the Email Guard managed service integrates a Cloud Protection Layer with an on-premises security gateway device to provide advanced protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's cloud filter serves as a preliminary barricade and blocks the vast majority of threats from reaching your security perimeter. This reduces your vulnerability to inbound threats and saves network bandwidth and storage. Email Guard's onsite security gateway appliance provides a further layer of analysis for inbound email. For outbound email, the local security gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises gateway can also help Exchange Server to track and protect internal email traffic that stays within your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map out, track, optimize and debug their networking hardware such as routers and switches, firewalls, and wireless controllers plus servers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology maps are always updated, captures and displays the configuration of almost all devices connected to your network, monitors performance, and sends alerts when issues are detected. By automating tedious management processes, ProSight WAN Watch can cut hours off common tasks such as making network diagrams, reconfiguring your network, locating appliances that require critical updates, or isolating performance problems. Find out more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management techniques to keep your IT system running efficiently by checking the health of critical assets that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your designated IT staff and your assigned Progent consultant so that any potential issues can be resolved before they can impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected Tier III data center on a fast virtual machine host set up and managed by Progent's network support experts. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the apps. Because the system is virtualized, it can be ported easily to an alternate hosting environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to create, maintain, find and safeguard information related to your network infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be alerted about impending expirations of SSL certificates or domains. By cleaning up and managing your network documentation, you can save up to half of the time spent trying to find critical information about your IT network. ProSight IT Asset Management includes a common repository for holding and collaborating on all documents required for managing your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT data. Whether you're planning enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.

For 24-7 Grand Rapids Crypto-Ransomware Removal Consultants, call Progent at 800-993-9400 or go to Contact Progent.