Crypto-Ransomware : Your Crippling IT Nightmare
Crypto-ransomware has become a modern cyber pandemic and represents an enterprise-level danger for businesses unprepared for an attack. Families such as CrySIS, Fusob, Bad Rabbit, Syskey and MongoLock have been running rampant for years and still cause havoc. Later variants such as Ryuk, which was built on the Hermes code base, along with unnamed newcomers, not only encrypt on-line data files but also seek out and disable any available system protection, including on-line backups. Data replicated to cloud environments can be ransomed as well. In a poorly architected environment this can render automated restoration impossible and knocks the entire system back to square one.
Restoring on-line services and data after a crypto-ransomware intrusion is a race against the clock: the targeted business must contain the damage, eradicate the ransomware, and resume business-critical operations. Because encrypting a network takes time, attacks are usually launched on weekends and at night, when intrusions tend to take longer to notice. This multiplies the difficulty of quickly mobilizing and coordinating a qualified response team.
Progent offers a range of support services for protecting organizations from crypto-ransomware penetrations. Among these are user training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of next-generation security gateways with AI capabilities to rapidly detect and quarantine zero-day threats. Progent can also provide seasoned crypto-ransomware recovery professionals with the track record and perseverance to reconstruct a compromised system as rapidly as possible.
Progent's Ransomware Recovery Services
After a ransomware penetration, paying the ransom in Bitcoin provides no assurance that the attackers will deliver the keys needed to decrypt your files. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their data even after paying, compounding their losses. Paying is also expensive: Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the average ransomware demand, which ZDNet put at around $13,000. The fallback is to piece the essential parts of your IT environment back together. Without full system backups, this calls for a wide range of skills, professional project management, and the willingness to work non-stop until the job is complete.
For two decades, Progent has offered expert IT services for companies in Hartford and throughout the United States and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who hold high-level certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial systems and ERP applications. This breadth of experience gives Progent the skills to quickly identify critical systems, consolidate the surviving parts of your IT environment after a ransomware penetration, and rebuild them into a functioning network.
Progent's recovery team uses powerful project management systems to orchestrate the complex recovery process. Progent understands the urgency of working swiftly and in concert with a customer's management and IT team members to prioritize tasks and get critical applications back on-line as fast as possible.
Customer Case Study: A Successful Crypto-Ransomware Virus Recovery
A small business escalated to Progent after their network was crippled by the Ryuk ransomware. Ryuk was built on the Hermes ransomware code base and was initially attributed to North Korean state-sponsored actors; later analysis attributed its operation to Russian-speaking criminal groups. Ryuk targets specific businesses with limited ability to sustain disruption and is among the most lucrative examples of crypto-ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company based in Chicago with about 500 staff members. The Ryuk attack had brought down all company operations and manufacturing capabilities. Most of the client's backups had been on-line at the start of the attack and were eventually encrypted. The client was pursuing financing to pay the ransom (exceeding $200K) and hoping for the best, but ultimately called Progent.
"I can't say enough in regards to the support Progent gave us throughout the most fearful period of (our) company's life. We may have had to pay the Hackers except for the confidence the Progent team afforded us. The fact that you could get our messaging and essential servers back online quicker than one week was earth shattering. Every single staff member I worked with or messaged at Progent was amazingly focused on getting us operational and was working all day and night to bail us out."
Progent worked with the customer to rapidly identify and prioritize the critical systems that had to be recovered in order to resume business functions:
- Windows Active Directory
- Microsoft Exchange
- MRP System
To begin, Progent followed industry best practices for malware incident containment by stopping the spread and disinfecting systems. Progent then began recovering Active Directory, the heart of enterprise environments built on Windows Server. Exchange will not work without Active Directory, and the customer's accounting and MRP applications ran on Microsoft SQL Server, which in this environment depended on Active Directory authentication for access to the databases.
Within 48 hours, Progent had recovered Active Directory to its pre-attack state. Progent then completed reinstallations and hard drive recovery on mission-critical servers. The Exchange Server schema extensions and attributes in Active Directory were intact, which facilitated the rebuild of Exchange. Progent was also able to find intact OST files (Outlook offline data files) on staff PCs and used them to recover mailbox data. A recent off-line backup of the client's financials/MRP software allowed these essential applications to be brought back on-line. Although a lot of work remained to recover completely from the Ryuk attack, critical services were restored quickly:
"For the most part, the assembly line operation ran fairly normal throughout and we did not miss any customer orders."
Over the next month, further milestones in the recovery were accomplished in tight collaboration between Progent engineers and the client:
- Self-hosted web sites were restored without losing any data.
- The MailStore Server containing more than 4 million archived emails was spun up and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory modules were fully recovered.
- A new Palo Alto 850 security appliance was brought on-line.
- Nearly all of the user PCs were functioning as before the incident.
"Much of what happened that first week is mostly a haze for me, but my management will not forget the urgency all of you put in to give us our company back. I have been working together with Progent for the past 10 years, maybe more, and every time Progent has shined and delivered as promised. This time was a stunning achievement."
A probable business catastrophe was averted through the efforts of dedicated experts, a broad spectrum of knowledge, and close collaboration. In retrospect, the crypto-ransomware penetration described here could have been blocked by modern security technology, adherence to the NIST Cybersecurity Framework or ISO/IEC 27001, staff education, and well thought out procedures for data protection and software patching. The case also shows the value of keeping at least one backup off-line: the on-line backups were encrypted along with everything else, and it was the off-line copy of the financials/MRP system that brought those applications back. The reality remains that cyber criminals, state-sponsored and otherwise, operating from Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a crypto-ransomware attack, remember that Progent's roster of professionals has a proven track record in ransomware blocking, remediation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), I'm grateful for allowing me to get some sleep after we got over the most critical parts. Everyone did an impressive job, and if anyone is in the Chicago area, dinner is my treat!"
To read or download a PDF version of this customer story, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Hartford a variety of online monitoring and security assessment services designed to reduce your exposure to ransomware. These services include machine learning technology to uncover zero-day variants of ransomware that get past legacy signature-based anti-virus products.
For 24-Hour Hartford Crypto Remediation Services, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses next-generation behavior-based analysis to guard physical and virtual endpoints against modern malware such as ransomware and file-less exploits, which easily get past traditional signature-based AV products. ProSight ASM safeguards local and cloud resources and offers a single platform for the entire malware attack lifecycle: protection, intrusion detection, containment, cleanup, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. One caveat: VSS rollback only works if shadow copies survive the attack, and ransomware families including Ryuk routinely delete them (for example with vssadmin or wmic) and disable Windows recovery before encrypting, so the behavioral engine must block that step early or the rollback has nothing to restore from. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
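To make the shadow-copy caveat concrete, the following Python script is an added example written for this page; it is not Progent's or ProSight's code. It scans process-creation log lines for the commands ransomware uses to destroy the recovery path (shadow copy deletion, shadow storage shrinking, Windows Backup catalog deletion, boot recovery disabled) and rates each host by how many distinct such commands fire within a short window, because a lone `vssadmin delete shadows` can come from a legitimate backup agent while a burst of them is the ransomware pattern. The log lines are constructed here in a key=value layout that is an assumption of the example, meant to resemble Windows Security event 4688 or Sysmon event 1 data after export.

```python
"""Detect 'destroy the recovery path' commands in process-creation logs.

Added example, not Progent's or any product's code. The log lines below are
constructed to resemble Windows Security 4688 / Sysmon Event 1 data flattened
into key=value form; that layout is an assumption of this example.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Command lines that ransomware families (Ryuk among them) commonly issue so
# that Volume Shadow Copy and Windows Backup cannot be used for rollback.
# Each regex is matched case-insensitively against the full command line.
SHADOW_KILL_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "vssadmin_shrink_storage": re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b.*\bmaxsize=", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
}

# Constructed sample events (not from a real incident). FILESRV01 shows the
# ransomware burst; WS042 shows a single command on its own.
SAMPLE_EVENTS = [
    'ts=2019-02-16T02:13:04Z host=FILESRV01 user=CORP\\svc_backup parent=backupagent.exe cmd="vssadmin.exe list shadows"',
    'ts=2019-02-16T02:14:11Z host=FILESRV01 user=CORP\\jsmith parent=cmd.exe cmd="vssadmin.exe Delete Shadows /All /Quiet"',
    'ts=2019-02-16T02:14:12Z host=FILESRV01 user=CORP\\jsmith parent=cmd.exe cmd="vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"',
    'ts=2019-02-16T02:14:13Z host=FILESRV01 user=CORP\\jsmith parent=cmd.exe cmd="bcdedit /set {default} recoveryenabled No"',
    'ts=2019-02-16T02:14:14Z host=FILESRV01 user=CORP\\jsmith parent=cmd.exe cmd="wbadmin DELETE CATALOG -quiet"',
    'ts=2019-02-16T02:20:00Z host=WS042 user=CORP\\mlee parent=explorer.exe cmd="OUTLOOK.EXE"',
    'ts=2019-02-16T02:21:30Z host=WS042 user=CORP\\mlee parent=cmd.exe cmd="wmic shadowcopy delete"',
]

# key=value pairs; a value is either a double-quoted string (may contain spaces) or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in FIELD_RE.findall(line)}


def classify(cmd: str) -> Optional[str]:
    """Return the name of the first rule that matches the command line, or None."""
    for name, pattern in SHADOW_KILL_PATTERNS.items():
        if pattern.search(cmd):
            return name
    return None


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events whose command line matches a rule, tagged with the rule name."""
    hits = []
    for line in lines:
        event = parse_event(line)
        rule = classify(event.get("cmd", ""))
        if rule:
            hits.append({**event, "rule": rule})
    return hits


def _when(event: Dict[str, str]) -> datetime:
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


def severity_by_host(hits: List[Dict[str, str]], window_seconds: int = 300) -> Dict[str, str]:
    """Rate each host 'high' when two or more distinct rules fire within one window, else 'medium'.

    A single shadow-copy deletion can be legitimate (some backup agents issue one),
    so one rule alone is only 'medium'; several distinct recovery-destroying
    commands within seconds of each other is the ransomware pattern.
    """
    by_host: Dict[str, List[Dict[str, str]]] = {}
    for hit in hits:
        by_host.setdefault(hit["host"], []).append(hit)
    ratings: Dict[str, str] = {}
    for host, events in by_host.items():
        events.sort(key=_when)
        most_rules_in_window = 0
        for index, anchor in enumerate(events):
            rules_in_window = {
                e["rule"] for e in events[index:]
                if (_when(e) - _when(anchor)).total_seconds() <= window_seconds
            }
            most_rules_in_window = max(most_rules_in_window, len(rules_in_window))
        ratings[host] = "high" if most_rules_in_window >= 2 else "medium"
    return ratings


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for hit in found:
        print(f'{hit["ts"]} {hit["host"]} {hit["user"]} {hit["rule"]}: {hit["cmd"]}')
    print(severity_by_host(found))
```

On the constructed sample, the first line (a `vssadmin list shadows` from the backup agent) is not flagged, the four commands on FILESRV01 within three seconds rate that host "high", and the single `wmic shadowcopy delete` on WS042 rates "medium" for an analyst to review. In production these rules belong in the EDR or SIEM, ideally as a block rather than an alert, since once the shadow copies are gone the rollback feature described above has nothing left to restore.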
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer security for physical servers and VMs, workstations, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and react to security threats from all attack vectors. ProSight ESP provides firewall protection, intrusion alarms, device control, and web filtering via leading-edge tools incorporated within a single agent managed from a single console. Progent's security and virtualization consultants can help you design and implement a ProSight ESP deployment that addresses your organization's specific needs and allows you to prove compliance with legal and industry data security standards. Progent will help you define and implement the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require urgent attention. Progent's consultants can also help you install and test a backup and restore system such as ProSight Data Protection Services so you can recover rapidly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services provide small and mid-sized businesses a low-cost, fully managed solution for secure backup and disaster recovery. For a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup processes and enables rapid restoration of vital data, applications and virtual machines that have been lost or corrupted by component failures, software glitches, disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can back up, recover and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware images. Important data can be backed up to the cloud, to an on-premises storage device, or mirrored to both. Progent's cloud backup consultants can deliver advanced expertise to configure ProSight Data Protection Services to comply with government and industry regulatory standards such as HIPAA, FINRA, and PCI and, when needed, can help you restore your critical information. Learn more about ProSight Data Protection Services Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading information security companies to deliver centralized control and world-class security for your email traffic. The architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local gateway device to provide advanced protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of unwanted email before it reaches your security perimeter. This decreases your exposure to inbound attacks and conserves network bandwidth and storage space. Email Guard's on-premises gateway appliance provides a deeper layer of analysis for incoming email. For outbound email, the onsite gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Exchange Server in monitoring and protecting internal email traffic that originates and ends within your security perimeter. For more information, see Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to map out, monitor, enhance and troubleshoot their connectivity appliances such as routers and switches, firewalls, and wireless controllers as well as servers, client computers and other networked devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always updated, captures and displays the configuration of almost all devices connected to your network, monitors performance, and sends alerts when potential issues are detected. By automating time-consuming management processes, WAN Watch can cut hours off ordinary tasks such as network mapping, reconfiguring your network, finding appliances that need critical updates, or identifying the cause of performance issues. Find out more about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management technology to keep your network operating at peak levels by tracking the state of vital assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your specified IT staff and your assigned Progent consultant so that any potential issues can be resolved before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual host set up and maintained by Progent's network support experts. Under the ProSight Virtual Hosting model, the customer owns the data, the OS software, and the applications. Because the environment is virtualized, it can be moved easily to a different hosting environment without a time-consuming and technically risky reconfiguration. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and protect data related to your network infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or domains. By updating and organizing your IT infrastructure documentation, you can eliminate up to half of the time wasted trying to find critical information about your network. ProSight IT Asset Management features a common repository for holding and sharing all documents required for managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT information. Whether you're planning enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Read more about ProSight IT Asset Management service.