Crypto-Ransomware: Your Feared Information Technology Disaster
Ransomware has become an escalating cyber pandemic that poses an extinction-level danger for organizations vulnerable to an assault. Older strains such as CrySIS, CryptoWall, Bad Rabbit, NotPetya and the MongoLock cryptoworms have been around for many years and still inflict destruction. Modern strains such as Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit or Egregor, along with new and as yet unnamed variants appearing daily, not only encrypt online data but also attack every system protection mechanism they can reach. Files synchronized to the cloud can also be rendered useless. Against a vulnerable data protection solution, this can make automatic restoration hopeless and effectively knocks the network back to square one.
Getting services and data back after a ransomware event becomes a race against time as the victim fights to contain and remove the ransomware and to restore business-critical operations. Since ransomware needs time to spread, intrusions are usually launched on weekends, when they may take longer to notice. This multiplies the difficulty of promptly marshalling and orchestrating an experienced mitigation team.
Progent offers a range of services for protecting businesses from ransomware events. Among these are staff training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security gateways with artificial intelligence technology to rapidly discover and suppress new cyber attacks. Progent also provides the services of seasoned ransomware recovery professionals with the track record and commitment to restore a breached system as urgently as possible.
Progent's Ransomware Recovery Services
After a crypto-ransomware penetration, paying the ransom demand in Bitcoin does not provide any assurance that the criminal gang will hand over the keys needed to decrypt any or all of your files. Kaspersky estimated that 17% of ransomware victims never restored their files after having sent off the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well above the usual ransomware demand, which ZDNET estimates to be approximately $13,000. The other path is to set up the mission-critical parts of your IT environment from scratch. Without complete system backups available, this requires a broad complement of skills, professional project management, and the willingness to work 24x7 until the job is finished.
For two decades, Progent has made available expert Information Technology services for businesses in Hartford and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have been awarded high-level certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have earned internationally renowned certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience with financial systems and ERP applications. This breadth of expertise gives Progent the skills to rapidly identify the necessary systems, re-organize the surviving components of your network after a ransomware penetration, and configure them into an operational network.
Progent's security team utilizes best-of-breed project management applications to coordinate the complicated recovery process. Progent knows the urgency of working rapidly and together with a customer's management and Information Technology staff to prioritize tasks and to get key applications back online as soon as possible.
Customer Case Study: A Successful Ransomware Intrusion Response
A customer hired Progent after their organization was penetrated by Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state hackers, suspected of using algorithms leaked from America's National Security Agency. Ryuk goes after specific organizations with little or no ability to sustain operational disruption and is one of the most profitable incarnations of crypto-ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturer based in the Chicago metro area with around 500 employees. The Ryuk penetration had shut down all business operations and manufacturing capabilities. The majority of the client's data backups had been online at the beginning of the attack and were eventually encrypted. The client was evaluating paying the ransom (more than two hundred thousand dollars) and hoping for good luck, but ultimately called Progent.
"I cannot tell you enough in regards to the help Progent provided us during the most stressful time of (our) company's existence. We most likely would have paid the Hackers if it wasn't for the confidence the Progent team gave us. The fact that you were able to get our e-mail system and critical applications back online quicker than five days was amazing. Every single expert I interacted with or texted at Progent was totally committed to getting our system up and was working 24 by 7 to bail us out."
Progent worked with the client to quickly determine and prioritize the critical applications that needed to be restored to make it possible to resume company functions:
- Windows Active Directory
- Electronic Mail
To get going, Progent followed industry best practices for anti-virus and malware incident response by stopping the spread and cleaning infected systems. Progent then initiated the work of restoring Active Directory, the foundation of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange Server email will not function without Active Directory, and the business's financials and MRP applications used SQL Server, which depends on Windows AD for authorization of access to the data.
In less than 48 hours, Progent was able to rebuild Windows Active Directory to its pre-virus state. Progent then accomplished setup and storage recovery on critical servers. All Exchange Server ties and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to locate non-encrypted OST files (Microsoft Outlook Offline Folder Files) on team desktop computers to recover mail messages. A relatively recent offline backup of the client's accounting systems made it possible to bring these vital services back online for users. Although significant work still had to be done to recover completely from the Ryuk attack, essential systems were restored rapidly:
"For the most part, the assembly line operation showed little impact and we made all customer deliverables."
Over the following few weeks critical milestones in the restoration project were made in close cooperation between Progent engineers and the client:
- Self-hosted web sites were returned to operation without losing any information.
- The MailStore Exchange Server with over four million archived emails was brought on-line and accessible to users.
- CRM/Product Ordering/Invoicing/AP/AR/Inventory functions were 100% operational.
- A new Palo Alto 850 firewall was brought online.
- 90% of the desktop computers were functioning as before the incident.
"Much of what was accomplished those first few days is mostly a fog for me, but my team will not forget the commitment each of you put in to give us our business back. I've been working with Progent for the past 10 years, maybe more, and every time I needed help Progent has come through and delivered as promised. This event was the most impressive ever."
A probable business-ending disaster was dodged due to dedicated professionals, a broad array of technical expertise, and close collaboration. Although in retrospect the ransomware virus penetration described here should have been prevented with up-to-date cyber security solutions and best practices, team education, and appropriate security procedures for data backup and applying software patches, the fact remains that state-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware incursion, remember that Progent's roster of experts has extensive experience in crypto-ransomware virus defense, remediation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for allowing me to get some sleep after we got past the first week. Everyone did an impressive effort, and if anyone is in the Chicago area, a great meal is on me!"
To read or download a PDF version of this case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Hartford a variety of online monitoring and security evaluation services designed to assist you to reduce the threat from ransomware. These services include modern machine learning technology to uncover zero-day strains of ransomware that can get past legacy signature-based anti-virus solutions.
For Hartford 24x7 CryptoLocker Removal Services, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates cutting-edge behavioral machine learning technology to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which easily get past legacy signature-matching AV products. ProSight Active Security Monitoring safeguards local and cloud-based resources and offers a single platform to automate the complete threat lifecycle including blocking, identification, containment, cleanup, and forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable multi-layer security for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and reacting to security threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device management, and web filtering through cutting-edge tools incorporated within a single agent accessible from a single console. Progent's data protection and virtualization consultants can assist you to plan and configure a ProSight ESP environment that meets your organization's unique requirements and that helps you prove compliance with government and industry data security standards. Progent will help you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for urgent action. Progent can also assist you to set up and verify a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services offer small and mid-sized organizations a low cost and fully managed service for reliable backup/disaster recovery (BDR). Available at a low monthly rate, ProSight Data Protection Services automates your backup activities and allows fast recovery of critical files, applications and virtual machines that have become lost or corrupted as a result of hardware failures, software bugs, disasters, human mistakes, or malware attacks like ransomware. ProSight DPS can help you back up, recover and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to a local storage device, or mirrored to both. Progent's BDR specialists can provide advanced expertise to configure ProSight DPS to be compliant with government and industry regulatory standards such as HIPAA, FIRPA, and PCI and, whenever necessary, can help you to recover your critical information. Learn more about ProSight DPS Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading data security vendors to deliver web-based management and world-class security for all your email traffic. The hybrid structure of the Email Guard managed service integrates cloud-based filtering with a local gateway appliance to provide advanced defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. The cloud filter serves as a first line of defense and keeps most unwanted email from reaching your security perimeter. This reduces your vulnerability to inbound threats and saves network bandwidth and storage. Email Guard's onsite security gateway appliance adds a further layer of inspection for incoming email. For outgoing email, the onsite security gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Exchange Server to track and safeguard internal email that stays inside your security perimeter. For more information, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to diagram, track, optimize and debug their connectivity hardware like switches, firewalls, and load balancers as well as servers, printers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are always updated, copies and manages the configuration of virtually all devices connected to your network, tracks performance, and generates alerts when potential issues are detected. By automating tedious management processes, WAN Watch can knock hours off ordinary chores like network mapping, reconfiguring your network, finding appliances that need critical updates, or resolving performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system operating at peak levels by tracking the state of critical computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your specified IT staff and your Progent consultant so any looming problems can be resolved before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual machine host set up and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the applications. Since the system is virtualized, it can be moved immediately to a different hardware environment without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not tied to one hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and safeguard data related to your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be warned about impending expirations of SSL certificates, domains or warranties. By cleaning up and organizing your network documentation, you can eliminate up to half of the time wasted searching for critical information about your IT network. ProSight IT Asset Management includes a common repository for holding and sharing all documents related to managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether you're planning improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.