Crypto-Ransomware : Your Worst Information Technology Disaster
Ransomware  Recovery ExpertsRansomware has become an escalating cyberplague that presents an enterprise-level threat for organizations vulnerable to an assault. Different iterations of crypto-ransomware such as Reveton, Fusob, Locky, NotPetya and MongoLock cryptoworms have been circulating for a long time and continue to cause damage. More recent versions of ransomware such as Ryuk and Hermes, as well as daily as yet unnamed newcomers, not only encrypt on-line data but also infect most accessible system backups. Information replicated to the cloud can also be ransomed. In a poorly designed environment, this can make any restoration useless and effectively knocks the network back to square one.

Getting back on-line services and data following a crypto-ransomware outage becomes a race against time as the targeted organization struggles to stop the spread and cleanup the virus and to resume enterprise-critical operations. Due to the fact that crypto-ransomware needs time to spread, attacks are frequently launched on weekends and holidays, when attacks may take more time to discover. This multiplies the difficulty of promptly assembling and organizing a capable mitigation team.

Progent provides an assortment of help services for protecting enterprises from ransomware penetrations. These include user education to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of next-generation security solutions with AI technology to quickly detect and quarantine new cyber attacks. Progent in addition offers the assistance of experienced crypto-ransomware recovery consultants with the skills and commitment to rebuild a compromised environment as quickly as possible.

Progent's Ransomware Restoration Help
Subsequent to a crypto-ransomware event, even paying the ransom demands in Bitcoin cryptocurrency does not guarantee that distant criminals will return the needed codes to unencrypt all your files. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims never restored their files after having sent off the ransom, resulting in increased losses. The risk is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is well above the typical crypto-ransomware demands, which ZDNET determined to be approximately $13,000. The fallback is to setup from scratch the critical components of your IT environment. Without access to essential information backups, this requires a wide complement of IT skills, top notch project management, and the capability to work 24x7 until the job is done.

For two decades, Progent has offered expert IT services for companies in Des Moines and throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have earned top industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have garnered internationally-recognized certifications including CISA, CISSP, CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has experience with financial systems and ERP application software. This breadth of expertise gives Progent the ability to efficiently identify necessary systems and re-organize the surviving components of your Information Technology system following a ransomware attack and rebuild them into an operational network.

Progent's ransomware group utilizes powerful project management systems to coordinate the complicated recovery process. Progent understands the urgency of working rapidly and together with a customerís management and Information Technology staff to assign priority to tasks and to get the most important services back on line as fast as possible.

Client Case Study: A Successful Ransomware Virus Response
A customer sought out Progent after their company was attacked by Ryuk ransomware. Ryuk is generally considered to have been deployed by Northern Korean government sponsored hackers, suspected of using technology leaked from the United States NSA organization. Ryuk targets specific businesses with little room for disruption and is one of the most lucrative instances of ransomware. Major targets include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in Chicago with around 500 workers. The Ryuk penetration had disabled all essential operations and manufacturing capabilities. The majority of the client's data backups had been directly accessible at the beginning of the intrusion and were destroyed. The client was actively seeking loans for paying the ransom (in excess of $200K) and praying for good luck, but in the end utilized Progent.


"I cannot tell you enough in regards to the expertise Progent provided us throughout the most stressful period of (our) companyís life. We may have had to pay the hackers behind this attack if not for the confidence the Progent experts gave us. That you could get our e-mail and production servers back quicker than seven days was amazing. Each consultant I talked with or messaged at Progent was absolutely committed on getting us restored and was working day and night to bail us out."

Progent worked with the customer to quickly determine and prioritize the essential services that needed to be recovered in order to resume company operations:

  • Active Directory
  • Electronic Mail
  • MRP System
To start, Progent adhered to Anti-virus event response industry best practices by stopping the spread and disinfecting systems. Progent then began the process of restoring Microsoft Active Directory, the heart of enterprise environments built on Microsoft Windows technology. Microsoft Exchange email will not function without Windows AD, and the customerís MRP system leveraged Microsoft SQL, which needs Active Directory services for security authorization to the databases.

In less than 48 hours, Progent was able to re-build Windows Active Directory to its pre-virus state. Progent then helped perform reinstallations and storage recovery on the most important systems. All Exchange ties and configuration information were usable, which accelerated the rebuild of Exchange. Progent was able to locate local OST data files (Outlook Off-Line Data Files) on user desktop computers in order to recover mail messages. A recent offline backup of the customerís accounting/ERP systems made it possible to restore these essential programs back on-line. Although significant work was left to recover totally from the Ryuk damage, the most important services were recovered rapidly:


"For the most part, the production manufacturing operation was never shut down and we did not miss any customer deliverables."

Over the following month critical milestones in the recovery process were accomplished in close cooperation between Progent team members and the customer:

  • In-house web sites were returned to operation without losing any data.
  • The MailStore Exchange Server exceeding four million historical messages was restored to operations and available for users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/AR/Inventory Control modules were fully recovered.
  • A new Palo Alto 850 security appliance was set up and programmed.
  • Most of the user PCs were functioning as before the incident.

"A lot of what went on during the initial response is nearly entirely a haze for me, but our team will not forget the commitment each of you put in to give us our company back. Iíve been working together with Progent for at least 10 years, maybe more, and every time Progent has come through and delivered as promised. This time was a testament to your capabilities."

Conclusion
A probable company-ending disaster was avoided through the efforts of dedicated professionals, a broad range of subject matter expertise, and tight teamwork. Although in retrospect the crypto-ransomware penetration described here could have been identified and prevented with current cyber security systems and security best practices, user education, and well designed incident response procedures for information backup and keeping systems up to date with security patches, the fact remains that state-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a crypto-ransomware incident, remember that Progent's team of professionals has substantial experience in crypto-ransomware virus defense, cleanup, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), Iím grateful for making it so I could get rested after we made it past the first week. Everyone did an impressive job, and if anyone is around the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Des Moines a variety of remote monitoring and security assessment services to assist you to reduce your vulnerability to ransomware. These services include modern artificial intelligence capability to detect zero-day strains of ransomware that can get past legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes next generation behavior machine learning tools to guard physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which easily escape traditional signature-based anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud resources and offers a unified platform to address the entire malware attack progression including filtering, identification, containment, remediation, and post-attack forensics. Top features include single-click rollback with Windows VSS and automatic system-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection managed services deliver affordable in-depth security for physical servers and VMs, workstations, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and responding to security threats from all vectors. ProSight ESP offers firewall protection, intrusion alarms, endpoint management, and web filtering through cutting-edge tools incorporated within one agent managed from a unified console. Progent's data protection and virtualization consultants can help your business to design and configure a ProSight ESP environment that addresses your company's unique needs and that helps you achieve and demonstrate compliance with government and industry information security regulations. Progent will assist you define and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require immediate action. Progent can also assist you to install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and mid-sized businesses a low cost and fully managed service for secure backup/disaster recovery (BDR). For a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup activities and allows rapid restoration of critical data, applications and virtual machines that have become lost or damaged as a result of hardware failures, software bugs, natural disasters, human error, or malware attacks like ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images/. Important data can be backed up on the cloud, to an on-promises device, or to both. Progent's cloud backup consultants can deliver world-class support to set up ProSight Data Protection Services to be compliant with government and industry regulatory requirements like HIPAA, FINRA, and PCI and, when needed, can help you to recover your business-critical information. Read more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top information security vendors to deliver web-based control and comprehensive security for your email traffic. The powerful structure of Progent's Email Guard integrates cloud-based filtering with an on-premises gateway device to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks most threats from reaching your security perimeter. This reduces your exposure to external threats and conserves system bandwidth and storage space. Email Guard's onsite security gateway appliance provides a deeper layer of analysis for inbound email. For outgoing email, the local security gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite security gateway can also assist Exchange Server to track and safeguard internal email traffic that stays inside your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized businesses to diagram, monitor, reconfigure and debug their networking appliances such as routers and switches, firewalls, and load balancers plus servers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology maps are kept updated, copies and displays the configuration of virtually all devices connected to your network, monitors performance, and sends notices when potential issues are discovered. By automating complex management activities, WAN Watch can cut hours off ordinary tasks such as network mapping, expanding your network, locating appliances that need important software patches, or isolating performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system running at peak levels by checking the health of critical computers that power your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your designated IT personnel and your Progent consultant so any potential issues can be resolved before they have a chance to impact your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual host set up and managed by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the applications. Since the system is virtualized, it can be ported easily to a different hardware solution without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not tied a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and protect information related to your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be alerted about upcoming expirations of SSLs or warranties. By cleaning up and organizing your network documentation, you can save as much as 50% of time wasted looking for vital information about your network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents related to managing your network infrastructure such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether youíre planning enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.
For Des Moines 24x7 Crypto-Ransomware Recovery Experts, contact Progent at 800-993-9400 or go to Contact Progent.