Crypto-Ransomware: Your Crippling IT Nightmare
Ransomware has become a modern cyber pandemic and presents an extinction-level threat to businesses unprepared for an attack. Older families such as Dharma, Fusob, Locky, Syskey and MongoLock have been around for years and continue to cause damage. The current generation of crypto-ransomware, including Ryuk, Maze, Sodinokibi, NetWalker, LockBit and Egregor, plus newer strains that have yet to be named, not only encrypts critical online data but also seeks out and encrypts every backup it can reach. Data replicated to cloud environments can be encrypted as well. If the data protection design leaves backups reachable from the compromised network, automated restoration becomes hopeless and the entire environment is effectively knocked back to square one.
Recovering applications and data after a ransomware intrusion becomes a race against time as the targeted organization struggles to contain and eradicate the malware while restoring mission-critical operations. Because the attackers need time to move laterally and stage the encryption, the payload is frequently triggered on weekends, when it typically takes longer to detect. This multiplies the difficulty of rapidly assembling and coordinating a capable response team.
Progent offers a range of services for protecting businesses from crypto-ransomware attacks. These include staff education to help employees recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security solutions that use machine-learning technology to automatically identify and contain zero-day attacks. Progent also provides experienced ransomware recovery consultants with the skill and perseverance to rebuild a compromised network as quickly as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware event, paying the ransom in Bitcoin does not guarantee that the criminals will hand over the keys needed to decrypt any or all of your files. Kaspersky Lab found that 17% of ransomware victims never recovered their data even after paying, compounding their losses. Paying is also expensive: Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the average ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the vital parts of your IT environment. Without access to usable backups, this requires a broad range of skills, professional project management, and the willingness to work around the clock until the job is done.
For two decades, Progent has provided professional IT services for companies in Des Moines and throughout the US and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold advanced industry certifications in foundation technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's security experts hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise with accounting and ERP applications. This breadth of expertise lets Progent rapidly identify critical systems, consolidate the surviving parts of your IT environment after a crypto-ransomware attack, and assemble them into a functioning network.
Progent's security team uses state-of-the-art project management systems to coordinate the complicated restoration process. Progent understands the urgency of working swiftly and in concert with a customer's management and IT staff to prioritize tasks and bring the most important services back online as fast as humanly possible.
Business Case Study: A Successful Crypto-Ransomware Penetration Response
A customer escalated to Progent after their network was penetrated by the Ryuk ransomware. Ryuk shares code with the earlier Hermes ransomware and was at first attributed to North Korean state-sponsored actors; later analysis by security researchers attributed its operation to Russian-speaking criminal groups. Ryuk targets specific organizations with little tolerance for downtime and is one of the most lucrative ransomware operations. Widely publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer in the Chicago metro area with around 500 employees. The Ryuk attack had frozen all essential business and manufacturing processes. Most of the client's backups had been online when the intrusion began and were destroyed. The client was preparing to pay the ransom (more than $200,000) and hope for the best, but instead called Progent.
"I cannot thank you enough for the support Progent provided us during the most fearful period of (our) business's survival. We may have had to pay the hackers behind this attack if it wasn't for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail system and important applications back into operation quicker than 1 week was beyond my wildest dreams. Each person I talked with or communicated with at Progent was absolutely committed to getting our company operational and was working at breakneck pace to bail us out."
Progent worked with the customer to quickly assess and prioritize the most critical services that had to be brought back so that departmental functions could continue:
- Windows Active Directory
- Microsoft Exchange
To begin, Progent followed incident response best practices by stopping the spread and cleaning up infected systems. Progent then started recovering Windows Active Directory, the foundation of environments built on Microsoft Windows Server. Microsoft Exchange Server will not run without Active Directory, and the client's financial and MRP applications ran on SQL Server, which relied on Active Directory for Windows authentication to the data.
In less than two days, Progent restored Windows Active Directory to its pre-attack state. Progent then performed setup and storage recovery on the essential servers. All Exchange Server links and configuration data were intact, which simplified the Exchange rebuild. To recover mailbox contents, Progent located unencrypted OST files (Outlook offline data files) on users' desktop computers. A recent offline backup of the customer's accounting/MRP system allowed those vital applications to be restored and made available to users. Although substantial work remained to recover fully from the Ryuk attack, the most important systems were back quickly:
"For the most part, the production manufacturing operation never missed a beat and we produced all customer sales."
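The mailbox recovery step described above, locating OST files on workstations that the ransomware did not encrypt, can be scripted so that a responder knows within minutes which cache files are worth importing. The following is an added example, not Progent's tooling or anything taken from the case study. It assumes only the standard Outlook PST/OST file signature ("!BDN" in the first four bytes) and uses byte entropy as a heuristic for ciphertext; the directory layout and sample files are constructed for the demonstration.

```python
"""Triage Outlook OST/PST files left on workstations after a ransomware event.

Added example (not Progent's tooling): files whose header still carries the
Outlook signature are candidates for mailbox recovery; files with no signature
and near-random contents are treated as encrypted.
"""
import math
import os
import tempfile
from pathlib import Path

# Every Outlook PST/OST file starts with the 4-byte signature "!BDN" (dwMagic).
OUTLOOK_MAGIC = b"!BDN"
HEAD_BYTES = 64 * 1024          # bytes examined per file
MIN_ENTROPY_SAMPLE = 4096       # do not judge entropy on tiny files
CIPHERTEXT_ENTROPY = 7.9        # bits/byte; random data approaches 8.0
MAILBOX_SUFFIXES = {".ost", ".pst"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, up to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_mailbox_file(path: Path) -> str:
    """Return 'intact', 'encrypted' or 'unknown' for one OST/PST candidate."""
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES)
    if head.startswith(OUTLOOK_MAGIC):
        return "intact"
    # Signature gone: a near-uniform byte distribution is consistent with
    # ciphertext; anything else is simply not a usable Outlook file.
    if len(head) >= MIN_ENTROPY_SAMPLE and shannon_entropy(head) > CIPHERTEXT_ENTROPY:
        return "encrypted"
    return "unknown"


def is_mailbox_candidate(name: str) -> bool:
    """Match foo.ost, foo.pst and renamed victims such as foo.ost.<new-ext>."""
    return any(s.lower() in MAILBOX_SUFFIXES for s in Path(name).suffixes)


def find_mailbox_files(root) -> dict:
    """Walk root and map each OST/PST candidate (relative POSIX path) to its status."""
    root = Path(root)
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_mailbox_candidate(name):
                p = Path(dirpath) / name
                results[p.relative_to(root).as_posix()] = classify_mailbox_file(p)
    return results


def build_demo_tree(root) -> None:
    """Constructed sample data, not files from a real incident."""
    users = Path(root) / "Users"
    users.mkdir(parents=True, exist_ok=True)
    # alice: untouched cache file, signature present.
    (users / "alice.ost").write_bytes(OUTLOOK_MAGIC + b"\x00" * 16384)
    # bob: contents replaced by random bytes, as an encrypted file would look.
    (users / "bob.ost.locked").write_bytes(os.urandom(16384))
    # carol: a tiny stub with no signature; too small to judge.
    (users / "carol.pst").write_bytes(b"\x00" * 100)
    # an unrelated file that must not be picked up.
    (users / "notes.txt").write_bytes(b"not a mailbox")


def demo() -> dict:
    """Build the sample tree in a temp dir and return the triage result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return find_mailbox_files(tmp)


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:10s} {rel}")
```

On a real engagement the walk would be pointed at each workstation's user profile directory (or at a forensic image mounted read-only), and only files reported as "intact" would be copied off for import. The entropy threshold is a heuristic: a compressed archive also scores high, so "encrypted" means "not recoverable as a mailbox file", not a positive identification of the ransomware family.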
Over the following weeks, key milestones in the recovery project were reached through close cooperation between Progent engineers and the client:
- Self-hosted web applications were returned to operation with no loss of data.
- The MailStore Server archive, containing more than 4 million historical messages, was brought online and made accessible to users.
- CRM, orders, invoicing, accounts payable (AP), accounts receivable (AR) and inventory functions were fully recovered.
- A new Palo Alto Networks PA-850 firewall was brought online.
- Nearly all user desktops and notebooks were back in operation.
"A huge amount of what was accomplished during the initial response is nearly entirely a blur for me, but we will not soon forget the commitment each member of your team showed to help get our business back. I've utilized Progent for the past 10 years, maybe more, and each time Progent has shined and delivered. This situation was a testament to your capabilities."
A potentially business-killing disaster was averted through hard-working experts, a wide range of knowledge, and tight collaboration. Forensics later showed that the intrusion described here should have been detected and stopped by modern security tooling combined with NIST Cybersecurity Framework or ISO/IEC 27001 practices, staff training, and well-defined incident response and patch management procedures. The reality, however, is that criminal and state-sponsored attackers from Russia, China, North Korea and elsewhere are tireless and will keep trying. If you do fall victim to a ransomware attack, be assured that Progent's team has a proven track record in ransomware blocking, cleanup, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for making it so I could get some sleep after we got past the most critical parts. All of you did an incredible job, and if anyone is in the Chicago area, a great meal is on me!"
To read or download a PDF version of this customer story, see Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Des Moines a range of remote monitoring and security assessment services designed to help you minimize the threat from ransomware. These services include machine-learning technology to detect new ransomware variants that evade legacy signature-based anti-virus tools.
For 24x7 Des Moines Crypto Repair Consultants, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes next generation behavior-based analysis technology to defend physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which routinely get by legacy signature-based anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a single platform to automate the complete threat lifecycle including blocking, identification, mitigation, cleanup, and post-attack forensics. Top features include one-click rollback with Windows VSS and real-time network-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services deliver affordable in-depth protection for physical and virtual servers, workstations, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and responding to cyber assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, device management, and web filtering through leading-edge technologies packaged within a single agent accessible from a unified console. Progent's data protection and virtualization experts can help your business to design and configure a ProSight ESP deployment that addresses your company's specific requirements and that helps you demonstrate compliance with legal and industry data security standards. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that require urgent attention. Progent's consultants can also help your company to install and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services offer small and mid-sized businesses a low-cost, fully managed solution for secure backup and disaster recovery (BDR). Available at a fixed monthly cost, ProSight DPS automates and monitors your backup activities and enables fast restoration of critical files, applications and VMs that have become unavailable or damaged as a result of component failures, software bugs, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, plus Hyper-V and VMware images. Important data can be protected in the cloud, on an on-premises storage device, or mirrored to both. Progent's BDR consultants can deliver world-class support to configure ProSight Data Protection Services to comply with regulatory standards such as HIPAA, FINRA, and PCI and, when needed, can help you restore your business-critical data. Read more about ProSight Data Protection Services Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of leading information security companies to deliver centralized management and world-class security for all your email traffic. The hybrid structure of Progent's Email Guard combines a Cloud Protection Layer with an on-premises security gateway appliance to offer advanced protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. The Cloud Protection Layer serves as a preliminary barricade and blocks most threats before they reach your network firewall. This reduces your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's on-premises gateway device adds a further layer of analysis for incoming email. For outgoing email, the on-premises gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The local gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that stays inside your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to map out, monitor, reconfigure and debug their networking hardware like routers, firewalls, and load balancers plus servers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology diagrams are kept current, captures and manages the configuration information of almost all devices connected to your network, monitors performance, and generates notices when problems are discovered. By automating time-consuming management and troubleshooting processes, ProSight WAN Watch can knock hours off common tasks such as making network diagrams, reconfiguring your network, finding appliances that require critical updates, or isolating performance problems. Learn more about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your network operating at peak levels by checking the health of vital computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your specified IT staff and your Progent consultant so any looming problems can be resolved before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual machine host set up and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the apps. Because the environment is virtualized, it can be moved easily to an alternate hosting solution without requiring a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied to one hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, retrieve and protect information related to your network infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can eliminate as much as 50% of time wasted looking for vital information about your network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents related to managing your business network like recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're planning enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.