Crypto-Ransomware: Your Feared Information Technology Nightmare
Crypto-Ransomware Remediation Professionals
Ransomware has become a modern cyber plague that presents an existential danger to businesses of any size that are unprepared for an attack. Families such as CrySIS, WannaCry, Locky, NotPetya and MongoLock have been running rampant for years and continue to inflict havoc. More recent strains such as Ryuk (built on the earlier Hermes code base), along with a steady stream of newcomers, not only encrypt online data but also disable or destroy the recovery mechanisms that were configured to protect it: they delete Volume Shadow Copies, wipe backup catalogs, and encrypt any backup target that is reachable from the compromised network. Files synchronized to cloud storage can be corrupted as well, since the sync client faithfully uploads the encrypted versions. In a poorly architected data protection design this renders automated recovery useless and effectively sets the organization back to square one.
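The pre-encryption sabotage described above leaves a distinctive trail in process-creation telemetry (Windows Security event 4688 or Sysmon event 1). The following is an added example, not Progent's tooling or code from the original page: it runs simple detection logic over constructed log lines in a simplified key=value format (an assumption; real events would be parsed from EVTX or a SIEM) and escalates a host when several distinct recovery-tamper techniques fire within a short window.

```python
"""
Flag process-creation events that tamper with Windows recovery points, the
pre-encryption step used by Ryuk and similar ransomware families, then
escalate hosts where several distinct tamper techniques fire close together.

Added example for this page, not Progent's tooling.  The key=value log
format and the sample lines below are constructed for the example.
"""
import re
from datetime import datetime

# Command lines that destroy or disable built-in Windows recovery.  Each
# pattern names one technique so the escalation step can count distinct ones.
TAMPER_PATTERNS = {
    "vss_delete": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "vss_resize": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    "wmic_shadow_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin_catalog_delete": re.compile(
        r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b", re.I),
    "bcdedit_recovery_off": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
}

# Simplified event shape (assumption): "<ISO-8601 UTC> host=<name> user=<name> cmd=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


def parse_line(line):
    """Return the event fields as a dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(cmd):
    """Names of every tamper technique matched by one command line."""
    return [name for name, pat in TAMPER_PATTERNS.items() if pat.search(cmd)]


def detect(lines):
    """One alert per event whose command line matches at least one tamper pattern."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        rules = classify(ev["cmd"])
        if rules:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "rules": rules, "cmd": ev["cmd"]})
    return alerts


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def escalate(alerts, min_rules=2, window_seconds=600):
    """Hosts on which at least min_rules distinct techniques fired within one window.

    A lone 'vssadmin resize shadowstorage' can be legitimate administration; deleting
    shadows, wiping the backup catalog and disabling boot recovery within minutes is not.
    """
    per_host = {}
    for a in alerts:
        per_host.setdefault(a["host"], []).append(a)
    escalated = {}
    for host, evs in per_host.items():
        evs.sort(key=lambda a: _ts(a["ts"]))
        for i, first in enumerate(evs):
            seen = set()
            for ev in evs[i:]:
                if (_ts(ev["ts"]) - _ts(first["ts"])).total_seconds() > window_seconds:
                    break
                seen.update(ev["rules"])
            if len(seen) >= min_rules:
                escalated[host] = sorted(seen)
                break
    return escalated


# Constructed sample telemetry: four tamper commands on FS01, two benign events.
SAMPLE_LOG = [
    r"2024-03-02T02:14:07Z host=FS01 user=CORP\svc_backup cmd=vssadmin.exe Delete Shadows /All /Quiet",
    r"2024-03-02T02:14:09Z host=FS01 user=CORP\svc_backup cmd=vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB",
    r"2024-03-02T02:14:11Z host=FS01 user=CORP\svc_backup cmd=wbadmin.exe delete catalog -quiet",
    r"2024-03-02T02:14:12Z host=FS01 user=CORP\svc_backup cmd=bcdedit.exe /set {default} recoveryenabled No",
    r"2024-03-02T02:15:30Z host=WS17 user=CORP\jdoe cmd=C:\Windows\System32\notepad.exe C:\Users\jdoe\notes.txt",
    r"2024-03-02T09:00:01Z host=DC01 user=CORP\admin cmd=vssadmin.exe list shadows",
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['host']} {a['user']} {','.join(a['rules'])}: {a['cmd']}")
    for host, rules in escalate(found).items():
        print(f"ESCALATE {host}: {len(rules)} distinct recovery-tamper techniques -> likely ransomware staging")
```

Alerting on every individual match would generate noise from legitimate administration, which is why the escalation step matters: benign maintenance rarely deletes shadow copies, wipes the backup catalog and disables Windows recovery on the same host within minutes. Note that this detection fires only after the attacker already has a foothold with sufficient privilege; it buys reaction time before encryption begins, and is no substitute for backups the attacker cannot reach.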

Getting applications and data back online after a ransomware intrusion is a race against time: the targeted organization must stop the spread, clean up the ransomware, and restore mission-critical activity all at once. Because the attackers need time to move laterally before they trigger encryption, the final stage is frequently launched at night or over a weekend, when intrusions take longer to notice. This multiplies the difficulty of quickly assembling and coordinating a qualified response team.

Progent offers an assortment of services for protecting organizations against ransomware. These include staff training to help employees recognize and avoid phishing lures, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of next-generation security solutions that use AI-based detection to rapidly identify and disable zero-day threats. Progent also offers the services of experienced ransomware recovery professionals with the skills and commitment to rebuild a breached network as urgently as possible.

Progent's Ransomware Recovery Support Services
After a ransomware event, paying the ransom in Bitcoin does not guarantee that the attackers will hand over working keys to decrypt all of your data. Kaspersky found that 17% of ransomware victims never recovered their files after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet estimated at around $13,000. The other path is to rebuild the essential elements of your IT environment from scratch. Without usable backups of essential data, this requires a broad range of IT skills, top-notch project management, and the willingness to work around the clock until the recovery is complete.

For twenty years Progent has provided expert IT services to businesses in Alexandria and throughout the United States, and has achieved Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who hold top certifications in key technologies including Microsoft, Cisco, VMware, and the popular Linux distributions. Progent's cybersecurity engineers hold internationally recognized certifications including CISA, CISSP, CRISC, and GIAC (refer to Progent's certifications). Progent also has experience with accounting and ERP software. This breadth of expertise lets Progent understand the systems that matter, integrate the surviving pieces of your network after a crypto-ransomware event, and configure them into a working environment.

Progent's security team uses structured project management tools to orchestrate the complex restoration process. Progent appreciates the importance of working rapidly and in concert with a client's management and IT staff to prioritize tasks and get the most important applications back online as soon as humanly possible.

Case Study: A Successful Ransomware Intrusion Restoration
A business engaged Progent after its network was penetrated by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it reuses code from the earlier Hermes ransomware, although later analysis attributed its operation to Russian-speaking criminal groups. Ryuk targets specific organizations that have little tolerance for downtime and is among the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business in the Chicago metro area with around 500 employees. The Ryuk intrusion had shut down all company operations and manufacturing processes. Most of the client's backups were reachable from the compromised network when the intrusion began, and they were eventually encrypted along with the production data. The client was preparing to pay the ransom (more than two hundred thousand dollars) and hope for the best, but ultimately engaged Progent.


"I cannot thank you enough in regard to the support Progent gave us during the most fearful period of (our) business's survival. We would have paid the cybercriminals except for the confidence the Progent experts provided us. The fact that you could get our messaging and important applications back into operation in less than 1 week was something I thought impossible. Each person I got help from or messaged at Progent was amazingly focused on getting us back online and was working all day and night to bail us out."

Progent worked hand in hand with the client to rapidly identify and prioritize the key systems that had to be recovered for company operations to continue:

  • Active Directory
  • Exchange Server
  • Financials/MRP
To begin, Progent followed incident-response best practice: contain the outbreak by isolating affected hosts to halt the spread, then eradicate the active malware. Progent then set about bringing Microsoft Active Directory back online, since it is the core of any enterprise network built on Microsoft technology. Microsoft Exchange will not work without Active Directory, and the customer's accounting and MRP software used Microsoft SQL Server, which relied on Active Directory for authenticated access to the databases.

In less than 2 days, Progent recovered Active Directory to its pre-attack state. Progent then moved on to rebuilding mission-critical servers and recovering their storage. All Exchange Server schema and configuration data (which live in Active Directory) were intact, which facilitated the rebuild of Exchange. Progent was also able to collect the local OST files (Microsoft Outlook Offline Folder Files) from user workstations to recover mailbox contents. A reasonably recent offline backup of the customer's accounting/MRP systems, one the ransomware could not reach, made it possible to return these essential services to operation. Although much work remained to recover completely from the Ryuk event, core services were restored rapidly:


"For the most part, the production manufacturing operation survived unscathed and we made all customer sales."

Over the following few weeks, key milestones in the recovery project were reached through close collaboration between Progent consultants and the client:

  • Internal web applications were brought back up with no loss of data.
  • The MailStore archive server for Microsoft Exchange, containing more than four million historical messages, was spun up and made available to users.
  • CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory Control modules were completely restored.
  • A new Palo Alto Networks PA-850 firewall was brought online.
  • Most of the user desktops were back into operation.

"A lot of what was accomplished those first few days is nearly entirely a blur for me, but we will not forget the commitment each of the team put in to give us our business back. I've trusted Progent for at least 10 years, possibly more, and each time I needed help Progent has come through and delivered. This time was a Herculean accomplishment."

Conclusion
A potentially business-ending disaster was avoided through dedicated professionals, a wide spectrum of subject matter expertise, and close teamwork. In retrospect, the ransomware intrusion described here could have been detected and blocked by current security tooling and recognized best practices: staff training, backups kept offline or otherwise isolated from the production network, tested incident response procedures, and systems kept current with security patches. The reality remains, however, that state-sponsored and criminal attackers from Russia, China and elsewhere are tireless and are not going away. If you are hit by a crypto-ransomware attack, you can be confident that Progent's team has substantial experience in ransomware blocking, mitigation, and data restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), I'm grateful for allowing me to get some sleep after we made it past the initial fire. Everyone did an impressive job, and if anyone is around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Alexandria a variety of online monitoring and security assessment services designed to help you to minimize your vulnerability to ransomware. These services utilize modern machine learning technology to detect new strains of ransomware that can escape detection by legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that uses next-generation behavior-based analysis to guard physical and virtual endpoints against modern malware such as ransomware and email phishing, which often evade legacy signature-based AV tools. ProSight ASM protects local and cloud-based resources and provides a unified platform to manage the entire threat lifecycle: blocking, detection, mitigation, remediation, and forensics. Top features include single-click rollback using the Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. Note that VSS-based rollback depends on the shadow copies surviving, and deleting them is a routine first step for ransomware such as Ryuk, so rollback complements rather than replaces isolated backups. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable, in-depth protection for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning to continuously monitor and respond to cyber attacks from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device management, and web filtering through technologies incorporated within one agent managed from a single console. Progent's security and virtualization consultants can help your business design and configure a ProSight ESP environment that addresses your organization's specific needs and helps you demonstrate compliance with legal and industry information security standards. Progent will help you specify and configure the policies that ProSight ESP enforces, and Progent will monitor your network and react to alerts that call for urgent action. Progent can also help you set up and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized businesses an affordable, fully managed service for reliable backup and disaster recovery. For a low monthly cost, ProSight DPS automates and monitors your backup processes and allows fast recovery of vital data, applications and VMs that have become unavailable or damaged as a result of hardware failures, software bugs, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, plus Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to a local device, or to both, so that a copy remains outside the reach of an attacker who has compromised the production network. Progent's BDR consultants can provide advanced expertise to configure ProSight Data Protection Services to comply with regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, when needed, can help you recover your critical data. Read more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top data security companies to deliver web-based control and comprehensive protection for all your inbound and outbound email. The architecture of the Email Guard managed service integrates cloud-based filtering with a local gateway appliance to offer layered defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer serves as a first line of defense and keeps most unwanted email from ever reaching your network firewall. This decreases your exposure to inbound threats and conserves network bandwidth and storage space. Email Guard's on-premises security gateway adds a deeper layer of analysis for incoming email. For outgoing email, the onsite gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also work with Microsoft Exchange Server to monitor and safeguard internal email that never leaves your security perimeter. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller businesses to map, monitor, optimize and troubleshoot their network appliances such as switches, firewalls, and wireless controllers, as well as servers, client computers and other devices. Using Remote Monitoring and Management (RMM) technology, ProSight WAN Watch keeps network maps up to date, captures and manages the configuration of almost every device on your network, tracks performance, and generates alerts when potential issues are discovered. By automating tedious network management activities, ProSight WAN Watch can cut hours off ordinary tasks such as producing network diagrams, expanding your network, locating appliances that need critical software patches, or isolating performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management technology to help keep your IT system operating at peak levels by tracking the health of critical computers that power your information system. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your specified IT staff and your Progent engineering consultant so that any looming issues can be addressed before they have a chance to impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With the ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected, fault-tolerant data center on a high-performance virtual machine host set up and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the client owns the data, the operating system software, and the apps. Because the system is virtualized, it can be moved easily to a different hosting solution without a time-consuming and difficult reinstallation. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and safeguard data about your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSL/TLS certificates or domain registrations. By keeping your IT documentation current and organized, you can eliminate as much as half of the time wasted looking for vital information about your network. ProSight IT Asset Management provides a common location for holding and sharing all the documents required to manage your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and correlating IT information. Whether you're planning improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you need when you need it. Read more about Progent's ProSight IT Asset Management service.
For Alexandria 24x7x365 Ransomware Remediation Help, reach out to Progent at 800-993-9400 or go to Contact Progent.