Crypto-Ransomware: Your Crippling IT Nightmare
Crypto-Ransomware Recovery Experts

Ransomware has become an all-too-frequent cyberplague that represents an existential threat to businesses of all sizes that are poorly prepared for an attack. Older iterations of ransomware such as the Dharma, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been in the wild for a long time and still cause destruction. Newer strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, plus additional unnamed variants, not only encrypt online files but also seek out and encrypt any system backup reachable from the compromised network. Files synced to the cloud can be ransomed as well. In a poorly architected data protection solution, this renders automatic restore operations useless and effectively knocks the entire environment back to zero.

Getting applications and data back online following a crypto-ransomware event becomes a race against the clock as the targeted organization struggles to contain the damage, remove the malware, and resume business-critical activity. Because crypto-ransomware takes time to spread, intrusions are often launched during weekends and nights, when attacks tend to take longer to discover. This multiplies the difficulty of promptly assembling and organizing a qualified response team.

Progent provides a variety of services for protecting businesses from ransomware attacks. These include user education to recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security gateways with AI technology to quickly identify and stop zero-day attacks. Progent also provides the assistance of seasoned ransomware recovery professionals with the skill and perseverance to reconstruct a compromised environment as quickly as possible.

Progent's Ransomware Restoration Services
Following a ransomware attack, even paying the ransom in Bitcoin provides no assurance that the criminals will respond with the keys to decrypt any or all of your data. Kaspersky found that 17% of crypto-ransomware victims never recovered their files after paying the ransom, compounding their losses. Paying is also very expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the usual ransomware demand, which ZDNET estimates to average around $13,000. The alternative is to piece the vital elements of your IT environment back together. Without access to complete data backups, this requires a broad range of skills, top-notch project management, and the willingness to work continuously until the job is done.

For twenty years, Progent has provided professional IT services to companies in Alpharetta and throughout the U.S. and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold advanced certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity experts have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience with accounting and ERP software. This breadth of expertise allows Progent to knowledgeably identify the necessary systems, salvage the surviving pieces of your IT environment following a crypto-ransomware intrusion, and rebuild them into a functioning system.

Progent's recovery team uses proven project management systems to orchestrate the complex restoration process. Progent understands the importance of working rapidly and in concert with a customer's management and IT staff to prioritize tasks and bring critical systems back online as soon as possible.

Client Case Study: A Successful Ransomware Intrusion Restoration
A client sought out Progent after their network was penetrated by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean state-sponsored criminal gangs, suspected of using algorithms leaked from America's NSA. Ryuk targets specific companies with limited tolerance for operational disruption and is one of the most profitable strains of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business located in the Chicago metro area with around 500 employees. The Ryuk intrusion had brought down all essential business and manufacturing operations. Most of the client's backups had been online at the start of the intrusion and were damaged. The client was arranging financing to pay the ransom (exceeding two hundred thousand dollars) and hoping for the best, but in the end reached out to Progent.

"I can't say enough about the support Progent gave us throughout the most stressful time of (our) business's survival. We had little choice but to pay the criminal gangs except for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail and critical servers back into operation in less than five days was incredible. Each consultant I spoke to or e-mailed at Progent was absolutely committed to getting our company operational and was working 24 by 7 to bail us out."

Progent worked with the customer to rapidly identify and prioritize the mission-critical applications that had to be recovered in order to restart company operations:

  • Microsoft Active Directory
  • Electronic Messaging
  • Financials/MRP
To begin, Progent followed ransomware incident response best practices by halting the spread and removing active malware. Progent then began recovering Active Directory, the core of enterprise networks built on Microsoft Windows Server. Microsoft Exchange Server email will not function without Windows AD, and the customer's financials and MRP software relied on Microsoft SQL Server, which in turn requires Windows AD for authentication to the databases.

In less than 2 days, Progent rebuilt Active Directory to its pre-attack state. Progent then completed setup and disk recovery for the most important applications. All Exchange connectors and configuration information were intact, which accelerated the restoration of Exchange. Progent was also able to collect unencrypted OST files (Outlook Offline Folder Files) from staff desktop computers to recover mail messages. A recent offline backup of the client's accounting/MRP software made it possible to bring these required programs back online. Although significant work remained to recover fully from the Ryuk attack, critical services were restored rapidly:

"For the most part, the assembly line operation was never shut down and we delivered all customer sales."

During the next couple of weeks, key milestones in the restoration process were completed in close cooperation between Progent engineers and the customer:

  • Internal web sites were brought back up with no loss of information.
  • The MailStore archive for Microsoft Exchange Server, holding more than four million historical messages, was brought online and made available to users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/AR/Inventory functions were fully operational.
  • A new Palo Alto 850 firewall was brought on-line.
  • Ninety percent of the user workstations were back into operation.

"A huge amount of what happened those first few days is mostly a haze for me, but my management will not soon forget the care all of you accomplished to help get our company back. I've been working with Progent for at least 10 years, maybe more, and each time Progent has shined and delivered. This event was no exception but maybe more Herculean."

Conclusion
A probable business catastrophe was averted thanks to results-oriented experts, a broad range of knowledge, and tight collaboration. In hindsight, the crypto-ransomware attack described here should have been identified and stopped by modern security technology, security best practices, staff training, and appropriate incident response procedures covering data backup and timely security patching. The reality remains, however, that state-sponsored cybercriminals from China, North Korea and elsewhere are tireless and will keep attacking. If you are hit by a ransomware intrusion, remember that Progent's roster of experts has substantial experience in crypto-ransomware defense, mitigation, and information systems restoration.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for allowing me to get some sleep after we got over the initial fire. All of you did an amazing job, and if anyone that helped is in the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Alpharetta a variety of remote monitoring and security evaluation services designed to help you minimize your exposure to crypto-ransomware. These services incorporate next-generation AI technology to detect new strains of ransomware that escape detection by legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that uses behavior-based analysis to defend physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely escape legacy signature-based AV products. ProSight ASM safeguards on-premises and cloud resources and offers a unified platform to automate the entire threat lifecycle, including protection, detection, containment, remediation, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer security for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and response to cyber threats from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge technologies packaged within a single agent managed from a single console. Progent's data protection and virtualization consultants can help your business design and configure a ProSight ESP deployment that meets your company's specific requirements and allows you to demonstrate compliance with legal and industry information security regulations. Progent will help you specify and configure the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require urgent action. Progent's consultants can also help you install and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized businesses a low-cost, fully managed service for secure backup and disaster recovery. For a low monthly fee, ProSight Data Protection Services automates your backup processes and allows rapid restoration of critical data, applications and VMs that have become unavailable or corrupted as a result of component failures, software bugs, natural disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you back up, recover and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to an on-premises device, or mirrored to both. Progent's cloud backup consultants can provide world-class expertise to set up ProSight DPS to comply with government and industry regulatory standards like HIPAA, FINRA, and PCI and, whenever needed, can help you restore your business-critical data. Find out more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top information security companies to deliver web-based management and comprehensive protection for all your inbound and outbound email. The layered structure of Email Guard integrates a Cloud Protection Layer with a local gateway appliance to offer complete defense against spam, viruses, Denial of Service attacks, directory harvest attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer serves as a preliminary barrier and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's onsite security gateway adds a deeper layer of analysis for incoming email. For outgoing email, the local gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also assist Microsoft Exchange Server in monitoring and safeguarding internal email that originates and ends inside your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to map, monitor, reconfigure and troubleshoot their network appliances such as routers, switches, firewalls, and load balancers, as well as servers, printers, client computers and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch keeps infrastructure topology diagrams up to date, copies and manages the configuration of almost all devices connected to your network, monitors performance, and sends alerts when potential issues are discovered. By automating tedious management and troubleshooting processes, ProSight WAN Watch can cut hours off routine chores like network mapping, reconfiguring your network, locating appliances that need important updates, or isolating performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) technology to help keep your IT system running at peak levels by checking the health of the vital assets that power your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your designated IT personnel and your assigned Progent consultant so that any potential issue can be addressed before it has a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting, a small organization can have its key servers and apps hosted in a secure, fault-tolerant data center on a fast virtual machine host configured and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the apps. Because the system is virtualized, it can be moved easily to an alternate hosting environment without a time-consuming and technically risky reconfiguration. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and protect information about your IT infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or warranties. By keeping your network documentation current and organized, you can eliminate up to half of the time spent searching for vital information about your IT network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents related to managing your business network, such as recommended procedures and how-to guides. ProSight IT Asset Management also supports advanced automation for gathering and associating IT information. Whether you're planning enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

For Alpharetta 24/7/365 CryptoLocker Recovery Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.