Ransomware : Your Crippling Information Technology Disaster
Crypto-Ransomware Remediation Experts

Ransomware has become a modern cyberplague that poses an extinction-level threat to businesses vulnerable to an attack. Ransomware families such as Dharma, CryptoWall, Bad Rabbit, NotPetya and the MongoLock cryptoworm have been running rampant for a long time and continue to inflict destruction. Newer strains such as Ryuk and Hermes, along with daily unnamed newcomers, not only encrypt critical online data but also defeat many of the system protections that have been configured. Files replicated to off-site disaster recovery sites can also be ransomed. In a poorly designed environment, this can render automated restoration impossible and effectively set the datacenter back to square one.

Restoring services and information after a crypto-ransomware outage becomes a race against the clock as the victim tries to stop lateral movement, clean up the infection, and resume mission-critical activity. Because crypto-ransomware needs time to spread, attacks are often launched on weekends and at night, when intrusions are likely to take longer to discover. This multiplies the difficulty of rapidly marshalling and organizing a capable response team.

Progent offers an assortment of support services for protecting businesses from crypto-ransomware events. These include staff education to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of the latest generation of AI-capable security solutions that automatically identify and quarantine zero-day cyber attacks. Progent also offers the assistance of veteran ransomware recovery consultants with the talent and perseverance to restore a breached network as quickly as possible.

Progent's Ransomware Restoration Support Services
After a crypto-ransomware penetration, paying the ransom demand in cryptocurrency provides no assurance that merciless criminals will return the keys needed to decrypt any of your files. Kaspersky Labs determined that 17% of ransomware victims never recovered their information even after paying the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is far above the average ransomware demand, which ZDNET determined to be around $13,000. The other path is to piece back together the essential parts of your IT environment. Without complete data backups, this calls for a broad range of skill sets, well-coordinated project management, and the capability to work 24x7 until the job is done.

For two decades, Progent has provided expert IT services for companies in Las Vegas and throughout the United States and has achieved Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have earned advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience with financial management and ERP applications. This breadth of expertise gives Progent the capability to knowledgeably identify important systems, integrate the remaining components of your network environment after a crypto-ransomware event, and rebuild them into an operational system.

Progent's ransomware team uses best-of-breed project management applications to coordinate the sophisticated recovery process. Progent understands the urgency of acting rapidly and in unison with a customer's management and IT staff to prioritize tasks and to put critical applications back online as soon as humanly possible.

Business Case Study: A Successful Ransomware Penetration Restoration
A customer contacted Progent after their network was crippled by Ryuk crypto-ransomware. Ryuk is thought to have been created by North Korean state-sponsored cybercriminals, suspected of adopting strategies leaked from the United States National Security Agency. Ryuk targets specific companies with little tolerance for disruption and is one of the most lucrative instances of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in Chicago with about 500 staff members. The Ryuk penetration had shut down all essential operations and manufacturing processes. Most of the client's data backups had been directly accessible from the network at the start of the attack and were destroyed. The client considered paying the ransom demand (more than $200,000) and hoping for the best, but in the end engaged Progent.

"I can't thank you enough for the support Progent gave us during the most fearful period of (our) business's life. We had little choice but to pay the cyber criminals behind the attack except for the confidence the Progent experts provided us. The fact that you could get our e-mail system and critical applications back on-line in less than a week was earth shattering. Every single consultant I got help from or communicated with at Progent was amazingly focused on getting us back on-line and was working at all hours on our behalf."

Progent worked with the client to rapidly understand and prioritize the most important services that had to be recovered to make it possible to resume business operations:

  • Active Directory
  • Electronic Messaging
  • Financials/MRP

To start, Progent followed anti-malware incident response best practices by stopping lateral movement and cleaning up infected systems. Progent then began restoring Microsoft Active Directory (AD), the heart of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange messaging will not function without AD, and the business's MRP system relied on Microsoft SQL Server, which depends on Windows AD for authentication and authorization of access to the data.

Within 48 hours, Progent was able to rebuild Windows Active Directory to its pre-penetration state. Progent then pressed ahead with reinstallations and storage recovery for critical applications. All Exchange Server schema and configuration information was usable, which greatly helped the restoration of Exchange. Progent was able to find intact OST files (Outlook Offline Folder Files) on user workstations and laptops and used them to recover email data. A relatively recent off-line backup of the customer's accounting software made it possible to return these essential programs to users. Although significant work remained to recover completely from the Ryuk damage, essential systems were recovered quickly:

"For the most part, the production manufacturing operation ran fairly normally throughout and we fulfilled all customer orders."

Over the next few weeks, key milestones in the restoration project were reached through tight cooperation between Progent engineers and the client:

  • In-house web applications were returned to operation without losing any data.
  • The MailStore Exchange Server with over four million archived emails was brought online and accessible to users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables/Inventory Control functions were 100% recovered.
  • A new Palo Alto Networks 850 firewall was brought online.
  • Nearly all of the desktop computers were operational.

"A huge amount of what occurred in the initial days is nearly entirely a fog for me, but my management will not forget the countless hours all of the team put in to give us our business back. I have entrusted Progent for at least 10 years, possibly more, and each time Progent has impressed me and delivered. This situation was a life saver."

Conclusion
A potential business-ending catastrophe was averted through the efforts of dedicated professionals, a broad range of IT skills, and close collaboration. Post-incident forensics showed that the crypto-ransomware incident described here could have been prevented by current cybersecurity systems and recognized best practices, team training, and properly executed procedures for data backup and software patching. Even so, the reality is that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware penetration, remember that Progent's roster of professionals has extensive experience in ransomware defense, removal, and data restoration.

"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thank you for making it so I could get rested after we got through the first week. All of you did an incredible job, and if any of you guys is visiting the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Las Vegas a portfolio of online monitoring and security evaluation services to help you reduce the threat from ransomware. These services incorporate modern machine learning capabilities to uncover zero-day strains of crypto-ransomware that can escape detection by legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that utilizes cutting-edge behavior analysis tools to guard physical and virtual endpoint devices against new malware assaults like ransomware and email phishing, which routinely get by legacy signature-based AV products. ProSight ASM safeguards on-premises and cloud resources and offers a unified platform to automate handling of the complete malware attack lifecycle, including filtering, infiltration detection, mitigation, remediation, and forensics. Key capabilities include single-click rollback using Windows VSS and real-time network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services offer ultra-affordable in-depth security for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring of and response to security assaults from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, device management, and web filtering through leading-edge tools packaged within a single agent managed from a single console. Progent's data protection and virtualization experts can help you plan and configure a ProSight ESP environment that meets your company's unique requirements and that allows you to demonstrate compliance with government and industry data protection standards. Progent will assist you in defining and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for immediate attention. Progent can also help you install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and medium-sized businesses a low-cost, fully managed service for reliable backup and disaster recovery. For a fixed monthly price, ProSight DPS automates your backup activities and enables fast restoration of vital files, applications and VMs that have become unavailable or damaged as a result of component breakdowns, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware images. Important data can be protected in the cloud, on an on-premises device, or both. Progent's backup and recovery specialists can provide advanced expertise to configure ProSight DPS to comply with regulatory requirements such as HIPAA, FIRPA, PCI and Safe Harbor and, whenever needed, can assist you in restoring your business-critical data. Find out more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top data security companies to provide centralized management and world-class security for your email traffic. The powerful architecture of the Email Guard managed service integrates cloud-based filtering with an on-premises gateway appliance to provide advanced defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based malware. The cloud filter serves as a preliminary barricade and blocks the vast majority of threats from reaching your security perimeter. This decreases your exposure to external attacks and conserves network bandwidth and storage space. Email Guard's onsite security gateway appliance adds a further layer of analysis for incoming email. For outgoing email, the local security gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The local gateway can also assist Exchange Server in monitoring and protecting internal email that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to diagram, monitor, enhance and debug their connectivity appliances such as routers, firewalls, and access points, plus servers, printers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network maps are kept up to date, copies and displays the configuration information of almost all devices connected to your network, monitors performance, and sends notices when issues are detected. By automating complex management and troubleshooting processes, WAN Watch can cut hours off ordinary chores such as making network diagrams, expanding your network, locating appliances that need critical updates, or identifying the cause of performance issues. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management techniques to help keep your network running at peak levels by tracking the state of the critical assets that drive your information system. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your designated IT staff and your assigned Progent consultant so that looming issues can be resolved before they impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual host set up and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the applications. Because the environment is virtualized, it can be ported easily to an alternate hosting solution without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and safeguard information related to your network infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be alerted about impending expirations of SSL certificates or domains. By cleaning up and managing your network documentation, you can eliminate as much as half of the time spent searching for critical information about your network. ProSight IT Asset Management features a centralized location for holding and sharing all documents required for managing your business network, such as standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're planning enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need when you need it. Find out more about Progent's ProSight IT Asset Management service.

For Las Vegas 24/7 Crypto-Ransomware Recovery Help, contact Progent at 800-993-9400 or go to Contact Progent.