Crypto-Ransomware : Your Feared IT Nightmare
Ransomware Remediation Professionals
Ransomware has become a too-frequent cyber pandemic that poses an existential threat to businesses of all sizes that are unprepared for an attack. Ransomware strains and cryptoworms such as Reveton, WannaCry, Bad Rabbit, SamSam and MongoLock have been circulating for a long time and still inflict harm. Recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, as well as frequent not-yet-named variants, not only encrypt online data files but also infect most configured system restore points and backups. Files synchronized to the cloud can also be encrypted. In a vulnerable environment, this can render any restoration impossible and effectively knocks the entire system back to square one.

Getting programs and information back after a ransomware attack becomes a race against the clock as the targeted business struggles to stop the spread, remove the crypto-ransomware, and restore mission-critical activity. Because ransomware needs time to replicate, intrusions are frequently launched at night, when successful attacks may take longer to uncover. This multiplies the difficulty of promptly assembling and coordinating an experienced response team.

Progent has a variety of services for securing organizations from ransomware penetrations. These include user training to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of the latest generation security appliances with machine learning capabilities to intelligently detect and disable zero-day cyber attacks. Progent in addition offers the assistance of expert ransomware recovery professionals with the skills and perseverance to rebuild a breached network as soon as possible.

Progent's Ransomware Restoration Help
After a ransomware intrusion, even paying the ransom in Bitcoin cryptocurrency does not provide any assurance that the cyber criminals will respond with the keys to decrypt any or all of your files. Kaspersky estimated that seventeen percent of ransomware victims never recovered their information after having sent off the ransom, resulting in further losses. The ransom itself is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNET estimates to be approximately $13,000. The fallback is to re-install the key elements of your Information Technology environment. Without access to essential system backups, this calls for a wide range of skill sets, well-coordinated project management, and the ability to work continuously until the job is over.

For decades, Progent has provided expert IT services for businesses in Lincoln and across the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have been awarded top certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has expertise in financial systems and ERP applications. This breadth of expertise gives Progent the ability to knowledgeably identify important systems, consolidate the surviving components of your IT environment after a ransomware attack, and configure them into a functioning network.

Progent's ransomware team has top-notch project management systems to coordinate the sophisticated restoration process. Progent knows the urgency of acting quickly and in concert with a client's management and Information Technology staff to prioritize tasks and to get the most important services back online as fast as humanly possible.

Business Case Study: A Successful Ransomware Attack Recovery
A small business engaged Progent after their company was brought down by the Ryuk ransomware virus. Ryuk is generally considered to have been launched by North Korean state criminal gangs, suspected of using strategies leaked from America's NSA. Ryuk targets specific businesses with little ability to sustain operational disruption and is among the most profitable iterations of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing company located in the Chicago metro area with about 500 staff members. The Ryuk event had frozen all business operations and manufacturing processes. Most of the client's backups had been directly accessible at the beginning of the intrusion and were eventually encrypted. The client was evaluating paying the ransom (in excess of $200K) and wishfully hoping for the best, but in the end brought in Progent.


"I can't speak enough about the care Progent provided us during the most fearful time of (our) business's existence. We most likely would have paid the cybercriminals if it wasn't for the confidence the Progent group afforded us. The fact that you were able to get our messaging and critical applications back on-line in less than five days was something I thought impossible. Every single expert I spoke to or communicated with at Progent was absolutely committed to getting our company operational and was working at all hours on our behalf."

Progent worked together with the client to quickly identify and prioritize the mission critical applications that needed to be restored to make it possible to resume departmental functions:

  • Windows Active Directory
  • E-Mail
  • Accounting/MRP

To start, Progent adhered to industry best practices for malware incident response by stopping lateral movement and removing active malware. Progent then initiated the work of restoring Active Directory, the heart of enterprise systems built upon Microsoft technology. Exchange messaging will not function without Active Directory, and the client's accounting and MRP applications used Microsoft SQL Server, which relies on Windows AD for authentication.

In less than 48 hours, Progent was able to recover Active Directory to its pre-infection state. Progent then charged ahead with reinstallations and hard drive recovery of mission-critical applications. All Exchange ties and attributes were intact, which accelerated the rebuild of Exchange. Progent was able to collect non-encrypted OST data files (Outlook Offline Folder Files) from various desktop computers and laptops in order to recover mail information. A recent offline backup of the client's financials/ERP software made it possible to bring these essential applications back online for users. Although significant work remained to recover fully from the Ryuk virus, essential systems were restored quickly:


"For the most part, the production manufacturing operation never missed a beat and we produced all customer shipments."
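The recovery above depended on finding mailbox files on desktops that the ransomware had not reached. The following script is an added example, not Progent's tooling or anything from the case study: it triages OST/PST files by checking for the Outlook data file signature (the ASCII bytes "!BDN" at offset 0) and, where that header is gone, measuring the Shannon entropy of the file's first block, since encrypted content is close to uniformly random. The sample files it writes are constructed for the demonstration; the file names and the 7.5 bits-per-byte threshold are assumptions.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Outlook OST/PST data files start with the 4-byte signature "!BDN".
PST_MAGIC = b"!BDN"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_mailbox_file(path: Path, sample_size: int = 4096,
                          entropy_threshold: float = 7.5) -> str:
    """Return 'intact', 'encrypted' or 'unknown' for one OST/PST file.

    A valid header wins outright; otherwise a near-random first block is taken
    as ciphertext, and anything else (empty, truncated, non-Outlook) is 'unknown'.
    """
    with open(path, "rb") as f:
        head = f.read(sample_size)
    if head.startswith(PST_MAGIC):
        return "intact"
    if shannon_entropy(head) >= entropy_threshold:
        return "encrypted"
    return "unknown"


def triage_directory(root: Path) -> dict:
    """Map every *.ost / *.pst file under root to its classification."""
    results = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in (".ost", ".pst"):
            results[p.name] = classify_mailbox_file(p)
    return results


def _pseudo_ciphertext(length: int, seed: bytes) -> bytes:
    """Deterministic stand-in for encrypted bytes: a chained SHA-256 stream."""
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


def build_constructed_samples(root: Path) -> None:
    """Write constructed sample files (not real mailboxes) for the demo."""
    # Intact: valid signature followed by mostly zero padding.
    (root / "user1.ost").write_bytes(PST_MAGIC + b"\x00" * 4092)
    # Encrypted copy: signature gone, contents look random.
    (root / "user2.ost").write_bytes(_pseudo_ciphertext(4096, b"constructed-seed"))
    # Intact but dense content: the header check must take precedence over entropy.
    (root / "user3.pst").write_bytes(PST_MAGIC + bytes(range(256)) * 16)
    # Wrong extension for its content, e.g. a zero-filled placeholder: 'unknown'.
    (root / "user4.ost").write_bytes(b"\x00" * 4096)


def run_triage_on_constructed_samples() -> dict:
    """Build the constructed samples in a temp dir and triage them."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_constructed_samples(root)
        return triage_directory(root)


if __name__ == "__main__":
    for name, verdict in run_triage_on_constructed_samples().items():
        print(f"{name}: {verdict}")
```

Run it against a directory of collected mailbox files to get a quick list of which copies are worth importing; files reported as "unknown" deserve a manual look rather than automatic discard, since a truncated but partially readable file may still hold recoverable mail.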

Over the next couple of weeks, important milestones in the recovery process were reached through tight collaboration between Progent engineers and the client:

  • In-house web applications were returned to operation with no loss of information.
  • The MailStore Microsoft Exchange Server containing more than 4 million archived messages was restored to operations and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable/AR/Inventory modules were 100 percent recovered.
  • A new Palo Alto 850 security appliance was set up.
  • Most of the user desktops and notebooks were functioning as before the incident.

"Much of what was accomplished in the early hours is nearly entirely a haze for me, but we will not forget the care each member of your team showed to help get our company back. I have been working with Progent for the past ten years, maybe more, and each time Progent has shined and delivered as promised. This situation was a testament to your capabilities."

Conclusion
A likely business-ending disaster was averted by hard-working experts, a wide spectrum of knowledge, and tight collaboration. In the post mortem, the ransomware incident described here would have been identified and disabled by up-to-date cyber security systems and best practices, user and IT administrator education, and appropriate procedures for information backup and for keeping systems current with security patches. The reality remains, however, that state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware incident, remember that Progent's roster of experts has substantial experience in ransomware blocking, remediation, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were contributing), thank you for making it so I could get rested after we got past the first week. Everyone made an impressive effort, and if any of your guys are in the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Lincoln a variety of online monitoring and security assessment services to help you to minimize your vulnerability to ransomware. These services incorporate modern artificial intelligence technology to detect new strains of ransomware that can get past legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates cutting edge behavior analysis technology to defend physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which easily evade traditional signature-based AV tools. ProSight ASM safeguards local and cloud resources and provides a unified platform to automate the entire malware attack lifecycle including blocking, infiltration detection, containment, cleanup, and forensics. Top features include single-click rollback with Windows VSS and automatic network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable multi-layer security for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP provides two-way firewall protection, penetration alarms, device control, and web filtering via cutting-edge technologies incorporated within a single agent accessible from a single control. Progent's security and virtualization consultants can assist you to design and configure a ProSight ESP environment that meets your company's specific needs and that helps you demonstrate compliance with legal and industry information security standards. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that require urgent action. Progent's consultants can also help you to set up and test a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and mid-sized businesses an affordable and fully managed solution for secure backup/disaster recovery. Available at a low monthly price, ProSight Data Protection Services automates and monitors your backup activities and enables rapid restoration of critical data, applications and virtual machines that have become unavailable or damaged as a result of hardware failures, software bugs, disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, apps, system images, plus Hyper-V and VMware images. Important data can be protected in the cloud, on an on-premises storage device, or both. Progent's BDR specialists can provide world-class support to set up ProSight Data Protection Services to comply with government and industry regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, whenever needed, can assist you to restore your critical data. Read more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading information security vendors to provide centralized management and comprehensive security for all your inbound and outbound email. The powerful structure of Email Guard managed service combines a Cloud Protection Layer with a local security gateway device to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's cloud filter serves as a preliminary barricade and keeps most threats from making it to your network firewall. This decreases your exposure to external attacks and conserves network bandwidth and storage. Email Guard's on-premises gateway device provides a further layer of inspection for incoming email. For outbound email, the onsite security gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also help Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends within your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized businesses to map out, monitor, reconfigure and debug their networking hardware like routers, firewalls, and wireless controllers plus servers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are kept updated, copies and manages the configuration information of virtually all devices connected to your network, monitors performance, and sends alerts when problems are discovered. By automating tedious management processes, WAN Watch can cut hours off ordinary tasks like making network diagrams, reconfiguring your network, locating devices that need important updates, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management techniques to help keep your IT system operating efficiently by checking the state of the vital computers that drive your business network. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your designated IT staff and your assigned Progent engineering consultant so that potential problems can be addressed before they disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected, fault-tolerant data center on a fast virtual host set up and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the applications. Since the system is virtualized, it can be ported easily to a different hosting solution without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and protect information related to your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates or warranties. By updating and organizing your network documentation, you can eliminate as much as 50% of the time wasted trying to find critical information about your network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents related to managing your business network, like standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT data. Whether you're making enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you require the instant you need it. Learn more about ProSight IT Asset Management service.

For 24/7/365 Lincoln CryptoLocker Removal Consulting, reach out to Progent at 800-993-9400 or go to Contact Progent.