Crypto-Ransomware : Your Worst IT Nightmare
Crypto-Ransomware Recovery Consultants

Ransomware has become a modern cyberplague that presents an existential danger for businesses unprepared for an attack. Different iterations of ransomware such as Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for years and continue to inflict harm. More recent strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, as well as frequent unnamed viruses, not only encrypt online critical data but also infect any configured system protection. Data replicated to cloud environments can also be rendered useless. In a vulnerable system, this can make any restoration useless and effectively sets the datacenter back to square one.

Retrieving programs and data following a crypto-ransomware intrusion becomes a sprint against the clock as the targeted organization struggles to contain the damage, clean up the ransomware and restore business-critical operations. Since ransomware requires time to replicate, attacks are usually launched on weekends and holidays, when successful penetrations in many cases take more time to uncover. This multiplies the difficulty of quickly mobilizing and orchestrating a capable mitigation team.

Progent offers a range of solutions for securing enterprises from crypto-ransomware penetrations. These include user education to help identify and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to installation of the latest generation security gateways with machine learning technology to automatically discover and extinguish new cyber threats. Progent in addition can provide the services of expert ransomware recovery professionals with the talent and commitment to restore a compromised network as rapidly as possible.

Progent's Crypto-Ransomware Restoration Help
Following a crypto-ransomware penetration, even paying the ransom in cryptocurrency does not ensure that cyber criminals will respond with the keys to decrypt all your data. Kaspersky Labs ascertained that seventeen percent of ransomware victims never restored their files even after having paid the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly above the typical crypto-ransomware demands, which ZDNET determined to be in the range of $13,000. The fallback is to piece back together the key parts of your Information Technology environment. Absent the availability of complete data backups, this calls for a broad range of IT skills, well-coordinated project management, and the capability to work non-stop until the task is over.

For twenty years, Progent has offered expert IT services for companies in Miami and across the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained advanced certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent in addition has experience in financial management and ERP application software. This breadth of experience gives Progent the ability to rapidly identify the necessary systems, consolidate the remaining pieces of your IT environment following a crypto-ransomware event, and assemble them into a functioning network.

Progent's ransomware team of experts deploys state-of-the-art project management tools to coordinate the complex restoration process. Progent understands the urgency of working quickly and in unison with a client's management and IT staff to assign priority to tasks and to get key applications back on line as soon as humanly possible.

Business Case Study: A Successful Ransomware Incident Restoration
A client hired Progent after their company was hit by Ryuk ransomware. Ryuk is thought to have been created by North Korean state-sponsored criminal gangs, possibly adopting approaches leaked from America's National Security Agency. Ryuk targets specific organizations with little or no ability to sustain operational disruption and is among the most profitable instances of ransomware viruses. Prominent victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company headquartered in the Chicago metro area with around 500 workers. The Ryuk penetration had brought down all company operations and manufacturing processes. Most of the client's information backups had been online at the start of the intrusion and were eventually encrypted. The client was pursuing financing for paying the ransom demand (more than $200K) and hoping for good luck, but ultimately brought in Progent.


"I can't speak enough about the support Progent provided us throughout the most stressful time of (our) company's existence. We most likely would have paid the hackers behind this attack if not for the confidence the Progent team provided us. That you were able to get our e-mail and essential applications back faster than a week was amazing. Each staff member I got help from or communicated with at Progent was totally committed to getting us back online and was working all day and night on our behalf."

Progent worked together with the customer to rapidly identify and assign priority to the most important services that had to be addressed to make it possible to resume departmental functions:

  • Windows Active Directory
  • Email
  • Accounting and Manufacturing Software

To begin, Progent adhered to ransomware incident mitigation industry best practices by stopping lateral movement and cleaning up compromised systems. Progent then began the steps of rebuilding Windows Active Directory, the heart of enterprise environments built upon Microsoft Windows technology. Exchange messaging will not function without Active Directory, and the customer's financials and MRP software used SQL Server, which requires Active Directory services for authentication to the data.

In less than 2 days, Progent was able to recover Active Directory services to their pre-penetration state. Progent then initiated setup and storage recovery on mission-critical systems. All Exchange Server schema and attributes were usable, which facilitated the restore of Exchange. Progent was also able to assemble intact OST files (Microsoft Outlook Off-Line Folder Files) on staff workstations and laptops to recover mail information. A reasonably recent offline backup of the business's accounting software enabled Progent to restore these required programs and make them available to users again. Although a lot of work was left to recover fully from the Ryuk event, critical services were restored rapidly:


"For the most part, the assembly line operation was never shut down and we delivered all customer deliverables."

Over the next couple of weeks, critical milestones in the recovery project were reached through tight collaboration between Progent engineers and the customer:

  • Internal web sites were brought back up without losing any information.
  • The MailStore Server, holding more than four million historical messages, was spun up and available for users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control functions were completely operational.
  • A new Palo Alto 850 firewall was brought online.
  • Ninety percent of the user desktops were functioning as before the incident.

"Much of what went on in the early hours is nearly entirely a fog for me, but I will not soon forget the urgency all of the team put in to help get our business back. I've utilized Progent for the past ten years, possibly more, and every time Progent has come through and delivered. This situation was a life saver."

Conclusion
A likely business-killing catastrophe was averted by top-tier professionals, a wide range of knowledge, and close teamwork. Although in retrospect the ransomware virus incident described here should have been shut down with up-to-date cyber security technology solutions and best practices, team education, and well-designed security procedures for information backup and applying software patches, the reality is that state-sponsored hackers from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware incursion, feel confident that Progent's roster of professionals has proven experience in ransomware virus blocking, removal, and file recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thanks very much for letting me get rested after we made it past the first week. Everyone did a fabulous effort, and if anyone that helped is visiting the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Miami a range of remote monitoring and security evaluation services to help you to reduce your vulnerability to crypto-ransomware. These services incorporate next-generation artificial intelligence technology to detect new strains of ransomware that can get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates next generation behavior-based analysis technology to guard physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which easily evade traditional signature-based anti-virus products. ProSight ASM safeguards on-premises and cloud resources and provides a single platform to manage the complete threat progression including protection, infiltration detection, containment, cleanup, and forensics. Key capabilities include single-click rollback with Windows VSS and real-time network-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer protection for physical and virtual servers, desktops, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and reacting to cyber assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alarms, endpoint control, and web filtering through cutting-edge technologies packaged within one agent accessible from a single console. Progent's security and virtualization consultants can help you to design and implement a ProSight ESP environment that meets your organization's unique requirements and that allows you to demonstrate compliance with legal and industry information security regulations. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that require immediate attention. Progent's consultants can also help you to set up and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized businesses an affordable and fully managed solution for secure backup/disaster recovery (BDR). Available at a low monthly price, ProSight DPS automates your backup activities and allows rapid restoration of vital data, applications and VMs that have become lost or damaged as a result of hardware failures, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to a local device, or mirrored to both. Progent's BDR specialists can deliver world-class support to set up ProSight DPS to be compliant with regulatory standards like HIPAA, FINRA, and PCI and, when needed, can help you to recover your business-critical data. Read more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading information security companies to provide centralized management and world-class protection for your inbound and outbound email. The powerful architecture of Progent's Email Guard integrates cloud-based filtering with a local security gateway appliance to provide advanced protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne malware. The cloud filter serves as a preliminary barricade and keeps most threats from making it to your network firewall. This reduces your exposure to inbound threats and saves system bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a deeper level of analysis for incoming email. For outbound email, the onsite gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also assist Exchange Server to track and safeguard internal email traffic that originates and ends inside your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to map out, track, optimize and debug their networking appliances such as routers, firewalls, and wireless controllers as well as servers, printers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology diagrams are kept current, captures and manages the configuration information of virtually all devices on your network, tracks performance, and generates notices when issues are detected. By automating complex management and troubleshooting processes, ProSight WAN Watch can knock hours off common chores such as network mapping, reconfiguring your network, finding appliances that need critical software patches, or isolating performance problems. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management technology to help keep your IT system operating at peak levels by checking the health of critical assets that drive your business network. When ProSight LAN Watch detects a problem, an alert is sent automatically to your specified IT management staff and your Progent engineering consultant so that all looming issues can be addressed before they can impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a protected fault-tolerant data center on a high-performance virtual host configured and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved easily to an alternate hardware environment without requiring a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and protect data related to your network infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be warned about impending expirations of SSL certificates or domains. By updating and organizing your network documentation, you can save up to 50% of the time spent looking for vital information about your network. ProSight IT Asset Management features a common location for storing and collaborating on all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're planning improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.

For Miami 24-7 Crypto-Ransomware Recovery Support Services, reach out to Progent at 800-993-9400 or go to Contact Progent.