Crypto-Ransomware : Your Crippling Information Technology Catastrophe
Ransomware has become an all-too-frequent cyberplague that presents an existential danger for businesses of all sizes that are unprepared for an attack. Multiple generations of ransomware, including the Reveton, Fusob, Locky, SamSam and MongoLock cryptoworms, have been circulating for a long time and still inflict destruction. The latest variants, such as Ryuk and Hermes, plus daily unnamed viruses, not only encrypt online information but also compromise every system protection mechanism they can reach. Information replicated to the cloud can also be rendered useless. In a vulnerable environment, this can make automated restore operations impossible and effectively knocks the entire system back to zero.
Getting programs and information back following a ransomware event becomes a race against time as the victim tries its best to contain and eradicate the ransomware and to resume business-critical operations. Because crypto-ransomware takes time to move laterally, penetrations are often launched on weekends, when a successful penetration is likely to take longer to identify. This multiplies the difficulty of quickly marshalling and orchestrating a capable response team.
Progent has an assortment of support services for securing enterprises from crypto-ransomware attacks. These include staff education to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus installation of next-generation security solutions with machine learning technology to automatically discover and quarantine day-zero cyber threats. Progent in addition offers the assistance of veteran ransomware recovery professionals with the skills and perseverance to rebuild a breached network as quickly as possible.
Progent's Ransomware Recovery Services
Following a ransomware penetration, paying the ransom demand in cryptocurrency does not ensure that the cyber hackers will provide the keys to decrypt any or all of your data. Kaspersky Labs estimated that seventeen percent of ransomware victims never restored their data after having sent off the ransom, resulting in further losses. Paying is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the usual ransomware demand, which ZDNET estimates to be approximately $13,000. The other path is to piece back together the critical elements of your IT environment. Without complete data backups available, this requires a broad range of skills, well-coordinated team management, and the willingness to work continuously until the task is finished.
For twenty years, Progent has offered expert IT services for businesses in Miami and throughout the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have attained high-level certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have earned internationally renowned certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has expertise in financial systems and ERP software solutions. This breadth of expertise gives Progent the ability to quickly identify important systems, re-organize the remaining pieces of your Information Technology system following a ransomware attack, and rebuild them into a functioning system.
Progent's recovery team of experts uses best-of-breed project management tools to coordinate the complicated recovery process. Progent understands the urgency of working rapidly and in unison with a client's management and Information Technology resources to prioritize tasks and to get critical services back online as fast as possible.
Client Case Study: A Successful Crypto-Ransomware Virus Recovery
A client contacted Progent after their company was attacked by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state cybercriminals, suspected of using approaches leaked from America's NSA organization. Ryuk targets specific companies with limited tolerance for operational disruption and is among the most lucrative versions of ransomware viruses. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer based in Chicago with around 500 workers. The Ryuk penetration had shut down all essential operations and manufacturing processes. The majority of the client's backups had been directly accessible from the network at the beginning of the attack and were encrypted. The client was pursuing financing to pay the ransom demand (in excess of $200,000) and hoping for the best, but in the end brought in Progent.
"I can't tell you enough in regards to the care Progent provided us throughout the most fearful time of (our) company's survival. We would have paid the criminal gangs if not for the confidence the Progent group provided us. The fact that you were able to get our messaging and important servers back sooner than one week was beyond my wildest dreams. Each person I got help from or texted at Progent was totally committed to getting my company operational and was working 24 by 7 to bail us out."
Progent worked together with the customer to quickly assess and prioritize the essential applications that had to be recovered to make it possible to restart departmental operations:
- Windows Active Directory
- Accounting and Manufacturing Software
To begin, Progent followed ransomware incident mitigation best practices by halting the spread and cleaning up compromised systems. Progent then initiated the task of recovering Microsoft Active Directory, the heart of enterprise environments built upon Microsoft technology. Microsoft Exchange email will not work without AD, and the customer's financials and MRP applications utilized Microsoft SQL Server, which requires Active Directory services for authentication to the databases.
In less than 48 hours, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then completed setup and hard drive recovery on key systems. All Exchange Server ties and configuration information were usable, which accelerated the restoration of Exchange. Progent was able to locate intact OST files (Outlook Offline Data Files) on team workstations and laptops to recover mail information. A recent offline backup of the client's financials/ERP systems made it possible to return these vital services to users. Although a large amount of work remained to recover totally from the Ryuk damage, the most important systems were recovered rapidly:
"For the most part, the assembly line operation did not miss a beat and we did not miss any customer shipments."
Over the next couple of weeks, critical milestones in the restoration project were accomplished through close collaboration between Progent engineers and the client:
- In-house web sites were restored without losing any information.
- The MailStore Exchange Server with over 4 million archived messages was restored to operations and accessible to users.
- CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control modules were fully restored.
- A new Palo Alto Networks 850 firewall was deployed.
- Most of the user desktops were operational.
"A huge amount of what transpired during the initial response is mostly a haze for me, but our team will not soon forget the countless hours each of the team put in to help get our company back. I have been working with Progent for the past ten years, possibly more, and each time I needed help Progent has impressed me and delivered. This situation was a life saver."
A potential business disaster was dodged with results-oriented experts, a wide range of subject matter expertise, and tight teamwork. In hindsight, the ransomware attack described here would have been identified and prevented by current cyber security solutions and best practices, user and IT administrator training, properly executed incident response procedures for information protection, and keeping systems up to date with security patches. The fact remains, however, that state-sponsored hackers from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incident, remember that Progent's roster of experts has a proven track record in ransomware blocking, mitigation, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were contributing), I'm grateful for allowing me to get rested after we got past the initial fire. Everyone did a fabulous effort, and if any of you guys are in the Chicago area, dinner is my treat!"
To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Miami a variety of online monitoring and security assessment services designed to help you minimize the threat from ransomware. These services include modern AI technology to uncover new variants of crypto-ransomware that can escape detection by traditional signature-based security solutions.
For Miami 24x7x365 Crypto Repair Support Services, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes next generation behavior analysis technology to defend physical and virtual endpoint devices against new malware assaults like ransomware and email phishing, which routinely get by traditional signature-based AV products. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a unified platform to manage the entire malware attack progression including blocking, detection, mitigation, cleanup, and forensics. Top capabilities include single-click rollback with Windows VSS and automatic system-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services deliver affordable in-depth protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring of and reaction to security threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device control, and web filtering via leading-edge tools packaged within a single agent accessible from a unified console. Progent's data protection and virtualization experts can help you design and configure a ProSight ESP deployment that meets your company's specific needs and that allows you to prove compliance with legal and industry data security regulations. Progent will assist you to define and configure the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for immediate attention. Progent can also help your company set up and test a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly after a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services provide small and mid-sized organizations a low-cost end-to-end service for reliable backup/disaster recovery. Available at a low monthly rate, ProSight DPS automates and monitors your backup processes and enables fast restoration of critical files, applications and VMs that have become lost or corrupted as a result of hardware failures, software glitches, disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images. Important data can be protected in the cloud, on an on-premises device, or both. Progent's cloud backup consultants can provide advanced expertise to configure ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can assist you to recover your business-critical data. Learn more about ProSight Data Protection Services Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading data security vendors to provide centralized control and world-class security for your inbound and outbound email. The powerful structure of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway device to provide complete protection against spam, viruses, Denial of Service attacks, directory harvest attacks (DHAs), and other email-based malware. The Cloud Protection Layer serves as a first line of defense and keeps most unwanted email from reaching your network firewall. This reduces your exposure to external threats and saves system bandwidth and storage. Email Guard's onsite security gateway device adds a further level of inspection for inbound email. For outgoing email, the onsite gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Exchange Server to monitor and safeguard internal email that originates and ends inside your security perimeter. For more details, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized businesses to diagram, track, reconfigure and troubleshoot their connectivity hardware such as routers, firewalls, and access points, as well as servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network maps are always up to date, captures and manages the configuration information of almost all devices connected to your network, tracks performance, and generates alerts when potential issues are detected. By automating complex management processes, ProSight WAN Watch can knock hours off ordinary chores like network mapping, reconfiguring your network, finding devices that require important software patches, or isolating performance issues. Find out more details about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system running at peak levels by checking the state of the vital assets that drive your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your designated IT staff and your assigned Progent consultant so that any looming issues can be addressed before they disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure, fault-tolerant data center on a fast virtual machine host configured and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be ported immediately to a different hardware solution without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied to one hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and protect information about your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can save as much as 50% of the time wasted looking for vital information about your network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents related to managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether you're planning improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.