Crypto-Ransomware : Your Feared IT Disaster
Ransomware  Remediation ConsultantsRansomware has become a too-frequent cyber pandemic that presents an existential danger for organizations poorly prepared for an attack. Different iterations of ransomware such as CrySIS, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for many years and continue to cause harm. Modern versions of ransomware such as Ryuk and Hermes, as well as daily as yet unnamed viruses, not only encrypt online data but also infiltrate all accessible system restores and backups. Files synchronized to the cloud can also be encrypted. In a poorly architected system, this can render any recovery hopeless and effectively knocks the datacenter back to square one.

Getting back on-line applications and data after a crypto-ransomware intrusion becomes a sprint against time as the targeted business fights to stop the spread and eradicate the ransomware and to restore mission-critical activity. Due to the fact that ransomware requires time to move laterally, assaults are often sprung during weekends and nights, when successful attacks may take more time to discover. This multiplies the difficulty of rapidly marshalling and organizing a knowledgeable mitigation team.

Progent provides a variety of support services for protecting organizations from ransomware attacks. These include team training to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of the latest generation security gateways with artificial intelligence capabilities to automatically discover and extinguish day-zero cyber threats. Progent in addition can provide the services of expert ransomware recovery professionals with the talent and perseverance to reconstruct a compromised system as rapidly as possible.

Progent's Ransomware Recovery Support Services
After a ransomware event, even paying the ransom demands in cryptocurrency does not guarantee that criminal gangs will return the needed keys to decipher any or all of your data. Kaspersky Labs estimated that 17% of ransomware victims never recovered their information even after having sent off the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is greatly above the average crypto-ransomware demands, which ZDNET determined to be in the range of $13,000. The other path is to piece back together the vital parts of your Information Technology environment. Without the availability of full information backups, this requires a wide complement of skill sets, top notch team management, and the ability to work 24x7 until the recovery project is over.

For two decades, Progent has offered professional IT services for businesses in Nashville and across the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have attained advanced certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally-renowned industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has experience in accounting and ERP applications. This breadth of experience gives Progent the capability to rapidly ascertain critical systems and consolidate the remaining pieces of your IT environment following a crypto-ransomware event and assemble them into a functioning network.

Progent's ransomware team of experts utilizes top notch project management tools to orchestrate the complicated restoration process. Progent appreciates the importance of acting quickly and in concert with a client's management and Information Technology staff to assign priority to tasks and to get the most important services back on line as soon as humanly possible.

Customer Case Study: A Successful Crypto-Ransomware Attack Response
A client contacted Progent after their organization was attacked by Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by North Korean state criminal gangs, suspected of using technology exposed from Americaís NSA organization. Ryuk attacks specific companies with limited ability to sustain disruption and is one of the most lucrative examples of ransomware viruses. Well Known targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing business located in Chicago and has about 500 employees. The Ryuk event had frozen all business operations and manufacturing capabilities. The majority of the client's data backups had been on-line at the start of the attack and were destroyed. The client was actively seeking loans for paying the ransom demand (more than two hundred thousand dollars) and wishfully thinking for good luck, but ultimately utilized Progent.


"I canít speak enough in regards to the care Progent gave us during the most fearful time of (our) companyís life. We may have had to pay the cyber criminals behind the attack if not for the confidence the Progent group gave us. The fact that you could get our e-mail and key servers back into operation quicker than one week was incredible. Each consultant I talked with or texted at Progent was hell bent on getting us working again and was working at all hours on our behalf."

Progent worked hand in hand the customer to quickly identify and assign priority to the critical applications that had to be recovered in order to continue departmental functions:

  • Microsoft Active Directory
  • Electronic Mail
  • Accounting/MRP
To begin, Progent followed ransomware incident response best practices by halting lateral movement and performing virus removal steps. Progent then began the task of rebuilding Active Directory, the core of enterprise systems built on Microsoft Windows technology. Exchange messaging will not operate without Windows AD, and the client's MRP system leveraged Microsoft SQL Server, which depends on Windows AD for access to the information.

Within 2 days, Progent was able to rebuild Active Directory to its pre-penetration state. Progent then initiated rebuilding and storage recovery on essential servers. All Microsoft Exchange Server data and attributes were intact, which greatly helped the restore of Exchange. Progent was also able to find non-encrypted OST files (Outlook Email Offline Data Files) on staff workstations in order to recover email data. A not too old offline backup of the client's financials/MRP software made them able to restore these vital applications back online. Although a large amount of work still had to be done to recover completely from the Ryuk damage, critical services were recovered rapidly:


"For the most part, the production operation did not miss a beat and we produced all customer shipments."

Throughout the next few weeks important milestones in the restoration project were achieved in tight collaboration between Progent team members and the client:

  • Self-hosted web applications were brought back up without losing any data.
  • The MailStore Microsoft Exchange Server with over four million archived messages was spun up and accessible to users.
  • CRM/Product Ordering/Invoices/AP/AR/Inventory Control functions were 100 percent restored.
  • A new Palo Alto Networks 850 security appliance was brought on-line.
  • 90% of the user PCs were functioning as before the incident.

"So much of what went on in the initial days is nearly entirely a fog for me, but I will not soon forget the dedication each of the team accomplished to give us our business back. I have utilized Progent for at least 10 years, possibly more, and each time Progent has come through and delivered as promised. This event was a testament to your capabilities."

Conclusion
A probable business-killing catastrophe was dodged through the efforts of top-tier professionals, a wide spectrum of subject matter expertise, and close collaboration. Although in analyzing the event afterwards the ransomware attack described here would have been prevented with up-to-date cyber security technology solutions and best practices, user training, and properly executed security procedures for data protection and keeping systems up to date with security patches, the fact remains that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware penetration, feel confident that Progent's team of experts has proven experience in ransomware virus blocking, removal, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), Iím grateful for allowing me to get rested after we made it over the most critical parts. All of you did an incredible job, and if any of your team is around the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Nashville a portfolio of online monitoring and security evaluation services to assist you to minimize your vulnerability to ransomware. These services utilize modern AI technology to detect new strains of crypto-ransomware that are able to evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes next generation behavior-based machine learning technology to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which easily evade traditional signature-matching anti-virus tools. ProSight ASM safeguards local and cloud resources and provides a unified platform to address the entire threat progression including protection, infiltration detection, mitigation, cleanup, and forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver economical multi-layer security for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and responding to security assaults from all attack vectors. ProSight ESP provides two-way firewall protection, penetration alerts, device control, and web filtering through cutting-edge technologies packaged within a single agent managed from a single control. Progent's security and virtualization consultants can assist your business to plan and configure a ProSight ESP deployment that addresses your organization's specific requirements and that allows you demonstrate compliance with legal and industry information protection regulations. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require immediate action. Progent can also assist you to install and test a backup and disaster recovery system like ProSight Data Protection Services so you can recover rapidly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations an affordable end-to-end service for secure backup/disaster recovery (BDR). For a fixed monthly cost, ProSight DPS automates your backup activities and allows fast restoration of critical files, applications and virtual machines that have become lost or damaged due to component failures, software bugs, disasters, human mistakes, or malicious attacks like ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware images/. Important data can be protected on the cloud, to an on-promises storage device, or mirrored to both. Progent's cloud backup consultants can deliver world-class support to configure ProSight DPS to be compliant with government and industry regulatory requirements like HIPPA, FINRA, PCI and Safe Harbor and, whenever necessary, can help you to recover your business-critical data. Find out more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading information security companies to provide centralized control and comprehensive protection for all your inbound and outbound email. The hybrid architecture of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises security gateway appliance to provide advanced protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-based threats. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks most unwanted email from reaching your network firewall. This reduces your vulnerability to inbound attacks and conserves system bandwidth and storage space. Email Guard's on-premises gateway device provides a further level of analysis for inbound email. For outbound email, the local gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The local gateway can also assist Microsoft Exchange Server to monitor and protect internal email that originates and ends inside your security perimeter. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to diagram, monitor, optimize and troubleshoot their connectivity hardware like routers and switches, firewalls, and wireless controllers as well as servers, client computers and other networked devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch ensures that infrastructure topology maps are kept current, copies and manages the configuration information of virtually all devices connected to your network, tracks performance, and generates notices when potential issues are detected. By automating tedious management activities, ProSight WAN Watch can cut hours off common chores like network mapping, expanding your network, finding devices that require important software patches, or resolving performance issues. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system running efficiently by tracking the state of critical computers that drive your business network. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your specified IT management staff and your Progent consultant so that any potential issues can be addressed before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure fault tolerant data center on a high-performance virtual machine host set up and managed by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the applications. Since the system is virtualized, it can be ported immediately to a different hosting solution without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and safeguard data about your network infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be warned about upcoming expirations of SSLs ,domains or warranties. By cleaning up and organizing your network documentation, you can eliminate up to 50% of time thrown away looking for critical information about your network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents related to managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether youíre making improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Find out more about ProSight IT Asset Management service.
For Nashville 24-Hour Crypto Cleanup Help, contact Progent at 800-993-9400 or go to Contact Progent.