Crypto-Ransomware : Your Feared IT Nightmare
Crypto-Ransomware Recovery Consultants

Crypto-ransomware has become an escalating cyber pandemic that represents an extinction-level danger for businesses of all sizes that are poorly prepared for an assault. Earlier iterations of ransomware such as CryptoLocker, Fusob, Bad Rabbit, NotPetya and the MongoLock cryptoworms have been around for a long time and still inflict harm. More recent crypto-ransomware variants such as Ryuk and Hermes, along with many unnamed strains, not only encrypt online files but also compromise every reachable system protection. Files synced to off-site disaster recovery sites can be encrypted as well. In a vulnerable environment, this can make automated recovery hopeless and effectively knocks the entire system back to square one.

Retrieving programs and data following a crypto-ransomware intrusion becomes a race against time as the victim tries its best to stop the spread, clean up the crypto-ransomware, and resume enterprise-critical operations. Because ransomware needs time to replicate, assaults are often sprung on weekends and holidays, when a successful penetration is likely to take longer to notice. This compounds the difficulty of rapidly assembling and organizing a knowledgeable mitigation team.

Progent makes available an assortment of support services for securing enterprises from ransomware penetrations. These include team member education to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of the latest generation security gateways with machine learning capabilities to quickly discover and disable zero-day threats. Progent also offers the services of veteran ransomware recovery consultants with the track record and commitment to reconstruct a compromised environment as rapidly as possible.

Progent's Ransomware Restoration Help
Subsequent to a ransomware attack, paying the ransom demand in Bitcoin cryptocurrency does not guarantee that the cyber hackers will respond with the keys needed to decrypt any or all of your data. Kaspersky Labs estimated that 17% of ransomware victims never restored their files even after having paid the ransom, resulting in increased losses. The risk is also very costly. Ryuk ransoms often range from 15 to 40 BTC ($120,000 to $400,000). This is well above the usual ransomware demand, which ZDNet estimates to average approximately $13,000. The fallback is to re-install the key components of your Information Technology environment. Absent access to full system backups, this calls for a broad complement of skill sets, top-notch team management, and the willingness to work non-stop until the recovery project is complete.

For twenty years, Progent has made available professional Information Technology services for companies in Nashville and across the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have been awarded top certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally-renowned industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with financial management and ERP software solutions. This breadth of expertise provides Progent the capability to quickly determine necessary systems and consolidate the remaining components of your computer network system after a ransomware attack and configure them into a functioning system.

Progent's recovery group uses best-of-breed project management tools to coordinate the sophisticated recovery process. Progent understands the importance of acting rapidly and in concert with a customer's management and Information Technology resources to prioritize tasks and to get the most important applications back online as fast as possible.

Client Case Study: A Successful Ransomware Attack Restoration
A customer contacted Progent after their organization was attacked by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state hackers, possibly adopting techniques leaked from the U.S. NSA. Ryuk goes after specific organizations with little or no ability to sustain disruption and is one of the most profitable versions of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturer located in Chicago with around 500 workers. The Ryuk attack had disabled all company operations and manufacturing capabilities. Most of the client's backups had been online at the beginning of the intrusion and were eventually encrypted. The client considered paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately reached out to Progent.


"I cannot speak enough in regards to the expertise Progent gave us during the most critical period of (our) company's survival. We may have had to pay the cyber criminals behind the attack if it wasn't for the confidence the Progent experts gave us. That you could get our e-mail and production servers back on-line quicker than seven days was beyond my wildest dreams. Every single expert I got help from or messaged at Progent was laser focused on getting us operational and was working at all hours to bail us out."

Progent worked together with the customer to quickly understand and prioritize the mission-critical services that had to be addressed in order to continue departmental operations:

  • Active Directory (AD)
  • Microsoft Exchange
  • Accounting and Manufacturing Software

To get going, Progent followed antivirus incident mitigation best practices by halting lateral movement and removing active malware. Progent then initiated the process of restoring Microsoft AD, the foundation of enterprise systems built on Microsoft Windows technology. Microsoft Exchange messaging will not work without Windows AD, and the client's MRP software used SQL Server, which depends on Active Directory for authentication.

Within 2 days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then carried out setup and hard drive recovery for the essential applications. All Microsoft Exchange Server schema and configuration information was usable, which accelerated the rebuild of Exchange. Progent was able to collect unencrypted OST files (Outlook Email Off-Line Data Files) from team workstations and laptops in order to recover mail data. A fairly recent offline backup of the customer's accounting/MRP software made it possible to bring these essential programs back online. Although major work remained to recover completely from the Ryuk damage, critical services were recovered quickly:


"For the most part, the manufacturing operation survived unscathed and we delivered all customer shipments."

Throughout the next couple of weeks, critical milestones in the restoration project were achieved in tight collaboration between Progent consultants and the customer:

  • Internal web sites were returned to operation with no loss of data.
  • The MailStore Server containing more than four million historical emails was restored to operations and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control functions were 100% recovered.
  • A new Palo Alto 850 security appliance was installed and configured.
  • Most of the desktops and laptops were operational.

"So much of what was accomplished in the early hours is nearly entirely a blur for me, but my team will not forget the care each of your team put in to help get our business back. I've trusted Progent for the past 10 years, maybe more, and each time Progent has come through and delivered as promised. This time was the most impressive ever."

Conclusion
A probable business catastrophe was averted through the efforts of results-oriented professionals, a broad range of technical expertise, and close collaboration. Although post-incident forensics showed that the ransomware incident described here could have been stopped with advanced security solutions, ISO/IEC 27001 best practices, team education, and appropriate security procedures for data protection and patching controls, the reality remains that government-sponsored hackers from Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a ransomware attack, you can be confident that Progent's roster of professionals has substantial experience in ransomware blocking, remediation, and data recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), I'm grateful for letting me get rested after we got through the initial fire. All of you did an incredible effort, and if anyone is visiting the Chicago area, a great meal is my treat!"

To read or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Nashville a range of remote monitoring and security assessment services to assist you to minimize the threat from ransomware. These services include modern AI technology to uncover new strains of ransomware that can get past legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates next generation behavior-based analysis technology to defend physical and virtual endpoint devices against new malware assaults such as ransomware and email phishing, which easily evade traditional signature-matching AV products. ProSight ASM safeguards local and cloud resources and offers a single platform to manage the complete malware attack progression including filtering, detection, containment, remediation, and forensics. Key features include single-click rollback with Windows VSS and real-time system-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver economical in-depth security for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and responding to security threats from all attack vectors. ProSight ESP offers firewall protection, penetration alarms, device management, and web filtering through leading-edge technologies incorporated within a single agent managed from a single console. Progent's security and virtualization experts can assist you to plan and implement a ProSight ESP environment that meets your company's unique requirements and that helps you achieve and demonstrate compliance with government and industry data security regulations. Progent will help you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for urgent attention. Progent can also assist your company to set up and test a backup and restore solution like ProSight Data Protection Services so you can get back in business rapidly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent offer small and medium-sized businesses a low-cost end-to-end service for reliable backup/disaster recovery (BDR). Available at a low monthly cost, ProSight Data Protection Services automates your backup processes and enables rapid recovery of vital data, applications and virtual machines that have become unavailable or corrupted due to component failures, software bugs, disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on an on-premises storage device, or mirrored to both. Progent's cloud backup consultants can provide world-class support to set up ProSight DPS to be compliant with regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, whenever needed, can assist you to restore your business-critical information. Find out more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading information security vendors to deliver centralized control and world-class security for all your inbound and outbound email. The powerful architecture of the Email Guard managed service integrates cloud-based filtering with an on-premises security gateway appliance to provide complete defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based malware. Email Guard's cloud filter acts as a first line of defense and blocks the vast majority of unwanted email before it reaches your network firewall. This decreases your exposure to external attacks and saves network bandwidth and storage space. Email Guard's onsite gateway device adds a deeper layer of analysis for inbound email. For outbound email, the on-premises gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also assist Exchange Server to track and protect internal email traffic that stays inside your security perimeter. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller organizations to map out, track, enhance and debug their networking appliances like routers, firewalls, and access points plus servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept updated, captures and displays the configuration information of almost all devices on your network, tracks performance, and sends alerts when issues are discovered. By automating complex network management activities, ProSight WAN Watch can knock hours off ordinary chores such as making network diagrams, expanding your network, finding appliances that require critical updates, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to help keep your IT system running at peak levels by checking the health of critical computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your specified IT management personnel and your assigned Progent consultant so any looming issues can be resolved before they can disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual host set up and managed by Progent's network support professionals. With the ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be ported immediately to an alternate hosting solution without a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, find and safeguard information about your IT infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates or warranties. By updating and managing your network documentation, you can eliminate as much as 50% of time spent trying to find critical information about your network. ProSight IT Asset Management features a common location for storing and collaborating on all documents related to managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether you're making enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you require as soon as you need it. Find out more about ProSight IT Asset Management service.

For Nashville 24/7 Crypto Cleanup Consulting, reach out to Progent at 800-993-9400 or go to Contact Progent.