Crypto-Ransomware : Your Worst IT Disaster
Ransomware  Recovery ExpertsRansomware has become a too-frequent cyber pandemic that represents an extinction-level danger for businesses vulnerable to an assault. Versions of crypto-ransomware like the Dharma, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been around for many years and still inflict harm. Modern variants of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit or Nephilim, as well as daily as yet unnamed malware, not only do encryption of online files but also infiltrate any accessible system restores and backups. Data synched to cloud environments can also be rendered useless. In a vulnerable system, it can make any restore operations impossible and effectively knocks the datacenter back to zero.

Getting back programs and data after a ransomware event becomes a race against the clock as the targeted organization tries its best to stop lateral movement and cleanup the ransomware and to resume business-critical operations. Due to the fact that crypto-ransomware requires time to spread, penetrations are often launched during weekends and nights, when attacks are likely to take longer to recognize. This compounds the difficulty of quickly mobilizing and coordinating a knowledgeable response team.

Progent makes available an assortment of services for securing organizations from ransomware attacks. Among these are team member education to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of modern security solutions with artificial intelligence technology to rapidly detect and extinguish day-zero cyber threats. Progent also provides the assistance of seasoned ransomware recovery professionals with the skills and perseverance to rebuild a breached system as quickly as possible.

Progent's Crypto-Ransomware Recovery Services
Following a ransomware penetration, paying the ransom in Bitcoin cryptocurrency does not ensure that merciless criminals will respond with the codes to unencrypt all your files. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims never restored their data after having sent off the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is greatly above the usual crypto-ransomware demands, which ZDNET averages to be approximately $13,000. The fallback is to re-install the essential components of your Information Technology environment. Absent the availability of complete system backups, this requires a wide complement of skill sets, well-coordinated team management, and the willingness to work continuously until the recovery project is finished.

For twenty years, Progent has offered professional Information Technology services for businesses in Norfolk and throughout the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have attained advanced certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally-renowned industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has expertise with financial management and ERP applications. This breadth of expertise provides Progent the capability to rapidly ascertain critical systems and integrate the surviving pieces of your computer network environment following a ransomware event and rebuild them into an operational system.

Progent's security team utilizes best of breed project management tools to coordinate the complicated restoration process. Progent appreciates the importance of working rapidly and in concert with a client's management and IT staff to assign priority to tasks and to get the most important services back online as fast as humanly possible.

Business Case Study: A Successful Crypto-Ransomware Virus Response
A small business engaged Progent after their network was taken over by Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state sponsored hackers, suspected of using techniques leaked from Americaís NSA organization. Ryuk seeks specific companies with little room for disruption and is one of the most profitable versions of ransomware. Well Known organizations include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company based in the Chicago metro area with around 500 staff members. The Ryuk event had shut down all business operations and manufacturing capabilities. Most of the client's data protection had been on-line at the start of the intrusion and were encrypted. The client was taking steps for paying the ransom (more than $200,000) and praying for good luck, but in the end made the decision to use Progent.


"I cannot speak enough about the support Progent gave us during the most fearful time of (our) businesses survival. We had little choice but to pay the Hackers if not for the confidence the Progent team gave us. That you could get our messaging and critical applications back on-line quicker than five days was beyond my wildest dreams. Every single expert I talked with or e-mailed at Progent was absolutely committed on getting my company operational and was working all day and night on our behalf."

Progent worked together with the client to rapidly assess and prioritize the most important areas that had to be restored in order to resume company operations:

  • Active Directory
  • Electronic Mail
  • MRP System
To start, Progent followed AV/Malware Processes event response best practices by stopping lateral movement and cleaning systems of viruses. Progent then started the steps of restoring Microsoft AD, the core of enterprise environments built on Microsoft technology. Microsoft Exchange email will not function without Active Directory, and the customerís financials and MRP applications leveraged Microsoft SQL, which depends on Active Directory services for authentication to the data.

Within two days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then assisted with setup and hard drive recovery on needed systems. All Microsoft Exchange Server data and attributes were intact, which accelerated the restore of Exchange. Progent was also able to find non-encrypted OST data files (Outlook Email Offline Folder Files) on staff desktop computers in order to recover mail messages. A not too old off-line backup of the customerís manufacturing software made it possible to recover these vital applications back on-line. Although significant work needed to be completed to recover totally from the Ryuk event, critical systems were recovered quickly:


"For the most part, the manufacturing operation did not miss a beat and we produced all customer orders."

During the following month key milestones in the restoration project were achieved through tight collaboration between Progent consultants and the customer:

  • In-house web sites were returned to operation with no loss of data.
  • The MailStore Server with over 4 million historical emails was brought online and available for users.
  • CRM/Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory Control functions were completely recovered.
  • A new Palo Alto 850 security appliance was installed and configured.
  • Ninety percent of the user workstations were back into operation.

"A huge amount of what was accomplished during the initial response is nearly entirely a fog for me, but we will not soon forget the commitment all of your team accomplished to give us our business back. I have been working with Progent for the past 10 years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This time was a testament to your capabilities."

Conclusion
A potential business-ending catastrophe was averted with dedicated professionals, a wide array of subject matter expertise, and close teamwork. Although in analyzing the event afterwards the ransomware penetration detailed here would have been disabled with current security technology solutions and security best practices, user education, and well thought out security procedures for information protection and proper patching controls, the reality remains that state-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware attack, remember that Progent's roster of experts has proven experience in ransomware virus blocking, removal, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were involved), thank you for making it so I could get some sleep after we got over the initial push. Everyone did an fabulous effort, and if any of your guys is around the Chicago area, a great meal is my treat!"

To read or download a PDF version of this customer story, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Norfolk a variety of online monitoring and security evaluation services designed to help you to minimize your vulnerability to crypto-ransomware. These services incorporate modern machine learning technology to uncover new strains of ransomware that are able to evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that incorporates cutting edge behavior analysis tools to defend physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which easily get by legacy signature-matching anti-virus products. ProSight Active Security Monitoring protects local and cloud resources and provides a single platform to automate the complete malware attack lifecycle including protection, infiltration detection, mitigation, remediation, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection services offer affordable multi-layer security for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, penetration alarms, endpoint control, and web filtering through leading-edge technologies packaged within a single agent managed from a unified control. Progent's security and virtualization consultants can help you to design and configure a ProSight ESP environment that meets your company's specific requirements and that helps you demonstrate compliance with government and industry data security standards. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that require urgent attention. Progent's consultants can also help you to install and verify a backup and restore system like ProSight Data Protection Services so you can recover rapidly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations an affordable and fully managed service for secure backup/disaster recovery. Available at a fixed monthly price, ProSight Data Protection Services automates your backup activities and allows fast restoration of critical files, applications and VMs that have become unavailable or corrupted due to component failures, software bugs, disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to an on-promises device, or mirrored to both. Progent's backup and recovery specialists can deliver advanced expertise to set up ProSight Data Protection Services to be compliant with regulatory requirements like HIPAA, FINRA, and PCI and, when needed, can help you to restore your critical data. Read more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top information security vendors to provide centralized control and world-class protection for your inbound and outbound email. The hybrid architecture of Email Guard managed service combines cloud-based filtering with a local gateway appliance to provide complete protection against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of threats from making it to your network firewall. This reduces your vulnerability to external attacks and saves network bandwidth and storage space. Email Guard's onsite gateway appliance adds a further level of analysis for inbound email. For outgoing email, the on-premises security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email that stays inside your security perimeter. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map out, monitor, reconfigure and debug their networking hardware like routers and switches, firewalls, and wireless controllers as well as servers, printers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network maps are kept updated, captures and manages the configuration of almost all devices on your network, monitors performance, and generates notices when potential issues are detected. By automating complex network management processes, ProSight WAN Watch can cut hours off common tasks like network mapping, expanding your network, locating devices that need critical updates, or isolating performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to keep your IT system operating efficiently by tracking the health of critical computers that power your information system. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your specified IT personnel and your assigned Progent engineering consultant so that all looming problems can be resolved before they can disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual machine host set up and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the apps. Since the environment is virtualized, it can be ported immediately to a different hardware solution without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and safeguard information related to your network infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be warned automatically about upcoming expirations of SSLs or domains. By cleaning up and managing your IT infrastructure documentation, you can save as much as half of time wasted searching for vital information about your network. ProSight IT Asset Management includes a common repository for storing and sharing all documents required for managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether youíre planning improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you need when you need it. Find out more about ProSight IT Asset Management service.
For 24x7 Norfolk Crypto-Ransomware Remediation Help, contact Progent at 800-993-9400 or go to Contact Progent.