Crypto-Ransomware : Your Crippling IT Nightmare
Crypto-ransomware has become a modern cyber pandemic that poses an existential threat to businesses of all sizes that are unprepared for an attack. Ransomware families such as CryptoLocker, Fusob, Bad Rabbit, SamSam and the MongoLock cryptoworm have been circulating for years and continue to inflict harm. The latest crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Egregor, plus a steady stream of as-yet-unnamed newcomers, not only encrypt online data files but also encrypt most configured system backups that are reachable from the network. Data replicated to off-site disaster recovery sites can also be ransomed. In a poorly designed environment, this can render automated restore operations hopeless and effectively sets the network back to zero.
Getting programs and data back online after a ransomware outage becomes a race against time as the targeted business fights to contain and remove the ransomware and to resume enterprise-critical operations. Because ransomware needs time to move laterally, attacks are frequently launched on weekends and holidays, when they typically take longer to identify. This compounds the difficulty of promptly assembling and orchestrating a knowledgeable mitigation team.
Progent offers a variety of services for protecting organizations from ransomware attacks. Among these are staff education to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of the latest generation of security solutions that use artificial intelligence to identify and suppress zero-day threats. Progent can also provide expert ransomware recovery engineers with the skills and commitment to redeploy a compromised system as rapidly as possible.
Progent's Crypto-Ransomware Restoration Help
After a crypto-ransomware attack, paying the ransom demanded in Bitcoin provides no assurance that the criminal gang will hand over the keys needed to decrypt all your data. Kaspersky determined that 17% of ransomware victims never recovered their data after paying the ransom, compounding their losses. Paying is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET determined to be in the range of $13,000. The alternative is to piece back together the mission-critical components of your IT environment. Without complete system backups, this requires a broad complement of skill sets, professional project management, and the capability to work 24x7 until the task is over.
For decades, Progent has provided certified expert IT services for companies in Oklahoma City and across the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who hold advanced certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have earned internationally recognized certifications including CISA, CISSP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial management and ERP software solutions. This breadth of experience gives Progent the skills to quickly understand important systems, consolidate the remaining pieces of your IT environment after a ransomware event, and assemble them into an operational system.
Progent's recovery team uses top-notch project management tools to orchestrate the complex restoration process. Progent appreciates the importance of working swiftly and in unison with a customer's management and IT staff to prioritize tasks and to put essential services back online as fast as possible.
Customer Story: A Successful Ransomware Incident Recovery
A small business hired Progent after their organization was compromised by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean government-sponsored criminal gangs, suspected of adopting techniques leaked from the United States NSA. Ryuk targets specific companies with limited tolerance for disruption and is one of the most profitable ransomware families. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business located in Chicago with around 500 staff members. The Ryuk attack had frozen all essential business and manufacturing processes. Most of the client's backups had been directly accessible from the network at the time of the attack and were eventually encrypted. The client considered paying the ransom demand (in excess of $200K) and hoping for the best, but in the end brought in Progent.
"I cannot thank you enough in regards to the expertise Progent provided us throughout the most fearful period of (our) business's existence. We had little choice but to pay the cyber criminals behind the attack if not for the confidence the Progent experts afforded us. The fact that you were able to get our messaging and essential servers back in less than a week was amazing. Each staff member I talked with or texted at Progent was amazingly focused on getting our system up and was working 24/7 on our behalf."
Progent worked with the client to quickly identify and prioritize the mission-critical systems that needed to be restored to make it possible to restart departmental operations:
- Active Directory (AD)
- Microsoft Exchange
- MRP System
To start, Progent followed ransomware incident response best practices by halting lateral movement and performing malware removal steps. Progent then started the process of restoring Microsoft Active Directory, the core technology of enterprise environments built on Microsoft Windows. Exchange email will not operate without Active Directory, and the business's financial and MRP applications used SQL Server, which relies on Windows AD for authenticated access to the databases.
Within 2 days, Progent was able to recover Active Directory to its pre-attack state. Progent then assisted with reinstallations and storage recovery on the required systems. All Exchange Server data and configuration information were usable, which accelerated the restoration of Exchange. Progent was able to locate intact OST files (Microsoft Outlook Offline Folder Files) on staff desktop computers in order to recover mailbox data. A fairly recent offline backup of the customer's accounting/ERP software made it possible to bring these required services back online for users. Although major work still had to be done to recover fully from the Ryuk attack, essential systems were returned to operation rapidly:
"For the most part, the production operation ran fairly normal throughout and we did not miss any customer orders."
During the next couple of weeks, critical milestones in the restoration project were reached through close cooperation between Progent engineers and the customer:
- In-house web sites were returned to operation with no loss of data.
- The MailStore email archive server for Microsoft Exchange, containing more than 4 million archived emails, was brought online and made accessible to users.
- CRM/Orders/Invoices/AP/AR/Inventory Control capabilities were 100 percent recovered.
- A new Palo Alto 850 security appliance was brought online.
- Nearly all of the desktop computers were fully operational.
"Much of what transpired in the initial days is nearly entirely a fog for me, but my management will not forget the countless hours each and every one of you accomplished to help get our business back. I've been working with Progent for the past ten years, possibly more, and every time Progent has outperformed my expectations and delivered. This time was no exception but maybe more Herculean."
A possible business-extinction disaster was averted thanks to dedicated experts, a broad range of IT skills, and tight teamwork. Post-incident forensics showed that the crypto-ransomware penetration described here would have been identified and blocked by modern security systems together with ISO/IEC 27001 best practices, staff training, and properly executed procedures for backup and security patching. Nevertheless, the reality remains that government-sponsored hackers from China, North Korea and elsewhere are relentless and are not going away. If you are hit by a crypto-ransomware attack, remember that Progent's roster of experts has extensive experience in crypto-ransomware blocking, mitigation, and data disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thanks very much for making it so I could get rested after we got over the initial fire. Everyone did an incredible job, and if anyone is in the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this customer story, see Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Oklahoma City a range of remote monitoring and security assessment services to help reduce your vulnerability to ransomware. These services use next-generation machine learning technology to detect zero-day variants of ransomware that escape detection by traditional signature-based security solutions.
For 24x7x365 Oklahoma City CryptoLocker Removal Consultants, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection solution that uses next-generation behavior-based machine learning technology to defend physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which routinely escape legacy signature-based anti-virus tools. ProSight ASM protects on-premises and cloud-based resources and offers a unified platform to manage the entire threat progression, including protection, infiltration detection, containment, cleanup, and post-attack forensics. Top features include one-click rollback using the Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
Progent's ProSight Enhanced Security Protection services deliver economical multi-layer protection for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning to continuously monitor and respond to security threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device management, and web filtering through leading-edge technologies incorporated within one agent managed from a single console. Progent's data protection and virtualization consultants can help you design and implement a ProSight ESP deployment that meets your organization's specific requirements and that allows you to achieve and demonstrate compliance with government and industry information security regulations. Progent will assist you in defining and implementing the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require immediate action. Progent's consultants can also help your company install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and mid-sized organizations a low-cost, fully managed solution for secure backup and disaster recovery. For a low monthly price, ProSight Data Protection Services automates your backup processes and allows fast recovery of vital data, applications and VMs that have been lost or damaged as a result of component failures, software bugs, disasters, human error, or malware attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to a local device, or to both. Progent's BDR consultants can provide advanced support to configure ProSight Data Protection Services to comply with regulatory standards like HIPAA, FERPA, PCI and Safe Harbor and, whenever needed, can help you restore your business-critical data. Find out more about ProSight DPS Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading data security companies to provide web-based management and world-class security for your inbound and outbound email. The hybrid architecture of Progent's Email Guard combines a Cloud Protection Layer with an on-premises gateway appliance to offer advanced defense against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's cloud filter acts as a first line of defense and keeps the vast majority of threats from reaching your network firewall. This reduces your exposure to external threats and saves network bandwidth and storage. Email Guard's on-premises gateway appliance adds a deeper level of analysis for inbound email. For outbound email, the on-site security gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The local gateway can also help Microsoft Exchange Server monitor and safeguard internal email traffic that stays within your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to map, monitor, enhance and debug their networking hardware such as routers, firewalls, and load balancers, as well as servers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch keeps network diagrams current, copies and manages the configuration of almost all devices on your network, monitors performance, and sends alerts when issues are detected. By automating tedious management and troubleshooting processes, ProSight WAN Watch can cut hours off routine chores such as drawing network diagrams, reconfiguring your network, locating devices that require important software patches, or resolving performance issues. Find out more about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) techniques to keep your IT system running at peak levels by checking the health of the critical computers that power your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your designated IT personnel and your Progent engineering consultant so any potential issues can be resolved before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual host configured and managed by Progent's IT support experts. In the ProSight Virtual Hosting model, the customer owns the data, the OS software, and the applications. Because the system is virtualized, it can be moved easily to a different hosting environment without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and safeguard information about your network infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or warranties. By maintaining and managing your IT infrastructure documentation, you can eliminate up to 50% of the time wasted looking for critical information about your network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents related to managing your business network, such as standard operating procedures and how-to guides. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're making enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.