Crypto-Ransomware: Your Crippling IT Catastrophe
Ransomware has become a modern cyberplague that presents an extinction-level danger for businesses of all sizes vulnerable to an attack. Different versions of ransomware like the Reveton, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been out in the wild for years and still cause damage. Modern strains of crypto-ransomware such as Ryuk and Hermes, as well as as-yet-unnamed newcomers that appear daily, not only encrypt online files but also infect all accessible system backups. Files synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly designed data protection solution, this can make any restore operation useless and effectively knock the entire system back to square one.

Recovering programs and data after a ransomware attack becomes a sprint against the clock as the targeted business struggles to contain and eradicate the virus and to resume enterprise-critical operations. Since ransomware takes time to spread, assaults are often launched at night, when successful penetrations in many cases take more time to uncover. This multiplies the difficulty of rapidly assembling and orchestrating a capable response team.

Progent makes available a range of services for securing organizations from ransomware events. Among these are team education to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of the latest generation security gateways with artificial intelligence capabilities to automatically detect and suppress new cyber attacks. Progent also offers the services of seasoned ransomware recovery consultants with the talent and perseverance to reconstruct a compromised environment as quickly as possible.

Progent's Crypto-Ransomware Recovery Services
Subsequent to a crypto-ransomware event, even paying the ransom in Bitcoin cryptocurrency does not ensure that criminal gangs will return the needed codes to decipher any of your files. Kaspersky estimated that 17% of crypto-ransomware victims never restored their files after having sent off the ransom, resulting in additional losses. The risk is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000). This is significantly above the usual ransomware demand, which ZDNET puts at approximately $13,000 on average. The other path is to re-install the critical components of your Information Technology environment. Absent the availability of full data backups, this calls for a broad range of skills, top notch team management, and the capability to work non-stop until the task is finished.

For twenty years, Progent has provided certified expert IT services for businesses in Oklahoma City and throughout the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have been awarded advanced industry certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have earned internationally-recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience with financial systems and ERP software solutions. This breadth of experience gives Progent the ability to rapidly identify necessary systems, organize the remaining parts of your computer network environment after a crypto-ransomware event, and assemble them into an operational network.

Progent's recovery team of experts uses top notch project management tools to orchestrate the sophisticated restoration process. Progent appreciates the urgency of working swiftly and in concert with a client's management and IT resources to assign priority to tasks and to put essential systems back on-line as soon as humanly possible.

Client Case Study: A Successful Ransomware Intrusion Response
A small business sought out Progent after their network was brought down by the Ryuk ransomware virus. Ryuk is generally considered to have been developed by North Korean state hackers, suspected of adopting approaches leaked from America's NSA organization. Ryuk targets specific organizations with little or no room for operational disruption and is among the most lucrative versions of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing company headquartered in the Chicago metro area with around 500 workers. The Ryuk penetration had disabled all company operations and manufacturing processes. Most of the client's data backups had been on-line at the start of the attack and were eventually encrypted. The client was evaluating paying the ransom demand (exceeding $200,000) and hoping for the best, but in the end engaged Progent.


"I can't thank you enough about the expertise Progent gave us throughout the most critical time of (our) company's life. We would have paid the cyber criminals behind the attack except for the confidence the Progent team gave us. The fact that you were able to get our e-mail and production applications back into operation sooner than a week was something I thought impossible. Every single staff member I interacted with or messaged at Progent was laser focused on getting our system up and was working all day and night to bail us out."

Progent worked with the client to quickly understand and assign priority to the critical systems that needed to be addressed to make it possible to restart business operations:

  • Microsoft Active Directory
  • Email
  • Accounting and Manufacturing Software

To get going, Progent followed industry best practices for anti-virus/malware incident mitigation by stopping lateral movement and cleaning up infected systems. Progent then began the steps of bringing back online Microsoft Active Directory, the heart of enterprise networks built upon Microsoft technology. Microsoft Exchange messaging will not operate without AD, and the customer's MRP system leveraged Microsoft SQL Server, which requires Active Directory for access to the information.

In less than 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then helped perform setup and storage recovery of mission critical systems. All Exchange schema and configuration information were usable, which facilitated the restore of Exchange. Progent was also able to find local OST files (Microsoft Outlook Off-Line Data Files) on staff desktop computers in order to recover mail information. A reasonably recent off-line backup of the customer's accounting software made it possible to return these vital applications to service for users. Although significant work remained to recover fully from the Ryuk damage, critical services were returned to operation quickly:


"For the most part, the manufacturing operation survived unscathed and we did not miss any customer orders."

Throughout the following few weeks critical milestones in the recovery process were achieved in tight cooperation between Progent engineers and the client:

  • Self-hosted web applications were returned to operation without losing any data.
  • The MailStore Exchange Server with over four million historical emails was brought online and accessible to users.
  • CRM/Customer Orders/Invoices/AP/Accounts Receivables (AR)/Inventory Control capabilities were fully functional.
  • A new Palo Alto Networks 850 firewall was set up.
  • Ninety percent of the desktops and laptops were functioning as before the incident.

"A huge amount of what went on in the initial days is nearly entirely a fog for me, but my team will not forget the dedication each and every one of the team accomplished to help get our company back. I have utilized Progent for the past 10 years, possibly more, and each time I needed help Progent has impressed me and delivered. This time was a stunning achievement."

Conclusion
A likely enterprise-killing disaster was dodged due to dedicated professionals, a wide array of technical expertise, and close collaboration. Although in post mortem the ransomware incident detailed here should have been blocked with advanced cyber security technology solutions and security best practices, user and IT administrator education, and well thought out security procedures for information protection and proper patching controls, the reality is that state-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware virus, remember that Progent's team of professionals has extensive experience in crypto-ransomware virus defense, cleanup, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were helping), thank you for making it so I could get rested after we made it over the initial push. All of you did a fabulous effort, and if anyone that helped is around the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this case study, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Oklahoma City a variety of online monitoring and security evaluation services to help you minimize the threat from ransomware. These services include modern machine learning capability to uncover new variants of ransomware that can get past legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates cutting edge behavior analysis technology to defend physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which easily evade traditional signature-matching anti-virus products. ProSight ASM safeguards local and cloud-based resources and offers a unified platform to address the entire threat lifecycle including filtering, identification, containment, cleanup, and post-attack forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable multi-layer protection for physical and virtual servers, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and responding to security assaults from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint control, and web filtering via leading-edge tools packaged within a single agent managed from a single console. Progent's data protection and virtualization consultants can help you to design and configure a ProSight ESP environment that addresses your organization's specific needs and that allows you to achieve and demonstrate compliance with government and industry data protection standards. Progent will help you define and configure policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that require urgent action. Progent's consultants can also help your company to install and test a backup and disaster recovery system like ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and medium-sized businesses an affordable and fully managed solution for secure backup/disaster recovery. Available at a low monthly cost, ProSight Data Protection Services automates and monitors your backup processes and allows fast recovery of vital data, apps and VMs that have become lost or damaged as a result of component failures, software glitches, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware images. Critical data can be backed up on the cloud, to a local device, or mirrored to both. Progent's BDR specialists can deliver world-class support to configure ProSight Data Protection Services to be compliant with regulatory standards like HIPAA, FINRA, and PCI and, whenever needed, can help you to restore your business-critical information. Learn more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top data security companies to provide centralized control and comprehensive security for all your email traffic. The powerful structure of Progent's Email Guard integrates a Cloud Protection Layer with a local security gateway device to offer complete protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-based malware. Email Guard's cloud filter acts as a preliminary barricade and blocks most threats from reaching your security perimeter. This decreases your vulnerability to inbound attacks and saves system bandwidth and storage. Email Guard's on-premises gateway device adds a further layer of analysis for incoming email. For outbound email, the local security gateway offers AV and anti-spam filtering, DLP, and email encryption. The local gateway can also assist Exchange Server to track and safeguard internal email that stays within your corporate firewall. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to map out, monitor, reconfigure and troubleshoot their networking hardware such as switches, firewalls, and access points plus servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology maps are always updated, copies and displays the configuration information of virtually all devices on your network, monitors performance, and generates alerts when issues are detected. By automating complex management and troubleshooting processes, ProSight WAN Watch can cut hours off ordinary tasks like making network diagrams, reconfiguring your network, locating appliances that need important updates, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to help keep your network operating at peak levels by tracking the state of vital computers that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your designated IT management staff and your assigned Progent consultant so all potential issues can be addressed before they can impact your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host set up and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting service model, the client owns the data, the OS software, and the applications. Since the environment is virtualized, it can be moved easily to an alternate hardware solution without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and safeguard information related to your IT infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSLs or domains. By cleaning up and managing your IT documentation, you can save as much as 50% of time thrown away looking for vital information about your IT network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents related to managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether you're making improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

For Oklahoma City 24x7 Ransomware Remediation Help, contact Progent at 800-993-9400 or go to Contact Progent.