Crypto-Ransomware : Your Feared Information Technology Nightmare
Crypto-ransomware has become a modern cyber pandemic that poses an existential danger for any business vulnerable to an attack. Ransomware families such as CryptoLocker, Fusob, Locky, SamSam and MongoLock have been spreading for years and still cause damage. Modern strains like Ryuk and Hermes, along with newer, as yet unnamed variants, not only encrypt online data files but also go after every system protection mechanism they can reach. Data replicated to cloud environments can be corrupted as well. In a vulnerable environment, this can make recovery impossible and effectively knocks the datacenter back to zero.
Bringing programs and data back online after a ransomware outage becomes a race against the clock as the targeted organization fights to stop lateral movement, remove the ransomware, and restore mission-critical operations. Because ransomware takes time to spread, attacks are often launched at night or on weekends, when intrusions typically take longer to uncover. This compounds the difficulty of promptly mobilizing and organizing an experienced mitigation team.
Progent provides a variety of services for protecting businesses from crypto-ransomware intrusions. Among these are team training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of security appliances with artificial intelligence capabilities to automatically detect and suppress zero-day threats. Progent also offers the services of seasoned ransomware recovery professionals with the track record and perseverance to rebuild a compromised environment as rapidly as possible.
Progent's Crypto-Ransomware Recovery Support Services
After a ransomware attack, paying the ransom demand in cryptocurrency provides no assurance that the attackers will hand over the keys to decrypt any or all of your files. Kaspersky estimated that 17% of ransomware victims never recovered their data after sending off the ransom, resulting in even greater losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the typical crypto-ransomware demand, which ZDNET estimates averages approximately $13,000. The other path is to piece back together the essential components of your Information Technology environment. Without access to complete system backups, this calls for a broad range of skills, professional team management, and the ability to work 24x7 until the job is done.
For decades, Progent has offered expert Information Technology services for businesses in Omaha and across the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have earned advanced certifications in key technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security experts hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with financial systems and ERP software solutions. This breadth of expertise gives Progent the capability to understand the systems that matter, organize the remaining pieces of your Information Technology environment following a ransomware intrusion, and reassemble them into a functioning system.
Progent's security team uses powerful project management applications to orchestrate the sophisticated recovery process. Progent understands the urgency of working quickly and together with a client's management and IT staff to prioritize tasks and to put the most important applications back online as fast as possible.
Customer Story: A Successful Ransomware Attack Response
A small business sought out Progent after their organization was crippled by the Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state-sponsored hackers, suspected of adopting techniques leaked from the U.S. NSA. Ryuk targets specific organizations with little tolerance for disruption and is among the most lucrative incarnations of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business based in Chicago with about 500 workers. The Ryuk intrusion had paralyzed all company operations and manufacturing processes. Most of the client's system backups had been online at the start of the intrusion and were damaged. The client was pursuing financing to pay the ransom demand (more than $200,000) and hoping for good luck, but ultimately engaged Progent.
"I cannot say enough in regards to the help Progent provided us during the most critical period of (our) business's life. We most likely would have paid the criminal gangs if it wasn't for the confidence the Progent team gave us. That you could get our messaging and key servers back online in less than one week was earth shattering. Every single staff member I worked with or messaged at Progent was urgently focused on getting us restored and was working at breakneck pace on our behalf."
Progent worked hand in hand with the client to quickly assess and prioritize the mission-critical services that had to be recovered to make it possible to restart company operations:
- Active Directory
- Microsoft Exchange Email
- MRP System
To get going, Progent followed industry best practices for malware incident response by stopping lateral movement and carrying out malware removal steps. Progent then began recovering Microsoft Active Directory, the heart of enterprise environments built on Microsoft Windows technology. Microsoft Exchange messaging will not work without Windows AD, and the business's MRP software used SQL Server, which relies on Windows AD for authentication and authorization to the databases.
Within 2 days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then charged ahead with rebuilding the most important servers and recovering their storage. All Exchange data and configuration information were usable, which facilitated the restore of Exchange. Progent was able to locate unencrypted OST files (Outlook Offline Folder Files) on various workstations and laptops to recover email messages. A relatively recent offline backup of the business's financial/ERP software made it possible to bring these essential services back to users. Although a large amount of work remained to recover completely from Ryuk, essential systems were restored rapidly:
"For the most part, the production operation did not miss a beat and we delivered all customer shipments."
Over the next couple of weeks important milestones in the recovery project were completed in close collaboration between Progent consultants and the customer:
- In-house web sites were restored without losing any data.
- The MailStore archive server for Microsoft Exchange, holding more than four million historical emails, was restored to operation and made accessible to users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivable (AR)/Inventory Control capabilities were fully recovered.
- A new Palo Alto 850 firewall was brought online.
- Most of the desktop computers were back in use by staff.
"A huge amount of what happened that first week is nearly entirely a fog for me, but our team will not soon forget the care each and every one of you put in to help get our business back. I have trusted Progent for at least 10 years, possibly more, and each time Progent has outperformed my expectations and delivered as promised. This situation was a Herculean accomplishment."
A potential business-ending catastrophe was avoided through the efforts of dedicated experts, a wide array of subject matter expertise, and close collaboration. In hindsight, the ransomware intrusion described here could have been identified and contained with up-to-date cyber security technology and recognized best practices: user training, properly executed data backup procedures, and proper patching controls. The reality, however, is that government-sponsored hackers from Russia, North Korea and elsewhere are tireless and an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's team of experts has proven experience in ransomware defense, remediation, and data restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), I'm grateful for allowing me to get some sleep after we made it over the initial push. Everyone did an impressive effort, and if anyone is around the Chicago area, a great meal is my treat!"
To review or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Omaha a range of remote monitoring and security evaluation services to help you reduce the threat from ransomware. These services use modern AI capabilities to detect new variants of ransomware that can get past legacy signature-based anti-virus solutions.
For Omaha 24/7 Ransomware Repair Consultants, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes next generation behavior-based analysis tools to defend physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which easily get by legacy signature-matching anti-virus tools. ProSight ASM safeguards local and cloud resources and provides a unified platform to automate the complete threat lifecycle including blocking, identification, mitigation, remediation, and post-attack forensics. Key features include one-click rollback with Windows VSS and real-time system-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services offer affordable in-depth security for physical servers and virtual machines, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring of and response to security threats from all vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge technologies packaged within one agent accessible from a single console. Progent's security and virtualization experts can help you plan and configure a ProSight ESP environment that meets your organization's unique requirements and that allows you to achieve and demonstrate compliance with legal and industry information protection regulations. Progent will assist you in specifying and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require immediate attention. Progent's consultants can also help you install and test a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent offer small and medium-sized businesses an affordable end-to-end solution for reliable backup/disaster recovery (BDR). Available at a fixed monthly cost, ProSight Data Protection Services automates your backup activities and allows rapid restoration of critical files, applications and VMs that have been lost or corrupted as a result of component breakdowns, software glitches, disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to a local storage device, or mirrored to both. Progent's cloud backup consultants can deliver world-class support to set up ProSight Data Protection Services to comply with government and industry regulatory standards like HIPAA, FERPA, PCI and Safe Harbor and, whenever needed, can help you recover your critical information. Read more about ProSight DPS Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top information security vendors to provide web-based control and world-class security for all your inbound and outbound email. The powerful architecture of Progent's Email Guard combines a Cloud Protection Layer with a local security gateway appliance to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-based malware. The cloud filter serves as a first line of defense and blocks most unwanted email from reaching your security perimeter. This decreases your vulnerability to external threats and saves network bandwidth and storage space. Email Guard's onsite security gateway device adds a deeper level of inspection for incoming email. For outgoing email, the onsite security gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to track and safeguard internal email that originates and ends within your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller businesses to map, monitor, reconfigure and debug their networking hardware like switches, firewalls, and access points, plus servers, printers, endpoints and other devices. Incorporating state-of-the-art RMM technology, WAN Watch ensures that infrastructure topology diagrams are kept up to date, backs up and manages the configuration of almost all devices on your network, tracks performance, and sends alerts when problems are detected. By automating time-consuming network management processes, WAN Watch can knock hours off common tasks such as drawing network diagrams, expanding your network, finding devices that need important software patches, or identifying the cause of performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your network running at peak levels by tracking the state of the vital assets that power your business network. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your designated IT management staff and your assigned Progent consultant so that looming issues can be resolved before they disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual machine host configured and managed by Progent's network support professionals. With the ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the applications. Because the environment is virtualized, it can be ported easily to a different hosting solution without requiring a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and protect data related to your network infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT infrastructure documentation, you can eliminate up to half of the time spent trying to find vital information about your IT network. ProSight IT Asset Management features a common repository for holding and sharing all documents related to managing your network infrastructure, such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether you're making improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you require as soon as you need it. Learn more about ProSight IT Asset Management service.