Crypto-Ransomware : Your Crippling IT Catastrophe
Ransomware has become a modern cyberplague that represents an existential danger for businesses of all sizes. Multiple generations of crypto-ransomware such as Dharma, Fusob, Locky, SamSam and MongoLock cryptoworms have been in the wild for a long time and still cause damage. More recent variants such as Ryuk and Hermes, plus additional as yet unnamed strains, not only encrypt online critical data but also infect any system backups they can reach. Data synched to cloud environments can also be rendered useless. In a poorly architected data protection solution, this can make any restore operation hopeless and essentially sets the datacenter back to square one.
Restoring applications and information after a ransomware event becomes a sprint against time as the targeted business struggles to contain the damage, remove the crypto-ransomware, and restore business-critical operations. Because crypto-ransomware requires time to replicate, attacks are usually launched on weekends and at night, when they tend to take longer to detect. This compounds the difficulty of rapidly mobilizing and coordinating a knowledgeable response team.
Progent offers a range of services for protecting businesses from ransomware attacks. Among these are user education to help staff identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and deployment of the latest generation of security appliances with machine learning capabilities to automatically discover and extinguish new threats. Progent also provides the services of seasoned ransomware recovery professionals with the talent and perseverance to rebuild a compromised network as urgently as possible.
Progent's Ransomware Restoration Help
After a ransomware attack, even paying the ransom demand in cryptocurrency does not provide any assurance that the cyber criminals will return the keys needed to decrypt your data. Kaspersky estimated that seventeen percent of ransomware victims never restored their information after having paid the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far above the average ransomware demand, which ZDNET estimates to be approximately $13,000. The fallback is to re-install the essential components of your Information Technology environment. Without access to complete information backups, this calls for a wide complement of skill sets, professional team management, and the ability to work 24x7 until the task is complete.
For twenty years, Progent has provided certified expert Information Technology services for businesses in Orlando and across the United States and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have attained high-level certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have earned internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience in accounting and ERP applications. This breadth of experience gives Progent the capability to efficiently identify the necessary systems, organize the remaining pieces of your IT system following a crypto-ransomware attack, and assemble them into a functioning network.
Progent's security team uses top-notch project management applications to coordinate the complex recovery process. Progent understands the importance of acting rapidly and working together with a client's management and IT resources to prioritize tasks and put critical applications back online as soon as humanly possible.
Client Story: A Successful Ransomware Intrusion Recovery
A business sought out Progent after their organization was attacked by the Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean state-sponsored hackers, possibly using approaches leaked from the United States National Security Agency. Ryuk targets specific companies with little tolerance for disruption and is one of the most profitable incarnations of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing company based in Chicago with about 500 staff members. The Ryuk attack had brought down all essential operations and manufacturing processes. Most of the client's system backups had been online at the time of the intrusion and were encrypted. The client was evaluating paying the ransom (more than $200,000) and hoping for the best, but in the end engaged Progent.
"I can't tell you enough in regards to the care Progent provided us throughout the most fearful period of (our) business's existence. We had little choice but to pay the cyber criminals if not for the confidence the Progent group afforded us. That you could get our e-mail system and essential applications back on-line sooner than one week was incredible. Each person I got help from or communicated with at Progent was laser focused on getting us back on-line and was working non-stop to bail us out."
Progent worked with the client to quickly understand and prioritize the key services that had to be recovered in order to restart business functions:
- Windows Active Directory
- Microsoft Exchange Email
To start, Progent followed industry best practices for anti-virus incident mitigation by stopping the spread and disinfecting systems. Progent then began the task of restoring Windows Active Directory, the core of enterprise networks built on Microsoft technology. Microsoft Exchange Server email will not function without AD, and the client's accounting and MRP software used Microsoft SQL Server, which depends on Active Directory services for authentication to the databases.
Within two days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then completed installation and disk recovery of the needed applications. All Microsoft Exchange Server schema and configuration information was intact, which facilitated the rebuild of Exchange. Progent was also able to collect intact OST files (Microsoft Outlook Offline Data Files) on staff PCs in order to recover email information. A reasonably recent offline backup of the business's accounting systems made it possible to restore these required applications to service. Although a lot of work remained to recover fully from the Ryuk attack, essential systems were restored rapidly:
"For the most part, the assembly line operation survived unscathed and we produced all customer sales."
During the following couple of weeks, critical milestones in the restoration process were achieved in tight collaboration between Progent engineers and the customer:
- Internal web sites were restored with no loss of data.
- The MailStore Server, holding more than four million archived messages, was brought back up and made available to users.
- CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory modules were completely operational.
- A new Palo Alto 850 security appliance was brought on-line.
- Ninety percent of the desktops and laptops were operational.
"So much of what went on in the initial days is nearly entirely a fog for me, but my team will not soon forget the commitment each and every one of your team accomplished to give us our business back. I have trusted Progent for the past ten years, maybe more, and every time Progent has impressed me and delivered as promised. This situation was no exception but maybe more Herculean."
A probable business catastrophe was avoided with results-oriented professionals, a wide spectrum of IT skills, and tight teamwork. In retrospect, the ransomware incident detailed here should have been stopped by modern security technology and recognized best practices: user education, properly executed procedures for information backup, and keeping systems up to date with security patches. The reality, however, is that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by ransomware, remember that Progent's team of experts has proven experience in crypto-ransomware blocking, mitigation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were helping), thanks very much for letting me get rested after we got over the most critical parts. Everyone did an amazing effort, and if anyone is visiting the Chicago area, a great meal is on me!"
To review or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Orlando a variety of remote monitoring and security assessment services designed to help you minimize your vulnerability to ransomware. These services include modern machine learning technology to detect new variants of ransomware that are able to escape detection by traditional signature-based anti-virus products.
For 24/7/365 Orlando crypto-ransomware recovery consultants, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates next generation behavior analysis technology to defend physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which routinely evade traditional signature-based anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a single platform to address the complete malware attack progression including filtering, detection, containment, cleanup, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable in-depth security for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and response to security attacks from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device management, and web filtering via leading-edge tools incorporated within a single agent accessible from a single console. Progent's data protection and virtualization consultants can help your business plan and implement a ProSight ESP environment that meets your organization's unique needs and that allows you to prove compliance with government and industry information protection standards. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require immediate attention. Progent can also help your company install and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent offer small and medium-sized organizations an affordable and fully managed service for secure backup/disaster recovery. For a low monthly cost, ProSight Data Protection Services automates and monitors your backup activities and allows fast recovery of vital files, applications and virtual machines that have become unavailable or corrupted due to hardware failures, software glitches, disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to a local storage device, or to both. Progent's cloud backup consultants can deliver advanced expertise to set up ProSight Data Protection Services to be compliant with regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can assist you to recover your business-critical data. Learn more about ProSight Data Protection Services Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading data security companies to deliver web-based management and comprehensive security for all your email traffic. The powerful structure of the Email Guard managed service integrates a Cloud Protection Layer with an on-premises security gateway device to offer advanced defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks most unwanted email from reaching your security perimeter. This reduces your exposure to external threats and conserves network bandwidth and storage space. Email Guard's on-premises gateway device adds a deeper layer of inspection for incoming email. For outgoing email, the onsite security gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also help Microsoft Exchange Server track and protect internal email that originates and ends inside your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to map, track, enhance and troubleshoot their connectivity appliances such as switches, firewalls, and wireless controllers plus servers, printers, endpoints and other devices. Using cutting-edge RMM technology, WAN Watch ensures that network maps are kept updated, copies and displays the configuration of almost all devices on your network, monitors performance, and generates alerts when issues are discovered. By automating tedious management activities, ProSight WAN Watch can knock hours off common tasks such as making network diagrams, expanding your network, locating devices that require important software patches, or resolving performance problems. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system operating at peak levels by tracking the state of vital computers that power your business network. When ProSight LAN Watch detects a problem, an alert is sent automatically to your designated IT staff and your Progent engineering consultant so that any looming issues can be addressed before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure Tier III data center on a fast virtual machine host set up and managed by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved immediately to an alternate hardware environment without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and safeguard data related to your network infrastructure, processes, business apps, and services. You can instantly locate passwords or serial numbers and be warned about impending expirations of SSL certificates or warranties. By updating and organizing your network documentation, you can eliminate up to 50% of the time wasted searching for vital information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents required for managing your business network, such as standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether you're planning improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you require the instant you need it. Learn more about ProSight IT Asset Management service.