Crypto-Ransomware: Your Feared Information Technology Nightmare
Ransomware has become a modern cyber plague that presents an enterprise-level danger to any business exposed to attack. Ransomware families such as Reveton, Fusob, Bad Rabbit, NotPetya and MongoLock have been circulating for years and continue to inflict damage. Newer strains such as Ryuk and the Hermes code it was built from, along with a steady stream of as yet unnamed newcomers, not only encrypt critical on-line data but also seek out and destroy whatever restore points, shadow copies and backups they can reach. Data replicated to cloud storage can be rendered useless as well, because the encrypted files are simply synchronized over the good copies. On a vulnerable system this makes automated recovery hopeless and effectively sets the entire environment back to square one.
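The behaviour described above, where the ransomware destroys shadow copies and backup catalogs before it encrypts, is what defeats automated recovery, and it is also the reason a VSS-based rollback (such as the one offered by ProSight Active Security Monitoring later on this page) can only work if those shadow copies survive. The detection logic below is an added example written for this page; it is not Progent's code or tooling. It runs over constructed process-creation events shaped like Sysmon Event ID 1 / Windows Security Event ID 4688 fields and flags the commands commonly used to inhibit recovery (MITRE ATT&CK T1490). Every hostname, user, path and command line in the samples is made up, and the rule names are this example's own.

```python
"""Flag process-creation events that disable Windows recovery (MITRE ATT&CK T1490).

Added example for this page, not Progent's code.  Ransomware families such as
Ryuk run commands like these before encrypting so that shadow copies and backup
catalogs cannot be used to roll back.  The sample events are CONSTRUCTED in the
shape of Sysmon Event ID 1 / Security Event ID 4688 fields; every host, user and
path in them is made up.
"""
import re
from typing import Dict, Iterable, List, Pattern, Tuple

# (rule name, pattern applied to the normalised command line)
RECOVERY_INHIBIT_RULES: List[Tuple[str, Pattern[str]]] = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin_resize_storage",      # shrinking shadow storage forces old copies out
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wmi_shadowcopy_delete",        # PowerShell / WMI variant of the same action
     re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b")),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b")),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled no|bootstatuspolicy ignoreallfailures)\b")),
]


def normalise(cmdline: str) -> str:
    """Lower-case, drop cmd.exe caret escapes (v^ssadmin -> vssadmin) and quotes,
    and collapse whitespace so each rule sees one canonical form."""
    text = cmdline.lower().replace("^", "").replace('"', "").replace("'", "")
    return " ".join(text.split())


def classify(cmdline: str) -> List[str]:
    """Names of every rule the command line matches; an empty list means benign."""
    text = normalise(cmdline)
    return [name for name, rx in RECOVERY_INHIBIT_RULES if rx.search(text)]


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the rules over process-creation events and return one finding per hit.

    The parent image is carried into the finding because a backup agent or an
    administrator's console is a plausible parent for these commands, while a
    binary under a user-writable path is not.
    """
    findings: List[Dict[str, object]] = []
    for ev in events:
        hits = classify(ev.get("CommandLine", ""))
        if hits:
            findings.append({
                "host": ev.get("Computer"),
                "user": ev.get("User"),
                "parent": ev.get("ParentImage"),
                "rules": hits,
                "cmd": ev.get("CommandLine"),
            })
    return findings


# Constructed sample telemetry (not from any real incident).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Computer": "FS01", "User": r"CORP\backupsvc",
     "ParentImage": r"C:\Program Files\BackupAgent\agent.exe",
     "CommandLine": r"vssadmin list shadows"},                       # benign: read-only
    {"Computer": "FS01", "User": r"CORP\jdoe",
     "ParentImage": r"C:\Users\Public\update.exe",
     "CommandLine": r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet'},
    {"Computer": "FS01", "User": r"CORP\jdoe",
     "ParentImage": r"C:\Users\Public\update.exe",
     "CommandLine": r"cmd.exe /c wbadmin DELETE CATALOG -quiet"},
    {"Computer": "FS01", "User": r"CORP\jdoe",
     "ParentImage": r"C:\Users\Public\update.exe",
     "CommandLine": r"bcdedit /set {default} recoveryenabled No"},
    {"Computer": "WS17", "User": r"CORP\asmith",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c v^ssadmin dele^te shadows /all"},   # caret-obfuscated
    {"Computer": "WS17", "User": r"CORP\asmith",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -nop -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    {"Computer": "WS17", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},  # benign
]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"{finding['host']} {finding['user']} {finding['rules']} <- {finding['parent']}")
```

Two design choices matter in practice. Normalising the command line before matching catches the cmd.exe caret trick and quoted paths without multiplying the rules, and the read-only `vssadmin list shadows` from a backup service account stays silent, so the rules can be alerted on directly rather than triaged. Carrying the parent image into each finding is what lets a responder tell a legitimate backup agent apart from an unsigned binary dropped under a user-writable directory, which is exactly the distinction that decides whether to isolate the host.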
Recovering programs and data after a ransomware attack becomes a race against the clock as the targeted business tries to stop lateral movement, eradicate the malware, and resume business-critical operations. Because attackers need time to move laterally and stage the encryption, they typically detonate the payload during nights and weekends, when a successful intrusion takes longer to notice and fewer staff are on hand to respond. This compounds the difficulty of quickly marshalling and coordinating a qualified response team.
Progent offers an assortment of services for protecting organizations from crypto-ransomware attacks. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of next-generation security gateways that use machine learning to detect and quarantine new attacks. Progent also provides seasoned ransomware recovery consultants with the skills and perseverance to rebuild a compromised system as quickly as possible.
Progent's Ransomware Recovery Help
Following a crypto-ransomware event, paying the ransom in cryptocurrency provides no assurance that the criminals will respond with the keys needed to decrypt any or all of your files. Kaspersky found that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The ransom itself is also costly: Ryuk demands often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at around $13,000. The alternative is to piece back together the essential elements of your IT environment. Without complete, uncompromised backups, this requires a wide range of skills, professional project management, and the willingness to work non-stop until the job is done.
For two decades, Progent has provided certified expert IT services to companies in Clearwater and throughout the US, and holds Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who hold advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security consultants hold internationally recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC (refer to Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of experience lets Progent quickly identify critical systems, salvage the surviving parts of your network following a ransomware event, and reassemble them into an operational environment.
Progent's recovery team uses best-of-breed project management tools to coordinate the complex restoration process. Progent understands the urgency of acting swiftly and in concert with a customer's management and IT staff to prioritize tasks and bring key services back online as fast as possible.
Client Story: A Successful Crypto-Ransomware Virus Restoration
A customer engaged Progent after their network was brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it reuses code from the Hermes ransomware, although later research attributes it to Russian-speaking criminal groups. Ryuk targets specific organizations with little or no tolerance for operational disruption and is one of the most lucrative families of crypto-ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing business based in Chicago with about 500 employees. The Ryuk attack had shut down all essential business and manufacturing operations. Most of the client's backups had been on-line at the start of the intrusion and were encrypted along with the production data. The client was arranging financing to pay the ransom demand (in excess of $200K) and hoping for the best, but in the end reached out to Progent.
"I can't tell you enough about the help Progent gave us during the most stressful period of (our) company's survival. We may have had to pay the hackers except for the confidence the Progent group gave us. The fact that you could get our messaging and critical applications back into operation sooner than 1 week was beyond my wildest dreams. Each person I spoke to or texted at Progent was absolutely committed to getting us back online and was working at all hours on our behalf."
Progent worked hand in hand with the customer to quickly identify and prioritize the critical components that had to be recovered before business functions could restart:
- Active Directory (AD)
- Microsoft Exchange Server email
- Microsoft SQL Server, hosting the financials and MRP data
- MRP System
To begin, Progent followed incident-response best practice by isolating affected systems to halt the spread and cleaning infected hosts. Progent then began recovering Windows Active Directory, the heart of any enterprise environment built on Microsoft Windows technology. Microsoft Exchange Server email will not function without AD, and the client's financials and MRP applications ran on Microsoft SQL Server, which relies on Active Directory to authenticate and authorize access to the data.
Within two days, Progent had recovered Active Directory to its pre-attack state. Progent then completed reinstallations and disk recovery of critical applications. All Microsoft Exchange Server configuration and connection information was intact, which accelerated the Exchange restore. Progent was also able to assemble intact OST files (Microsoft Outlook Offline Data Files) from staff PCs in order to recover mailbox data. A recent offline backup of the business's financials/ERP systems made it possible to bring those essential services back online. Although much work remained to recover completely from the Ryuk damage, the most important services were restored rapidly:
"For the most part, the production operation survived unscathed and we delivered all customer deliverables."
Over the following couple of weeks, critical milestones in the restoration were accomplished through close collaboration between Progent consultants and the customer:
- Internal web applications were restored with no loss of data.
- The MailStore email archive, holding over four million historical Exchange messages, was brought online and made accessible to users.
- CRM, customer orders, invoicing, accounts payable, accounts receivable and inventory modules were 100% recovered.
- A new Palo Alto Networks PA-850 firewall was deployed.
- 90% of user desktops were back in operation.
"Much of what was accomplished those first few days is mostly a blur for me, but my management will not soon forget the dedication each and every one of your team accomplished to help get our business back. I have trusted Progent for at least 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered. This time was a Herculean accomplishment."
A potentially business-ending catastrophe was averted thanks to dedicated experts, a wide spectrum of technical expertise, and tight teamwork. Post-incident forensics showed that the attack described here could have been stopped with modern security tooling and best practices, user training, and sound procedures for backup and software patching; the fact remains, though, that state-sponsored and criminal actors from China, Russia, North Korea and elsewhere are tireless and are not going away. If you are hit by a crypto-ransomware incident, you can be confident that Progent's roster of professionals has substantial experience in ransomware defense, remediation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were contributing), I'm grateful for allowing me to get some sleep after we got past the first week. Everyone did an amazing effort, and if anyone that helped is around the Chicago area, a great meal is my treat!"
To review or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Clearwater a variety of online monitoring and security assessment services designed to help you minimize your exposure to ransomware. These services incorporate next-generation machine learning technology to uncover new variants of crypto-ransomware that evade legacy signature-based defenses.
For Clearwater 24x7x365 crypto-ransomware remediation support, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that uses next-generation behavioral analysis to guard physical and virtual endpoints against new malware such as ransomware and phishing payloads, which routinely evade traditional signature-based antivirus. ProSight ASM protects on-premises and cloud-based resources and offers a unified platform that covers the entire malware attack lifecycle: protection, detection, containment, remediation, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Note that VSS rollback depends on the shadow copies surviving the attack, which is precisely why ransomware families such as Ryuk delete them before encrypting; rollback therefore complements, rather than replaces, offline and off-site backups. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) services offer economical multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring of and response to security threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge technologies packaged in a single agent managed from a unified console. Progent's data protection and virtualization experts can help your business design and implement a ProSight ESP deployment that meets your organization's requirements and helps you demonstrate compliance with government and industry information security standards. Progent will help you define and implement the policies that ProSight ESP enforces, and will monitor your IT environment and react to alerts that call for immediate attention. Progent's consultants can also help you install and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business rapidly after a destructive attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services provide small and medium-sized organizations an affordable end-to-end solution for secure backup and disaster recovery (BDR). Available at a fixed monthly rate, ProSight DPS automates your backup activities and allows rapid restoration of vital data, applications and VMs that have become unavailable or damaged due to hardware failures, software glitches, disasters, human error, or malware attacks like ransomware. ProSight DPS can back up, recover and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to an on-premises device, or to both. Progent's backup and recovery consultants can provide advanced support to configure ProSight DPS to comply with government and industry regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can help you restore your critical information. Learn more about ProSight DPS Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading information security companies to provide web-based management and world-class protection for your inbound and outbound email. The architecture of Progent's Email Guard combines a Cloud Protection Layer with an on-premises gateway appliance to provide layered protection against spam, viruses, denial-of-service (DoS) attacks, directory harvest attacks, and other email-borne threats. The Cloud Protection Layer serves as the first line of defense and keeps the vast majority of unwanted email from ever reaching your network firewall, which reduces your exposure to inbound attacks and saves bandwidth and storage. Email Guard's on-premises gateway appliance provides a further level of analysis for inbound email. For outbound email, the gateway offers anti-virus and anti-spam protection, data leakage protection, and email encryption. The on-premises gateway can also help Microsoft Exchange Server track and protect internal email that originates and ends inside your corporate firewall. For more details, see Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to map, monitor, optimize and troubleshoot their networking appliances like routers and switches, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Incorporating state-of-the-art RMM technology, WAN Watch makes sure that network diagrams are kept updated, copies and manages the configuration of almost all devices connected to your network, monitors performance, and generates notices when potential issues are discovered. By automating tedious network management processes, ProSight WAN Watch can cut hours off common tasks such as making network diagrams, reconfiguring your network, finding devices that require important software patches, or resolving performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to help keep your IT system operating efficiently by tracking the health of the vital assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted immediately to your designated IT personnel and your assigned Progent consultant so potential issues can be resolved before they disrupt your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual machine host configured and managed by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the apps. Because the environment is virtualized, it can be moved immediately to an alternate hardware solution without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and safeguard information related to your network infrastructure, procedures, business applications, and services. You can instantly locate passwords or IP addresses and be alerted automatically about expiring SSL/TLS certificates or warranties. By cleaning up and managing your IT documentation, you can eliminate as much as half of the time spent searching for critical information about your network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents related to managing your business network, such as standard operating procedures (SOPs) and how-to guides. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether you're planning improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you need as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.