Crypto-Ransomware : Your Feared IT Nightmare
Crypto-Ransomware Recovery Professionals

Crypto-ransomware has become an all-too-frequent cyber plague that poses an enterprise-level danger for organizations vulnerable to an attack. Earlier iterations of ransomware such as the CryptoLocker, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for a long time and still inflict harm. Newer versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, plus more unnamed malware, not only encrypt online files but also infect most configured system protection mechanisms. Information synched to off-site disaster recovery sites can also be rendered useless. In a vulnerable data protection solution, this can render automated restoration hopeless and basically knock the network back to zero.

Restoring services and information after a ransomware outage becomes a sprint against time as the victim fights to stop lateral movement, clean up the crypto-ransomware, and restore business-critical operations. Because ransomware requires time to spread, attacks are often launched on weekends, when intrusions typically take longer to notice. This compounds the difficulty of quickly marshalling and organizing an experienced mitigation team.

Progent makes available a variety of support services for protecting organizations from ransomware penetrations. Among these are staff education to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of the latest generation security appliances with AI capabilities to quickly identify and quarantine zero-day cyber threats. Progent in addition offers the services of seasoned ransomware recovery professionals with the skills and perseverance to reconstruct a breached network as urgently as possible.

Progent's Ransomware Recovery Help
Following a crypto-ransomware event, even paying the ransom demand in Bitcoin cryptocurrency does not ensure that the cyber criminals will provide the keys to decrypt any or all of your information. Kaspersky Labs determined that seventeen percent of crypto-ransomware victims never recovered their files even after having sent off the ransom, resulting in further losses. The risk is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET estimates to be around $13,000. The fallback is to piece back together the key components of your Information Technology environment. Without full data backups available, this requires a wide complement of skills, professional project management, and the willingness to work non-stop until the recovery project is done.

For twenty years, Progent has offered professional IT services for companies in Honolulu and throughout the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have been awarded high-level certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have garnered internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has expertise with financial management and ERP software solutions. This breadth of experience gives Progent the ability to efficiently identify critical systems, re-organize the surviving pieces of your network environment after a ransomware attack, and assemble them into a functioning system.

Progent's ransomware group has top-notch project management tools to coordinate the sophisticated restoration process. Progent knows the urgency of working swiftly and together with a customer's management and Information Technology resources to prioritize tasks and to get critical services back on line as fast as possible.

Customer Case Study: A Successful Crypto-Ransomware Virus Restoration
A small business hired Progent after their network was attacked by the Ryuk crypto-ransomware. Ryuk is thought to have been launched by North Korean government-sponsored cybercriminals, possibly adopting algorithms leaked from the United States National Security Agency. Ryuk targets specific businesses with little ability to sustain operational disruption and is one of the most lucrative instances of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in the Chicago metro area with around 500 employees. The Ryuk event had shut down all essential operations and manufacturing processes. The majority of the client's information backups had been on-line at the start of the intrusion and were encrypted. The client was taking steps to pay the ransom demand (more than $200K) and hoping for good luck, but ultimately reached out to Progent.

"I cannot thank you enough for the support Progent gave us during the most critical time of (our) business's survival. We would have had little choice but to pay the cyber criminals behind the attack if not for the confidence the Progent experts provided us. The fact that you were able to get our messaging and production servers back on-line in less than 1 week was incredible. Every single expert I interacted with or messaged at Progent was totally committed to getting our system up and was working day and night on our behalf."

Progent worked together with the customer to quickly identify and prioritize the key applications that had to be addressed to make it possible to resume departmental operations:

  • Active Directory (AD)
  • Electronic Messaging
  • Accounting and Manufacturing Software

To start, Progent followed ransomware incident response best practices by halting the spread and cleaning systems of the malware. Progent then began the steps of recovering Windows Active Directory, the foundation of enterprise networks built upon Microsoft Windows technology. Exchange messaging will not work without AD, and the customer's financials and MRP system utilized Microsoft SQL, which needs Active Directory for security authorization to the data.

In less than 48 hours, Progent was able to restore Active Directory to its pre-attack state. Progent then assisted with rebuilding and hard drive recovery on mission-critical systems. All Microsoft Exchange Server schema and attributes were usable, which facilitated the restore of Exchange. Progent was also able to find non-encrypted OST files (Outlook Offline Data Files) on staff PCs in order to recover mail data. A recent offline backup of the client's accounting/ERP systems made it possible to bring these essential applications back online for users. Although a large amount of work remained to recover fully from the Ryuk attack, critical services were restored quickly:

"For the most part, the production line operation ran fairly normally throughout and we produced all customer shipments."

Over the next couple of weeks, important milestones in the recovery process were reached through tight cooperation between Progent consultants and the customer:

  • Self-hosted web sites were brought back up without losing any data.
  • The MailStore Server containing more than 4 million archived messages was spun up and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/AR/Inventory capabilities were completely restored.
  • A new Palo Alto 850 security appliance was installed and configured.
  • 90% of the desktops and laptops were back in operation.

"A huge amount of what happened that first week is nearly entirely a haze for me, but our team will not soon forget the urgency each and every one of your team put in to help get our business back. I've been working with Progent for at least 10 years, possibly more, and every time Progent has outperformed my expectations and delivered as promised. This time was the most impressive ever."

Conclusion
A potential company-ending catastrophe was averted through the efforts of hard-working professionals, a wide array of technical expertise, and tight teamwork. Although in the post-mortem it was clear that the ransomware incident described here would have been identified and disabled with modern security technology and best practices, user education, and appropriate security procedures for data protection and applying software patches, the fact is that government-sponsored cyber criminals from Russia, China and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's roster of experts has extensive experience in ransomware blocking, mitigation, and file restoration.

"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), I'm grateful for letting me get some sleep after we got over the first week. All of you did a fabulous job, and if any of your guys are visiting the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Honolulu a variety of remote monitoring and security evaluation services designed to help you to minimize the threat from ransomware. These services include modern AI capability to uncover zero-day variants of crypto-ransomware that can evade traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that utilizes cutting edge behavior-based analysis technology to defend physical and virtual endpoints against modern malware assaults like ransomware and file-less exploits, which routinely evade traditional signature-based AV products. ProSight ASM safeguards local and cloud resources and provides a unified platform to address the complete threat progression including protection, infiltration detection, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback using Windows VSS and real-time system-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services offer economical multi-layer protection for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring and responding to security assaults from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge technologies incorporated within one agent managed from a unified console. Progent's data protection and virtualization consultants can assist you to design and implement a ProSight ESP environment that addresses your organization's unique requirements and that helps you demonstrate compliance with legal and industry information protection regulations. Progent will assist you to specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require urgent attention. Progent can also help you to install and test a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized businesses an affordable end-to-end service for reliable backup/disaster recovery. For a low monthly price, ProSight Data Protection Services automates and monitors your backup activities and allows rapid recovery of critical files, apps and virtual machines that have become lost or damaged due to component failures, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to a local storage device, or mirrored to both. Progent's backup and recovery consultants can deliver advanced expertise to configure ProSight DPS to comply with government and industry regulatory requirements like HIPAA, FIRPA, and PCI and, when necessary, can help you to recover your critical information. Find out more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top data security companies to deliver web-based control and comprehensive protection for all your inbound and outbound email. The powerful structure of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway device to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks most threats from making it to your security perimeter. This decreases your exposure to external threats and conserves network bandwidth and storage space. Email Guard's on-premises security gateway device adds a deeper level of analysis for inbound email. For outgoing email, the onsite security gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to track and protect internal email that stays inside your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to map, track, optimize and troubleshoot their networking hardware like switches, firewalls, and access points as well as servers, printers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that network diagrams are always updated, captures and displays the configuration of virtually all devices on your network, tracks performance, and generates notices when potential issues are discovered. By automating time-consuming management activities, ProSight WAN Watch can cut hours off common tasks like making network diagrams, reconfiguring your network, finding devices that require important software patches, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) technology to help keep your IT system running at peak levels by tracking the health of critical assets that drive your business network. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your specified IT staff and your Progent engineering consultant so all potential problems can be addressed before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual host set up and managed by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the apps. Since the environment is virtualized, it can be moved immediately to an alternate hosting environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and safeguard data about your network infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be alerted about impending expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT infrastructure documentation, you can eliminate up to 50% of time spent searching for vital information about your network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents related to managing your business network like recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT data. Whether you're making enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Find out more about ProSight IT Asset Management service.

For 24/7 Honolulu Ransomware Remediation Consultants, call Progent at 800-993-9400 or go to Contact Progent.