Crypto-Ransomware : Your Feared IT Nightmare
Ransomware Remediation Experts

Ransomware has become an all-too-frequent cyberplague that poses an enterprise-level danger for businesses unprepared for an attack. Multiple generations of ransomware such as Reveton, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been around for many years and still inflict damage. Modern strains of ransomware like Ryuk and Hermes, as well as additional unnamed viruses, not only encrypt online files but also attack any reachable backups and other system protections. Information synchronized to the cloud can also be rendered useless. In a poorly designed system, this can make automatic restore operations impossible and effectively knocks the network back to square one.

Retrieving applications and data following a ransomware outage becomes a race against the clock as the targeted business struggles to stop the spread, clean up the ransomware, and resume enterprise-critical operations. Because ransomware needs time to move laterally, assaults are often launched on weekends and holidays, when successful penetrations may take more time to recognize. This compounds the difficulty of promptly mobilizing and coordinating a knowledgeable response team.

Progent provides an assortment of support services for protecting businesses from ransomware events. These include team education to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of the latest generation security appliances with AI capabilities to quickly detect and quarantine day-zero cyber threats. Progent also provides the assistance of expert ransomware recovery consultants with the talent and perseverance to re-deploy a compromised system as urgently as possible.

Progent's Ransomware Restoration Help
Subsequent to a crypto-ransomware event, even paying the ransom demand in cryptocurrency does not guarantee that the cyber hackers will respond with the codes needed to decrypt any or all of your data. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims never recovered their data after having paid the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the typical ransomware demand, which ZDNET estimates to be around $13,000. The other path is to piece back together the mission-critical components of your IT environment. Without the availability of essential system backups, this requires a broad complement of skill sets, top-notch team management, and the ability to work non-stop until the job is done.

For decades, Progent has made available expert IT services for businesses in Aurora and across the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have earned advanced industry certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have garnered internationally-recognized industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience in accounting and ERP software solutions. This breadth of expertise affords Progent the ability to knowledgeably understand the necessary systems, re-organize the remaining pieces of your network environment following a crypto-ransomware attack, and rebuild them into a functioning system.

Progent's ransomware team uses best-of-breed project management applications to coordinate the complicated recovery process. Progent appreciates the urgency of working swiftly and in concert with a customer's management and IT resources to prioritize tasks and to get critical systems back on line as fast as possible.

Client Case Study: A Successful Ransomware Virus Recovery
A business contacted Progent after their company was crashed by the Ryuk ransomware virus. Ryuk is believed to have been launched by North Korean state criminal gangs, possibly adopting technology leaked from America's NSA organization. Ryuk goes after specific businesses with little or no room for operational disruption and is among the most profitable examples of crypto-ransomware. Headline victims include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in the Chicago metro area with about 500 employees. The Ryuk event had frozen all company operations and manufacturing processes. Most of the client's information backups had been directly accessible from the network at the start of the attack and were eventually encrypted. The client was taking steps to pay the ransom (more than $200,000) and hoping for good luck, but ultimately made the decision to use Progent.


"I cannot say enough about the care Progent provided us during the most stressful time of (our) company's existence. We would have paid the cyber criminals behind the attack if not for the confidence the Progent group afforded us. The fact that you could get our e-mail system and important applications back into operation faster than a week was amazing. Each person I spoke to or e-mailed at Progent was urgently focused on getting us working again and was working at all hours to bail us out."

Progent worked together with the client to quickly identify and prioritize the most important areas that had to be addressed in order to resume business functions:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • Financials/MRP

To start, Progent followed ransomware incident mitigation best practices by halting the spread and performing virus removal steps. Progent then began the work of recovering Active Directory, the core of enterprise environments built on Microsoft Windows technology. Exchange email will not work without Active Directory, and the client's financials and MRP software ran on SQL Server, which depends on Windows AD for authentication and authorization to the data.

In less than two days, Progent was able to recover Active Directory services to their pre-attack state. Progent then rebuilt the needed application servers and recovered their hard drives. All Microsoft Exchange Server data and attributes were intact, which facilitated the restore of Exchange. Progent was also able to locate non-encrypted OST data files (Microsoft Outlook Off-Line Folder Files) on team desktop computers in order to recover mail information. A reasonably recent offline backup of the client's accounting/MRP systems, which had survived because it was not reachable from the network, made it possible to bring these required applications back on-line. Although a large amount of work still needed to be completed to recover totally from the Ryuk attack, critical services were recovered quickly:


"For the most part, the production operation showed little impact and we produced all customer sales."

Throughout the following few weeks key milestones in the restoration process were achieved through close cooperation between Progent team members and the client:

  • Internal web applications were returned to operation without losing any data.
  • The MailStore archive for Microsoft Exchange Server, holding more than 4 million archived emails, was brought back on-line and made available to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory capabilities were fully restored.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • Nearly all of the desktops and laptops were fully operational.

"A huge amount of what happened in the early hours is mostly a blur for me, but we will not soon forget the care each of the team put in to help get our business back. I have been working together with Progent for the past 10 years, possibly more, and every time Progent has shined and delivered as promised. This situation was no exception but maybe more Herculean."

Conclusion
A possible company-ending disaster was averted with results-oriented experts, a wide spectrum of IT skills, and tight collaboration. Although in hindsight the ransomware virus attack described here could have been identified and blocked with up-to-date cyber security systems and recognized best practices, staff training, and appropriate security procedures for data protection and applying software patches, the reality is that government-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware incident, feel confident that Progent's roster of professionals has a proven track record in crypto-ransomware virus blocking, removal, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were contributing), thanks very much for letting me get rested after we got through the most critical parts. Everyone did an amazing job, and if any of your guys is around the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Aurora a range of online monitoring and security evaluation services designed to assist you to reduce your vulnerability to ransomware. These services incorporate next-generation AI capability to detect new variants of crypto-ransomware that are able to escape detection by legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates cutting-edge behavior-based machine learning technology to defend physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which easily evade legacy signature-based AV products. ProSight ASM safeguards on-premises and cloud-based resources and provides a single platform to automate the entire malware attack lifecycle: blocking, detection, containment, remediation, and forensics. Key capabilities include one-click rollback with Windows VSS and real-time system-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth security for physical servers and virtual machines, desktops, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and response to security assaults from all attack vectors. ProSight ESP delivers firewall protection, penetration alerts, device management, and web filtering through leading-edge technologies packaged within one agent managed from a single console. Progent's data protection and virtualization consultants can help you plan and implement a ProSight ESP environment that addresses your company's specific requirements and that helps you prove compliance with legal and industry information protection regulations. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require urgent attention. Progent can also assist your company to install and verify a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business rapidly after a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and medium-sized organizations a low-cost end-to-end solution for secure backup/disaster recovery (BDR). For a fixed monthly rate, ProSight Data Protection Services automates your backup activities and allows rapid restoration of critical files, apps and VMs that have become unavailable or corrupted as a result of component failures, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, plus Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to an on-premises device, or mirrored to both. Progent's backup and recovery specialists can deliver world-class support to configure ProSight DPS to be compliant with regulatory standards like HIPAA, FERPA, PCI and Safe Harbor and, when necessary, can help you to restore your business-critical data. Learn more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top information security companies to provide centralized control and comprehensive protection for your inbound and outbound email. The hybrid structure of Progent's Email Guard combines a Cloud Protection Layer with an on-premises gateway device to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The Cloud Protection Layer serves as a preliminary barricade and keeps the vast majority of unwanted email from making it to your security perimeter. This reduces your exposure to inbound attacks and conserves network bandwidth and storage. Email Guard's onsite security gateway device provides a deeper level of inspection for incoming email. For outbound email, the on-premises gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The local security gateway can also assist Microsoft Exchange Server to track and protect internal email that originates and ends inside your security perimeter. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller organizations to diagram, monitor, enhance and debug their connectivity appliances such as switches, firewalls, and load balancers as well as servers, printers, client computers and other devices. Using state-of-the-art RMM technology, ProSight WAN Watch ensures that infrastructure topology diagrams are kept updated, copies and displays the configuration information of almost all devices on your network, tracks performance, and generates notices when potential issues are discovered. By automating tedious management activities, ProSight WAN Watch can cut hours off ordinary chores like network mapping, expanding your network, finding appliances that need critical software patches, or resolving performance problems. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) techniques to help keep your IT system operating at peak levels by checking the state of the vital computers that drive your business network. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your specified IT management staff and your Progent consultant so any potential issues can be addressed before they have a chance to disrupt your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure fault tolerant data center on a high-performance virtual machine host configured and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the apps. Since the environment is virtualized, it can be moved immediately to a different hosting solution without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, retrieve and protect data about your network infrastructure, processes, applications, and services. You can quickly locate passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or domains. By updating and organizing your network documentation, you can save as much as 50% of the time spent searching for vital information about your IT network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents required for managing your business network, like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're making improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you require when you need it. Read more about Progent's ProSight IT Asset Management service.

For 24x7x365 Aurora Crypto-Ransomware Removal Support Services, reach out to Progent at 800-993-9400 or go to Contact Progent.