Crypto-Ransomware : Your Feared Information Technology Catastrophe
Ransomware has become an all-too-frequent cyberplague that poses an extinction-level danger for businesses of every size. Multiple generations of ransomware such as the Reveton, Fusob, Locky, NotPetya and MongoLock cryptoworms have been in the wild for years and still cause destruction. More recent families such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Egregor, plus additional as-yet-unnamed variants, not only encrypt on-line data but also attack most of the protection mechanisms configured on the system. Files synchronized to off-site disaster recovery sites can also be encrypted. In a poorly architected data protection solution, this can make automatic recovery impossible and set the entire system back to square one.
Bringing applications and data back on-line after a ransomware attack is a race against the clock: the victim must stop lateral movement, remove the ransomware, and resume business-critical activity. Because ransomware takes time to move laterally, attacks are frequently launched on weekends and holidays, when a successful intrusion may take longer to identify. This compounds the difficulty of promptly assembling and coordinating a qualified mitigation team.
Progent has a range of support services for securing enterprises from ransomware attacks. Among these are team member education to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of modern security gateways with AI capabilities to intelligently detect and suppress day-zero cyber threats. Progent in addition offers the assistance of seasoned ransomware recovery engineers with the talent and commitment to rebuild a compromised environment as soon as possible.
Progent's Crypto-Ransomware Recovery Help
After a crypto-ransomware attack, paying the ransom in Bitcoin does not ensure that the criminals will respond with the keys needed to decrypt your information. Kaspersky estimated that seventeen percent of ransomware victims never restored their files after sending the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far above the usual crypto-ransomware demand, which ZDNET estimates at approximately $13,000. The other path is to piece back together the key components of your Information Technology environment. Without essential system backups, this requires a broad range of skills, well-coordinated project management, and the ability to work non-stop until the task is done.
For two decades, Progent has offered expert Information Technology services for companies in Tucson and throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have earned advanced industry certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have garnered internationally-renowned certifications including CISM, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience in financial systems and ERP software solutions. This breadth of expertise provides Progent the skills to efficiently understand critical systems and integrate the surviving pieces of your network system following a ransomware attack and rebuild them into an operational network.
Progent's recovery team deploys top-notch project management tools to coordinate the complicated restoration process. Progent knows the urgency of acting swiftly and in concert with a customer's management and IT team members to prioritize tasks and to put essential services back online as soon as possible.
Customer Case Study: A Successful Ransomware Incident Response
A small business escalated to Progent after their company was crashed by the Ryuk ransomware. Ryuk is believed to have been launched by North Korean state criminal gangs, suspected of adopting algorithms exposed from the United States NSA. Ryuk goes after specific organizations with little or no ability to sustain disruption and is among the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in the Chicago metro area with around 500 employees. The Ryuk attack had disabled all essential business and manufacturing operations. Most of the client's backups were on-line at the beginning of the intrusion and were eventually encrypted. The client was evaluating paying the ransom demand (exceeding $200K) and hoping for the best, but in the end brought in Progent.
"I cannot thank you enough for the expertise Progent provided us throughout the most critical time of (our) business's existence. We may have had to pay the criminal gangs if it wasn't for the confidence the Progent team afforded us. The fact that you were able to get our messaging and critical servers back quicker than one week was something I thought impossible. Every single staff member I worked with or communicated with at Progent was hell bent on getting my company operational and was working at all hours on our behalf."
Progent worked together with the client to quickly identify and prioritize the most important elements that had to be addressed before company operations could resume:
- Active Directory (AD)
- Electronic Messaging
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for ransomware incident response by stopping the spread and cleaning up infected systems. Progent then started the task of recovering Microsoft Active Directory, the core of enterprise networks built on Microsoft technology. Microsoft Exchange email will not operate without AD, and the business's MRP system relied on Microsoft SQL Server, which depends on Windows AD to authorize access to the data.
Within 48 hours, Progent was able to restore Active Directory to its pre-attack state. Progent then assisted with rebuilding key servers and recovering their storage. All Microsoft Exchange Server schema and configuration information was usable, which facilitated the rebuild of Exchange. Progent was also able to find unencrypted OST files (Outlook Off-Line Folder Files) on staff desktop computers and laptops and used them to recover mail messages. A recent offline backup of the business's accounting software made it possible to bring these required applications back on-line. Although a large amount of work remained to recover fully from the Ryuk damage, critical services were restored quickly:
"For the most part, the production line operation never missed a beat and we did not miss any customer orders."
During the following month key milestones in the recovery project were achieved through close cooperation between Progent consultants and the client:
- Self-hosted web applications were brought back up with no loss of information.
- The MailStore Microsoft Exchange Server with over 4 million historical emails was brought on-line and available for users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivables/Inventory functions were 100 percent restored.
- A new Palo Alto Networks 850 security appliance was brought online.
- Ninety percent of the user desktops and notebooks were functioning as before the incident.
"A huge amount of what transpired during the initial response is mostly a haze for me, but I will not forget the care all of you accomplished to give us our business back. I have trusted Progent for the past 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This event was a life saver."
A potential enterprise-killing disaster was avoided through the efforts of top-tier experts, a wide array of technical expertise, and tight teamwork. In hindsight, the crypto-ransomware intrusion described here should have been identified and prevented with current security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team training, and well-designed procedures for data backup and timely security patching. The reality, however, is that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and will keep trying. If you do get hit by a crypto-ransomware incident, remember that Progent's team of experts has proven experience in crypto-ransomware defense, removal, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were involved), I'm grateful for letting me get rested after we got through the most critical parts. Everyone did a fabulous job, and if anyone that helped is visiting the Chicago area, a great meal is on me!"
To read or download a PDF version of this customer case study, click: Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Tucson a portfolio of online monitoring and security assessment services designed to assist you to minimize your vulnerability to ransomware. These services utilize modern AI technology to detect new variants of ransomware that are able to get past legacy signature-based anti-virus products.
For 24x7 Tucson Ransomware Recovery Consulting, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates next generation behavior machine learning technology to guard physical and virtual endpoint devices against new malware assaults such as ransomware and email phishing, which routinely get by traditional signature-matching anti-virus tools. ProSight ASM safeguards local and cloud-based resources and provides a unified platform to address the entire threat lifecycle including filtering, identification, containment, remediation, and forensics. Top features include single-click rollback using Windows VSS and automatic network-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection managed services deliver ultra-affordable in-depth protection for physical servers and VMs, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and modern behavior analysis to continuously monitor and respond to cyber assaults from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device management, and web filtering through leading-edge technologies packaged within a single agent accessible from a unified console. Progent's data protection and virtualization experts can assist you to design and implement a ProSight ESP deployment that meets your company's specific requirements and that allows you to demonstrate compliance with legal and industry information security regulations. Progent will help you define and implement the security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for urgent action. Progent's consultants can also help you to set up and verify a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent offer small and mid-sized businesses a low-cost and fully managed solution for secure backup/disaster recovery (BDR). For a low monthly cost, ProSight Data Protection Services automates your backup processes and enables fast recovery of critical files, applications and virtual machines that have become unavailable or corrupted as a result of hardware failures, software glitches, disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, plus Hyper-V and VMware images. Critical data can be protected in the cloud, on a local storage device, or both. Progent's backup and recovery specialists can provide advanced support to set up ProSight Data Protection Services to be compliant with government and industry regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can help you to recover your business-critical information. Learn more about ProSight DPS Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top data security vendors to deliver web-based management and comprehensive protection for all your email traffic. The hybrid architecture of Email Guard integrates a Cloud Protection Layer with an on-premises gateway device to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's Cloud Protection Layer acts as a preliminary barricade and blocks most threats from making it to your security perimeter. This reduces your exposure to inbound threats and saves network bandwidth and storage space. Email Guard's onsite gateway device adds a further layer of analysis for incoming email. For outbound email, the local security gateway offers AV and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to monitor and safeguard internal email that stays within your security perimeter. For more information, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to map out, track, enhance and debug their connectivity hardware such as switches, firewalls, and load balancers, plus servers, printers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network diagrams are kept updated, captures and displays the configuration of virtually all devices connected to your network, monitors performance, and generates alerts when potential issues are detected. By automating tedious network management activities, ProSight WAN Watch can knock hours off common tasks such as making network diagrams, reconfiguring your network, finding appliances that require important software patches, or identifying the cause of performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) technology to help keep your IT system running at peak levels by checking the state of the vital assets that power your information system. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your designated IT personnel and your Progent engineering consultant so that potential issues can be addressed before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure, fault-tolerant data center on a fast virtual machine host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the applications. Because the system is virtualized, it can be ported immediately to a different hardware platform without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied to one hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and protect information related to your network infrastructure, procedures, applications, and services. You can instantly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates, domains or warranties. By updating and managing your IT documentation, you can eliminate as much as 50% of the time spent trying to find critical information about your network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents related to managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether you're planning improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Find out more about ProSight IT Asset Management service.