Crypto-Ransomware : Your Worst IT Catastrophe
Ransomware  Recovery ExpertsRansomware has become an escalating cyber pandemic that presents an existential danger for organizations poorly prepared for an attack. Multiple generations of ransomware like the CryptoLocker, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for a long time and still cause damage. Recent strains of crypto-ransomware such as Ryuk and Hermes, as well as more as yet unnamed viruses, not only do encryption of online critical data but also infect many configured system restores and backups. Files synchronized to cloud environments can also be rendered useless. In a poorly architected environment, it can render automatic restore operations useless and basically sets the entire system back to square one.

Getting back services and information following a crypto-ransomware outage becomes a sprint against time as the victim fights to contain and eradicate the virus and to resume business-critical operations. Since ransomware needs time to spread, attacks are often launched at night, when successful penetrations tend to take more time to uncover. This multiplies the difficulty of quickly mobilizing and coordinating an experienced response team.

Progent provides a variety of solutions for securing organizations from crypto-ransomware events. These include team member training to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of the latest generation security appliances with artificial intelligence capabilities to quickly identify and disable day-zero cyber threats. Progent in addition provides the services of expert ransomware recovery consultants with the skills and perseverance to rebuild a breached network as rapidly as possible.

Progent's Ransomware Restoration Support Services
Following a ransomware event, sending the ransom in Bitcoin cryptocurrency does not guarantee that merciless criminals will respond with the keys to decipher all your files. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never recovered their files after having paid the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is significantly above the average ransomware demands, which ZDNET estimates to be approximately $13,000. The other path is to re-install the vital elements of your Information Technology environment. Absent the availability of essential data backups, this requires a broad complement of skills, top notch project management, and the willingness to work 24x7 until the task is finished.

For two decades, Progent has made available professional IT services for businesses in Cincinnati and across the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have earned high-level certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have garnered internationally-renowned certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise with financial management and ERP software solutions. This breadth of expertise gives Progent the capability to quickly identify necessary systems and integrate the remaining pieces of your Information Technology environment following a ransomware event and rebuild them into an operational system.

Progent's recovery team of experts uses powerful project management applications to orchestrate the complex recovery process. Progent understands the importance of acting quickly and together with a client's management and Information Technology staff to assign priority to tasks and to get essential systems back online as fast as humanly possible.

Customer Story: A Successful Ransomware Attack Response
A customer hired Progent after their organization was brought down by Ryuk ransomware virus. Ryuk is generally considered to have been deployed by Northern Korean state hackers, suspected of using technology exposed from the U.S. NSA organization. Ryuk targets specific organizations with little or no tolerance for operational disruption and is among the most lucrative instances of crypto-ransomware. High publicized victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing business based in Chicago and has about 500 staff members. The Ryuk attack had brought down all company operations and manufacturing capabilities. Most of the client's backups had been on-line at the beginning of the attack and were destroyed. The client was evaluating paying the ransom (exceeding $200K) and praying for good luck, but ultimately utilized Progent.


"I canít thank you enough about the support Progent provided us throughout the most stressful time of (our) businesses existence. We would have paid the Hackers except for the confidence the Progent group gave us. The fact that you could get our e-mail and critical applications back online faster than one week was incredible. Each staff member I worked with or communicated with at Progent was urgently focused on getting our system up and was working at all hours on our behalf."

Progent worked hand in hand the client to rapidly understand and assign priority to the key systems that had to be recovered in order to restart departmental operations:

  • Windows Active Directory
  • Electronic Messaging
  • MRP System
To get going, Progent adhered to ransomware event mitigation best practices by halting lateral movement and cleaning up infected systems. Progent then started the work of bringing back online Microsoft Active Directory, the core of enterprise environments built on Microsoft Windows technology. Exchange messaging will not operate without AD, and the client's financials and MRP software utilized Microsoft SQL, which depends on Windows AD for security authorization to the databases.

In less than 48 hours, Progent was able to recover Active Directory services to its pre-intrusion state. Progent then helped perform setup and storage recovery of critical applications. All Microsoft Exchange Server schema and attributes were intact, which accelerated the restore of Exchange. Progent was also able to locate intact OST data files (Outlook Off-Line Data Files) on user PCs and laptops in order to recover email information. A not too old offline backup of the businesses financials/MRP software made them able to restore these required programs back online. Although major work was left to recover completely from the Ryuk virus, the most important systems were returned to operations quickly:


"For the most part, the manufacturing operation never missed a beat and we produced all customer shipments."

Throughout the next couple of weeks important milestones in the recovery project were accomplished through close collaboration between Progent consultants and the client:

  • Self-hosted web sites were brought back up with no loss of information.
  • The MailStore Server with over 4 million historical messages was restored to operations and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/AR/Inventory capabilities were 100 percent operational.
  • A new Palo Alto 850 security appliance was brought online.
  • 90% of the desktop computers were fully operational.

"Much of what transpired in the initial days is mostly a fog for me, but our team will not forget the urgency each and every one of the team accomplished to give us our business back. Iíve been working together with Progent for the past ten years, maybe more, and each time I needed help Progent has come through and delivered as promised. This time was a stunning achievement."

Conclusion
A likely business catastrophe was dodged through the efforts of top-tier experts, a wide array of IT skills, and close collaboration. Although in post mortem the ransomware virus incident detailed here should have been disabled with up-to-date cyber security solutions and security best practices, user and IT administrator training, and well thought out security procedures for data protection and keeping systems up to date with security patches, the fact is that government-sponsored hackers from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware penetration, remember that Progent's team of professionals has extensive experience in ransomware virus defense, remediation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thank you for allowing me to get rested after we made it over the first week. All of you did an amazing effort, and if any of your guys is visiting the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer story, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Cincinnati a range of online monitoring and security evaluation services to help you to minimize the threat from ransomware. These services utilize next-generation machine learning capability to detect new strains of ransomware that can get past legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates cutting edge behavior-based machine learning tools to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely escape legacy signature-based anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and offers a single platform to manage the entire threat progression including protection, detection, containment, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services deliver affordable multi-layer protection for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint management, and web filtering through leading-edge tools incorporated within one agent managed from a unified console. Progent's security and virtualization experts can help you to plan and implement a ProSight ESP deployment that meets your organization's unique needs and that helps you demonstrate compliance with legal and industry data protection regulations. Progent will assist you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require urgent attention. Progent's consultants can also help your company to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and medium-sized organizations an affordable end-to-end solution for reliable backup/disaster recovery. Available at a low monthly rate, ProSight Data Protection Services automates your backup activities and enables fast restoration of critical data, applications and VMs that have become lost or corrupted due to hardware breakdowns, software bugs, natural disasters, human mistakes, or malicious attacks like ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images/. Important data can be backed up on the cloud, to an on-promises device, or mirrored to both. Progent's cloud backup consultants can provide advanced expertise to configure ProSight Data Protection Services to be compliant with government and industry regulatory requirements like HIPAA, FIRPA, and PCI and, when necessary, can help you to recover your critical information. Learn more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top information security companies to deliver centralized control and comprehensive protection for your email traffic. The powerful structure of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises security gateway appliance to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's cloud filter serves as a first line of defense and blocks most threats from reaching your security perimeter. This decreases your exposure to external attacks and saves network bandwidth and storage. Email Guard's onsite security gateway device adds a deeper level of analysis for inbound email. For outgoing email, the onsite security gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that stays within your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to map out, track, optimize and debug their networking hardware like switches, firewalls, and access points plus servers, endpoints and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch ensures that network diagrams are kept current, captures and manages the configuration of virtually all devices on your network, monitors performance, and generates notices when problems are discovered. By automating tedious management and troubleshooting activities, ProSight WAN Watch can knock hours off common tasks like network mapping, reconfiguring your network, locating appliances that require critical updates, or identifying the cause of performance issues. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring service that uses advanced remote monitoring and management (RMM) techniques to help keep your network running at peak levels by checking the health of vital assets that power your business network. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your specified IT management personnel and your assigned Progent consultant so that any potential problems can be addressed before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host configured and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the client owns the data, the OS software, and the apps. Because the system is virtualized, it can be ported easily to a different hosting solution without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and protect information related to your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be alerted automatically about impending expirations of SSLs ,domains or warranties. By cleaning up and organizing your IT documentation, you can eliminate as much as 50% of time thrown away looking for vital information about your network. ProSight IT Asset Management features a common location for storing and collaborating on all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT information. Whether youíre planning enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Find out more about ProSight IT Asset Management service.
For Cincinnati 24-7 Crypto Cleanup Help, reach out to Progent at 800-993-9400 or go to Contact Progent.