Crypto-Ransomware: Your Feared IT Catastrophe
Ransomware has become an all-too-frequent cyber pandemic and represents an enterprise-level threat for businesses unprepared for an attack. Ransomware families such as Dharma, WannaCry, Locky, Syskey and MongoLock cryptoworms have been in the wild for years and still cause destruction. Newer variants such as Ryuk and Hermes, plus additional as-yet-unnamed strains, not only encrypt on-line files but also infect any system backups they can reach. Data replicated to off-site disaster recovery sites can also be held for ransom. In a vulnerable system, this renders automated restore operations useless and effectively sets the network back to square one.
Restoring applications and data after a crypto-ransomware event becomes a race against time as the targeted business works to stop lateral movement, remove the malware, and restore mission-critical operations. Because crypto-ransomware needs time to spread, attacks are often launched at night, when they may take longer to identify. This multiplies the difficulty of promptly mobilizing and coordinating a capable mitigation team.
Progent offers an assortment of services for securing businesses against crypto-ransomware attacks. These include staff training to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security gateways with AI capabilities to rapidly identify and disable zero-day threats. Progent can also provide veteran ransomware recovery engineers with the track record and perseverance to restore a breached network as quickly as possible.
Progent's Ransomware Recovery Services
After a ransomware attack, even paying the ransom in Bitcoin does not guarantee that the criminal gang will provide the keys needed to decrypt any of your data. Kaspersky estimated that 17% of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The ransoms themselves are also costly: Ryuk demands commonly range from fifteen to forty BTC (roughly $120,000 to $400,000), far above the average ransomware demand, which ZDNet estimates at around $13,000. The fallback is to rebuild the key components of your IT environment. Without access to complete data backups, this requires a broad set of skills, professional project management, and the willingness to work around the clock until the recovery is complete.
For twenty years, Progent has offered professional Information Technology services for businesses in Cheyenne and throughout the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have earned top industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience in financial management and ERP application software. This breadth of experience allows Progent to identify critical systems, re-organize the surviving components of your Information Technology environment following a crypto-ransomware attack, and configure them into an operational system.
Progent's recovery team uses state-of-the-art project management systems to orchestrate the sophisticated recovery process. Progent understands the urgency of acting rapidly and together with a client's management and Information Technology staff to prioritize tasks and to put essential applications back on-line as fast as humanly possible.
Customer Case Study: A Successful Ransomware Virus Response
A customer contacted Progent after their network was penetrated by the Ryuk ransomware. Ryuk is believed to have been created by North Korean government-sponsored cybercriminals, possibly using algorithms leaked from the United States NSA. Ryuk targets specific businesses with limited ability to sustain operational disruption and is one of the most lucrative versions of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing company located in Chicago with around 500 workers. The Ryuk intrusion had paralyzed all business operations and manufacturing capabilities. The majority of the client's backups had been on-line at the beginning of the intrusion and were encrypted. The client considered paying the ransom (more than $200,000) and hoping for the best, but ultimately decided to engage Progent.
"I can't tell you enough in regards to the care Progent gave us throughout the most fearful period of (our) company's existence. We had little choice but to pay the Hackers if it wasn't for the confidence the Progent experts provided us. That you were able to get our messaging and key servers back quicker than seven days was amazing. Every single expert I got help from or messaged at Progent was hell bent on getting us operational and was working 24 by 7 to bail us out."
Progent worked with the client to quickly identify and prioritize the key systems that had to be restored in order to restart business operations:
- Microsoft Active Directory
- Electronic Mail
To get going, Progent followed ransomware incident response best practices by stopping the spread and cleaning the malware from affected systems. Progent then started the process of restoring Microsoft Active Directory (AD), the key technology of enterprise networks built on Microsoft Windows. Microsoft Exchange Server messaging will not work without AD, and the client's financial and MRP applications ran on Microsoft SQL Server, which depends on Active Directory to authenticate and authorize access to the data.
Within 2 days, Progent was able to restore Active Directory services to their pre-attack state. Progent then pressed ahead with setup and hard drive recovery on the servers that were needed. All Microsoft Exchange Server schema extensions and attributes were intact, which greatly helped the restoration of Exchange. Progent was able to collect local OST files (Microsoft Outlook Off-Line Data Files) from various workstations and laptops to recover mail data. A recent offline backup of the customer's accounting/MRP software made it possible to bring these required applications back online for users. Although significant work remained to recover fully from the Ryuk event, essential systems were recovered rapidly:
"For the most part, the production operation was never shut down and we produced all customer shipments."
During the following month, key milestones in the restoration process were accomplished in close cooperation between Progent consultants and the client:
- Internal web applications were returned to operation without losing any data.
- The MailStore Server with over four million historical emails was brought online and accessible to users.
- CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory capabilities were fully functional.
- A new Palo Alto Networks 850 firewall was installed.
- Ninety percent of the user desktops were back into operation.
"A lot of what went on those first few days is nearly entirely a blur for me, but my team will not forget the dedication all of the team accomplished to give us our business back. I've been working together with Progent for the past 10 years, maybe more, and each time Progent has come through and delivered as promised. This time was a testament to your capabilities."
A likely company-ending disaster was averted by hard-working professionals, a wide array of knowledge, and tight teamwork. In hindsight, the ransomware attack detailed here would have been identified and blocked by advanced cyber security solutions, ISO/IEC 27001 best practices, team training, and appropriate security procedures for data protection and patch management. Nevertheless, state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a crypto-ransomware attack, you can be confident that Progent's roster of experts has proven experience in crypto-ransomware blocking, cleanup, and data recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), I'm grateful for letting me get rested after we got over the most critical parts. Everyone did a fabulous effort, and if any of your team is around the Chicago area, a great meal is my treat!"
To review or download a PDF version of this customer case study, click: Progent's Ransomware Incident Recovery Case Study Datasheet (PDF - 282 KB).
Additional Ransomware Protection Services Available from Progent
Progent offers companies in Cheyenne a range of online monitoring and security evaluation services to help minimize your exposure to ransomware. These services include modern artificial intelligence capabilities to detect zero-day strains of ransomware that evade legacy signature-based security products.
For 24x7 Cheyenne Ransomware Remediation Support Services, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes next generation behavior-based machine learning technology to defend physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which routinely escape traditional signature-matching AV products. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a unified platform to manage the complete threat lifecycle including blocking, infiltration detection, mitigation, cleanup, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver economical in-depth protection for physical servers and virtual machines, desktops, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced machine learning to continuously monitor and respond to cyber attacks from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device management, and web filtering via leading-edge tools incorporated within one agent accessible from a unified console. Progent's security and virtualization experts can assist you to design and implement a ProSight ESP environment that meets your organization's specific needs and allows you to demonstrate compliance with legal and industry information security regulations. Progent will assist you in specifying and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require urgent action. Progent can also assist your company to install and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services offer small and medium-sized businesses a low cost and fully managed solution for reliable backup/disaster recovery (BDR). For a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup activities and allows rapid restoration of vital files, applications and VMs that have become lost or corrupted due to component failures, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to a local device, or to both. Progent's BDR consultants can provide advanced support to set up ProSight Data Protection Services to be compliant with regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, when needed, can assist you to recover your critical data. Learn more about ProSight Data Protection Services Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top data security companies to provide web-based management and world-class security for all your inbound and outbound email. The powerful structure of Progent's Email Guard managed service combines a Cloud Protection Layer with a local security gateway device to provide complete protection against spam, viruses, Denial of Service attacks, directory harvest attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks most unwanted email before it reaches your network firewall. This decreases your exposure to external threats and conserves system bandwidth and storage. Email Guard's on-premises security gateway appliance provides a further level of analysis for incoming email. For outbound email, the local security gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also work with Exchange Server to monitor and protect internal email traffic that stays inside your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to diagram, monitor, reconfigure and debug their connectivity appliances such as switches, firewalls, and wireless controllers, plus servers, printers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that network diagrams are kept updated, copies and manages the configuration information of virtually all devices on your network, tracks performance, and sends alerts when potential issues are detected. By automating complex management and troubleshooting processes, ProSight WAN Watch can knock hours off ordinary chores like network mapping, expanding your network, locating devices that need critical updates, or resolving performance problems. Find out more details about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management technology to help keep your IT system operating at peak levels by checking the state of the critical assets that power your information system. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your designated IT staff and your Progent engineering consultant so that looming problems can be addressed before they can impact your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a protected Tier III data center on a fast virtual machine host set up and managed by Progent's IT support professionals. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the applications. Because the system is virtualized, it can be moved immediately to a different hardware environment without requiring a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and safeguard data related to your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be alerted about impending expirations of SSL certificates or warranties. By updating and organizing your IT infrastructure documentation, you can save as much as 50% of the time spent trying to find critical information about your IT network. ProSight IT Asset Management features a common repository for holding and sharing all documents related to managing your network infrastructure, such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether you're making improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you need as soon as you need it. Find out more about ProSight IT Asset Management service.