Crypto-Ransomware : Your Crippling IT Catastrophe
Crypto-Ransomware  Remediation ExpertsRansomware has become an escalating cyber pandemic that poses an enterprise-level threat for organizations poorly prepared for an assault. Different iterations of ransomware like the Reveton, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for many years and continue to inflict destruction. More recent versions of ransomware like Ryuk and Hermes, along with frequent unnamed viruses, not only do encryption of on-line critical data but also infect most available system restores and backups. Files synchronized to cloud environments can also be rendered useless. In a poorly designed data protection solution, it can make any recovery useless and basically sets the network back to zero.

Retrieving applications and information following a crypto-ransomware event becomes a sprint against the clock as the victim fights to contain and eradicate the ransomware and to restore mission-critical operations. Because crypto-ransomware needs time to spread, penetrations are often sprung during weekends and nights, when attacks are likely to take longer to detect. This multiplies the difficulty of rapidly mobilizing and organizing an experienced mitigation team.

Progent offers a range of support services for securing enterprises from crypto-ransomware penetrations. Among these are user training to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of the latest generation security solutions with artificial intelligence capabilities to quickly discover and disable new threats. Progent in addition can provide the services of expert ransomware recovery engineers with the track record and commitment to restore a compromised environment as quickly as possible.

Progent's Ransomware Recovery Help
Following a ransomware event, sending the ransom in cryptocurrency does not ensure that criminal gangs will return the needed keys to unencrypt all your files. Kaspersky determined that 17% of crypto-ransomware victims never restored their information even after having sent off the ransom, resulting in increased losses. The risk is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is well higher than the usual ransomware demands, which ZDNET determined to be around $13,000. The fallback is to re-install the vital parts of your IT environment. Absent the availability of essential information backups, this requires a wide range of skill sets, well-coordinated project management, and the willingness to work continuously until the job is over.

For decades, Progent has made available expert Information Technology services for companies in Virginia Beach and across the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have been awarded high-level certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have garnered internationally-renowned industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of experience provides Progent the capability to rapidly ascertain necessary systems and integrate the surviving parts of your Information Technology system following a crypto-ransomware penetration and assemble them into a functioning system.

Progent's ransomware group has powerful project management systems to orchestrate the sophisticated recovery process. Progent knows the urgency of working quickly and together with a client's management and Information Technology team members to assign priority to tasks and to get critical applications back online as fast as humanly possible.

Customer Case Study: A Successful Crypto-Ransomware Attack Recovery
A business hired Progent after their network was taken over by Ryuk ransomware. Ryuk is generally considered to have been deployed by Northern Korean government sponsored hackers, possibly adopting technology exposed from Americaís NSA organization. Ryuk goes after specific businesses with little or no room for operational disruption and is one of the most profitable versions of ransomware malware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company located in Chicago with about 500 staff members. The Ryuk event had paralyzed all business operations and manufacturing processes. Most of the client's data protection had been online at the start of the attack and were encrypted. The client was taking steps for paying the ransom (more than two hundred thousand dollars) and praying for the best, but ultimately called Progent.


"I cannot tell you enough in regards to the support Progent provided us during the most fearful period of (our) companyís survival. We would have paid the cyber criminals behind the attack if it wasnít for the confidence the Progent team afforded us. The fact that you were able to get our e-mail and essential servers back into operation faster than seven days was earth shattering. Each expert I talked with or communicated with at Progent was laser focused on getting our company operational and was working breakneck pace on our behalf."

Progent worked with the client to rapidly determine and prioritize the mission critical areas that needed to be recovered to make it possible to resume company functions:

  • Windows Active Directory
  • Email
  • Accounting and Manufacturing Software
To begin, Progent adhered to AV/Malware Processes event mitigation best practices by halting the spread and clearing infected systems. Progent then started the task of recovering Microsoft Active Directory, the foundation of enterprise systems built on Microsoft Windows technology. Exchange messaging will not operate without Windows AD, and the businessesí MRP applications used Microsoft SQL, which requires Active Directory for authentication to the databases.

Within two days, Progent was able to re-build Windows Active Directory to its pre-penetration state. Progent then initiated reinstallations and storage recovery of essential servers. All Exchange Server data and attributes were usable, which greatly helped the restore of Exchange. Progent was able to collect local OST files (Microsoft Outlook Offline Folder Files) on staff workstations in order to recover mail messages. A not too old off-line backup of the customerís accounting/ERP systems made them able to return these vital services back available to users. Although major work still had to be done to recover fully from the Ryuk event, core services were restored quickly:


"For the most part, the production operation survived unscathed and we produced all customer deliverables."

Over the next couple of weeks key milestones in the recovery project were accomplished through tight cooperation between Progent team members and the client:

  • In-house web applications were brought back up without losing any information.
  • The MailStore Exchange Server with over four million historical messages was brought online and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables/Inventory functions were completely operational.
  • A new Palo Alto 850 firewall was brought online.
  • Ninety percent of the desktop computers were being used by staff.

"So much of what occurred in the early hours is nearly entirely a haze for me, but my management will not forget the countless hours all of the team put in to give us our company back. Iíve trusted Progent for the past ten years, possibly more, and each time Progent has impressed me and delivered as promised. This event was no exception but maybe more Herculean."

Conclusion
A possible business-ending catastrophe was averted due to dedicated experts, a broad array of knowledge, and close teamwork. Although upon completion of forensics the ransomware incident described here should have been identified and stopped with modern cyber security solutions and best practices, user and IT administrator education, and properly executed security procedures for data protection and applying software patches, the fact remains that government-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by a ransomware attack, feel confident that Progent's team of experts has substantial experience in crypto-ransomware virus defense, removal, and data restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), Iím grateful for letting me get rested after we got over the first week. Everyone did an impressive effort, and if any of your team is visiting the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Virginia Beach a range of online monitoring and security assessment services designed to help you to minimize the threat from ransomware. These services include next-generation machine learning technology to uncover new variants of ransomware that can evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes next generation behavior machine learning technology to defend physical and virtual endpoint devices against new malware assaults like ransomware and file-less exploits, which routinely escape traditional signature-matching AV tools. ProSight Active Security Monitoring safeguards local and cloud resources and offers a unified platform to manage the complete malware attack lifecycle including blocking, detection, containment, cleanup, and forensics. Top features include one-click rollback using Windows VSS and real-time network-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection managed services offer affordable multi-layer protection for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, endpoint control, and web filtering through leading-edge technologies incorporated within one agent accessible from a single control. Progent's data protection and virtualization experts can assist your business to plan and configure a ProSight ESP deployment that addresses your company's unique requirements and that helps you achieve and demonstrate compliance with legal and industry information protection regulations. Progent will assist you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require immediate action. Progent can also help you to install and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized organizations a low cost end-to-end solution for secure backup/disaster recovery. Available at a fixed monthly price, ProSight Data Protection Services automates and monitors your backup activities and enables fast recovery of critical data, apps and VMs that have become unavailable or damaged due to component failures, software bugs, disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, plus Hyper-V and VMware images/. Important data can be protected on the cloud, to an on-promises storage device, or to both. Progent's cloud backup consultants can deliver world-class support to set up ProSight DPS to to comply with government and industry regulatory standards such as HIPAA, FINRA, and PCI and, whenever needed, can assist you to restore your business-critical data. Learn more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top information security companies to deliver centralized control and comprehensive security for your inbound and outbound email. The powerful architecture of Progent's Email Guard integrates a Cloud Protection Layer with a local gateway appliance to offer advanced defense against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's cloud filter serves as a preliminary barricade and keeps most threats from reaching your security perimeter. This decreases your exposure to inbound threats and conserves network bandwidth and storage space. Email Guard's on-premises gateway device adds a further layer of inspection for incoming email. For outgoing email, the onsite security gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also assist Exchange Server to monitor and protect internal email traffic that originates and ends inside your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, track, optimize and troubleshoot their connectivity hardware like routers and switches, firewalls, and wireless controllers as well as servers, printers, client computers and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are always current, captures and displays the configuration information of almost all devices connected to your network, monitors performance, and sends notices when potential issues are detected. By automating complex management activities, WAN Watch can cut hours off common chores such as making network diagrams, expanding your network, finding devices that require critical updates, or resolving performance issues. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management techniques to help keep your network running efficiently by tracking the state of vital assets that power your business network. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your specified IT management personnel and your Progent engineering consultant so that all potential issues can be resolved before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host set up and managed by Progent's IT support professionals. With the ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the applications. Because the system is virtualized, it can be moved easily to a different hosting solution without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and safeguard information about your network infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates ,domains or warranties. By cleaning up and managing your IT documentation, you can save up to 50% of time thrown away trying to find critical information about your IT network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents required for managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether youíre making enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Read more about ProSight IT Asset Management service.
For 24-Hour Virginia Beach Crypto Cleanup Experts, contact Progent at 800-993-9400 or go to Contact Progent.