Crypto-Ransomware : Your Crippling IT Catastrophe
Crypto-ransomware has become an all-too-frequent cyber plague and an enterprise-level danger for businesses of every size that are unprepared for an attack. Strains such as CryptoLocker, CryptoWall, Bad Rabbit, NotPetya and the MongoLock cryptoworm have been in the wild for years and still inflict harm. Newer families like Ryuk and its predecessor Hermes, along with a steady stream of as-yet-unnamed variants, not only encrypt on-line data but also seek out and destroy every recovery point they can reach: volume shadow copies, system restore points, and any backup the compromised account can write to. Data replicated to cloud environments can be corrupted as well. Against a data protection solution that is always on-line, this renders automated restores useless and sets the entire environment back to square one.

Recovering services and data after a ransomware attack becomes a race against time as the victim struggles to contain and remove the malware while restoring business-critical operations. Because crypto-ransomware needs time to spread, attackers frequently detonate it on weekends or overnight, when a successful intrusion takes longer to notice. This compounds the difficulty of promptly mobilizing and coordinating a qualified response team.
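The two points above (ransomware wiping every recovery point it can reach, and operators preferring to detonate overnight or on weekends) translate into a concrete detection check. The Python script below is an added example written for this page; it is not Progent's ProSight tooling or code from the original case study. It scans process-creation records for the stock Windows commands that ransomware families including Ryuk use to delete shadow copies and backup catalogs, and marks whether each hit fell outside business hours. The record format (pipe-delimited UTC timestamp, host, user, parent image, command line), the sample records, and the 07:00-18:59 business-hours window are constructed assumptions; in production you would feed it Sysmon Event ID 1 or Windows Security Event 4688 command lines exported from your SIEM.

```python
"""Flag backup- and shadow-copy-tampering commands in process-creation logs.

Added example for this page; not Progent code. Record format and sample data
are constructed: ISO-8601 UTC time|host|user|parent image|command line.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Stock Windows commands that ransomware (Ryuk among them) runs to destroy local
# recovery points before encrypting. Each regex is case-insensitive and tolerant
# of an optional .exe suffix and of argument spacing.
TAMPER_PATTERNS = {
    "vss_delete":       re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "vss_resize":       re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I),
    "wmic_shadow":      re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin_delete":   re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:catalog|systemstatebackup)\b", re.I),
    "bcdedit_recovery": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "ps_shadowcopy":    re.compile(r"\bwin32_shadowcopy\b.*\b(?:delete|remove-wmiobject|remove-ciminstance)\b", re.I),
}

BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 in the log's timezone; assumed for this example


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    parent: str
    cmdline: str


@dataclass
class Alert:
    host: str
    user: str
    rule: str
    off_hours: bool
    cmdline: str


def parse_event(line: str) -> Event:
    """Parse one pipe-delimited record. The command line itself may contain '|',
    so split at most four times and keep the remainder intact."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed record: {line!r}")
    ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    return Event(ts, parts[1], parts[2], parts[3], parts[4])


def is_off_hours(ts: datetime) -> bool:
    """Weekend or outside business hours: the window attackers favour because an
    intrusion takes longer to notice and responders are slower to assemble."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def scan(lines) -> list:
    """Return one Alert per event whose command line matches a tamper pattern."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule, pattern in TAMPER_PATTERNS.items():
            if pattern.search(ev.cmdline):
                alerts.append(Alert(ev.host, ev.user, rule, is_off_hours(ev.ts), ev.cmdline))
                break  # first matching rule is enough; one alert per event
    return alerts


# Constructed sample: a Saturday 03:14 UTC burst on one workstation, plus two
# benign Friday records (a backup service listing shadows, a user opening Excel).
SAMPLE_LOG = """\
2019-02-09T03:14:05Z|WS-MFG-07|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|vssadmin.exe Delete Shadows /All /Quiet
2019-02-09T03:14:06Z|WS-MFG-07|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|wmic.exe shadowcopy delete
2019-02-09T03:14:07Z|WS-MFG-07|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|bcdedit.exe /set {default} recoveryenabled No
2019-02-09T03:14:08Z|WS-MFG-07|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|wbadmin.exe DELETE SYSTEMSTATEBACKUP -keepVersions:0
2019-02-08T14:02:11Z|SRV-BACKUP|CORP\\svc_backup|C:\\Windows\\System32\\svchost.exe|vssadmin.exe List Shadows
2019-02-08T09:30:00Z|WS-FIN-02|CORP\\asmith|C:\\Windows\\explorer.exe|"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" /e
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        flag = "OFF-HOURS " if a.off_hours else ""
        print(f"{flag}{a.rule:<17} {a.host} {a.user}: {a.cmdline}")
```

Four consecutive tamper commands from one user on one host inside a few seconds, all on a Saturday night, is the kind of cluster that should page an on-call responder rather than land in a daily report. The `vssadmin List Shadows` record from a backup service account deliberately does not match, since listing shadow copies is routine; tune the patterns and the business-hours window to your own environment before relying on them.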

Progent offers a range of services for protecting businesses from crypto-ransomware. These include staff training to recognize and avoid phishing lures, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security gateways with AI-based detection to quickly identify and suppress new threats. Progent also provides expert ransomware recovery consultants with the track record and perseverance to rebuild a compromised environment as quickly as possible.

Progent's Crypto-Ransomware Recovery Services
After a ransomware event, paying the ransom in Bitcoin does not guarantee that the criminals will hand over working keys for any or all of your data. Kaspersky Labs found that 17% of crypto-ransomware victims never recovered their files even after paying, compounding their losses. The ransom itself is costly: Ryuk demands typically run from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the average crypto-ransomware demand, which ZDNet puts at around $13,000. The alternative is to rebuild the vital components of your IT environment. Without complete backups to restore from, this calls for a wide range of skills, professional project management, and the ability to work around the clock until the job is done.

For two decades, Progent has provided certified expert IT services to companies in Lexington-Fayette and across the US, and holds Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's pool of subject matter experts (SMEs) includes engineers with high-level certifications in key technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cybersecurity consultants hold internationally recognized certifications including CISA, CISSP, ISACA CRISC and GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of expertise lets Progent quickly understand the affected systems, gather the surviving pieces of your network environment after a crypto-ransomware event, and rebuild them into a working whole.

Progent's ransomware team uses state-of-the-art project management systems to orchestrate the complex restoration process. Progent understands the urgency of acting rapidly and in concert with a client's management and IT staff to prioritize tasks and bring key systems back on line as fast as humanly possible.

Client Story: A Successful Ransomware Recovery
A customer engaged Progent after its network was taken over by Ryuk ransomware. Ryuk has been attributed by some researchers to North Korean state hackers, suspected of using techniques leaked from the US NSA. Ryuk targets specific companies with little tolerance for disruption and is among the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing provider, and the Chicago Tribune. Progent's client is a single-location manufacturer in the Chicago metro area with about 500 employees. The Ryuk attack had frozen all company operations and manufacturing processes. Most of the client's backups were on-line when the intrusion began and were destroyed. The client was weighing whether to pay the ransom (more than $200,000) and hope for the best, but in the end engaged Progent.


"I can't thank you enough for the care Progent gave us throughout the most stressful period of (our) company's survival. We would have paid the cyber criminals behind the attack except for the confidence the Progent experts afforded us. That you were able to get our messaging and critical applications back online in less than a week was incredible. Each person I spoke to or messaged at Progent was amazingly focused on getting my company operational and was working non-stop on our behalf."

Progent worked with the customer to quickly identify and prioritize the mission-critical services that had to be restored before business operations could resume:

  • Windows Active Directory
  • Microsoft Exchange Email
  • Accounting and Manufacturing Software
To start, Progent followed industry best practices for malware incident response by isolating and disinfecting affected systems. Progent then began recovering Microsoft Active Directory, the heart of an enterprise environment built on Windows. Microsoft Exchange will not function without Active Directory, and the client's financial and MRP applications ran on Microsoft SQL Server, which relied on Windows AD authentication for access to the databases.

In less than two days, Progent restored Windows Active Directory to its pre-attack state. Progent then completed configuration and storage recovery for the essential applications. All Exchange Server schema extensions and attributes in AD were intact, which accelerated the Exchange rebuild. Progent located intact OST files (Outlook Offline Data Files) on user desktops and laptops and used them to recover mailbox data. A fairly recent off-line backup of the client's accounting/ERP software allowed those essential services to be brought back on line. Although substantial work remained to recover fully from the Ryuk attack, essential services were restored rapidly:


"For the most part, the manufacturing operation was never shut down and we delivered all customer shipments."

Over the following weeks, key milestones in the restoration were completed through close cooperation between Progent engineers and the client:

  • In-house web applications were brought back up with no loss of information.
  • The MailStore email archive server, holding more than 4 million archived messages, was restored and made available to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control capabilities were fully recovered.
  • A new Palo Alto Networks PA-850 firewall was installed.
  • Ninety percent of the desktops and laptops were fully operational.

"A huge amount of what was accomplished in the initial days is mostly a haze for me, but I will not soon forget the care each of the team put in to give us our business back. I have been working with Progent for at least 10 years, maybe more, and every time Progent has outperformed my expectations and delivered as promised. This situation was a testament to your capabilities."

Conclusion
A potential business-extinction event was averted by dedicated professionals, a broad spectrum of technical expertise, and close collaboration. Although in hindsight the intrusion described here could have been blunted by modern security technology and best practices, user training, and properly executed procedures for data protection and software patching, the reality is that state-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by crypto-ransomware, you can be confident that Progent's team has proven experience in ransomware prevention, mitigation, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thank you for letting me get rested after we made it past the initial push. All of you made an amazing effort, and if any of your team is in the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Lexington-Fayette a range of online monitoring and security assessment services to help minimize your exposure to ransomware. These services include modern artificial intelligence capabilities to detect zero-day variants of crypto-ransomware that slip past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that uses behavior-based analysis to guard physical and virtual endpoints against modern malware such as ransomware and file-less exploits, which easily get past legacy signature-matching AV products. ProSight ASM protects local and cloud-based resources and provides a single platform covering the complete attack lifecycle: protection, intrusion detection, containment, remediation, and post-attack forensics. Key capabilities include one-click rollback using Windows VSS snapshots and real-time, environment-wide immunization against newly discovered attacks. Note that VSS-based rollback depends on the shadow copies still existing, and deleting them is among the first things modern ransomware does, so it complements rather than replaces off-line backups. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable, in-depth security for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced heuristics to continuously monitor and react to attacks from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering through tools incorporated in a single agent managed from a single console. Progent's security and virtualization consultants can help your business plan and configure a ProSight ESP deployment that addresses your organization's specific needs and allows you to demonstrate compliance with government and industry data protection regulations. Progent will help you define and implement the policies that ProSight ESP enforces, and will monitor your IT environment and respond to alarms that call for urgent attention. Progent can also help you set up and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized businesses an affordable, fully managed backup and disaster recovery (BDR) service. For a fixed monthly price, ProSight DPS automates and monitors your backups and allows rapid restoration of vital files, applications and VMs lost or corrupted through hardware failure, software faults, disasters, human error, or malicious attacks such as ransomware. ProSight DPS can protect, retrieve and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware virtual machine images. Data can be backed up to the cloud, to an on-premises storage device, or to both. Because ransomware such as Ryuk deletes any backup it can reach (as happened to the client described above), at least one copy should be kept off-line or otherwise unreachable with production credentials, and restores should be tested before they are needed. Progent's cloud backup specialists can help you configure ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FINRA and PCI and, when needed, can help you restore your business-critical information. Find out more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of leading data security companies to deliver web-based control and comprehensive protection for all your inbound and outbound email. The powerful structure of Progent's Email Guard managed service combines a Cloud Protection Layer with a local gateway device to offer complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's cloud filter acts as a preliminary barricade and keeps the vast majority of threats from making it to your network firewall. This decreases your exposure to external attacks and conserves system bandwidth and storage. Email Guard's onsite security gateway appliance adds a further layer of analysis for incoming email. For outbound email, the onsite gateway offers AV and anti-spam protection, DLP, and email encryption. The local security gateway can also assist Microsoft Exchange Server to track and safeguard internal email that stays within your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to map out, monitor, optimize and debug their networking hardware such as routers, firewalls, and load balancers as well as servers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always current, copies and displays the configuration information of almost all devices connected to your network, monitors performance, and generates alerts when problems are discovered. By automating complex network management processes, WAN Watch can cut hours off common chores like network mapping, expanding your network, finding appliances that require critical updates, or identifying the cause of performance problems. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management technology to keep your IT system running efficiently by checking the health of vital computers that power your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your designated IT management staff and your Progent consultant so that any potential issues can be addressed before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure Tier III data center on a high-performance virtual host set up and managed by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the apps. Because the environment is virtualized, it can be moved immediately to a different hosting environment without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and safeguard information about your network infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be warned about impending expirations of SSL certificates or domains. By keeping your IT documentation current and organized, you can save up to 50% of the time otherwise wasted hunting for critical information about your network. ProSight IT Asset Management includes a common repository for storing and sharing all documents related to managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're planning enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.
For 24/7 Lexington-Fayette Ransomware Cleanup Consulting, contact Progent at 800-993-9400 or go to Contact Progent.