Crypto-Ransomware: Your Feared IT Disaster
Ransomware Remediation Experts
Ransomware has become a modern cyberplague that poses an enterprise-level danger to any business vulnerable to attack. Ransomware families such as CryptoLocker, Fusob, Locky, SamSam and MongoLock have been circulating for years and continue to inflict damage. More recent crypto-ransomware strains such as Ryuk and Hermes, along with other less-publicized variants, not only encrypt online data files but also seek out and destroy system restore points and any backups they can reach, and files synchronized to the cloud can be rendered useless as well. In a poorly designed data protection solution this can make automated restoration hopeless and effectively sets the datacenter back to square one.

Recovering applications and data after a ransomware outage becomes a race against time as the victim tries to stop lateral movement, remove the ransomware and resume mission-critical activity. Because ransomware needs time to spread, attacks are typically launched on weekends, when intrusions are likely to go unnoticed for longer. This compounds the difficulty of quickly assembling and coordinating an experienced response team.

Progent offers a range of services for protecting enterprises from crypto-ransomware attacks. These include team education to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security solutions with machine-learning capabilities to automatically identify and suppress zero-day threats. Progent also provides the assistance of expert ransomware recovery engineers with the track record and perseverance to reconstruct a breached system as rapidly as possible.

Progent's Crypto-Ransomware Recovery Services
After a crypto-ransomware event, paying the ransom in Bitcoin does not guarantee that the criminal gang will respond with working keys to decrypt any or all of your files. Kaspersky Labs found that 17% of ransomware victims never recovered their data after paying the ransom, compounding their losses. Paying is also expensive: Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000), far higher than the typical crypto-ransomware demand, which ZDNet estimated at around $13,000. The alternative is to piece the mission-critical parts of your IT environment back together. Without full system backups, this requires a wide range of skills, first-rate project management, and the willingness to work around the clock until the job is done.

For decades, Progent has provided expert Information Technology services for companies in Sandy Springs and across the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have been awarded top industry certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have garnered internationally-recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in financial management and ERP software solutions. This breadth of experience gives Progent the capability to quickly identify critical systems and consolidate the remaining components of your network environment following a ransomware event and rebuild them into an operational system.

Progent's recovery team has powerful project management systems to coordinate the sophisticated recovery process. Progent appreciates the importance of working swiftly and together with a client's management and Information Technology resources to assign priority to tasks and to get the most important applications back online as fast as possible.

Client Story: A Successful Ransomware Incident Response
A business escalated to Progent after its network was taken over by the Ryuk ransomware. Early reporting attributed Ryuk to North Korean state-sponsored actors because of code it shares with the Hermes ransomware, and some reports claim it incorporates tooling leaked from the United States National Security Agency; later analysis attributes it to Russian-speaking criminal groups. Ryuk targets specific organizations with little tolerance for disruption and is one of the most profitable ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in Chicago with around 500 employees. The Ryuk intrusion had frozen all essential business and manufacturing operations. Most of the client's backups were online and reachable from the network when the intrusion began, and they were eventually encrypted along with everything else. The client was actively seeking loans to pay the ransom demand (in excess of $200,000) and hoping for the best, but ultimately brought in Progent.


"I cannot tell you enough about the help Progent gave us during the most critical time of (our) business's life. We may have had to pay the cyber criminals if not for the confidence the Progent experts afforded us. The fact that you could get our e-mail and key servers back on-line sooner than a week was amazing. Each expert I interacted with or messaged at Progent was absolutely committed to getting us back online and was working day and night on our behalf."

Progent worked together with the customer to quickly identify and prioritize the most important systems that had to be recovered in order to continue company operations:

  • Windows Active Directory
  • Electronic Messaging
  • MRP System
Progent first followed standard malware incident-containment practice, isolating infected hosts to stop the spread and removing the active malware. Progent then began restoring Windows Active Directory, the core of enterprise networks built on Microsoft technology. Exchange messaging will not function without Active Directory, and the business's MRP software used Microsoft SQL Server, which relied on Active Directory for authenticated access to its data.

In less than two days, Progent recovered Windows Active Directory to its pre-intrusion state. Progent then assisted with rebuilding key servers and recovering data from their drives. All Exchange schema and configuration information in Active Directory was intact, which simplified the Exchange rebuild. Progent collected unencrypted OST files (Outlook offline data files) from various workstations to recover mailbox contents. A reasonably recent offline backup of the client's accounting/MRP system made it possible to bring those required services back to users. Although a great deal of work remained to recover fully from the Ryuk attack, essential services were returned to operation quickly:


"For the most part, the production manufacturing operation did not miss a beat and we made all customer sales."
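The recovery sequence above (Active Directory first, then Exchange and the SQL-backed MRP system, because both need AD to authenticate) is an instance of a general rule: restore each service only after everything it depends on, and among the services that are ready, restore the most business-critical first. The following Python is an added illustration of that planning step, not Progent's tooling or the client's actual service map; the service names, priorities and dependencies in SERVICES are constructed for the example.

```python
"""Dependency-ordered recovery planning (added example, not Progent's code).

Models the reasoning from the case study: a restore order in which every
service comes after all of its prerequisites, with ties broken by business
priority.  The catalogue below is a constructed, hypothetical service map.
"""
from collections import defaultdict
import heapq

# Constructed service catalogue: name -> (business priority, dependencies).
# Lower priority number = more important to get back first.
SERVICES = {
    "active_directory":  (1, []),
    "dns":               (1, []),
    "exchange":          (2, ["active_directory", "dns"]),
    "sql_server":        (2, ["active_directory"]),
    "mrp":               (1, ["sql_server", "active_directory"]),
    "intranet_web":      (3, ["active_directory", "sql_server"]),
    "mailstore_archive": (3, ["active_directory", "exchange"]),
    "user_desktops":     (2, ["active_directory", "dns"]),
}


def recovery_order(services):
    """Kahn's topological sort driven by a priority queue.

    Among the services whose prerequisites are already restored, the one
    with the best (lowest) priority number is restored next.  Raises
    ValueError on an unknown dependency or a dependency cycle, both of
    which mean the runbook itself is broken and needs fixing first.
    """
    indegree = {name: 0 for name in services}
    dependents = defaultdict(list)
    for name, (_, deps) in services.items():
        for dep in deps:
            if dep not in services:
                raise ValueError(f"{name} depends on unknown service {dep}")
            indegree[name] += 1
            dependents[dep].append(name)

    ready = [(prio, name) for name, (prio, _) in services.items()
             if indegree[name] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (services[child][0], child))

    if len(order) != len(services):
        stuck = sorted(n for n, d in indegree.items() if d > 0)
        raise ValueError(f"dependency cycle among: {stuck}")
    return order


def blast_radius(services, failed):
    """Every service that cannot come back until `failed` is restored
    (transitive closure of dependents).  Explains why AD is rebuilt first:
    nearly everything in the map sits behind it."""
    dependents = defaultdict(set)
    for name, (_, deps) in services.items():
        for dep in deps:
            dependents[dep].add(name)
    seen, stack = set(), [failed]
    while stack:
        current = stack.pop()
        for child in dependents[current]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return sorted(seen)


if __name__ == "__main__":
    for step, service in enumerate(recovery_order(SERVICES), 1):
        print(f"{step}. {service}")
    print("blocked by active_directory:",
          blast_radius(SERVICES, "active_directory"))
```

With the constructed map, `recovery_order` puts Active Directory and DNS first, then Exchange and SQL Server, then the MRP system as soon as SQL Server is back, and the archive and intranet last. The cycle check matters in practice: a runbook that says "SQL needs AD" and "AD needs a database" cannot be executed at all, and it is better to discover that on paper than during an outage.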

During the next couple of weeks, key milestones in the recovery project were completed in close cooperation between Progent engineers and the client:

  • Internal web sites were returned to operation with no loss of data.
  • The MailStore email archive server, holding more than four million historical emails, was restored to operation and made accessible to users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables/Inventory functions were 100% operational.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • 90% of the user desktops were operational.

"A huge amount of what went on in the early hours is nearly entirely a blur for me, but our team will not soon forget the care each and every one of the team put in to give us our company back. I have been working together with Progent for the past 10 years, maybe more, and every time I needed help Progent has come through and delivered. This event was the most impressive ever."

Conclusion
A potentially business-killing disaster was averted through dedicated experts, a broad array of technical expertise, and tight teamwork. In hindsight, the crypto-ransomware intrusion described here should have been stopped by modern security technology and recognized best practices: staff education, properly executed procedures for backup (including copies kept offline or otherwise out of reach of a compromised network) and timely software patching. The fact remains, however, that state-sponsored and criminal attackers from China, Russia, North Korea and elsewhere are tireless and an ongoing threat. If you are hit by a crypto-ransomware intrusion, remember that Progent's team of experts has a proven track record in ransomware prevention, cleanup, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for letting me get rested after we got past the initial push. Everyone did an incredible job, and if any of your team is visiting the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Sandy Springs a variety of remote monitoring and security evaluation services to help you to minimize the threat from ransomware. These services utilize next-generation machine learning technology to uncover zero-day variants of ransomware that can evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that uses behavior analysis to defend physical and virtual endpoints against modern malware attacks such as ransomware and phishing payloads, which routinely evade traditional signature-based anti-virus tools. ProSight ASM protects local and cloud resources and offers a unified platform to address the entire threat progression, including blocking, intrusion detection, containment, cleanup, and forensics. Key features include single-click rollback using the Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Note that many ransomware families, Ryuk included, delete shadow copies as one of their first actions, so VSS-based rollback only helps when the endpoint agent blocks the malware before that deletion runs; it is a complement to, not a replacement for, offline backups. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth protection for physical and virtual servers, desktops, mobile devices, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis to continuously monitor and react to attacks from all vectors. ProSight ESP provides firewall protection, intrusion alerts, device management, and web filtering via leading-edge technologies packaged within a single agent managed from a single console. Progent's security and virtualization consultants can help you plan and configure a ProSight ESP environment that addresses your company's unique requirements and that allows you to achieve and demonstrate compliance with government and industry data protection standards. Progent will help you specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require immediate attention. Progent can also help you set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business rapidly after a potentially disastrous security incident like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and medium-sized organizations an affordable and fully managed service for secure backup and disaster recovery (BDR). For a low monthly rate, ProSight Data Protection Services automates your backup activities and allows fast restoration of vital files, applications and VMs that have been lost or corrupted as a result of hardware failures, software defects, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to an on-premises device, or mirrored to both; because ransomware targets any backup it can reach from a compromised network, at least one copy should be kept offline or otherwise inaccessible with domain credentials, as the offline MRP backup in the case study above illustrates. Progent's backup and recovery specialists can provide advanced expertise to configure ProSight Data Protection Services to comply with government and industry regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can help you restore your business-critical data. Learn more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of top data security companies to deliver centralized management and comprehensive security for all your inbound and outbound email. The hybrid structure of Progent's Email Guard managed service combines cloud-based filtering with an on-premises gateway device to offer layered defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The cloud filter serves as a preliminary barrier and blocks most threats before they reach your security perimeter, which reduces your exposure to inbound attacks and saves bandwidth and storage. Email Guard's onsite security gateway device provides a deeper level of inspection for incoming email. For outbound email, the onsite security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also help Exchange Server monitor and safeguard internal email traffic that originates and terminates within your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized businesses to map, track, enhance and debug their connectivity appliances like switches, firewalls, and access points plus servers, client computers and other networked devices. Incorporating state-of-the-art RMM technology, WAN Watch makes sure that infrastructure topology maps are always updated, copies and displays the configuration of virtually all devices connected to your network, monitors performance, and sends alerts when issues are detected. By automating tedious network management processes, WAN Watch can cut hours off ordinary tasks like network mapping, reconfiguring your network, finding devices that require critical software patches, or isolating performance issues. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your network operating efficiently by tracking the state of vital assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your designated IT management personnel and your assigned Progent engineering consultant so all looming issues can be resolved before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure fault tolerant data center on a high-performance virtual host configured and maintained by Progent's network support professionals. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the applications. Since the environment is virtualized, it can be ported easily to a different hardware solution without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and safeguard information related to your network infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be warned automatically about impending expirations of SSL certificates, domains or warranties. By keeping your network documentation current, you can save up to half the time otherwise spent looking for vital information about your network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents required for managing your network infrastructure, such as recommended procedures and how-tos. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're making enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.
For Sandy Springs 24-Hour CryptoLocker Cleanup Services, contact Progent at 800-993-9400 or go to Contact Progent.