Crypto-Ransomware: Your Feared IT Disaster
Ransomware has become a modern cyber pandemic and an extinction-level threat for businesses of any size that are unprepared for an attack. Crypto-ransomware families such as Dharma, WannaCry, Locky, SamSam and MongoLock have been in the wild for years and continue to cause havoc. Newer strains such as Ryuk and Hermes, along with the as-yet-unnamed variants that appear daily, not only encrypt online files but also encrypt or delete any configured backups they can reach. Data synchronized to cloud storage can be ransomed as well, because the sync client simply propagates the encrypted files over the good copies. In a poorly architected data protection solution this renders automatic restoration impossible and effectively sets the network back to square one.
Recovering services and information after a ransomware attack becomes a race against time as the targeted organization fights to contain the damage, remove the ransomware and resume business-critical operations. Because crypto-ransomware takes time to spread, attacks are usually triggered on weekends and at night, when a successful intrusion often takes longer to notice. This compounds the difficulty of promptly mobilizing and coordinating a capable response team.
Progent offers a range of services to protect businesses from crypto-ransomware intrusions. These include staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of current-generation security gateways that use behavioral analysis and machine learning to detect and block zero-day attacks quickly. Progent also provides experienced ransomware recovery engineers with the track record and persistence to rebuild a compromised environment as rapidly as possible.
Progent's Ransomware Restoration Help
After a ransomware intrusion, paying the ransom in cryptocurrency does not guarantee that the attackers will deliver keys that decrypt all your files. Kaspersky estimated that 17% of ransomware victims who paid never recovered their data, compounding their losses. Paying is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the exchange rates of the time), far above the average crypto-ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the mission-critical parts of your IT environment from scratch. Without access to usable backups, this requires a wide range of skills, professional project management, and the ability to work around the clock until the recovery is complete.
For two decades, Progent has provided professional IT services to businesses in Augusta-Richmond County and throughout the United States and has earned Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants holding advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security experts hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of experience allows Progent to quickly understand the systems involved, consolidate the surviving parts of your IT environment after a ransomware attack, and reassemble them into a functioning network.
Progent's security team uses best-of-breed project management tools to orchestrate the complex recovery process. Progent understands the importance of acting swiftly and in concert with the customer's management and IT staff to prioritize tasks and get essential applications back online as quickly as possible.
Client Story: A Successful Ransomware Response
A small business engaged Progent after its network was brought down by Ryuk ransomware. Ryuk has been attributed by some researchers to North Korean state-sponsored groups, suspected of using techniques leaked from the US National Security Agency. Ryuk targets specific organizations with little tolerance for operational disruption and is one of the most profitable ransomware families. Widely publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturer in the Chicago metro area with around 500 employees. The Ryuk attack had halted all company operations and manufacturing processes. Most of the client's backups were online and reachable from the network when the attack began, and were destroyed. The client was arranging financing to pay the ransom (over $200,000) and hoping for the best, but ultimately engaged Progent.
"I cannot thank you enough for the support Progent gave us during the most fearful period of (our) company's life. We most likely would have paid the cybercriminals if not for the confidence the Progent experts afforded us. That you could get our e-mail and essential servers back into operation in less than five days was something I thought impossible. Every single expert I spoke to or texted at Progent was totally committed to getting us back online and was working at all hours on our behalf."
Progent worked hand in hand with the customer to quickly identify and prioritize the most important components that had to be restored in order to resume business functions:
- Active Directory
- Microsoft Exchange
- Accounting and Manufacturing Software
To begin, Progent followed incident-response best practices by isolating the affected systems and removing the malware. Progent then set about rebuilding Windows Active Directory, the core of enterprise environments built on Microsoft Windows Server. Microsoft Exchange cannot operate without AD, and the customer's financial and MRP applications ran on Microsoft SQL Server, which relied on AD for authentication and authorization to the data.
In less than 48 hours, Progent restored Active Directory to its pre-attack state. Progent then completed the setup and storage recovery of the remaining required systems. All Exchange Server schema extensions and attributes in AD were intact, which greatly simplified the Exchange restore. Progent was able to gather unencrypted OST files (Outlook offline data files) from staff desktops and laptops to recover mailbox contents. A recent offline backup of the company's accounting/ERP systems allowed these vital services to be brought back into service for users. Although much work remained to recover fully from the Ryuk attack, essential services were restored quickly:
"For the most part, the production manufacturing operation ran fairly normally throughout and we did not miss any customer deliverables."
Over the following couple of weeks, important milestones in the recovery were reached through close collaboration between Progent engineers and the customer:
- In-house web sites were brought back up with no loss of data.
- The MailStore email archive server containing more than 4 million historical messages was brought online and made accessible to users.
- CRM, product ordering, invoicing, accounts payable, accounts receivable and inventory functions were completely restored.
- A new Palo Alto Networks PA-850 firewall was brought online.
- Nearly all of the desktop computers were fully operational.
"Much of what transpired that first week is almost entirely a haze for me, but my team will not soon forget the care each and every one of your team put in to give us our company back. I have been working with Progent for the past ten years, possibly more, and every time I needed help Progent has shone and delivered. This time was no exception, but maybe more Herculean."
A potentially company-ending disaster was averted by dedicated professionals, a broad range of IT skills, and close collaboration. Post-incident forensics showed that the intrusion described here could have been stopped by current security tooling and best practices, user and IT administrator training, proper backup procedures (including offline or otherwise isolated copies) and disciplined patching. Nevertheless, state-sponsored and criminal threat actors from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware intrusion, you can rely on Progent's team, which has proven experience in ransomware defense, cleanup, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), I'm grateful for letting me get some rest after we got over the initial push. Everyone did a fabulous job, and if anyone who helped is around the Chicago area, dinner is my treat!"
To review or download a PDF version of this customer story, see Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Augusta-Richmond County a range of remote monitoring and security assessment services designed to help minimize the threat from crypto-ransomware. These services incorporate behavior-based detection and machine learning to uncover zero-day strains of ransomware that evade legacy signature-based anti-virus products.
For 24x7x365 crypto-ransomware recovery help in Augusta-Richmond County, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that uses behavior-based analysis to defend physical and virtual endpoints against new malware, including ransomware and phishing payloads, that routinely gets past legacy signature-based anti-virus tools. ProSight ASM protects on-premises and cloud resources and provides a unified platform covering the full attack lifecycle: protection, detection, mitigation, remediation, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and automatic network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
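The backup destruction described in the introduction, and the reason a VSS-based rollback only works if the shadow copies survive the attack, is visible in ordinary process-creation telemetry: before encrypting, ransomware such as Ryuk typically deletes shadow copies and backup catalogs with built-in Windows tools. The following is an added example, not Progent code and not part of any ProSight product. It is a small Python detector run over constructed process-creation records (a pipe-delimited flattening of the fields that Sysmon Event ID 1 or Security event 4688 record; the host names, user names and timestamps are made up) and flags the well-known shadow-copy and backup-catalog deletion commands while ignoring the same tools used for legitimate listing and backup jobs.

```python
"""Detect attempts to destroy Windows recovery points in process-creation logs.

Added example, not Progent code and not part of any ProSight product.  The log
format is a constructed pipe-delimited flattening of the fields that Sysmon
Event ID 1 or Security event 4688 record:

    timestamp|host|user|parent image|image|command line

Host names, user names and timestamps in SAMPLE_LOG are made up.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# (image-name pattern, command-line pattern, description).  Image patterns are
# matched with fullmatch against the lower-cased executable name; command-line
# patterns are searched case-insensitively.  These are the commands ransomware
# families such as Ryuk run before encryption so that VSS rollback and Windows
# Backup restores have nothing left to restore from.
RULES = [
    (r"vssadmin(\.exe)?", r"\bdelete\s+shadows\b",
     "shadow copies deleted"),
    (r"vssadmin(\.exe)?", r"\bresize\s+shadowstorage\b.*/maxsize=",
     "shadow storage shrunk to evict copies"),
    (r"wmic(\.exe)?", r"\bshadowcopy\s+delete\b",
     "shadow copies deleted via WMI"),
    (r"wbadmin(\.exe)?", r"\bdelete\s+(catalog|systemstatebackup)\b",
     "Windows Backup catalog deleted"),
    (r"bcdedit(\.exe)?",
     r"\brecoveryenabled\s+no\b|\bbootstatuspolicy\s+ignoreallfailures\b",
     "boot recovery disabled"),
    (r"(powershell|pwsh)(\.exe)?", r"win32_shadowcopy.*\bdelete\b",
     "shadow copies deleted via PowerShell WMI call"),
]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    parent: str
    reason: str
    command_line: str


def _basename(path: str) -> str:
    """Executable name without directory, lower-cased (handles \\ and /)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def inspect_event(line: str) -> Optional[Finding]:
    """Return a Finding if the record matches a destruction rule, else None."""
    # maxsplit=5 keeps any '|' inside the command line (e.g. a PowerShell
    # pipeline) in the last field instead of breaking the record apart.
    parts = line.split("|", 5)
    if len(parts) != 6:
        return None  # blank or malformed record: skip rather than crash
    ts, host, user, parent, image, cmd = (p.strip() for p in parts)
    exe = _basename(image)
    for image_re, cmd_re, reason in RULES:
        if re.fullmatch(image_re, exe) and re.search(cmd_re, cmd, re.IGNORECASE):
            return Finding(ts, host, user, _basename(parent), reason, cmd)
    return None


def scan(log_text: str) -> List[Finding]:
    """Run inspect_event over every line and keep the hits, in log order."""
    return [f for f in map(inspect_event, log_text.splitlines()) if f]


# Constructed sample: two benign admin commands (a scheduled backup and a
# shadow-copy listing) followed by the typical pre-encryption cleanup sequence.
SAMPLE_LOG = r"""
2019-03-02T02:14:07Z|FS01|CORP\svc_backup|services.exe|C:\Windows\System32\wbadmin.exe|wbadmin start backup -backupTarget:E: -include:C: -quiet
2019-03-02T02:41:55Z|FS01|CORP\admin1|cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
2019-03-03T03:12:40Z|FS01|CORP\admin1|cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin Delete Shadows /All /Quiet
2019-03-03T03:12:41Z|FS01|CORP\admin1|cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
2019-03-03T03:12:43Z|FS01|CORP\admin1|cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
2019-03-03T03:12:45Z|FS01|CORP\admin1|cmd.exe|C:\Windows\System32\wbadmin.exe|wbadmin delete catalog -quiet
2019-03-03T03:12:47Z|FS01|CORP\admin1|cmd.exe|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled No
2019-03-03T03:13:02Z|FS01|CORP\admin1|cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"
"""


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} {f.user} [{f.parent}] {f.reason}: {f.command_line}")
```

Six of the eight constructed records are flagged; the backup job and the `vssadmin list shadows` query are not, because the rules key on the destructive verbs rather than on the tool name alone. In a real deployment this logic would sit on the SIEM or EDR side with the same rules expressed in that product's query language, and a burst of these commands from one host within seconds is the moment to isolate it, before the encryption pass begins.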
- ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) services offer affordable, in-depth protection for physical and virtual servers, workstations, mobile devices, and Exchange email. ProSight ESP uses contextual security and machine learning to monitor for and respond to attacks from all vectors around the clock. ProSight ESP provides firewall protection, intrusion alerts, device management, and web filtering through technologies combined in a single agent managed from a unified console. Progent's security and virtualization experts can help you plan and configure a ProSight ESP environment that fits your company's needs and helps you demonstrate compliance with government and industry information security regulations. Progent will help you define and implement the policies that ProSight ESP enforces, and will monitor your IT environment and respond to alerts that call for immediate action. Progent can also help you deploy and verify a backup and restore solution such as ProSight Data Protection Services so you can recover quickly from a destructive attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent give small and medium-sized organizations an affordable end-to-end solution for secure backup and disaster recovery. Available at a low monthly cost, ProSight DPS automates and monitors your backup processes and allows fast recovery of vital files, applications and virtual machines that have become unavailable or damaged through hardware failure, software faults, natural disasters, human error, or malware such as ransomware. ProSight Data Protection Services can back up, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to a local storage device, or to both. Progent's BDR consultants can set up ProSight DPS to comply with government and industry regulatory requirements such as HIPAA, FINRA, and PCI and, whenever needed, can help you recover your business-critical data. Read more about ProSight Data Protection Services Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service, built on the infrastructure of leading data security companies, that delivers centralized control and comprehensive protection for your inbound and outbound email. Email Guard combines cloud-based filtering with a local gateway appliance to protect against spam, viruses, denial-of-service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer acts as the first line of defense and keeps most threats from ever reaching your network firewall, which reduces your exposure and saves bandwidth and storage. Email Guard's on-premises security gateway appliance provides a deeper level of analysis for incoming email. For outbound email, the on-premises gateway provides anti-virus and anti-spam filtering, data loss prevention (DLP), and email encryption. The on-site gateway can also work with Exchange Server to monitor and protect internal email that originates and terminates inside your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to diagram, monitor, reconfigure and troubleshoot their connectivity hardware such as routers, firewalls, and load balancers, plus servers, printers, client computers and other networked devices. Built on current Remote Monitoring and Management technology, WAN Watch keeps infrastructure topology diagrams current, backs up and manages the configuration of almost all devices on your network, tracks performance, and raises alerts when potential issues are detected. By automating tedious management tasks, ProSight WAN Watch can cut hours from routine chores such as producing network diagrams, expanding your network, finding devices that need critical updates, or isolating performance bottlenecks. Find out more about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service, which uses remote monitoring and management techniques to keep your IT environment running at peak performance by tracking the health of the vital assets that power your information system. When ProSight LAN Watch detects a problem, an alert is sent automatically to your designated IT staff and your Progent consultant so that looming issues can be addressed before they disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-sized business can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating systems, and the applications. Because the environment is virtualized, it can be moved quickly to different hardware without a time-consuming and technically risky reconfiguration. With ProSight Virtual Hosting, you are not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and safeguard information about your network infrastructure, procedures, applications, and services. You can instantly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your IT documentation, you can save up to half of the time otherwise wasted looking for vital information about your network. ProSight IT Asset Management includes a common repository for storing and sharing all the documents required for managing your infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also provides automation for gathering and correlating IT information. Whether you're planning improvements, performing routine maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need when you need it. Learn more about the ProSight IT Asset Management service.