Ransomware: Your Feared Information Technology Catastrophe
Crypto-Ransomware Remediation Professionals

Crypto-ransomware has become an escalating cyber plague that poses an enterprise-level danger for businesses poorly prepared for an attack. Families such as CryptoLocker, WannaCry, Locky, SamSam and MongoLock have been circulating for years and continue to cause havoc. Recent families such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch and Egregor, plus new variants that appear daily, not only encrypt online data but also attack the recovery mechanisms the victim has in place: they delete Volume Shadow Copies, disable Windows recovery options, and encrypt or wipe any backup repository reachable over the network. Files synced to cloud storage can also be rendered useless, because the encrypted versions are synced up and overwrite the good copies. In a poorly architected system this makes automated restore operations useless and essentially sets the network back to zero.
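The commands ransomware runs to disable Windows recovery before it starts encrypting are visible in process-creation telemetry (Sysmon Event ID 1, Windows Security event 4688, or EDR logs). As an added example, not Progent's code or tooling, the Python below matches a few of the well-documented ones over constructed sample events; the host names, user names and command lines are made up for illustration, and the rule list is deliberately small.

```python
"""Flag process-creation events that look like backup or shadow-copy destruction.

Added example, not Progent's code. The matched commands are the well-documented
ways ransomware disables Windows recovery before encrypting; the sample events
below are constructed and mimic what a Sysmon Event ID 1 / Security 4688
forwarder would deliver.
"""
import re

# (rule name, regex over the full command line)
RULES = [
    # vssadmin Delete Shadows /All /Quiet
    ("vss_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    # shrinking shadow storage to a few hundred MB silently evicts old snapshots;
    # a fixed small size is matched, "/maxsize=unbounded" (an admin action) is not
    ("vss_resize", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage.*/maxsize=\d+MB", re.I)),
    ("wmic_shadowcopy", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin_delete", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    # disabling the Windows recovery environment / boot-failure handling
    ("bcdedit_recovery", re.compile(r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    # PowerShell / WMI equivalent of shadow deletion
    ("wmi_shadowcopy", re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I)),
]

# Constructed sample events (hosts, users and command lines are made up).
SAMPLE_EVENTS = [
    {"host": "WS-ACCT-07", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "WS-ACCT-07", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    # benign: an administrator lifting the shadow storage cap
    {"host": "SRV-FILE-02", "user": "CORP\\adm_ops", "parent": "powershell.exe",
     "cmdline": "vssadmin resize shadowstorage /for=D: /on=D: /maxsize=unbounded"},
    # benign: the scheduled Windows Server Backup job
    {"host": "SRV-FILE-02", "user": "NT AUTHORITY\\SYSTEM", "parent": "services.exe",
     "cmdline": "wbadmin start backup -backupTarget:\\\\nas01\\backups -include:D: -quiet"},
]


def scan(events):
    """Return one finding per event whose command line matches a rule."""
    findings = []
    for ev in events:
        for name, rx in RULES:
            if rx.search(ev["cmdline"]):
                findings.append({"host": ev["host"], "user": ev["user"],
                                 "parent": ev["parent"], "rule": name,
                                 "cmdline": ev["cmdline"]})
                break  # the first matching rule is enough for triage
    return findings


def hosts_by_severity(findings):
    """Group findings per host. Two or more distinct rules on one host means the
    full 'disable recovery, then encrypt' sequence is under way: treat as high."""
    rules_per_host = {}
    for f in findings:
        rules_per_host.setdefault(f["host"], set()).add(f["rule"])
    return {h: ("high" if len(r) >= 2 else "medium")
            for h, r in rules_per_host.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:12} {f['rule']:18} {f['user']:22} {f['cmdline']}")
    print(hosts_by_severity(found))  # {'WS-ACCT-07': 'high'}
```

The two benign events on SRV-FILE-02 are there on purpose: a rule that fires on every `vssadmin resize` or every `wbadmin` call will page the on-call engineer for routine backup maintenance, so the patterns key on the destructive arguments rather than on the binary name alone. In production the same logic would run as a SIEM correlation rule, and a host reaching "high" is a candidate for immediate network isolation.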

Retrieving programs and data following a ransomware attack becomes a race against the clock as the targeted business tries to stop the spread, clean up the ransomware and resume business-critical operations. Because ransomware takes time to spread, attacks are often launched on weekends, when fewer staff are on duty and successful attacks tend to take longer to discover. This compounds the difficulty of promptly marshalling and organizing a qualified mitigation team.

Progent offers a variety of services for protecting enterprises from crypto-ransomware attacks. These include staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of next-generation security gateways with AI technology to detect and quarantine new threats. Progent can also provide veteran crypto-ransomware recovery engineers with the skill and commitment to rebuild a breached environment as urgently as possible.

Progent's Crypto-Ransomware Restoration Services
After a ransomware attack, paying the ransom in cryptocurrency does not ensure that the criminals will hand over the keys to decrypt your files. Kaspersky estimated that 17% of ransomware victims never recovered their data even after paying the ransom, compounding their losses. Paying is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000), far higher than the typical ransomware demand, which ZDNet put at approximately $13,000. The alternative is to rebuild the critical components of your IT environment. Without usable backups of essential data, this calls for a broad complement of skill sets, top-notch team management, and the willingness to work non-stop until the task is done.

For two decades, Progent has provided certified expert IT services for businesses in Chandler and throughout the U.S. and has achieved Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who hold advanced certifications in leading technologies from Microsoft, Cisco, VMware and the popular Linux distributions. Progent's cyber security experts have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC and SANS GIAC. (Visit Progent's certifications.) Progent also has expertise in accounting and ERP applications. This breadth of expertise gives Progent the capability to quickly identify critical systems, organize the surviving parts of your IT environment after a ransomware attack, and assemble them into a functioning network.

Progent's ransomware response team uses proven project management practices to orchestrate the complicated restoration process. Progent knows the importance of working quickly and in unison with a client's management and IT staff to prioritize tasks and put key services back online as fast as humanly possible.

Client Story: A Successful Ransomware Penetration Response
A client contacted Progent after their company was crippled by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, but later analysis attributed it to a Russian-speaking criminal group. Ryuk goes after specific organizations with little tolerance for operational disruption and is one of the most lucrative examples of ransomware. Publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer based in Chicago with around 500 employees. The Ryuk attack had shut down all essential business and manufacturing processes. Most of the client's backups were online and reachable from the compromised network when the attack began, and they were destroyed along with the production data. The client was actively seeking loans to pay the ransom demand (in excess of $200,000) and hoping for the best, but ultimately called Progent.


"I can't speak enough in regards to the help Progent provided us throughout the most fearful period of (our) company's survival. We would have had little choice but to pay the cyber criminals if it wasn't for the confidence the Progent team provided us. That you could get our e-mail system and important servers back in less than one week was earth-shattering. Each consultant I talked with or e-mailed at Progent was urgently focused on getting my company operational and was working at breakneck pace to bail us out."

Progent worked hand in hand with the customer to rapidly understand and prioritize the mission-critical elements that had to be restored in order to resume business operations:

  • Windows Active Directory
  • Electronic Messaging
  • Accounting/MRP
To start, Progent followed ransomware incident response best practice by isolating infected systems and removing the active malware. Progent then began rebuilding Active Directory, the heart of enterprise networks built on Microsoft Windows Server. Microsoft Exchange Server will not operate without Active Directory, and the client's MRP system ran on Microsoft SQL Server, which relied on Active Directory accounts to authenticate and authorize access to the data.
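The ordering argument above (Active Directory first, because Exchange and the SQL Server behind MRP cannot run without it) generalizes to a small planning routine that also accounts for which backups survived. As an added example, not Progent's code or method, the Python below computes a dependency-respecting restore order and reports what is blocked. The Active Directory, Exchange, SQL Server and MRP relationships mirror the case study; the file share and CAD entries and all of the "restore source" values are constructed for illustration.

```python
"""Order restoration work from service dependencies and surviving backups.

Added example, not Progent's code. The dependency facts for Active Directory,
Exchange, SQL Server and MRP mirror the case study; the other service names and
every restore-source value are constructed for illustration.
"""
from collections import deque

# service -> services it needs running first
DEPENDENCIES = {
    "active_directory": [],
    "exchange": ["active_directory"],
    "sql_server": ["active_directory"],
    "mrp": ["sql_server"],
    "file_shares": ["active_directory"],
    "engineering_cad": ["file_shares"],
}

# where a clean copy survives; None means every copy was reachable from the
# compromised network and was encrypted (constructed values)
RESTORE_SOURCES = {
    "active_directory": "surviving_domain_controller",
    "exchange": "workstation_ost_files",
    "sql_server": "offline_backup",
    "mrp": "offline_backup",
    "file_shares": None,
    "engineering_cad": "vendor_reinstall_media",
}


def plan_restore(deps, sources):
    """Return (order, blocked).

    order  : services that can be rebuilt, each listed after everything it
             depends on
    blocked: service -> why it cannot be restored yet (no clean source, or a
             dependency that is itself blocked)
    Raises ValueError on a dependency cycle.
    """
    indegree = {s: len(d) for s, d in deps.items()}
    dependents = {s: [] for s in deps}
    for svc, needs in deps.items():
        for n in needs:
            dependents[n].append(svc)

    order, blocked, seen = [], {}, 0
    ready = deque(sorted(s for s, n in indegree.items() if n == 0))
    while ready:  # Kahn's algorithm: visit services in dependency order
        svc = ready.popleft()
        seen += 1
        blocked_dep = next((n for n in deps[svc] if n in blocked), None)
        if blocked_dep is not None:
            blocked[svc] = f"depends on blocked {blocked_dep}"
        elif sources.get(svc) is None:
            blocked[svc] = "no clean restore source"
        else:
            order.append(svc)
        for d in dependents[svc]:
            indegree[d] -= 1
            if indegree[d] == 0:
                ready.append(d)
    if seen != len(deps):
        raise ValueError("dependency cycle among services")
    return order, blocked


if __name__ == "__main__":
    order, blocked = plan_restore(DEPENDENCIES, RESTORE_SOURCES)
    print("restore order:", " -> ".join(order))
    for svc, why in blocked.items():
        print(f"blocked: {svc}: {why}")
```

The point of the blocked list is that it is produced before anyone starts work: a service whose only backup sat on an online share shows up immediately as needing another source (a vendor reinstall, user workstations, a partner's copy), instead of being discovered at the end of a restore chain. The same routine works for any directed dependency set, and the cycle check catches a configuration that claims two services each need the other.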

In less than two days, Progent recovered Windows Active Directory to its pre-attack state. Progent then reinstalled and recovered the disks of mission-critical systems. The Exchange Server schema extensions and attributes in Active Directory were intact, which simplified the rebuild of Exchange. Progent was also able to find unencrypted OST files (Microsoft Outlook Offline Data Files) on team workstations and laptops and used them to recover mail data. A relatively recent offline backup of the company's accounting/MRP software made it possible to bring these vital applications back online. Although a large amount of work remained to recover fully from the Ryuk attack, essential systems were restored quickly:


"For the most part, the manufacturing operation ran fairly normal throughout and we made all customer shipments."

During the following couple of weeks, further milestones in the recovery were reached through close cooperation between Progent engineers and the client:

  • Internal web sites were restored without losing any information.
  • The MailStore email archive server, holding over 4 million archived Exchange messages, was brought online and made available to users.
  • The CRM, Product Ordering, Invoicing, Accounts Payable, Accounts Receivable and Inventory modules were fully restored.
  • A new Palo Alto Networks PA-850 firewall was deployed.
  • Nearly all of the desktop computers were back in operation.

"So much of what was accomplished in the early hours is mostly a blur for me, but my team will not soon forget the dedication each of the team accomplished to help get our business back. I have utilized Progent for the past 10 years, possibly more, and every time I needed help Progent has impressed me and delivered. This event was a stunning achievement."

Conclusion
A potential enterprise-killing catastrophe was averted through the efforts of dedicated experts, a broad spectrum of subject matter expertise, and close teamwork. In retrospect, the crypto-ransomware incident described here could have been detected and prevented with modern security tooling and best practices: staff education, backup procedures that keep at least one copy offline and unreachable from the production network, and disciplined patch management. The reality, though, is that ransomware operators, including state-sponsored groups from Russia, China and elsewhere, are tireless and an ongoing threat. If you are hit by a ransomware incident, you can be confident that Progent's team has proven experience in ransomware prevention, mitigation and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), I'm grateful for making it so I could get rested after we made it past the initial push. All of you did an incredible effort, and if any of your team is in the Chicago area, dinner is on me!"

To read or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Chandler a variety of remote monitoring and security evaluation services designed to help you minimize the threat from ransomware. These services incorporate modern artificial intelligence technology to uncover new variants of crypto-ransomware that can evade traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that incorporates next generation behavior-based analysis tools to defend physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely evade legacy signature-matching AV products. ProSight ASM safeguards local and cloud resources and provides a unified platform to address the entire malware attack progression including protection, detection, containment, remediation, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection services deliver economical multi-layer protection for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge tools incorporated within one agent accessible from a unified console. Progent's security and virtualization experts can help you design and implement a ProSight ESP deployment that addresses your company's unique requirements and that helps you achieve and demonstrate compliance with government and industry data protection standards. Progent will help you specify and implement the policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that call for immediate action. Progent's consultants can also help you install and test a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business rapidly after a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized organizations an affordable end-to-end solution for reliable backup and disaster recovery. For a fixed monthly rate, ProSight DPS automates and monitors your backup processes and allows rapid recovery of vital data, applications and virtual machines that have been lost or corrupted as a result of component failures, software bugs, natural disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware images. Critical data can be backed up to the cloud, to an on-premises device, or mirrored to both. Progent's cloud backup specialists can deliver world-class support to configure ProSight Data Protection Services to comply with regulatory standards such as HIPAA, FERPA, and PCI and, whenever needed, can assist you to recover your business-critical data. Read more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top data security vendors to provide centralized control and world-class security for your inbound and outbound email. The powerful architecture of Email Guard integrates a Cloud Protection Layer with an on-premises gateway appliance to offer complete defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer acts as a first line of defense and blocks the vast majority of unwanted email before it reaches your network firewall. This reduces your exposure to inbound threats and conserves network bandwidth and storage space. Email Guard's on-premises gateway appliance adds a deeper layer of analysis for incoming email. For outbound email, the onsite gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Microsoft Exchange Server monitor and safeguard internal email traffic that stays inside your security perimeter. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller businesses to diagram, track, reconfigure and troubleshoot their networking appliances such as routers and switches, firewalls, and access points as well as servers, client computers and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology diagrams are always updated, captures and displays the configuration of virtually all devices connected to your network, tracks performance, and generates alerts when potential issues are detected. By automating tedious network management activities, WAN Watch can cut hours off ordinary chores such as network mapping, reconfiguring your network, finding devices that need critical updates, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management techniques to help keep your network operating efficiently by checking the health of vital assets that power your business network. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your specified IT management personnel and your assigned Progent engineering consultant so any looming problems can be addressed before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host set up and managed by Progent's IT support professionals. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the applications. Since the environment is virtualized, it can be moved easily to a different hosting environment without requiring a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied to one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, retrieve and protect data related to your network infrastructure, processes, business applications, and services. You can instantly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT documentation, you can eliminate as much as half of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a common repository for holding and collaborating on all documents required for managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether you're making improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
For 24-7 Chandler CryptoLocker Recovery Consultants, call Progent at 800-993-9400 or go to Contact Progent.