Crypto-Ransomware : Your Feared Information Technology Catastrophe
Ransomware has become a too-frequent cyber pandemic that presents an extinction-level danger for businesses of all sizes vulnerable to an attack. Versions of ransomware such as Dharma, Fusob, Locky, Syskey and MongoLock cryptoworms have been circulating for a long time and still cause harm. Modern versions of ransomware like Ryuk and Hermes, as well as daily unnamed viruses, not only encrypt online data but also infect all configured system backups. Files replicated to cloud environments can also be corrupted. In a poorly designed data protection solution, this can render automated recovery useless and basically knocks the entire system back to zero.
Getting applications and information back online following a crypto-ransomware attack becomes a sprint against time as the targeted business tries its best to contain and remove the virus and to restore mission-critical operations. Because ransomware requires time to spread, attacks are frequently sprung on weekends, when successful penetrations are likely to take longer to identify. This multiplies the difficulty of quickly assembling and coordinating a capable mitigation team.
Progent has a variety of help services for securing enterprises from ransomware attacks. These include staff training to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of next-generation security solutions with artificial intelligence capabilities to intelligently detect and suppress zero-day threats. Progent can also provide the services of experienced ransomware recovery consultants with the track record and commitment to re-deploy a compromised system as soon as possible.
Progent's Ransomware Recovery Services
Subsequent to a ransomware event, paying the ransom demand in Bitcoin cryptocurrency does not guarantee that cyber hackers will return the keys needed to decipher any of your data. Kaspersky Labs estimated that 17% of ransomware victims never restored their files after having paid the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the typical ransomware demand, which ZDNET estimates to be around $13,000. The alternative is to piece back together the critical elements of your IT environment. Without access to essential data backups, this calls for a broad range of IT skills, professional project management, and the ability to work non-stop until the task is finished.
For decades, Progent has offered certified expert Information Technology services for companies in Portland and across the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have attained high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have garnered internationally-renowned certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience in financial systems and ERP applications. This breadth of expertise gives Progent the capability to efficiently understand important systems, consolidate the surviving parts of your Information Technology environment following a crypto-ransomware attack, and configure them into a functioning network.
Progent's ransomware team uses best-of-breed project management systems to coordinate the complicated recovery process. Progent appreciates the urgency of working quickly and in unison with a customer's management and IT staff to assign priority to tasks and to put the most important services back on line as soon as possible.
Client Case Study: A Successful Ransomware Virus Restoration
A small business contacted Progent after their company was attacked by Ryuk crypto-ransomware. Ryuk is generally considered to have been created by North Korean state-sponsored hackers, suspected of adopting algorithms leaked from America's NSA organization. Ryuk attacks specific companies with little tolerance for operational disruption and is one of the most profitable iterations of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer headquartered in Chicago and has about 500 employees. The Ryuk intrusion had frozen all company operations and manufacturing processes. The majority of the client's backups had been directly accessible at the start of the intrusion and were damaged. The client was taking steps to pay the ransom demand (more than two hundred thousand dollars) and hoping for good luck, but ultimately engaged Progent.
"I cannot thank you enough about the expertise Progent provided us during the most critical time of (our) company's survival. We may have had to pay the cyber criminals behind the attack except for the confidence the Progent group gave us. The fact that you could get our e-mail system and critical servers back online in less than a week was amazing. Every single person I interacted with or e-mailed at Progent was amazingly focused on getting us restored and was working day and night on our behalf."
Progent worked hand in hand with the customer to rapidly understand and prioritize the mission-critical services that had to be recovered to make it possible to continue company functions:
- Microsoft Active Directory
- Exchange Server
- Accounting and Manufacturing Software
To begin, Progent followed anti-virus/malware incident mitigation best practices by halting the spread and cleaning up infected systems. Progent then began the task of restoring Windows Active Directory, the core of enterprise networks built upon Microsoft technology. Exchange email will not work without AD, and the customer's accounting and MRP software relied on SQL Server, which requires Active Directory services for authentication to the data.
Within two days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then rebuilt the most important servers and recovered their storage. All Microsoft Exchange Server links and attributes in Active Directory were intact, which accelerated the restore of Exchange. Progent was able to find non-encrypted OST files (Outlook Offline Folder Files) on team desktop computers and used them to recover mail data. A recent off-line backup of the customer's manufacturing systems made it possible to bring these vital programs back online for users. Although significant work still had to be done to recover totally from the Ryuk damage, core services were restored rapidly:
"For the most part, the production line operation showed little impact and we made all customer shipments."
Throughout the following couple of weeks key milestones in the restoration project were accomplished in tight collaboration between Progent consultants and the customer:
- Internal web applications were restored without losing any information.
- The MailStore email archive server, holding more than four million archived messages, was brought on-line and made available to users.
- CRM, Orders, Invoices, Accounts Payable, Accounts Receivable (AR), and Inventory capabilities were 100 percent operational.
- A new Palo Alto Networks 850 firewall was installed and configured.
- Nearly all of the user PCs were functioning as before the incident.
"So much of what occurred in the early hours is nearly entirely a fog for me, but my management will not soon forget the care each and every one of the team accomplished to help get our company back. I have been working together with Progent for the past ten years, possibly more, and each time Progent has outperformed my expectations and delivered. This time was a testament to your capabilities."
A potential enterprise-killing disaster was avoided by top-tier experts, a broad array of technical expertise, and close teamwork. Although the post-mortem showed that the ransomware attack described here could have been shut down with up-to-date security solutions and ISO/IEC 27001 best practices, user and IT administrator education, and well-thought-out incident response procedures for backup and applying software patches, the reality is that government-sponsored hackers from China, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware incursion, feel confident that Progent's roster of experts has extensive experience in crypto-ransomware virus defense, mitigation, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for letting me get some sleep after we made it through the initial push. Everyone did an incredible job, and if anyone that helped is visiting the Chicago area, a great meal is on me!"
To read or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Portland a range of remote monitoring and security evaluation services designed to help you to reduce your vulnerability to crypto-ransomware. These services incorporate next-generation AI technology to uncover zero-day variants of ransomware that can evade legacy signature-based anti-virus solutions.
For Portland 24/7/365 CryptoLocker Recovery Consultants, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes cutting-edge behavioral machine learning tools to guard physical and virtual endpoints against new malware assaults like ransomware and email phishing, which easily evade traditional signature-matching anti-virus products. ProSight ASM safeguards local and cloud resources and offers a single platform to automate the entire threat lifecycle including filtering, detection, mitigation, cleanup, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable in-depth protection for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and reacting to security threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, device management, and web filtering through leading-edge tools packaged within one agent managed from a unified console. Progent's data protection and virtualization experts can assist your business to design and configure a ProSight ESP environment that addresses your company's unique needs and that helps you demonstrate compliance with government and industry information protection standards. Progent will assist you in specifying and configuring the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for urgent attention. Progent's consultants can also help you to install and verify a backup and restore system such as ProSight Data Protection Services so you can get back in business quickly from a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and mid-sized organizations a low-cost end-to-end service for reliable backup/disaster recovery. Available at a low monthly cost, ProSight DPS automates your backup processes and allows fast recovery of vital files, apps and VMs that have become unavailable or damaged as a result of component breakdowns, software bugs, natural disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images. Critical data can be protected in the cloud, on a local storage device, or mirrored to both. Progent's backup and recovery specialists can provide world-class support to configure ProSight Data Protection Services to be compliant with government and industry regulatory standards such as HIPAA, FINRA, and PCI and, whenever needed, can help you to recover your critical information. Learn more about ProSight Data Protection Services Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top data security companies to deliver web-based control and comprehensive security for all your inbound and outbound email. The hybrid structure of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises security gateway device to offer complete defense against spam, viruses, Denial of Service attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter acts as a preliminary barricade and keeps most unwanted email from reaching your security perimeter. This reduces your exposure to external attacks and saves system bandwidth and storage. Email Guard's onsite security gateway device adds a deeper layer of inspection for inbound email. For outbound email, the on-premises security gateway offers AV and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also help Exchange Server to track and protect internal email that originates and ends inside your security perimeter. For more details, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to map out, track, reconfigure and troubleshoot their connectivity appliances like routers and switches, firewalls, and load balancers as well as servers, printers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology maps are kept current, captures and displays the configuration information of almost all devices connected to your network, monitors performance, and generates notices when issues are detected. By automating tedious management processes, ProSight WAN Watch can cut hours off common tasks such as network mapping, expanding your network, finding appliances that need critical updates, or resolving performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system operating efficiently by checking the state of critical assets that drive your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your designated IT staff and your Progent engineering consultant so any looming issues can be resolved before they can disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual host set up and maintained by Progent's network support professionals. With the ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the applications. Since the system is virtualized, it can be ported easily to a different hardware solution without requiring a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not tied to one hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and safeguard information about your network infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can save as much as 50% of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management features a centralized repository for holding and collaborating on all documents related to managing your network infrastructure such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether you're making improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you require the instant you need it. Find out more about ProSight IT Asset Management service.