Crypto-Ransomware: Your Crippling IT Nightmare
Crypto-Ransomware Remediation Experts
Crypto-ransomware has become an escalating cyber pandemic that poses an existential threat to businesses vulnerable to an attack. Ransomware families such as Reveton, CryptoWall, Locky, SamSam and MongoLock have been circulating for years and still cause damage. More recent strains like Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch and Nefilim, plus newer malware not yet named, not only encrypt online files but also attack the system's own protection mechanisms: they delete Volume Shadow Copies, disable Windows recovery options and target backup catalogs and backup agents before encryption starts. Data replicated to off-site disaster recovery sites can be corrupted too, because replication faithfully copies the encrypted files. In a vulnerable environment this can make automated recovery impossible and effectively sets the datacenter back to square one.
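The practical check that follows from the paragraph above is to watch process-creation telemetry for the commands ransomware uses to destroy recovery options before it encrypts anything. The script below is an added example, not Progent's code or part of the original page: it runs a few rules over constructed process-creation records (the tab-separated line format, host names, user names and timestamps are assumptions made for this example) and flags hosts on which several distinct tampering techniques fire in sequence, which is the typical pre-encryption chain.

```python
"""Flag process launches that tamper with Windows recovery mechanisms.

Added example, not Progent's code. Input records are constructed and use a
simple tab-separated layout (timestamp, host, user, command line); real
sources would be Security event 4688 or Sysmon event 1, whose field names
differ. The commands matched are the ones routinely seen in ransomware
pre-encryption stages: shadow copy deletion, shadow storage resizing,
boot recovery disablement and backup catalog deletion.
"""
import re
from dataclasses import dataclass

# Each rule names one recovery-tampering technique.
RULES = {
    "shadow_copy_delete": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b",
        re.IGNORECASE),
    "shadow_storage_resize": re.compile(
        r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.IGNORECASE),
    "boot_recovery_disable": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+"
        r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b",
        re.IGNORECASE),
    "backup_catalog_delete": re.compile(
        r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.IGNORECASE),
}

# Constructed sample telemetry (assumption: hosts, users and times are invented).
# Four tampering commands on a file server, followed by two benign launches.
SAMPLE_LOG = """\
2020-03-14T02:13:07Z\tFILESRV01\tCORP\\svc_backup\tvssadmin.exe Delete Shadows /All /Quiet
2020-03-14T02:13:09Z\tFILESRV01\tCORP\\svc_backup\tvssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
2020-03-14T02:13:12Z\tFILESRV01\tCORP\\svc_backup\tbcdedit.exe /set {default} recoveryenabled No
2020-03-14T02:13:15Z\tFILESRV01\tCORP\\svc_backup\twbadmin.exe delete catalog -quiet
2020-03-14T02:20:00Z\tWKS-042\tCORP\\jsmith\tC:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE
2020-03-14T02:25:00Z\tDC01\tCORP\\admin\tvssadmin.exe list shadows
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    command_line: str


def parse_record(line: str):
    """Split one constructed record into (timestamp, host, user, command line)."""
    ts, host, user, cmd = line.rstrip("\n").split("\t", 3)
    return ts, host, user, cmd


def classify(command_line: str) -> list:
    """Return the names of every rule that matches this command line."""
    return [name for name, rx in RULES.items() if rx.search(command_line)]


def scan(lines) -> list:
    """Run every rule over every record; one Finding per (record, rule) hit."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ts, host, user, cmd = parse_record(line)
        for rule in classify(cmd):
            findings.append(Finding(ts, host, user, rule, cmd))
    return findings


def hosts_with_chained_tampering(findings, minimum_rules: int = 2) -> list:
    """Hosts on which at least `minimum_rules` distinct techniques fired.

    A single 'vssadmin list shadows' is routine administration; delete ->
    resize -> bcdedit -> wbadmin on one host within minutes is not.
    """
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= minimum_rules)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f.timestamp} {f.host} {f.user} [{f.rule}] {f.command_line}")
    print("hosts with chained tampering:", hosts_with_chained_tampering(hits))
```

The rules are deliberately narrow so that listing shadow copies or running a scheduled backup does not page anyone; the chaining step is what turns four low-severity hits into one high-confidence alert worth an immediate network isolation of the host.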

Recovering systems and data after a ransomware intrusion becomes a race against time as the targeted organization struggles to contain the damage, eradicate the ransomware and resume mission-critical activity. Attackers typically trigger encryption at night or over weekends, when staffing is thin and the intrusion takes longer to discover, giving the ransomware more time to spread. This compounds the difficulty of promptly marshalling and orchestrating a capable response team.

Progent offers a range of services for protecting enterprises from ransomware intrusions. These include team training to recognize and avoid phishing scams, ProSight Active Security Monitoring for endpoint detection and response, and setup and configuration of modern security solutions with machine learning technology to quickly detect and suppress zero-day threats. Progent can also provide the services of seasoned ransomware recovery professionals with the track record and commitment to rebuild a breached environment as quickly as possible.

Progent's Ransomware Restoration Help
Paying the ransom in Bitcoin after a ransomware event provides no assurance that the criminals will deliver working keys to decrypt your data. Kaspersky found that seventeen percent of ransomware victims who paid never recovered their files, compounding their losses. The gamble is also expensive: Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000), well above the typical ransomware demand, which ZDNet puts at around $13,000. The alternative is to rebuild the mission-critical components of your IT environment. Without full, uncompromised backups this requires a broad range of skills, well-coordinated project management, and the capacity to work around the clock until the job is done.

For twenty years, Progent has offered professional Information Technology services for businesses in Reston and across the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have earned top certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists hold internationally recognized certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience with accounting and ERP application software. This breadth of experience gives Progent the skills to quickly understand critical systems and, after a crypto-ransomware event, reassemble the surviving pieces of your network into a functioning system.

Progent's security team uses best-of-breed project management tools to coordinate the complex recovery process. Progent knows the importance of acting swiftly and in unison with a client's management and Information Technology staff to prioritize tasks and get key applications back online as fast as humanly possible.

Customer Case Study: A Successful Ransomware Penetration Recovery
A small business sought out Progent after their network was taken down by Ryuk crypto-ransomware. Early reporting attributed Ryuk to North Korean state-sponsored hackers because it shares code with the Hermes ransomware; later analysis tied it to a Russian-speaking criminal group. Ryuk is deployed in targeted, human-operated intrusions against organizations that have little or no tolerance for operational disruption, and it is among the most profitable ransomware families. Publicly reported victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing company based in Chicago with about 500 staff members. The Ryuk attack had disabled all essential business operations and manufacturing capabilities. Most of the client's backups had been online when the attack began and were destroyed along with the production data. The client considered paying the ransom (more than $200K) and hoping for the best, but ultimately engaged Progent.


"I cannot speak enough in regards to the help Progent provided us throughout the most fearful period of (our) company's survival. We may have had to pay the Hackers if it wasn't for the confidence the Progent experts provided us. That you could get our messaging and important servers back online faster than 1 week was incredible. Every single person I spoke to or e-mailed at Progent was amazingly focused on getting us working again and was working all day and night on our behalf."

Progent worked together with the customer to quickly identify and assign priority to the essential elements that needed to be restored in order to resume departmental functions:

  • Active Directory (AD)
  • Email
  • MRP System
To start, Progent followed incident-response best practice by stopping lateral movement (isolating infected hosts and the affected network segments) and cleaning compromised systems. Progent then set about bringing Microsoft Active Directory back online, the heart of enterprise systems built on Windows Server. Exchange will not work without AD, and the client's financials and MRP applications ran on Microsoft SQL Server, which relied on Active Directory for authentication.

In less than two days, Progent was able to restore Active Directory to its pre-intrusion state. Progent then rebuilt the required servers and recovered their storage. All Exchange Server configuration and connection settings were usable, which greatly simplified the restore of Exchange. Progent was also able to locate unencrypted OST files (Outlook Offline Folder Files) on staff PCs and laptops and used them to recover mailbox data. A reasonably recent offline backup of the client's financials/ERP software made it possible to return these vital applications to users. Although a great deal of work remained to recover completely from the Ryuk attack, essential services were restored quickly:
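Recovering mail from OST files on workstations, as described above, only works for files the encryptor never touched, so the first step is to triage every Outlook data file on every machine. The script below is an added example, not Progent's code or part of the original page. It classifies files by two signals: the `!BDN` magic that the published MS-PST format places at offset 0 of every PST/OST file, and the extension appended by the encryptor (`.RYK` is Ryuk's; the other extensions in the list, the directory layout and the sample files built by `make_sample_tree()` are assumptions made for this example).

```python
"""Triage Outlook data files (.ost/.pst) after a ransomware event.

Added example, not Progent's code. A file is 'intact' only if it still
carries the Outlook data-file signature ('!BDN', dwMagic 0x4E444221 in the
MS-PST specification). Files renamed with an encryptor extension or whose
header no longer matches are reported separately so responders know what
is worth copying to the recovery server. Sample tree and extension list
beyond .RYK are constructed for this example.
"""
import tempfile
from pathlib import Path

OUTLOOK_MAGIC = b"!BDN"          # first four bytes of every PST/OST file
OUTLOOK_EXTS = {".ost", ".pst"}
# .RYK is the extension Ryuk appends; the others are illustrative placeholders.
RANSOM_EXTS = {".ryk", ".encrypted", ".locked"}


def classify_file(path: Path) -> str:
    """Return 'intact', 'renamed', 'encrypted' or 'not_outlook' for one file."""
    suffixes = [s.lower() for s in path.suffixes]
    # archive.pst.RYK: Outlook file renamed by the encryptor, nothing to read.
    if len(suffixes) >= 2 and suffixes[-1] in RANSOM_EXTS and suffixes[-2] in OUTLOOK_EXTS:
        return "renamed"
    if path.suffix.lower() not in OUTLOOK_EXTS:
        return "not_outlook"
    with path.open("rb") as fh:
        head = fh.read(len(OUTLOOK_MAGIC))
    # Extension kept but header overwritten: encrypted in place.
    return "intact" if head == OUTLOOK_MAGIC else "encrypted"


def triage_tree(root: Path) -> dict:
    """Walk a mounted disk or share and bucket every Outlook data file."""
    results = {"intact": [], "renamed": [], "encrypted": []}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        kind = classify_file(p)
        if kind in results:
            results[kind].append(p.relative_to(root).as_posix())
    for bucket in results.values():
        bucket.sort()
    return results


def make_sample_tree(root: Path) -> None:
    """Constructed sample: one intact OST, one OST encrypted in place,
    one PST renamed with Ryuk's extension, and an unrelated document."""
    alice = root / "users/alice/AppData/Local/Microsoft/Outlook"
    bob = root / "users/bob/AppData/Local/Microsoft/Outlook"
    alice.mkdir(parents=True)
    bob.mkdir(parents=True)
    (alice / "alice.ost").write_bytes(OUTLOOK_MAGIC + b"\x00" * 508)
    (bob / "bob.ost").write_bytes(b"\x9f\x3a\x77\x11" + b"\x00" * 508)
    (bob / "archive.pst.RYK").write_bytes(b"\x00" * 512)
    (root / "users/alice/report.docx").write_bytes(b"PK\x03\x04")


def run_demo() -> dict:
    """Build the constructed tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_tree(root)
        return triage_tree(root)


if __name__ == "__main__":
    for kind, files in run_demo().items():
        print(f"{kind}:")
        for f in files:
            print("   ", f)
```

In a real engagement the `root` would be each workstation's admin share or a forensic image mount, and only the `intact` bucket is copied off for mailbox reconstruction; a header check is cheap enough to run across hundreds of machines before anyone spends time opening files in Outlook.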


"For the most part, the production operation showed little impact and we delivered all customer shipments."

Over the following weeks, important milestones in the restoration process were reached through close collaboration between Progent engineers and the client:

  • Self-hosted web sites were restored with no loss of data.
  • The MailStore archive server for Exchange, holding over four million historical messages, was returned to operation and made accessible to users.
  • CRM, product ordering, invoicing, accounts payable (AP), accounts receivable (AR) and inventory capabilities were 100 percent recovered.
  • A new Palo Alto Networks PA-850 firewall was brought online.
  • Most user desktops and laptops were back in service.

"So much of what went on in the early hours is nearly entirely a fog for me, but my management will not soon forget the countless hours each of the team accomplished to help get our business back. I've entrusted Progent for the past ten years, maybe more, and every time I needed help Progent has shined and delivered as promised. This situation was no exception but maybe more Herculean."

Conclusion
A likely business-ending disaster was averted through the efforts of top-tier experts, a broad range of subject-matter expertise, and tight teamwork. Although in hindsight the incident described here should have been blocked by modern security tooling and practices, staff training, and sound procedures for offline backups and timely patching, the fact remains that criminal and state-sponsored cyber gangs from Russia, China and elsewhere are tireless and are not going away. If you are hit by ransomware, remember that Progent's roster of professionals has proven experience in ransomware defense, removal, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were contributing), thank you for making it so I could get some sleep after we got past the first week. All of you did a fabulous effort, and if anyone that helped is in the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Reston a variety of online monitoring and security assessment services to help you to minimize the threat from crypto-ransomware. These services utilize next-generation artificial intelligence technology to detect new strains of crypto-ransomware that are able to evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that uses next-generation behavioral machine learning to guard physical and virtual endpoints against new malware such as ransomware and fileless attacks, which routinely evade traditional signature-based anti-virus products. ProSight ASM safeguards on-premises and cloud resources and offers a single platform to manage the complete threat lifecycle: prevention, intrusion detection, containment, remediation, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copies (provided the shadow copies survive the attack, which is why ransomware tries to delete them first) and real-time system-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer protection for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring of and response to security threats from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge tools incorporated within one agent and managed from a single console. Progent's security and virtualization experts can help you plan and configure a ProSight ESP deployment that addresses your company's specific needs and helps you demonstrate compliance with legal and industry information protection regulations. Progent will help you specify and configure the security policies that ProSight ESP enforces, and Progent will monitor your network and respond to alerts that require immediate action. Progent can also help you set up and test a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business quickly after a potentially disastrous attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized businesses an affordable end-to-end solution for reliable backup and disaster recovery. Available at a fixed monthly rate, ProSight DPS automates and monitors your backup activities and allows rapid restoration of critical files, applications and virtual machines that have become unavailable or damaged as a result of component failures, software glitches, natural disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to a local storage device, or mirrored to both. Progent's BDR specialists can provide world-class support to set up ProSight Data Protection Services to comply with regulatory standards like HIPAA, FIRPA, and PCI and, whenever needed, can help you restore your critical data. Read more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top information security vendors to deliver centralized management and world-class security for all your email traffic. The architecture of Progent's Email Guard combines a Cloud Protection Layer with a local security gateway appliance to offer advanced defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-based threats. The Cloud Protection Layer serves as a first barrier and blocks most threats before they reach your security perimeter. This reduces your exposure to external attacks and saves bandwidth and storage. Email Guard's on-premises gateway appliance adds a further level of analysis for inbound email. For outgoing email, the local security gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Microsoft Exchange Server track and safeguard internal email that stays within your security perimeter. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to map, track, optimize and troubleshoot their networking appliances like routers, firewalls, and load balancers as well as servers, printers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology diagrams are kept current, copies and displays the configuration information of virtually all devices on your network, monitors performance, and sends notices when issues are detected. By automating time-consuming management processes, ProSight WAN Watch can knock hours off ordinary tasks such as making network diagrams, reconfiguring your network, locating appliances that require important updates, or resolving performance issues. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management technology to keep your IT system running efficiently by checking the health of the critical assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your designated IT management personnel and your assigned Progent engineering consultant so that potential problems can be addressed before they impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host configured and maintained by Progent's network support experts. Under the ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the apps. Because the system is virtualized, it can be ported immediately to a different hosting environment without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, find and protect data related to your IT infrastructure, procedures, business applications, and services. You can instantly find passwords or IP addresses and be alerted about impending expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT documentation, you can save as much as half the time wasted looking for critical information about your IT network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're planning improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you require when you need it. Learn more about Progent's ProSight IT Asset Management service.
For Reston 24/7 Crypto-Ransomware Recovery Help, call Progent at 800-993-9400 or go to Contact Progent.