Crypto-Ransomware : Your Crippling Information Technology Disaster
Crypto-ransomware has become an all-too-frequent cyberplague that poses an enterprise-level threat to any business vulnerable to an attack. Families such as Reveton, WannaCry, Bad Rabbit, NotPetya and MongoLock have been circulating for years and still inflict damage. More recent strains such as Ryuk and Hermes, along with a steady stream of unnamed newcomers, not only encrypt critical on-line data but also hunt down and encrypt or disable whatever backups and system protection mechanisms are reachable from the compromised network. Data synchronized to off-site disaster recovery sites can be corrupted as well. With a vulnerable data protection design, this can make restoration impossible and effectively sets the datacenter back to zero.
Getting programs and data back after a ransomware event becomes a race against time as the victim works to contain and remove the crypto-ransomware and resume mission-critical activity. Because the attackers need time to move laterally and encrypt as much as possible before anyone notices, attacks are usually sprung on weekends or holidays, when detection and response take longer. This multiplies the difficulty of promptly mobilizing and coordinating a knowledgeable response team.
Progent offers a variety of support services for protecting enterprises from crypto-ransomware attacks. Among these are team training to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of modern security appliances with AI technology to intelligently detect and suppress zero-day cyber threats. Progent in addition can provide the assistance of experienced ransomware recovery professionals with the skills and commitment to reconstruct a breached network as urgently as possible.
Progent's Crypto-Ransomware Restoration Help
After a crypto-ransomware attack, paying the ransom demand in Bitcoin does not ensure that the criminal gang will hand over the keys needed to decrypt all your information. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their data after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the typical crypto-ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the essential parts of your Information Technology environment. Without access to intact backups, this requires a wide range of IT skills, top-notch team management, and the willingness to work non-stop until the job is done.
For twenty years, Progent has provided expert IT services for companies in Saddle Brook and across the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have earned high-level industry certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally-renowned certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications). Progent also has expertise in financial management and ERP application software. This breadth of expertise gives Progent the skills to quickly identify the critical systems, salvage what remains of your network after a ransomware penetration, and assemble the pieces into a functioning environment.
Progent's recovery group uses best-of-breed project management tools to coordinate the complicated recovery process. Progent knows the importance of acting quickly and in unison with a customer's management and IT staff to assign priority to tasks and to get key applications back on line as soon as humanly possible.
Customer Story: A Successful Ransomware Intrusion Restoration
A business hired Progent after their company was taken over by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored hackers because it shares code with the earlier Hermes ransomware; later analysis attributed it to a Russian-speaking criminal group. Ryuk targets specific businesses with little tolerance for operational disruption and is one of the most lucrative ransomware families in circulation. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business located in the Chicago metro area with about 500 staff members. The Ryuk intrusion had frozen all business operations and manufacturing capabilities. Most of the client's system backups were directly accessible from the network at the start of the attack and were eventually encrypted. The client was actively seeking loans to pay the ransom (in excess of $200K) and hoping for the best, but ultimately brought in Progent.
"I can't thank you enough for the expertise Progent provided us during the most stressful time of (our) company's survival. We most likely would have paid the cyber criminals behind the attack except for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail system and critical applications back into operation in less than a week was beyond my wildest dreams. Every single consultant I got help from or texted at Progent was totally committed to getting our company operational and was working day and night to bail us out."
Progent worked hand in hand with the customer to quickly assess and assign priority to the critical services that had to be recovered before company functions could resume:
To begin, Progent followed ransomware incident mitigation best practices by stopping the spread and cleaning up compromised systems. Progent then began the task of restoring Active Directory, the heart of enterprise systems built on Microsoft technology. Microsoft Exchange messaging will not function without Active Directory, and the business's accounting and MRP system ran on Microsoft SQL Server, which depends on Windows AD for authentication.
- Windows Active Directory
- MRP System
Within 2 days, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then charged ahead with reinstallations and hard drive recovery of needed systems. All Microsoft Exchange Server ties and attributes were intact, which greatly helped the rebuild of Exchange. Progent was also able to locate intact OST data files (Microsoft Outlook Offline Data Files) on team PCs and laptops and use them to recover mail data. A recent off-line backup of the customer's financials/MRP software made it possible to bring these required services back on-line. Although major work remained to recover completely from Ryuk, essential services were returned to operation rapidly:
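The OST salvage step described above, as an added triage script that is not Progent's tooling and not code from the original page: it walks a mounted workstation drive, finds Outlook .ost/.pst files and separates likely-intact files from encrypted ones using two heuristics, the 4-byte "!BDN" signature that Outlook's PFF file format begins with and the near-8-bits-per-byte entropy that ciphertext exhibits. The entropy threshold, the sample size, the extension list, the directory layout and the constructed sample files are assumptions; a ransomware family that renames files needs the extension list extended, and any file flagged intact still has to be opened in Outlook (or a PST repair tool) to confirm it is usable.

```python
import math
import os
import tempfile

# Outlook OST/PST files (PFF format) begin with the 4-byte signature "!BDN".
PFF_MAGIC = b"!BDN"
# Assumptions for this example: how much of the file head to sample, the entropy
# above which we treat data as ciphertext, and which extensions count as mailboxes.
SAMPLE_BYTES = 4096
ENTROPY_THRESHOLD = 7.5          # bits per byte; random-looking data scores close to 8.0
EXTENSIONS = (".ost", ".pst")    # extend this if the attacker appended an extension


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the buffer in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_head(head: bytes) -> str:
    """'intact' only if the PFF signature is present AND the head is not ciphertext-like."""
    if head.startswith(PFF_MAGIC) and shannon_entropy(head) < ENTROPY_THRESHOLD:
        return "intact"
    return "encrypted"


def classify_ost(path: str) -> str:
    """Classify one mailbox file by reading its head; unreadable files are reported, not skipped."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(SAMPLE_BYTES)
    except OSError:
        return "unreadable"
    return classify_head(head)


def find_recoverable_ost(root: str) -> dict:
    """Walk root and bucket every mailbox file into intact / encrypted / unreadable."""
    buckets = {"intact": [], "encrypted": [], "unreadable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXTENSIONS):
                path = os.path.join(dirpath, name)
                buckets[classify_ost(path)].append(path)
    return buckets


def demo() -> dict:
    """Build a constructed sample tree (not real customer data) and triage it."""
    root = tempfile.mkdtemp(prefix="ost_triage_")
    outlook_dir = os.path.join(root, "Users", "alice", "AppData", "Local", "Microsoft", "Outlook")
    os.makedirs(outlook_dir)
    # Stand-in for an intact file: valid signature followed by mostly-zero header padding.
    with open(os.path.join(outlook_dir, "alice@example.com.ost"), "wb") as fh:
        fh.write(PFF_MAGIC + b"\x00" * 8188)
    # Stand-in for an encrypted file: signature gone, contents indistinguishable from random.
    with open(os.path.join(outlook_dir, "archive.pst"), "wb") as fh:
        fh.write(os.urandom(8192))
    # An unrelated file the walker must ignore.
    with open(os.path.join(outlook_dir, "readme.txt"), "wb") as fh:
        fh.write(b"not a mailbox")
    buckets = find_recoverable_ost(root)
    return {k: sorted(os.path.basename(p) for p in v) for k, v in buckets.items()}


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(f"{bucket}: {names}")
```

Run it against a mounted image or a mapped workstation drive by calling `find_recoverable_ost(r"E:\")`; copy the "intact" list to a clean collection share before anyone opens the files, so that a second encryption pass cannot destroy the only surviving mailbox copies.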
"For the most part, the assembly line operation was never shut down and we did not miss any customer orders."
Throughout the next month critical milestones in the recovery process were completed through tight cooperation between Progent team members and the client:
- Self-hosted web applications were brought back up with no loss of data.
- The MailStore Exchange Server with over four million historical messages was spun up and accessible to users.
- CRM/Customer Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory modules were 100 percent restored.
- A new Palo Alto 850 firewall was installed and configured.
- Nearly all of the desktop computers were fully operational.
"So much of what happened in the initial days is nearly entirely a blur for me, but my team will not forget the urgency each and every one of the team accomplished to give us our business back. I have been working together with Progent for the past ten years, maybe more, and every time Progent has outperformed my expectations and delivered as promised. This situation was a testament to your capabilities."
A likely enterprise-killing catastrophe was avoided through the efforts of top-tier professionals, a broad range of technical expertise, and tight teamwork. Although in post mortem the crypto-ransomware penetration detailed here would have been identified and stopped by modern cyber security solutions and best practices, team training, properly executed data protection procedures, and systems kept current with security patches, the fact is that state-sponsored and criminal cyber gangs from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a crypto-ransomware attack, remember that Progent's team of experts has a proven track record in ransomware defense, removal, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were involved), thanks very much for allowing me to get some sleep after we got past the initial fire. All of you did an incredible job, and if any of your team is in the Chicago area, dinner is on me!"
To read or download a PDF version of this customer story, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Saddle Brook a variety of remote monitoring and security evaluation services designed to assist you to minimize your vulnerability to crypto-ransomware. These services utilize next-generation artificial intelligence technology to uncover zero-day strains of ransomware that can evade legacy signature-based security products.
For 24/7/365 Saddle Brook Crypto Repair Consulting, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes cutting edge behavior analysis tools to defend physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which routinely escape legacy signature-matching anti-virus products. ProSight ASM safeguards on-premises and cloud-based resources and provides a unified platform to automate the complete threat progression including protection, infiltration detection, mitigation, cleanup, and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection services offer ultra-affordable multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and reacting to cyber assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, device control, and web filtering through leading-edge technologies incorporated within one agent accessible from a single control. Progent's security and virtualization experts can assist you to design and implement a ProSight ESP deployment that meets your company's unique needs and that helps you achieve and demonstrate compliance with legal and industry information security regulations. Progent will assist you specify and implement policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that require urgent attention. Progent's consultants can also help you to set up and test a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent offer small and medium-sized businesses a low cost end-to-end service for secure backup/disaster recovery (BDR). Available at a low monthly price, ProSight Data Protection Services automates and monitors your backup activities and enables rapid recovery of critical files, applications and VMs that have become lost or damaged due to hardware failures, software bugs, disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, plus Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to a local device, or mirrored to both. Progent's cloud backup specialists can provide advanced expertise to configure ProSight DPS to comply with regulatory standards such as HIPAA, FERPA, PCI and Safe Harbor and, when necessary, can help you to restore your critical information. Learn more about ProSight Data Protection Services Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top information security vendors to provide web-based management and world-class protection for all your email traffic. The powerful architecture of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises gateway appliance to provide advanced defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne malware. The Cloud Protection Layer serves as a first line of defense and blocks most unwanted email before it reaches your network firewall. This reduces your exposure to inbound attacks and conserves bandwidth and storage space. Email Guard's on-premises gateway device adds a deeper level of inspection for incoming email. For outbound email, the local security gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also assist Exchange Server to monitor and protect internal email traffic that originates and ends inside your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized organizations to map, track, enhance and troubleshoot their connectivity hardware like switches, firewalls, and wireless controllers as well as servers, endpoints and other devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch makes sure that network maps are always current, copies and displays the configuration information of virtually all devices connected to your network, tracks performance, and sends notices when potential issues are discovered. By automating complex management and troubleshooting processes, ProSight WAN Watch can knock hours off ordinary tasks such as network mapping, reconfiguring your network, finding devices that need important software patches, or identifying the cause of performance issues. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your network operating efficiently by tracking the health of critical assets that power your business network. When ProSight LAN Watch detects an issue, an alert is sent automatically to your designated IT management staff and your Progent consultant so any looming issues can be resolved before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure Tier III data center on a fast virtual machine host configured and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved immediately to a different hardware solution without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and protect information about your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or warranties. By updating and organizing your IT infrastructure documentation, you can save as much as half of the time spent searching for vital information about your IT network. ProSight IT Asset Management features a common location for holding and collaborating on all documents required for managing your business network, such as recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether you're planning improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.