Crypto-Ransomware : Your Feared Information Technology Disaster
Crypto-ransomware has become an escalating cyberplague that presents an existential danger for businesses of all sizes vulnerable to an assault. Different iterations of ransomware such as Reveton, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for years and still inflict havoc. Recent versions of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Egregor, plus daily as-yet-unnamed variants, not only encrypt on-line data files but also infiltrate any configured system backup. Information synchronized to cloud environments can also be corrupted. In a vulnerable environment, this can make any restoration impossible and effectively sets the entire system back to zero.
Recovering applications and data after a crypto-ransomware attack becomes a race against the clock as the targeted business struggles to stop lateral movement, remove the ransomware, and restore business-critical activity. Because crypto-ransomware requires time to spread, assaults are usually sprung during weekends and nights, when successful attacks typically take longer to uncover. This compounds the difficulty of quickly marshalling and coordinating a qualified response team.
Progent makes available a range of solutions for protecting enterprises from ransomware attacks. These include team training to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of modern security appliances with artificial intelligence technology to quickly detect and extinguish zero-day cyber attacks. Progent in addition offers the assistance of veteran ransomware recovery consultants with the talent and commitment to re-deploy a breached system as rapidly as possible.
Progent's Ransomware Recovery Support Services
Subsequent to a ransomware event, sending the ransom in cryptocurrency does not guarantee that cyber criminals will provide the keys to decipher any or all of your data. Kaspersky Labs estimated that 17% of ransomware victims never restored their files even after having paid the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the average crypto-ransomware demand, which ZDNET estimates to be around $13,000. The alternative is to piece back together the key parts of your Information Technology environment. Without the availability of essential data backups, this calls for a broad complement of skill sets, top-notch team management, and the ability to work continuously until the recovery project is done.
For decades, Progent has made available expert Information Technology services for companies in Spartanburg and across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have been awarded advanced industry certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have garnered internationally-renowned industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has expertise with financial management and ERP application software. This breadth of expertise affords Progent the capability to quickly identify critical systems, organize the remaining components of your computer network following a crypto-ransomware event, and configure them into a functioning system.
Progent's ransomware team deploys powerful project management applications to orchestrate the complex restoration process. Progent knows the urgency of acting rapidly and in unison with a customer's management and IT resources to prioritize tasks and to get key services back on-line as fast as possible.
Case Study: A Successful Ransomware Intrusion Response
A customer engaged Progent after their network was brought down by Ryuk crypto-ransomware. Ryuk is believed to have been created by North Korean state-sponsored criminal gangs, possibly adopting strategies leaked from America's National Security Agency. Ryuk attacks specific businesses with little or no tolerance for disruption and is among the most profitable instances of crypto-ransomware. Major victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer headquartered in the Chicago metro area with about 500 workers. The Ryuk attack had disabled all company operations and manufacturing processes. Most of the client's backups had been on-line at the beginning of the attack and were encrypted. The client considered paying the ransom demand (in excess of $200K) and hoping for the best, but ultimately reached out to Progent.
"I cannot speak enough about the help Progent gave us during the most critical time of (our) company's life. We most likely would have paid the criminal gangs except for the confidence the Progent experts provided us. That you could get our e-mail and key applications back into operation in less than seven days was earth shattering. Each consultant I talked with or communicated with at Progent was absolutely committed to getting us back online and was working all day and night on our behalf."
Progent worked hand in hand with the client to rapidly identify and prioritize the critical systems that had to be recovered before business operations could resume:
To begin, Progent adhered to anti-virus and malware incident response best practices by stopping lateral movement and performing malware removal steps. Progent then began the work of bringing back online Microsoft Active Directory, the heart of enterprise systems built on Microsoft technology. Microsoft Exchange Server messaging will not function without Active Directory, and the customer's MRP software utilized Microsoft SQL Server, which requires Active Directory services to authorize access to the data.
- Microsoft Active Directory
- Microsoft Exchange Server
Within two days, Progent was able to recover Active Directory to its pre-intrusion state. Progent then completed reinstallations and storage recovery of needed servers. All Microsoft Exchange Server data and configuration information were intact, which facilitated the rebuild of Exchange. Progent was able to collect non-encrypted OST files (Outlook Off-Line Data Files) from staff PCs in order to recover mail messages. A relatively recent offline backup of the customer's manufacturing systems made it possible to bring these vital applications back online. Although significant work remained to recover completely from the Ryuk event, the most important systems were returned to operation quickly:
"For the most part, the manufacturing operation survived unscathed and we produced all customer shipments."
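The OST-collection step described above hinges on telling which offline mailbox caches on workstations are still readable. As an added example (not Progent's tooling), this triage helper walks a directory tree, finds candidate .ost files, including ones renamed by an appended extension, and checks each for the PST/OST file signature, assumed here to be the 4 bytes "!BDN" at offset 0, which an in-place encrypted file will no longer carry; the sample tree it builds is constructed for the demonstration.

```python
"""Triage helper: locate Outlook offline data files (.ost) under a directory
tree and report whether each still carries the PST/OST file signature, so
intact mailbox caches can be collected for message recovery.
Added example, not Progent's code. Assumption: an intact OST/PST file starts
with the 4-byte signature b"!BDN"; a file encrypted in place will not.
"""
import os
import tempfile
from pathlib import Path

OST_SIGNATURE = b"!BDN"  # magic bytes at offset 0 of PST/OST files (assumed)


def classify_ost(path):
    """Return 'intact', 'damaged', or 'unreadable' for one candidate file."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(OST_SIGNATURE))
    except OSError:
        return "unreadable"
    return "intact" if head == OST_SIGNATURE else "damaged"


def find_ost_files(root):
    """Yield files whose name contains '.ost'; this also catches files that
    ransomware renamed by appending an extension (e.g. 'mailbox.ost.locked')."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if ".ost" in name.lower():
                yield Path(dirpath) / name


def triage_ost_files(root):
    """Map each candidate OST path to its classification and size in bytes."""
    report = {}
    for path in find_ost_files(root):
        report[str(path)] = {"status": classify_ost(path), "size": path.stat().st_size}
    return report


def build_sample_tree():
    """Constructed sample data: one intact OST, one OST overwritten in place,
    one renamed OST with garbage content, one unrelated file. Returns the root."""
    root = Path(tempfile.mkdtemp(prefix="ost_triage_"))
    (root / "alice").mkdir()
    (root / "alice" / "alice@example.com.ost").write_bytes(OST_SIGNATURE + b"\x00" * 60)
    (root / "bob").mkdir()
    (root / "bob" / "bob@example.com.ost").write_bytes(bytes(range(64)))
    (root / "bob" / "old.ost.locked").write_bytes(b"\xff" * 64)
    (root / "bob" / "notes.txt").write_text("unrelated")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, info in sorted(triage_ost_files(sample).items()):
        print(f"{info['status']:10} {info['size']:6d}  {path}")
```

Point it at a mounted workstation image or a collected file share to get a list of which caches are worth copying before any reimaging begins.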
Throughout the following couple of weeks key milestones in the restoration process were accomplished through tight cooperation between Progent engineers and the client:
- In-house web applications were returned to operation with no loss of information.
- The MailStore Microsoft Exchange Server containing more than four million archived messages was brought on-line and available for users.
- CRM/Product Ordering/Invoicing/AP/AR/Inventory functions were 100% operational.
- A new Palo Alto 850 firewall was set up.
- Most of the desktops and laptops were fully operational.
"A lot of what happened in the initial days is nearly entirely a fog for me, but I will not forget the countless hours each of your team accomplished to help get our company back. I have entrusted Progent for the past 10 years, maybe more, and every time I needed help Progent has come through and delivered as promised. This time was a life saver."
A possible enterprise-killing disaster was averted with hard-working professionals, a broad array of IT skills, and tight collaboration. Forensics showed that the ransomware penetration described here should have been shut down by modern security solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team training, well-designed procedures for information protection, and keeping systems up to date with security patches. The fact remains, however, that government-sponsored cyber criminals from Russia, China and elsewhere are relentless and are an ongoing threat. If you do fall victim to a crypto-ransomware incursion, remember that Progent's team of experts has substantial experience in ransomware defense, remediation, and data recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for making it so I could get some sleep after we made it over the initial push. Everyone did an incredible effort, and if any of your team is around the Chicago area, dinner is on me!"
To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Spartanburg a variety of remote monitoring and security evaluation services designed to assist you to reduce your vulnerability to ransomware. These services incorporate next-generation AI technology to uncover zero-day strains of crypto-ransomware that can evade traditional signature-based anti-virus solutions.
For Spartanburg 24x7x365 Crypto Cleanup Help, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes cutting edge behavior machine learning tools to guard physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which routinely escape traditional signature-matching AV tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a single platform to address the entire malware attack lifecycle including blocking, infiltration detection, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
ProSight Enhanced Security Protection services deliver ultra-affordable in-depth protection for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and responding to security threats from all vectors. ProSight ESP offers two-way firewall protection, penetration alerts, endpoint management, and web filtering through leading-edge tools incorporated within one agent managed from a single console. Progent's security and virtualization consultants can assist you to design and configure a ProSight ESP environment that meets your company's specific needs and that helps you prove compliance with legal and industry data security regulations. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that require urgent action. Progent's consultants can also assist you to set up and verify a backup and restore solution such as ProSight Data Protection Services so you can recover quickly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent provide small and medium-sized organizations a low-cost end-to-end service for secure backup/disaster recovery (BDR). Available at a low monthly rate, ProSight DPS automates your backup processes and allows fast restoration of vital files, applications and VMs that have become unavailable or corrupted as a result of hardware breakdowns, software glitches, disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, as well as Hyper-V and VMware virtual machine images. Critical data can be protected in the cloud, on an on-premises device, or mirrored to both. Progent's backup and recovery consultants can deliver advanced expertise to configure ProSight DPS to comply with regulatory requirements like HIPAA, FIRPA, PCI and Safe Harbor and, when necessary, can help you to restore your business-critical data. Read more about ProSight Data Protection Services Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading data security companies to provide centralized management and comprehensive security for your inbound and outbound email. The powerful architecture of Email Guard managed service integrates cloud-based filtering with an on-premises gateway appliance to provide complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne malware. The cloud filter acts as a preliminary barricade and keeps most threats from reaching your security perimeter. This reduces your vulnerability to inbound threats and conserves system bandwidth and storage space. Email Guard's onsite security gateway device adds a deeper layer of analysis for incoming email. For outbound email, the on-premises security gateway provides AV and anti-spam filtering, DLP, and email encryption. The local security gateway can also assist Exchange Server to track and protect internal email that stays within your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to map, monitor, reconfigure and troubleshoot their connectivity hardware such as routers, firewalls, and wireless controllers plus servers, printers, endpoints and other devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch makes sure that network diagrams are always updated, copies and manages the configuration of almost all devices connected to your network, tracks performance, and sends notices when potential issues are detected. By automating tedious management activities, WAN Watch can knock hours off common tasks such as network mapping, reconfiguring your network, locating devices that require important updates, or identifying the cause of performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management technology to help keep your IT system running efficiently by checking the state of vital assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your specified IT management personnel and your assigned Progent consultant so any looming problems can be resolved before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual host set up and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the OS software, and the applications. Because the environment is virtualized, it can be ported easily to a different hardware solution without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and safeguard data related to your IT infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates, domains or warranties. By updating and organizing your network documentation, you can eliminate as much as 50% of time spent looking for vital information about your IT network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents related to managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT information. Whether you're planning improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.