Crypto-Ransomware : Your Feared IT Disaster
Crypto-Ransomware Remediation Professionals

Ransomware has become a modern cyber pandemic that presents an extinction-level danger for businesses vulnerable to an attack. Versions of crypto-ransomware like the Reveton, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for years and continue to cause havoc. Modern strains of ransomware such as Ryuk and Hermes, as well as daily unnamed malware, not only encrypt online data but also infiltrate any system backups they can reach. Data replicated to the cloud can also be encrypted. In a poorly designed system, this can render automated restore operations useless and effectively knock the datacenter back to zero.

Recovering programs and data following a ransomware intrusion becomes a race against the clock as the targeted business struggles to contain and clear the crypto-ransomware and to restore business-critical activity. Because crypto-ransomware requires time to move laterally, attacks are often launched on weekends and holidays, when a penetration may take longer to notice. This compounds the difficulty of quickly marshalling and coordinating an experienced mitigation team.

Progent offers a range of services for securing organizations against ransomware penetrations. Among these are staff training to help employees recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of the latest generation of security solutions with artificial intelligence technology to identify and disable zero-day threats. Progent can also provide the assistance of experienced crypto-ransomware recovery engineers with the talent and perseverance to re-deploy a compromised system as urgently as possible.

Progent's Ransomware Restoration Services
Following a crypto-ransomware penetration, sending the ransom in cryptocurrency does not ensure that the attackers will provide the keys to decrypt any of your files. Kaspersky determined that 17% of crypto-ransomware victims never recovered their data even after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the usual ransomware demand, which ZDNet puts at around $13,000 on average. The alternative is to set up the critical elements of your Information Technology environment from scratch. Without access to complete data backups, this requires a broad complement of IT skills, professional team management, and the capability to work 24x7 until the task is done.

For two decades, Progent has offered certified expert IT services for companies in Spartanburg and throughout the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have earned advanced industry certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have earned internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience in financial systems and ERP application software. This breadth of experience gives Progent the capability to efficiently identify critical systems, re-organize the remaining pieces of your computer network environment after a crypto-ransomware penetration, and assemble them into an operational network.

Progent's recovery group utilizes powerful project management tools to orchestrate the sophisticated recovery process. Progent knows the importance of acting swiftly and in unison with a client's management and IT team members to assign priority to tasks and to put essential systems back online as fast as possible.

Customer Case Study: A Successful Crypto-Ransomware Attack Restoration
A small business hired Progent after their organization was brought down by the Ryuk crypto-ransomware. Ryuk is believed to have been created by North Korean government-sponsored hackers, possibly adopting techniques leaked from America's NSA. Ryuk targets specific companies with little ability to sustain disruption and is among the most profitable instances of ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer located in the Chicago metro area with about 500 employees. The Ryuk intrusion had frozen all business operations and manufacturing capabilities. The majority of the client's system backups had been directly accessible at the beginning of the intrusion and were encrypted. The client was actively seeking loans to pay the ransom demand (exceeding $200K) and hoping for the best, but ultimately engaged Progent instead.


"I cannot tell you enough in regards to the expertise Progent gave us throughout the most fearful time of (our) company's existence. We had little choice but to pay the cyber criminals behind the attack if not for the confidence the Progent experts provided us. The fact that you could get our e-mail and essential servers back online in less than 1 week was something I thought impossible. Every single person I interacted with or communicated with at Progent was hell bent on getting us operational and was working 24 by 7 to bail us out."

Progent worked together with the customer to quickly determine and assign priority to the mission critical elements that needed to be addressed to make it possible to continue departmental functions:

  • Windows Active Directory
  • E-Mail
  • Accounting and Manufacturing Software

To begin, Progent adhered to industry best practices for ransomware penetration mitigation by halting the spread and cleaning up compromised systems. Progent then began rebuilding Windows Active Directory, the heart of enterprise environments built on Microsoft Windows technology. Exchange messaging will not operate without AD, and the client's financial and MRP software used SQL Server, which relied on Active Directory for authentication to the data.

In less than two days, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then helped perform reinstallations and hard drive recovery of needed servers. All Exchange Server ties and configuration information were intact, which facilitated the restore of Exchange. Progent was also able to collect non-encrypted OST files (Outlook Offline Data Files) from various PCs and laptops in order to recover email information. A recent offline backup of the business's accounting systems made it possible to bring these required programs back online for users. Although significant work remained to recover fully from the Ryuk event, core services were recovered rapidly:


"For the most part, the manufacturing operation showed little impact and we delivered all customer sales."

Throughout the following few weeks, important milestones in the restoration project were accomplished in tight collaboration between Progent team members and the client:

  • In-house web applications were returned to operation with no loss of information.
  • The MailStore Exchange Server containing more than four million historical messages was brought on-line and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory Control modules were 100 percent restored.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Ninety percent of the user PCs were back into operation.

"So much of what was accomplished that first week is nearly entirely a blur for me, but we will not forget the care all of you put in to help get our company back. I have utilized Progent for at least 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This situation was no exception but maybe more Herculean."

Conclusion
A probable business-ending catastrophe was avoided thanks to hard-working professionals, a broad array of technical expertise, and tight collaboration. Although in hindsight the ransomware penetration described here would have been blocked by advanced security technology and recognized best practices, team education, well-designed security procedures for information protection, and keeping systems up to date with security patches, the fact remains that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and an ongoing threat. If you do get hit by crypto-ransomware, be assured that Progent's roster of professionals has proven experience in ransomware blocking, mitigation, and file restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), I'm grateful for allowing me to get rested after we got through the most critical parts. Everyone did an incredible effort, and if any of your team is visiting the Chicago area, a great meal is the least I can do!"

A PDF version of this customer case study is available: Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Spartanburg a portfolio of remote monitoring and security evaluation services to help you reduce the threat from ransomware. These services utilize next-generation machine learning capability to uncover new variants of ransomware that are able to evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that utilizes next-generation behavior analysis tools to defend physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which routinely get past traditional signature-based AV products. ProSight ASM protects on-premises and cloud-based resources and provides a single platform to address the complete threat lifecycle including blocking, detection, mitigation, cleanup, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection managed services deliver affordable in-depth security for physical servers and VMs, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis to continuously monitor and respond to security attacks from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device management, and web filtering via cutting-edge technologies packaged within a single agent accessible from a single console. Progent's security and virtualization experts can help you plan and implement a ProSight ESP environment that meets your company's specific needs and that allows you to achieve and demonstrate compliance with legal and industry data security regulations. Progent will help you specify and implement the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for urgent action. Progent's consultants can also help your company set up and test a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business rapidly after a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized organizations an affordable and fully managed service for secure backup and disaster recovery. For a fixed monthly price, ProSight Data Protection Services automates and monitors your backup activities and enables rapid recovery of vital data, applications and virtual machines that have become unavailable or corrupted as a result of hardware breakdowns, software bugs, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, plus Hyper-V and VMware images. Important data can be backed up to the cloud, to a local device, or to both. Progent's BDR consultants can provide world-class expertise to configure ProSight Data Protection Services to comply with government and industry regulatory standards like HIPAA, FIRPA, and PCI and, when necessary, can help you recover your critical information. Find out more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of top information security vendors to provide web-based control and comprehensive security for your inbound and outbound email. The powerful structure of Email Guard combines a Cloud Protection Layer with an on-premises security gateway appliance to offer complete protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks, and other email-based threats. The Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of unwanted email from reaching your security perimeter. This decreases your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's onsite security gateway appliance adds a further level of analysis for incoming email. For outgoing email, the local gateway offers AV and anti-spam protection, DLP, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that originates and ends within your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller businesses to map, track, optimize and troubleshoot their connectivity appliances like routers and switches, firewalls, and access points as well as servers, printers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology diagrams are kept updated, copies and manages the configuration information of virtually all devices connected to your network, monitors performance, and generates alerts when problems are discovered. By automating tedious network management processes, ProSight WAN Watch can cut hours off common chores such as making network diagrams, expanding your network, locating devices that need important updates, or isolating performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to keep your network running efficiently by checking the health of the vital computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted automatically to your designated IT management personnel and your assigned Progent consultant so that looming issues can be resolved before they impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure, fault-tolerant data center on a fast virtual machine host set up and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the apps. Because the system is virtualized, it can be ported immediately to a different hardware platform without requiring a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and safeguard information related to your IT infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your network documentation, you can eliminate up to 50% of the time wasted trying to find vital information about your network. ProSight IT Asset Management includes a common repository for holding and sharing all documents required for managing your business network, such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether you're making enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

For 24/7 Spartanburg Ransomware Repair Help, contact Progent at 800-993-9400 or go to Contact Progent.