Crypto-Ransomware : Your Worst IT Disaster
Ransomware Remediation Professionals
Ransomware has become a too-frequent cyber pandemic that presents an extinction-level danger for businesses vulnerable to an attack. Different iterations of ransomware such as Reveton, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for many years and continue to cause harm. Recent variants of crypto-ransomware such as Ryuk and Hermes, plus a steady stream of as yet unnamed strains, not only encrypt online data files but also infiltrate every system backup they can reach. Data replicated to the cloud can also be rendered useless. With a poorly designed data protection solution, this leaves automatic restoration hopeless and essentially knocks the datacenter back to square one.

Restoring applications and data after a crypto-ransomware outage becomes a sprint against the clock as the targeted organization tries its best to contain and remove the ransomware and to resume business-critical activity. Since ransomware requires time to move laterally, attacks are usually sprung on weekends, when a successful penetration is likely to take longer to notice. This compounds the difficulty of quickly mobilizing and coordinating an experienced mitigation team.

Progent provides a range of support services for securing organizations from ransomware attacks. These include staff training to recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of modern security solutions with AI technology to quickly detect and suppress zero-day threats. Progent also offers the services of veteran ransomware recovery consultants with the talent and commitment to rebuild a compromised system as quickly as possible.

Progent's Crypto-Ransomware Recovery Services
Subsequent to a ransomware penetration, paying the ransom in Bitcoin cryptocurrency does not ensure that the attackers will respond with the keys to decrypt any or all of your files. Kaspersky Labs ascertained that seventeen percent of crypto-ransomware victims never recovered their information after having paid the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the average ransomware demand, which ZDNet puts at approximately $13,000. The other path is to piece back together the essential components of your IT environment. Absent essential system backups, this requires a broad complement of skills, well-coordinated team management, and the capability to work 24x7 until the task is complete.

For twenty years, Progent has provided certified expert IT services for businesses in Hialeah and throughout the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have earned high-level industry certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have garnered internationally-recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise with financial systems and ERP application software. This breadth of experience enables Progent to rapidly identify the necessary systems, consolidate the remaining pieces of your network after a crypto-ransomware event, and assemble them into a functioning network.

Progent's ransomware group has state-of-the-art project management tools to coordinate the complicated restoration process. Progent appreciates the importance of acting swiftly and together with a client's management and IT resources to assign priority to tasks and to put the most important services back online as soon as humanly possible.

Customer Story: A Successful Crypto-Ransomware Penetration Restoration
A client escalated to Progent after their network was crashed by Ryuk ransomware. Ryuk is thought to have been created by North Korean government-sponsored criminal gangs, suspected of using techniques leaked from the U.S. National Security Agency. Ryuk targets specific businesses with limited tolerance for disruption and is among the most profitable iterations of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in Chicago with about 500 staff members. The Ryuk penetration had frozen all company operations and manufacturing processes. Most of the client's backups had been directly accessible at the time of the attack and were destroyed. The client was considering paying the ransom demand (more than $200,000) and hoping for the best, but in the end engaged Progent.


"I can't say enough about the expertise Progent gave us throughout the most fearful time of (our) company's existence. We most likely would have paid the Hackers if it wasn't for the confidence the Progent experts provided us. That you could get our messaging and important applications back into operation in less than five days was something I thought impossible. Each person I got help from or communicated with at Progent was absolutely committed on getting my company operational and was working day and night to bail us out."

Progent worked hand in hand with the client to rapidly assess and prioritize the mission-critical elements that had to be restored in order to resume business functions:

  • Microsoft Active Directory
  • Microsoft Exchange Email
  • Accounting and Manufacturing Software

To begin, Progent adhered to ransomware incident response industry best practices by containing the spread and cleaning compromised systems. Progent then initiated the work of bringing Microsoft Active Directory back online, the foundation of enterprise networks built upon Microsoft Windows Server technology. Exchange email will not function without Active Directory, and the client's financials and MRP software relied on Microsoft SQL Server, which depends on Active Directory to authenticate and authorize access to the data.

In less than 2 days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then performed reinstallations and storage recovery of critical applications. All Microsoft Exchange Server ties and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to find local OST files (Microsoft Outlook Offline Folder Files) on team PCs and laptops to recover email data. A recent off-line backup of the customer's manufacturing systems made it possible to bring these required applications back online. Although a large amount of work remained to recover completely from the Ryuk virus, the most important services were returned to operation quickly:


"For the most part, the manufacturing operation did not miss a beat and we delivered all customer sales."

During the following month key milestones in the recovery project were made through tight collaboration between Progent team members and the client:

  • Internal web applications were brought back up without losing any data.
  • The MailStore Server archive, holding more than four million historical messages, was brought online and made available to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory modules were 100 percent operational.
  • A new Palo Alto Networks 850 security appliance was installed.
  • Nearly all of the user PCs were operational.

"A lot of what was accomplished those first few days is nearly entirely a blur for me, but our team will not soon forget the urgency each and every one of your team put in to help get our business back. I've entrusted Progent for the past 10 years, maybe more, and every time I needed help Progent has shined and delivered as promised. This event was a Herculean accomplishment."

Conclusion
A likely business extinction catastrophe was dodged with dedicated professionals, a wide array of technical expertise, and close collaboration. Although in post-mortem analysis the ransomware attack detailed here could have been shut down with modern cyber security technology solutions and best practices, staff education, appropriate security procedures for information protection, and keeping systems up to date with security patches, the reality is that government-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware attack, remember that Progent's team of professionals has extensive experience in crypto-ransomware blocking, removal, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were involved), thanks very much for making it so I could get rested after we made it past the most critical parts. Everyone did a fabulous effort, and if anyone that helped is in the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Hialeah a range of remote monitoring and security evaluation services designed to help you to reduce the threat from ransomware. These services utilize next-generation AI technology to detect new strains of crypto-ransomware that can get past traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates cutting-edge behavioral machine learning to guard physical and virtual endpoints against modern malware assaults such as ransomware and email phishing, which routinely evade traditional signature-based AV tools. ProSight ASM protects on-premises and cloud resources and provides a single platform to manage the entire threat progression including blocking, detection, containment, cleanup, and forensics. Top capabilities include single-click rollback with Windows VSS and real-time network-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable in-depth protection for physical and virtual servers, desktops, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and responding to security assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alarms, device management, and web filtering via cutting-edge technologies packaged within a single agent accessible from a unified console. Progent's data protection and virtualization experts can assist you to design and implement a ProSight ESP deployment that meets your company's specific needs and that helps you demonstrate compliance with legal and industry data security standards. Progent will help you define and configure the policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that call for immediate action. Progent can also help you to install and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can recover rapidly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized organizations a low-cost end-to-end service for secure backup and disaster recovery. Available at a low monthly cost, ProSight Data Protection Services automates and monitors your backup processes and allows rapid recovery of critical data, apps and VMs that have become unavailable or corrupted due to component failures, software glitches, natural disasters, human error, or malware attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware images. Important data can be protected in the cloud, on an on-premises storage device, or mirrored to both. Progent's cloud backup consultants can deliver world-class support to set up ProSight DPS to comply with regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, when needed, can help you to recover your critical data. Find out more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top information security companies to provide centralized management and comprehensive protection for your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway device to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based malware. The cloud filter acts as a preliminary barricade and keeps the vast majority of unwanted email from reaching your network firewall. This decreases your vulnerability to inbound attacks and saves network bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a further level of analysis for incoming email. For outbound email, the onsite security gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to track and safeguard internal email that stays inside your security perimeter. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to map, track, enhance and debug their networking hardware such as routers, switches, firewalls, and wireless controllers, plus servers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always updated, captures and manages the configuration information of virtually all devices connected to your network, tracks performance, and sends alerts when issues are detected. By automating complex network management processes, ProSight WAN Watch can knock hours off ordinary tasks such as network mapping, expanding your network, finding appliances that need critical software patches, or isolating performance issues. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your IT system operating efficiently by tracking the state of vital assets that drive your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your designated IT management personnel and your assigned Progent consultant so all potential issues can be addressed before they can impact productivity. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual machine host set up and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the apps. Since the environment is virtualized, it can be moved immediately to an alternate hardware environment without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and protect information related to your IT infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT infrastructure documentation, you can save as much as half the time wasted trying to find vital information about your network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents related to managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're making enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you require as soon as you need it. Learn more about ProSight IT Asset Management service.

For 24/7 Hialeah CryptoLocker Remediation Support Services, call Progent at 800-993-9400 or go to Contact Progent.