Ransomware : Your Crippling IT Nightmare
Ransomware Recovery Professionals
Crypto-ransomware has become an escalating cyber pandemic that poses an extinction-level threat for organizations poorly prepared for an attack. Different versions of ransomware like the CryptoLocker, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for a long time and continue to inflict damage. The latest versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, along with daily as yet unnamed malware, not only encrypt on-line information but also infiltrate all available system backups. Data replicated to off-site disaster recovery sites can also be rendered useless. In a poorly architected environment, this can render automated restoration hopeless and basically sets the datacenter back to zero.

Getting services and data back online after a ransomware outage becomes a race against the clock as the victim fights to stop lateral movement, clear the virus, and resume business-critical operations. Because crypto-ransomware needs time to replicate, assaults are usually launched on weekends, when they are likely to take longer to detect. This multiplies the difficulty of quickly marshalling and orchestrating a knowledgeable mitigation team.

Progent offers a range of solutions for securing businesses from ransomware events. These include team member education to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of next-generation security solutions with artificial intelligence capabilities to automatically detect and suppress zero-day cyber threats. Progent in addition provides the services of expert ransomware recovery engineers with the talent and perseverance to re-deploy a compromised environment as soon as possible.

Progent's Ransomware Restoration Services
Following a ransomware penetration, paying the ransom in cryptocurrency does not provide any assurance that distant criminals will respond with the codes to decrypt any or all of your files. Kaspersky ascertained that seventeen percent of crypto-ransomware victims never recovered their information after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is greatly above the average ransomware demand, which ZDNET determined to be in the range of $13,000. The other path is to piece back together the essential parts of your Information Technology environment. Without the availability of complete information backups, this calls for a wide range of skill sets, professional project management, and the capability to work continuously until the recovery project is finished.

For twenty years, Progent has offered expert Information Technology services for businesses in Albany and across the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have earned high-level certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have garnered internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has expertise with accounting and ERP applications. This breadth of experience affords Progent the ability to knowledgably determine important systems and integrate the surviving components of your Information Technology environment following a ransomware event and assemble them into a functioning network.

Progent's recovery team uses top notch project management tools to orchestrate the complex recovery process. Progent appreciates the importance of working rapidly and together with a client's management and IT resources to prioritize tasks and to put key services back online as soon as possible.

Case Study: A Successful Ransomware Penetration Restoration
A small business hired Progent after their network was attacked by Ryuk crypto-ransomware. Ryuk is believed to have been created by North Korean state criminal gangs, possibly adopting approaches exposed from the United States National Security Agency. Ryuk targets specific companies with little ability to sustain operational disruption and is among the most profitable incarnations of crypto-ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturer located in the Chicago metro area and has around 500 employees. The Ryuk event had shut down all company operations and manufacturing processes. The majority of the client's system backups had been directly accessible at the beginning of the intrusion and were encrypted. The client was evaluating paying the ransom demand (exceeding $200K) and praying for good luck, but in the end made the decision to use Progent.


"I cannot tell you enough in regards to the support Progent provided us during the most stressful period of (our) business's survival. We most likely would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent group provided us. That you could get our messaging and key applications back on-line faster than five days was beyond my wildest dreams. Each consultant I talked with or texted at Progent was urgently focused on getting us operational and was working 24/7 to bail us out."

Progent worked with the customer to rapidly identify and prioritize the most important areas that needed to be recovered to make it possible to resume company functions:

  • Microsoft Active Directory
  • Microsoft Exchange
  • Accounting/MRP

To begin, Progent adhered to incident response best practices for AV/malware events by halting lateral movement and removing active viruses. Progent then initiated the steps of rebuilding Microsoft Active Directory, the foundation of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange Server messaging will not operate without Windows AD, and the business's financials and MRP applications utilized SQL Server, which requires Windows AD for authentication to the databases.

In less than two days, Progent was able to rebuild Windows Active Directory to its pre-penetration state. Progent then charged ahead with setup and storage recovery of key servers. All Exchange Server schema and configuration information were intact, which facilitated the restore of Exchange. Progent was also able to locate local OST data files (Outlook Email Offline Folder Files) on staff PCs to recover email data. A fairly recent off-line backup of the business's accounting/ERP software made it possible to bring these essential services back on-line. Although significant work was left to recover totally from the Ryuk virus, core systems were recovered quickly:


"For the most part, the production manufacturing operation was never shut down and we delivered all customer orders."

During the following month critical milestones in the recovery process were completed in tight cooperation between Progent consultants and the customer:

  • Internal web applications were restored without losing any information.
  • The MailStore Microsoft Exchange Server with over 4 million archived emails was brought online and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control capabilities were fully functional.
  • A new Palo Alto 850 security appliance was brought on-line.
  • 90% of the desktops and laptops were fully operational.

"So much of what happened during the initial response is mostly a blur for me, but we will not forget the dedication each of you accomplished to help get our business back. I have entrusted Progent for the past ten years, possibly more, and every time I needed help Progent has come through and delivered. This event was a life saver."

Conclusion
A potential business extinction catastrophe was evaded through the efforts of dedicated professionals, a wide range of subject matter expertise, and close teamwork. In the post mortem, the crypto-ransomware incident detailed here could have been shut down with modern cyber security systems and security best practices, team training, and appropriate incident response procedures for data backup and for keeping systems up to date with security patches. The fact remains, however, that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware penetration, remember that Progent's roster of professionals has substantial experience in crypto-ransomware blocking, remediation, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for making it so I could get some sleep after we got over the first week. Everyone did a fabulous job, and if anyone that helped is visiting the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Albany a range of online monitoring and security assessment services to help you to reduce the threat from crypto-ransomware. These services utilize modern artificial intelligence capability to detect new variants of ransomware that can get past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes next-generation behavior-based machine learning tools to guard physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which routinely get by traditional signature-matching AV tools. ProSight Active Security Monitoring protects local and cloud-based resources and offers a single platform to automate the entire malware attack progression including protection, identification, mitigation, cleanup, and post-attack forensics. Key features include single-click rollback using Windows VSS and real-time network-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver economical in-depth security for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and responding to security threats from all vectors. ProSight ESP offers firewall protection, penetration alerts, endpoint control, and web filtering through cutting-edge technologies packaged within one agent accessible from a single control. Progent's data protection and virtualization consultants can help your business to design and configure a ProSight ESP deployment that meets your organization's unique requirements and that helps you prove compliance with government and industry information protection standards. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require immediate attention. Progent can also assist your company to set up and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations a low cost and fully managed service for reliable backup/disaster recovery (BDR). For a fixed monthly price, ProSight DPS automates and monitors your backup activities and allows fast restoration of vital data, apps and virtual machines that have become unavailable or damaged as a result of component failures, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to a local device, or to both. Progent's BDR specialists can provide advanced expertise to set up ProSight DPS to comply with government and industry regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, when needed, can assist you to recover your business-critical data. Read more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading information security companies to provide web-based control and comprehensive security for all your email traffic. The powerful architecture of the Email Guard managed service integrates cloud-based filtering with a local gateway appliance to provide advanced protection against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter acts as a preliminary barricade and keeps most unwanted email from reaching your network firewall. This decreases your exposure to external threats and saves system bandwidth and storage space. Email Guard's onsite security gateway device provides a further level of inspection for inbound email. For outbound email, the onsite gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Exchange Server to monitor and safeguard internal email traffic that originates and ends within your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized organizations to map, monitor, enhance and debug their connectivity hardware like switches, firewalls, and load balancers plus servers, endpoints and other devices. Using state-of-the-art RMM technology, ProSight WAN Watch makes sure that network diagrams are always updated, copies and displays the configuration information of almost all devices on your network, tracks performance, and generates alerts when problems are detected. By automating time-consuming management and troubleshooting processes, ProSight WAN Watch can knock hours off common chores like making network diagrams, reconfiguring your network, finding appliances that require important updates, or isolating performance issues. Find out more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management techniques to help keep your network running efficiently by checking the health of vital computers that power your information system. When ProSight LAN Watch detects an issue, an alert is sent immediately to your specified IT staff and your assigned Progent engineering consultant so all looming issues can be addressed before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual host set up and maintained by Progent's network support experts. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the apps. Because the system is virtualized, it can be ported immediately to an alternate hosting environment without a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and protect information about your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be alerted about impending expirations of SSL certificates, domains or warranties. By updating and managing your network documentation, you can save up to 50% of time spent trying to find critical information about your network. ProSight IT Asset Management includes a common location for storing and sharing all documents related to managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're making improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.

For Albany 24x7x365 Crypto-Ransomware Recovery Help, reach out to Progent at 800-462-8800 or go to Contact Progent.