Ransomware : Your Worst IT Catastrophe
Ransomware Remediation Consultants
Crypto-ransomware has become an all-too-frequent cyberplague that poses an extinction-level danger for businesses poorly prepared for an assault. Versions of crypto-ransomware such as Reveton, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been out in the wild for years and continue to inflict harm. Modern strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Egregor, as well as many unnamed variants, not only encrypt on-line information but also infect any reachable system backups. Files synced to off-site disaster recovery sites can also be encrypted. In a poorly architected environment, this can make automated recovery impossible and effectively sets the entire system back to square one.

Restoring programs and information following a crypto-ransomware event becomes a race against time as the targeted organization struggles to stop lateral movement, remove the ransomware, and restore mission-critical operations. Because ransomware needs time to move laterally, attacks are usually launched on weekends and at night, when a successful intrusion typically takes longer to notice. This multiplies the difficulty of rapidly marshalling and organizing an experienced response team.

Progent has an assortment of solutions for protecting businesses from ransomware penetrations. Among these are team training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of the latest generation security gateways with AI technology to quickly identify and disable zero-day cyber attacks. Progent also provides the assistance of veteran ransomware recovery professionals with the talent and perseverance to reconstruct a compromised system as soon as possible.

Progent's Ransomware Restoration Services
Following a crypto-ransomware attack, paying the ransom demand in cryptocurrency provides no assurance that the criminals will supply the keys needed to decrypt all your data. Kaspersky determined that 17% of crypto-ransomware victims never recovered their data after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the average ransomware demand, which ZDNET estimates to be approximately $13,000. The fallback is to set up from scratch the essential elements of your Information Technology environment. Without the availability of essential system backups, this calls for a wide complement of skills, professional team management, and the capability to work non-stop until the job is over.

For two decades, Progent has made available expert Information Technology services for businesses in Cambridge and throughout the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have attained top industry certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have garnered internationally-renowned industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has expertise in financial systems and ERP application software. This breadth of expertise gives Progent the ability to quickly identify critical systems, consolidate the surviving components of your network following a crypto-ransomware attack, and rebuild them into an operational network.

Progent's recovery group deploys best-of-breed project management applications to orchestrate the complex restoration process. Progent appreciates the importance of working quickly and in concert with a customer's management and Information Technology resources to assign priority to tasks and to get key applications back on line as soon as humanly possible.

Client Case Study: A Successful Crypto-Ransomware Incident Recovery
A client hired Progent after their network was attacked by the Ryuk crypto-ransomware. Ryuk is generally considered to have been developed by North Korean state-sponsored criminal gangs, possibly adopting technology leaked from the United States National Security Agency. Ryuk targets specific organizations with little room for operational disruption and is among the most lucrative versions of ransomware malware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturer based in the Chicago metro area with about 500 workers. The Ryuk event had brought down all essential operations and manufacturing capabilities. Most of the client's backups had been online at the beginning of the attack and were destroyed. The client considered paying the ransom demand (exceeding $200,000) and hoping for the best, but ultimately called Progent.


"I can't tell you enough in regards to the support Progent provided us during the most fearful time of (our) business's life. We most likely would have paid the cyber criminals behind the attack if not for the confidence the Progent team afforded us. The fact that you were able to get our e-mail and critical applications back on-line in less than seven days was earth shattering. Every single expert I talked with or e-mailed at Progent was urgently focused on getting us working again and was working day and night on our behalf."

Progent worked with the customer to quickly assess and prioritize the critical services that needed to be addressed in order to resume business functions:

  • Active Directory
  • Email
  • Accounting/MRP
To start, Progent followed ransomware incident response best practices by halting lateral movement and performing malware removal steps. Progent then started the process of rebuilding Microsoft AD, the key technology of enterprise systems built on Microsoft Windows Server. Exchange messaging will not function without AD, and the customer's accounting and MRP software relied on Microsoft SQL Server, which depends on Windows AD for access to the databases.

Within 2 days, Progent was able to recover Active Directory services to their pre-attack state. Progent then completed setup and hard drive recovery of needed systems. All Exchange data and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to collect intact OST data files (Microsoft Outlook Off-Line Data Files) on team desktop computers in order to recover email data. A relatively recent off-line backup of the client's financials/MRP software made it possible to bring these required services back online for users. Although major work remained to recover completely from the Ryuk damage, the most important systems were recovered quickly:


"For the most part, the manufacturing operation did not miss a beat and we delivered all customer sales."

During the following few weeks critical milestones in the restoration process were made through tight cooperation between Progent team members and the client:

  • In-house web sites were brought back up with no loss of data.
  • The MailStore email archive for Microsoft Exchange Server, containing more than four million historical emails, was spun up and accessible to users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory capabilities were 100 percent operational.
  • A new Palo Alto Networks 850 security appliance was set up and programmed.
  • 90% of the desktops and laptops were back into operation.

"So much of what was accomplished those first few days is mostly a fog for me, but I will not forget the dedication all of the team put in to help get our business back. I have been working together with Progent for at least 10 years, possibly more, and each time Progent has impressed me and delivered. This time was a stunning achievement."

Conclusion
A potential business extinction catastrophe was averted by top-tier experts, a wide range of IT skills, and tight teamwork. Although a post-mortem showed that the ransomware attack described here could have been detected and prevented with up-to-date security technology, security best practices, team education, well-designed incident response procedures for data protection, and proper patching controls, the fact remains that state-sponsored hackers from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a crypto-ransomware penetration, feel confident that Progent's team of experts has proven experience in crypto-ransomware defense, remediation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thank you for allowing me to get rested after we made it through the first week. Everyone did an impressive job, and if any of your team is visiting the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Cambridge a variety of online monitoring and security evaluation services designed to assist you to minimize the threat from crypto-ransomware. These services incorporate modern artificial intelligence technology to uncover new variants of ransomware that can get past legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes cutting edge behavior analysis technology to defend physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which easily escape legacy signature-matching AV tools. ProSight ASM protects local and cloud-based resources and offers a unified platform to address the complete malware attack lifecycle including blocking, identification, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable in-depth protection for physical servers and virtual machines, workstations, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and responding to cyber assaults from all vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint management, and web filtering via leading-edge technologies incorporated within a single agent managed from a unified console. Progent's security and virtualization consultants can assist your business to plan and implement a ProSight ESP environment that addresses your company's specific requirements and that allows you to achieve and demonstrate compliance with legal and industry information security standards. Progent will assist you to define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that call for immediate action. Progent can also help your company to install and test a backup and restore system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and medium-sized businesses an affordable end-to-end solution for secure backup/disaster recovery (BDR). Available at a fixed monthly rate, ProSight DPS automates and monitors your backup processes and enables fast restoration of critical data, apps and virtual machines that have become unavailable or damaged due to component failures, software bugs, natural disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware images. Critical data can be protected in the cloud, on a local storage device, or mirrored to both. Progent's cloud backup specialists can deliver advanced expertise to set up ProSight DPS to comply with regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, whenever needed, can help you to recover your critical information. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading data security companies to deliver web-based control and world-class security for all your email traffic. The hybrid structure of Email Guard combines cloud-based filtering with an on-premises gateway device to offer complete defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-based malware. Email Guard's cloud filter serves as a first line of defense and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your exposure to external threats and saves system bandwidth and storage. Email Guard's onsite gateway device provides a deeper layer of inspection for incoming email. For outbound email, the onsite gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also help Microsoft Exchange Server to track and safeguard internal email that stays within your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller organizations to map out, monitor, enhance and troubleshoot their networking appliances like routers, firewalls, and wireless controllers plus servers, printers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology diagrams are kept updated, captures and manages the configuration information of virtually all devices connected to your network, tracks performance, and sends alerts when problems are discovered. By automating tedious management and troubleshooting processes, WAN Watch can knock hours off ordinary tasks such as making network diagrams, expanding your network, finding devices that need important software patches, or isolating performance problems. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your network operating at peak levels by checking the health of vital computers that power your information system. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT management personnel and your assigned Progent consultant so any potential issues can be addressed before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual machine host set up and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the apps. Since the environment is virtualized, it can be moved immediately to a different hosting solution without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and safeguard data about your network infrastructure, procedures, business apps, and services. You can quickly find passwords or IP addresses and be warned about impending expirations of SSL certificates, domains or warranties. By cleaning up and organizing your network documentation, you can save up to 50% of the time spent trying to find vital information about your IT network. ProSight IT Asset Management features a common location for holding and sharing all documents related to managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're planning improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you need as soon as you need it. Find out more about ProSight IT Asset Management service.
For 24-7 Cambridge Crypto-Ransomware Repair Consulting, call Progent at 800-462-8800 or go to Contact Progent.