Ransomware : Your Feared IT Nightmare
Crypto-Ransomware Remediation Professionals

Ransomware has become a too-frequent cyber pandemic that poses an extinction-level danger for organizations unprepared for an attack. Different versions of ransomware such as CryptoLocker, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been around for a long time and still inflict damage. More recent variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, plus frequent unnamed malware, not only encrypt online critical data but also infect any accessible system protection mechanisms. Data replicated to cloud environments can also be corrupted. In a poorly architected data protection solution, this can make automatic restore operations impossible and effectively knock the datacenter back to zero.

Getting programs and data back on-line after a crypto-ransomware intrusion becomes a sprint against time as the targeted business tries its best to stop the spread, remove the crypto-ransomware and resume enterprise-critical operations. Since ransomware needs time to replicate, penetrations are frequently sprung on weekends, when attacks tend to take longer to recognize. This compounds the difficulty of promptly assembling and coordinating a knowledgeable response team.

Progent has a range of support services for protecting businesses from ransomware penetrations. These include team member education to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of next-generation security solutions with AI capabilities to automatically identify and quarantine new threats. Progent in addition can provide the assistance of expert crypto-ransomware recovery engineers with the talent and commitment to rebuild a breached system as rapidly as possible.

Progent's Ransomware Restoration Support Services
After a ransomware attack, sending the ransom in cryptocurrency does not ensure that distant criminals will return the keys to decipher any of your files. Kaspersky Labs ascertained that seventeen percent of ransomware victims never recovered their files after having sent off the ransom, resulting in additional losses. Paying is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than typical ransomware demands, which ZDNet estimates to average approximately $13,000. The other path is to piece back together the vital elements of your IT environment. Absent the availability of full information backups, this requires a wide range of IT skills, professional project management, and the willingness to work non-stop until the recovery project is completed.

For two decades, Progent has made available expert IT services for companies in Barra da Tijuca and across the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have been awarded advanced industry certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have garnered internationally-renowned certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of experience gives Progent the skills to rapidly identify critical systems, consolidate the surviving components of your network following a ransomware attack, and configure them into a functioning network.

Progent's recovery group utilizes top notch project management applications to orchestrate the sophisticated restoration process. Progent understands the importance of working rapidly and in concert with a client's management and Information Technology team members to prioritize tasks and to put key applications back on-line as fast as possible.

Client Story: A Successful Ransomware Attack Restoration
A business engaged Progent after their organization was attacked by the Ryuk ransomware virus. Ryuk is thought to have been created by North Korean government sponsored cybercriminals, possibly using technology exposed from the U.S. NSA organization. Ryuk targets specific companies with limited room for operational disruption and is one of the most lucrative instances of ransomware. Highly publicized targets include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer based in Chicago with around 500 staff members. The Ryuk penetration had shut down all business operations and manufacturing processes. The majority of the client's information backups had been online at the start of the attack and were eventually encrypted. The client was pursuing financing for paying the ransom demand (exceeding $200,000) and hoping for the best, but ultimately reached out to Progent.


"I can't say enough in regards to the expertise Progent provided us during the most critical time of (our) business's survival. We may have had to pay the hackers behind this attack if not for the confidence the Progent group afforded us. The fact that you could get our e-mail system and key servers back faster than a week was beyond my wildest dreams. Each staff member I talked with or texted at Progent was totally committed on getting us back on-line and was working day and night on our behalf."

Progent worked with the customer to quickly understand and assign priority to the key services that needed to be recovered in order to resume company operations:

  • Windows Active Directory
  • Microsoft Exchange Server
  • Accounting/MRP

To start, Progent followed malware incident-response industry best practices by stopping the spread and cleaning up infected systems. Progent then started the work of bringing Windows Active Directory back online, the key technology of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange Server email will not work without AD, and the customer's MRP system used Microsoft SQL Server, which depends on Active Directory services to authenticate access to the data.

In less than 48 hours, Progent was able to restore Active Directory services to their pre-intrusion state. Progent then charged ahead with configuration and storage recovery on the most important systems. All Exchange schema and configuration information was usable, which facilitated the rebuild of Exchange. Progent was also able to collect intact OST data files (Outlook Offline Folder Files) on various workstations to recover mail messages. A recent offline backup of the customer's accounting/ERP systems made it possible to bring these required services back online. Although significant work still had to be done to recover completely from the Ryuk event, the most important systems were recovered rapidly:


"For the most part, the manufacturing operation was never shut down and we made all customer sales."

Throughout the following couple of weeks, important milestones in the restoration project were completed in tight cooperation between Progent engineers and the customer:

  • In-house web sites were brought back up with no loss of information.
  • The MailStore archive for Microsoft Exchange Server, holding more than four million historical emails, was spun up and made accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory capabilities were 100% recovered.
  • A new Palo Alto 850 firewall was brought on-line.
  • Nearly all of the user desktops and notebooks were operational.

"Much of what went on those first few days is mostly a fog for me, but I will not forget the countless hours each and every one of you put in to help get our business back. I have trusted Progent for the past 10 years, possibly more, and every time I needed help Progent has come through and delivered as promised. This event was a testament to your capabilities."

Conclusion
A potential business extinction disaster was averted with top-tier experts, a broad spectrum of IT skills, and tight collaboration. Although in retrospect the ransomware virus penetration described here should have been identified and stopped with up-to-date security solutions and ISO/IEC 27001 best practices, team training, and properly executed security procedures for data protection and applying software patches, the fact remains that state-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware penetration, feel confident that Progent's team of professionals has extensive experience in crypto-ransomware virus defense, mitigation, and information systems restoration.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), I'm grateful for making it so I could get rested after we got past the initial push. All of you did an amazing job, and if any of your team is around the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Barra da Tijuca a variety of remote monitoring and security evaluation services designed to help you to minimize the threat from crypto-ransomware. These services include modern machine learning capability to uncover zero-day variants of ransomware that are able to evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates cutting edge behavior machine learning tools to defend physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which routinely escape traditional signature-matching AV products. ProSight Active Security Monitoring protects local and cloud-based resources and offers a single platform to automate the entire malware attack progression including protection, detection, containment, remediation, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth protection for physical servers and virtual machines, workstations, mobile devices, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and responding to security threats from all vectors. ProSight ESP provides firewall protection, intrusion alarms, device control, and web filtering via cutting-edge technologies packaged within a single agent managed from a single console. Progent's data protection and virtualization experts can assist your business to plan and configure a ProSight ESP environment that meets your company's specific requirements and that allows you prove compliance with legal and industry data security regulations. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require urgent attention. Progent can also assist your company to install and test a backup and restore system like ProSight Data Protection Services so you can recover quickly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations a low cost and fully managed solution for secure backup/disaster recovery. For a low monthly cost, ProSight DPS automates and monitors your backup processes and enables rapid restoration of critical files, apps and virtual machines that have become lost or corrupted as a result of hardware breakdowns, software glitches, disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to a local device, or to both. Progent's cloud backup consultants can deliver advanced support to set up ProSight Data Protection Services to be compliant with government and industry regulatory standards like HIPAA, FINRA, and PCI and, whenever needed, can help you to recover your critical information. Learn more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of top data security vendors to deliver web-based control and world-class protection for all your inbound and outbound email. The hybrid structure of Progent's Email Guard integrates cloud-based filtering with a local gateway appliance to provide advanced protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The cloud filter serves as a first line of defense and keeps the vast majority of threats from reaching your security perimeter. This reduces your vulnerability to inbound threats and saves system bandwidth and storage space. Email Guard's on-premises gateway device adds a further layer of inspection for incoming email. For outbound email, the local gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also help Microsoft Exchange Server to track and safeguard internal email that originates and ends inside your security perimeter. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to map out, track, reconfigure and troubleshoot their connectivity hardware like switches, firewalls, and access points plus servers, client computers and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept current, captures and manages the configuration of almost all devices connected to your network, tracks performance, and sends alerts when potential issues are detected. By automating complex network management activities, WAN Watch can cut hours off common chores such as making network diagrams, expanding your network, locating devices that require important software patches, or isolating performance issues. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your IT system operating at peak levels by checking the state of critical computers that drive your information system. When ProSight LAN Watch detects an issue, an alert is sent automatically to your specified IT management personnel and your assigned Progent consultant so any looming issues can be resolved before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual host set up and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the apps. Because the environment is virtualized, it can be ported immediately to a different hardware solution without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, retrieve and protect information related to your network infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate up to 50% of time spent trying to find vital information about your network. ProSight IT Asset Management includes a common location for storing and sharing all documents required for managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're planning enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need when you need it. Learn more about ProSight IT Asset Management service.

For 24-7 Barra da Tijuca Crypto-Ransomware Cleanup Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.