Crypto-Ransomware : Your Crippling IT Disaster
Ransomware  Recovery ExpertsRansomware has become a modern cyberplague that presents an extinction-level danger for organizations vulnerable to an assault. Different iterations of ransomware like the CrySIS, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for many years and continue to cause destruction. Modern strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, along with additional unnamed viruses, not only encrypt on-line data files but also infect most available system backup. Data synchronized to off-site disaster recovery sites can also be rendered useless. In a vulnerable system, it can make any restore operations impossible and basically sets the datacenter back to square one.

Retrieving services and data after a crypto-ransomware event becomes a sprint against the clock as the targeted business tries its best to contain and eradicate the ransomware and to restore enterprise-critical operations. Since ransomware requires time to move laterally, penetrations are usually sprung on weekends, when successful attacks in many cases take more time to identify. This compounds the difficulty of rapidly assembling and organizing a qualified response team.

Progent makes available a variety of support services for securing enterprises from crypto-ransomware attacks. These include staff training to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus installation of next-generation security gateways with machine learning capabilities to intelligently discover and disable day-zero cyber threats. Progent also offers the services of seasoned crypto-ransomware recovery engineers with the talent and commitment to rebuild a breached system as quickly as possible.

Progent's Ransomware Recovery Support Services
Subsequent to a ransomware attack, even paying the ransom in cryptocurrency does not ensure that cyber criminals will provide the needed keys to unencrypt any or all of your data. Kaspersky ascertained that 17% of crypto-ransomware victims never recovered their files even after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is greatly higher than the usual crypto-ransomware demands, which ZDNET averages to be approximately $13,000. The fallback is to setup from scratch the mission-critical parts of your IT environment. Without access to complete information backups, this calls for a wide range of skills, top notch team management, and the willingness to work non-stop until the job is finished.

For decades, Progent has made available professional IT services for companies in Midtown Manhattan and throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have been awarded high-level industry certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have earned internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has expertise with financial systems and ERP applications. This breadth of experience provides Progent the ability to knowledgably ascertain important systems and integrate the remaining parts of your computer network system after a ransomware attack and rebuild them into a functioning system.

Progent's ransomware group has state-of-the-art project management applications to orchestrate the complex recovery process. Progent knows the importance of working swiftly and together with a customerís management and Information Technology team members to assign priority to tasks and to put critical applications back online as soon as humanly possible.

Business Case Study: A Successful Ransomware Penetration Restoration
A client hired Progent after their organization was taken over by Ryuk ransomware. Ryuk is believed to have been developed by North Korean government sponsored cybercriminals, possibly using technology leaked from Americaís National Security Agency. Ryuk attacks specific businesses with limited ability to sustain disruption and is one of the most lucrative examples of ransomware. Headline victims include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing company located in the Chicago metro area with about 500 employees. The Ryuk intrusion had disabled all essential operations and manufacturing capabilities. The majority of the client's system backups had been online at the start of the intrusion and were eventually encrypted. The client considered paying the ransom (in excess of two hundred thousand dollars) and wishfully thinking for the best, but in the end engaged Progent.


"I cannot speak enough in regards to the support Progent provided us during the most fearful time of (our) companyís existence. We most likely would have paid the cyber criminals if it wasnít for the confidence the Progent team gave us. That you were able to get our e-mail and important servers back into operation in less than a week was earth shattering. Each expert I spoke to or e-mailed at Progent was hell bent on getting us back on-line and was working day and night to bail us out."

Progent worked together with the customer to rapidly identify and assign priority to the essential systems that had to be recovered in order to continue departmental functions:

  • Microsoft Active Directory
  • Microsoft Exchange Email
  • Accounting and Manufacturing Software
To start, Progent followed ransomware event mitigation industry best practices by stopping the spread and cleaning up infected systems. Progent then began the work of bringing back online Microsoft Active Directory, the key technology of enterprise systems built upon Microsoft Windows Server technology. Exchange email will not function without AD, and the client's MRP applications used Microsoft SQL Server, which requires Active Directory for security authorization to the data.

In less than 2 days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then performed setup and hard drive recovery of key systems. All Exchange Server ties and attributes were usable, which greatly helped the rebuild of Exchange. Progent was also able to find local OST data files (Outlook Offline Folder Files) on staff workstations to recover email data. A not too old off-line backup of the client's accounting systems made them able to restore these vital programs back available to users. Although significant work still had to be done to recover totally from the Ryuk damage, the most important services were restored quickly:


"For the most part, the production manufacturing operation did not miss a beat and we produced all customer shipments."

Over the following couple of weeks key milestones in the restoration process were achieved through close cooperation between Progent team members and the client:

  • In-house web sites were restored with no loss of data.
  • The MailStore Microsoft Exchange Server with over 4 million historical emails was spun up and available for users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory Control capabilities were completely functional.
  • A new Palo Alto Networks 850 security appliance was deployed.
  • Ninety percent of the user PCs were being used by staff.

"A huge amount of what transpired that first week is mostly a haze for me, but our team will not soon forget the dedication each and every one of the team put in to help get our business back. I have been working with Progent for at least 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered. This situation was a stunning achievement."

Conclusion
A potential business-ending catastrophe was dodged through the efforts of dedicated professionals, a wide range of IT skills, and tight teamwork. Although in retrospect the crypto-ransomware incident detailed here would have been identified and stopped with up-to-date security systems and ISO/IEC 27001 best practices, user training, and well designed security procedures for data protection and applying software patches, the fact remains that government-sponsored hackers from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware penetration, feel confident that Progent's roster of experts has extensive experience in ransomware virus defense, remediation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for letting me get rested after we made it through the initial push. All of you did an amazing job, and if anyone that helped is visiting the Chicago area, a great meal is my treat!"

To read or download a PDF version of this case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Midtown Manhattan a variety of online monitoring and security assessment services designed to assist you to minimize your vulnerability to crypto-ransomware. These services utilize next-generation machine learning capability to detect zero-day variants of crypto-ransomware that can escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes next generation behavior analysis technology to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which easily evade traditional signature-based AV products. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a single platform to address the entire threat lifecycle including blocking, detection, containment, remediation, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver affordable multi-layer security for physical and virtual servers, desktops, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP provides firewall protection, intrusion alerts, device control, and web filtering through leading-edge tools packaged within one agent managed from a unified console. Progent's security and virtualization consultants can assist your business to plan and configure a ProSight ESP environment that addresses your organization's unique needs and that helps you prove compliance with government and industry information security standards. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for urgent attention. Progent can also assist you to install and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized organizations a low cost and fully managed solution for reliable backup/disaster recovery. Available at a low monthly cost, ProSight Data Protection Services automates and monitors your backup activities and allows rapid recovery of critical data, applications and VMs that have become lost or corrupted due to hardware breakdowns, software bugs, natural disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware images/. Important data can be protected on the cloud, to a local device, or to both. Progent's backup and recovery specialists can deliver world-class expertise to configure ProSight Data Protection Services to be compliant with government and industry regulatory standards like HIPAA, FIRPA, and PCI and, whenever needed, can help you to restore your critical information. Learn more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading information security companies to provide web-based management and comprehensive protection for all your inbound and outbound email. The powerful architecture of Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway appliance to offer advanced defense against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps most threats from reaching your security perimeter. This reduces your exposure to external attacks and saves network bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a further layer of analysis for inbound email. For outbound email, the local security gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Exchange Server to track and protect internal email that originates and ends within your security perimeter. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller organizations to diagram, track, enhance and debug their networking hardware such as routers and switches, firewalls, and access points plus servers, endpoints and other networked devices. Using cutting-edge RMM technology, WAN Watch makes sure that infrastructure topology maps are always current, copies and manages the configuration of almost all devices connected to your network, tracks performance, and generates notices when potential issues are detected. By automating tedious management processes, WAN Watch can knock hours off common tasks like making network diagrams, expanding your network, locating appliances that need critical updates, or resolving performance issues. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring service that uses state-of-the-art remote monitoring and management technology to keep your network running at peak levels by checking the health of critical computers that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your designated IT management staff and your assigned Progent engineering consultant so all potential problems can be resolved before they have a chance to impact your network. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure fault tolerant data center on a high-performance virtual machine host configured and managed by Progent's network support experts. With the ProSight Virtual Hosting model, the customer owns the data, the OS software, and the applications. Since the system is virtualized, it can be moved immediately to an alternate hosting environment without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and protect data related to your network infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or warranties. By updating and managing your network documentation, you can save up to 50% of time wasted looking for critical information about your IT network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents required for managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether youíre planning enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you need as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.
For Midtown Manhattan 24-7 Ransomware Remediation Consulting, contact Progent at 800-462-8800 or go to Contact Progent.