Ransomware : Your Worst Information Technology Catastrophe
Ransomware has become a modern cyber pandemic that presents an existential danger for businesses poorly prepared for an attack. Older ransomware families such as Reveton, Fusob, Locky, SamSam and the MongoLock cryptoworm have been in the wild for years and still cause harm. Newer families like Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Nephilim, plus additional as yet unnamed malware, not only encrypt online data but also attack every configured system protection mechanism they can reach, including backups. Data synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly architected system, this defeats automated recovery and effectively sets the entire environment back to square one.
Restoring applications and information following a crypto-ransomware attack becomes a sprint against time as the victim fights to stop the spread, remove the malware, and restore mission-critical operations. Because ransomware needs time to spread, attacks are usually launched at night, when a successful intrusion often takes longer to detect. This compounds the difficulty of quickly mobilizing and organizing a knowledgeable mitigation team.
Progent offers an assortment of solutions for securing businesses against ransomware attacks. These include staff education to help employees recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of modern security gateways with AI technology to quickly identify and suppress zero-day cyber attacks. Progent can also provide the assistance of seasoned crypto-ransomware recovery consultants with the track record and perseverance to re-deploy a breached network as quickly as possible.
Progent's Ransomware Restoration Help
After a ransomware attack, even paying the ransom demand in Bitcoin provides no assurance that the distant criminals will respond with the keys needed to decrypt all your information. Kaspersky determined that seventeen percent of ransomware victims never recovered their information after having paid the ransom, resulting in further losses. The ransom itself is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET determined to be approximately $13,000. The other path is to re-install the critical elements of your Information Technology environment. Without access to usable backups, this calls for a broad complement of IT skills, professional project management, and the willingness to work non-stop until the recovery project is completed.
For decades, Progent has offered expert Information Technology services for businesses in Midtown Manhattan and across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have earned top certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have earned internationally recognized certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent in addition has experience with financial systems and ERP software solutions. This breadth of experience gives Progent the capability to efficiently identify critical systems, re-organize the surviving parts of your computer network environment after a ransomware penetration, and rebuild them into a functioning network.
Progent's security team uses top-notch project management tools to orchestrate the complicated recovery process. Progent knows the importance of acting swiftly and in unison with a customer's management and Information Technology resources to prioritize tasks and to put key applications back online as soon as humanly possible.
Client Case Study: A Successful Ransomware Intrusion Response
A customer engaged Progent after their network was attacked by the Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean government-sponsored hackers, possibly using algorithms leaked from America's NSA. Ryuk targets specific businesses with little tolerance for operational disruption and is among the most lucrative examples of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing company headquartered in Chicago with about 500 staff members. The Ryuk event had brought down all business operations and manufacturing processes. Most of the client's backups had been directly accessible from the network at the start of the attack and were eventually encrypted. The client was evaluating paying the ransom demand (in excess of $200K) and hoping for good luck, but in the end engaged Progent.
"I can't say enough in regards to the care Progent gave us throughout the most stressful time of (our) company's survival. We most likely would have paid the cyber criminals behind the attack except for the confidence the Progent group afforded us. That you were able to get our messaging and critical applications back on-line sooner than 1 week was beyond my wildest dreams. Every single staff member I worked with or texted at Progent was laser focused on getting us working again and was working at breakneck pace to bail us out."
Progent worked together with the client to rapidly identify and prioritize the key services that had to be recovered in order to restart company operations:
- Active Directory
- MRP System
To start, Progent adhered to ransomware incident mitigation best practices by halting the spread and removing active malware. Progent then started the process of bringing Microsoft Active Directory back online, the key technology of enterprise environments built on Microsoft Windows Server. Microsoft Exchange Server messaging will not function without AD, and the client's accounting and MRP software relied on Microsoft SQL Server, which depends on Windows AD for authentication and authorization to the data.
Within 2 days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then completed reinstallations and storage recovery of the most important servers. All Microsoft Exchange Server ties and attributes in AD were intact, which facilitated the rebuild of Exchange. Progent was able to collect unencrypted OST files (Outlook Offline Data Files) from staff desktop computers in order to recover email data. A recent offline backup of the business's accounting/ERP systems made it possible to bring these vital programs back online for users. Although major work remained to recover fully from the Ryuk damage, core systems were recovered quickly:
"For the most part, the assembly line operation never missed a beat and we did not miss any customer deliverables."
During the next month critical milestones in the recovery project were completed through tight cooperation between Progent team members and the client:
- Self-hosted web sites were brought back up without losing any information.
- The MailStore Microsoft Exchange Server with over four million historical emails was restored to operations and accessible to users.
- CRM/Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory capabilities were 100 percent functional.
- A new Palo Alto Networks 850 firewall was brought online.
- Nearly all of the user PCs were being used by staff.
"A lot of what went on that first week is nearly entirely a haze for me, but we will not soon forget the dedication all of you showed to give us our company back. I have trusted Progent for the past ten years, maybe more, and every time Progent has come through and delivered as promised. This event was a Herculean accomplishment."
A potential business catastrophe was dodged through dedicated professionals, a wide spectrum of knowledge, and close teamwork. The post-incident analysis showed that the crypto-ransomware attack described here would have been identified and stopped by modern security technology and NIST Cybersecurity Framework best practices, staff training, and well thought out security procedures for information protection and software patching. The reality remains, however, that government-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware incursion, feel confident that Progent's roster of experts has proven experience in crypto-ransomware defense, removal, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were contributing), thanks very much for allowing me to get rested after we made it over the first week. All of you did a fabulous effort, and if any of you guys are in the Chicago area, a great meal is my treat!"
To read or download a PDF version of this case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Midtown Manhattan a portfolio of remote monitoring and security assessment services to help you reduce your exposure to ransomware. These services use next-generation machine learning to detect zero-day variants of ransomware that are able to get past traditional signature-based security products.
For Midtown Manhattan 24/7 Crypto Remediation Support Services, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection service that incorporates cutting-edge behavior analysis technology to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which easily evade traditional signature-based anti-virus tools. ProSight ASM protects on-premises and cloud-based resources and provides a single platform to automate the complete threat lifecycle, including filtering, detection, mitigation, remediation, and post-attack forensics. Key features include one-click rollback using the Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) managed services offer affordable in-depth security for physical and virtual servers, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics to continuously monitor and react to cyber attacks from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint management, and web filtering via leading-edge tools incorporated within a single agent managed from a single console. Progent's security and virtualization experts can help your business plan and configure a ProSight ESP environment that addresses your organization's unique needs and that helps you demonstrate compliance with government and industry data protection regulations. Progent will help you specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require urgent attention. Progent's consultants can also help you set up and verify a backup and disaster recovery system like ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent provide small and mid-sized organizations a low-cost end-to-end solution for secure backup and disaster recovery (BDR). For a fixed monthly rate, ProSight DPS automates your backup activities and enables rapid recovery of critical data, applications and VMs that have become unavailable or corrupted due to hardware failures, software glitches, disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware images. Important data can be backed up to the cloud, to a local device, or mirrored to both. Progent's backup and recovery specialists can deliver advanced support to configure ProSight DPS to comply with government and industry regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, when needed, can help you recover your business-critical data. Learn more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading data security companies to deliver centralized management and world-class protection for all your email traffic. The architecture of Progent's Email Guard combines a Cloud Protection Layer with an on-premises security gateway appliance to provide complete protection against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based malware. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps most unwanted email from reaching your network firewall. This decreases your exposure to inbound threats and conserves bandwidth and storage space. Email Guard's onsite security gateway device adds a deeper layer of analysis for incoming email. For outbound email, the onsite security gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Exchange Server in monitoring and safeguarding internal email traffic that stays inside your corporate firewall. For more details, see Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to map, track, optimize and troubleshoot their networking appliances like switches, firewalls, and load balancers as well as servers, printers, endpoints and other devices. Using state-of-the-art RMM technology, WAN Watch ensures that network diagrams are always updated, captures and displays the configuration information of almost all devices connected to your network, monitors performance, and sends alerts when potential issues are detected. By automating complex management activities, WAN Watch can knock hours off common tasks like network mapping, reconfiguring your network, locating devices that need critical updates, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management technology to help keep your IT system running efficiently by checking the state of the vital assets that power your business network. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your specified IT management personnel and your assigned Progent engineering consultant so any looming problems can be addressed before they disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual machine host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the applications. Because the system is virtualized, it can be moved immediately to an alternate hardware platform without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and safeguard information about your IT infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be alerted about impending expirations of SSL certificates, domains or warranties. By updating and managing your IT documentation, you can eliminate as much as 50% of the time spent looking for critical information about your network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents related to managing your network infrastructure, like standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're planning enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you need as soon as you need it. Find out more about ProSight IT Asset Management service.