Crypto-Ransomware : Your Crippling IT Disaster
Ransomware has become a modern cyberplague that represents an extinction-level threat for businesses of all sizes that are unprepared for an attack. Different versions of crypto-ransomware such as Reveton, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been circulating for many years and still wreak havoc. Recent versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, along with as-yet-unnamed newcomers appearing daily, not only encrypt online critical data but also compromise most available system protection mechanisms. Information synchronized to cloud environments can also be rendered useless. In a poorly designed environment, this can make any recovery impossible and knock the entire system back to square one.
Restoring services and information following a crypto-ransomware event becomes a sprint against the clock as the targeted organization struggles to stop the spread, remove the ransomware, and restore mission-critical activity. Since ransomware requires time to spread, attacks are usually sprung on weekends, when they are likely to take longer to discover. This multiplies the difficulty of promptly assembling and orchestrating an experienced response team.
Progent provides a variety of services for securing businesses against ransomware events. Among these are user education to help staff recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of modern security solutions with artificial intelligence capabilities to quickly discover and extinguish new threats. Progent can also provide the services of seasoned ransomware recovery professionals with the skills and commitment to reconstruct a compromised system as quickly as possible.
Progent's Ransomware Recovery Services
Following a crypto-ransomware event, paying the ransom demand in Bitcoin cryptocurrency does not guarantee that the remote criminals will provide the keys needed to decrypt any of your data. Kaspersky Labs determined that 17% of ransomware victims never recovered their information even after paying the ransom, resulting in increased losses. The ransom itself is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far above the usual ransomware demand, which ZDNET estimates to average around $13,000. The alternative is to rebuild the critical elements of your IT environment. Without access to essential system backups, this calls for a broad range of IT skills, well-coordinated team management, and the willingness to work non-stop until the task is completed.
For decades, Progent has provided certified expert IT services for businesses in Midtown Manhattan and throughout the US and has achieved Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who hold advanced certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have earned internationally recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has experience in financial systems and ERP applications. This breadth of experience gives Progent the capability to knowledgeably identify critical systems, organize the surviving pieces of your information technology environment following a ransomware event, and assemble them into a functioning system.
Progent's security team uses top-notch project management applications to orchestrate the complex recovery process. Progent understands the importance of working swiftly and in concert with a customer's management and IT resources to prioritize tasks and put critical services back online as fast as possible.
Client Story: A Successful Ransomware Attack Response
A customer sought out Progent after their network was taken over by Ryuk ransomware. Ryuk is thought to have been launched by North Korean government-sponsored hackers, possibly using technology leaked from the U.S. NSA. Ryuk targets specific companies with little tolerance for disruption and is among the most lucrative versions of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in the Chicago metro area with about 500 staff members. The Ryuk intrusion had paralyzed all essential business operations and manufacturing processes. The majority of the client's backups had been directly accessible from the network at the time of the attack and were damaged. The client was considering paying the ransom demand (more than $200,000) and hoping for the best, but in the end engaged Progent.
"I can't thank you enough for the care Progent provided us during the most fearful period of (our) company's survival. We had little choice but to pay the cyber criminals behind the attack except for the confidence the Progent group gave us. That you could get our e-mail system and critical applications back into operation in less than seven days was incredible. Every single staff member I worked with or e-mailed at Progent was totally committed to getting my company operational and was working at all hours to bail us out."
Progent worked hand in hand with the client to rapidly understand and prioritize the essential areas that had to be recovered in order to resume company operations:
- Windows Active Directory
- Microsoft Exchange
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for malware incident response by stopping lateral movement and cleaning up compromised systems. Progent then started the work of rebuilding Active Directory, the key technology of enterprise networks built on Microsoft technology. Microsoft Exchange Server email will not function without AD, and the business's accounting and MRP applications used Microsoft SQL Server, which relies on Active Directory for authentication and authorization to the database.
In less than 2 days, Progent was able to restore Active Directory services to their pre-attack state. Progent then helped perform setup and storage recovery for mission-critical applications. All Exchange Server schema and attributes were intact, which greatly helped the rebuild of Exchange. Progent was able to collect intact OST files (Outlook Offline Data Files) from staff desktop computers and laptops to recover mail data. A relatively recent offline backup of the client's financials/ERP software made it possible to bring these vital applications back online. Although a large amount of work still had to be done to recover fully from the Ryuk attack, critical services were restored quickly:
"For the most part, the production manufacturing operation showed little impact and we did not miss any customer deliverables."
During the following month, key milestones in the restoration project were reached through tight collaboration between Progent consultants and the customer:
- In-house web applications were brought back up without losing any information.
- The MailStore Microsoft Exchange Server with over four million archived messages was brought on-line and available for users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control modules were 100 percent restored.
- A new Palo Alto 850 security appliance was brought on-line.
- Ninety percent of the desktops and laptops were operational.
"So much of what went on in the initial days is mostly a blur for me, but my team will not forget the urgency each of you accomplished to help get our company back. I have been working with Progent for at least 10 years, possibly more, and each time Progent has shined and delivered as promised. This event was the most impressive ever."
A potential enterprise-killing disaster was averted by top-tier professionals, a broad range of technical expertise, and tight collaboration. In hindsight, the ransomware attack described here would have been identified and prevented with modern security technology, ISO/IEC 27001 best practices, user education, and well-designed incident response procedures covering information backup and proper patch management. The fact remains, however, that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware attack, remember that Progent's team of professionals has extensive experience in ransomware defense, removal, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were helping), I'm grateful for letting me get some sleep after we made it over the initial push. All of you did an impressive job, and if any of your guys are around the Chicago area, a great meal is my treat!"
To review or download a PDF version of this customer story, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers companies in Midtown Manhattan a portfolio of online monitoring and security evaluation services designed to help you reduce your exposure to crypto-ransomware. These services include next-generation AI technology to detect new strains of crypto-ransomware that can evade detection by traditional signature-based security products.
For 24-7 Midtown Manhattan Ransomware Remediation Experts, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection service that uses behavior-based machine learning tools to defend physical and virtual endpoint devices against new malware assaults such as ransomware and email phishing, which routinely get past traditional signature-matching AV products. ProSight ASM protects on-premises and cloud-based resources and offers a unified platform to automate the entire threat lifecycle, including blocking, detection, containment, cleanup, and post-attack forensics. Key features include one-click rollback using Windows VSS snapshots and real-time system-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and response to security attacks from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint management, and web filtering through tools incorporated within a single agent managed from a unified console. Progent's data protection and virtualization experts can help your business plan and implement a ProSight ESP environment that addresses your organization's specific needs and allows you to demonstrate compliance with legal and industry data security standards. Progent will help you specify and configure the policies that ProSight ESP enforces, and Progent will monitor your IT environment and react to alerts that call for urgent attention. Progent's consultants can also help your company install and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services provide small and mid-sized businesses an affordable and fully managed service for secure backup and disaster recovery. Available at a low monthly rate, ProSight DPS automates and monitors your backup processes and allows rapid restoration of vital files, applications and virtual machines that have become unavailable or corrupted as a result of hardware failures, software glitches, disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to an on-premises storage device, or mirrored to both. Progent's backup and recovery consultants can deliver advanced expertise to configure ProSight DPS to comply with government and industry regulatory standards like HIPAA, FINRA, and PCI and, whenever needed, can assist you in recovering your critical data. Find out more about ProSight DPS Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading information security vendors to deliver centralized management and world-class security for your inbound and outbound email. The hybrid structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local gateway appliance to provide advanced defense against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-based malware. Email Guard's cloud filter acts as a preliminary barrier and keeps most threats from reaching your network firewall. This reduces your exposure to inbound threats and saves system bandwidth and storage space. Email Guard's onsite gateway device provides a further layer of inspection for incoming email. For outbound email, the on-premises gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises gateway can also help Exchange Server track and safeguard internal email traffic that originates and ends inside your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to map out, monitor, optimize and debug their networking appliances like switches, firewalls, and wireless controllers as well as servers, printers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network maps are kept current, copies and manages the configuration information of virtually all devices on your network, monitors performance, and generates alerts when problems are discovered. By automating tedious network management processes, ProSight WAN Watch can knock hours off common tasks like making network diagrams, expanding your network, finding appliances that require critical software patches, or resolving performance problems. Find out more details about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) technology to help keep your IT system operating at peak levels by tracking the state of the critical assets that power your business network. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your designated IT management personnel and your assigned Progent engineering consultant so that potential issues can be addressed before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With the ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host set up and maintained by Progent's network support experts. Under the ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the applications. Because the environment is virtualized, it can be ported easily to alternate hardware without requiring a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to capture, update, find and safeguard information about your IT infrastructure, procedures, business applications, and services. You can quickly locate passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your network documentation, you can save up to half of the time spent searching for critical information about your network. ProSight IT Asset Management includes a common location for storing and collaborating on all documents related to managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether you're making enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you require as soon as you need it. Read more about the ProSight IT Asset Management service.