Ransomware : Your Worst Information Technology Nightmare
Ransomware Recovery Professionals

Crypto-ransomware has become a modern cyber pandemic and an extinction-level threat for businesses poorly prepared for an attack. Earlier strains such as the CryptoLocker, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been spreading for years and still inflict havoc. Recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with newer as yet unnamed variants, not only encrypt on-line data but also attack whatever backup and system protection they can reach. Files synchronized to off-site disaster recovery sites can be encrypted as well. In a vulnerable environment this can make restoration hopeless and effectively sets the network back to zero.

Recovering programs and data following a ransomware attack becomes a race against the clock as the targeted business fights to contain the damage, remove the crypto-ransomware and restore mission-critical activity. Because ransomware takes time to spread, attacks are often sprung on weekends and holidays, when a successful intrusion typically takes longer to discover. This multiplies the difficulty of rapidly marshalling and organizing an experienced mitigation team.

Progent offers a variety of support services for securing businesses from crypto-ransomware attacks. These include staff training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with installation of modern security appliances with AI capabilities to quickly detect and extinguish day-zero cyber attacks. Progent also offers the services of seasoned crypto-ransomware recovery consultants with the track record and perseverance to re-deploy a breached system as urgently as possible.

Progent's Ransomware Recovery Support Services
Following a ransomware penetration, paying the ransom in cryptocurrency does not ensure that the remote criminals will respond with the keys needed to decrypt all your data. Kaspersky Labs found that 17% of ransomware victims never recovered their files even after paying the ransom, compounding their losses. The gamble is also expensive: Ryuk ransoms commonly range from 15-40 BTC (roughly $120,000 to $400,000), far above the typical ransomware demand, which ZDNet put at around $13,000. The alternative is to piece the key parts of your IT environment back together. Without complete system backups, this requires a broad complement of skills, top notch project management, and the ability to work 24x7 until the job is finished.

For decades, Progent has offered professional IT services for companies in Lower Manhattan and across the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have attained advanced industry certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have garnered internationally-renowned certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience with financial systems and ERP application software. This breadth of experience affords Progent the skills to quickly understand critical systems and re-organize the surviving components of your IT environment following a ransomware attack and assemble them into a functioning network.

Progent's recovery group has top notch project management systems to coordinate the complicated recovery process. Progent understands the urgency of working rapidly and together with a customer's management and Information Technology team members to assign priority to tasks and to get the most important systems back on line as soon as possible.

Client Story: A Successful Ransomware Attack Response
A customer hired Progent after their organization was penetrated by Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state-sponsored criminal gangs, possibly using algorithms leaked from America's National Security Agency. Ryuk targets specific businesses with little or no ability to sustain operational disruption and is one of the most profitable ransomware variants. Notable targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing business headquartered in the Chicago metro area with around 500 workers. The Ryuk event had shut down all essential business and manufacturing processes. Most of the client's backups had been directly accessible on the network when the attack began and were damaged. The client was preparing to pay the ransom (in excess of $200K) and hoping for good luck, but in the end brought in Progent.


"I can't tell you enough in regards to the help Progent gave us during the most stressful period of (our) company's life. We most likely would have paid the Hackers if it wasn't for the confidence the Progent experts gave us. The fact that you could get our e-mail and critical servers back faster than seven days was amazing. Every single consultant I spoke to or messaged at Progent was laser focused on getting our company operational and was working 24 by 7 to bail us out."

Progent worked with the client to rapidly assess and prioritize the critical services that needed to be addressed to make it possible to restart company operations:

  • Microsoft Active Directory
  • E-Mail
  • Accounting and Manufacturing Software

To get going, Progent followed industry best practices for malware incident response by halting lateral movement and removing active malware. Progent then initiated the process of recovering Microsoft AD, the foundation of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange email will not function without Active Directory, and the client's accounting and MRP applications used Microsoft SQL Server, which relies on Windows AD to authorize access to the data.

In less than 48 hours, Progent was able to recover Active Directory to its pre-intrusion state. Progent then assisted with reinstallations and hard drive recovery of key servers. All Microsoft Exchange Server links and attributes in AD were intact, which greatly helped the rebuild of Exchange. Progent was able to collect intact OST files (Outlook Offline Data Files) from staff workstations and laptops to recover email data. A recent off-line backup of the business's accounting/ERP systems made it possible to bring these required programs back on-line. Although a large amount of work remained to recover completely from the Ryuk event, essential systems were restored quickly:


"For the most part, the assembly line operation was never shut down and we produced all customer orders."
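The OST collection step above depends on knowing which Outlook data files on the workstations survived encryption. The following script is an added example, not Progent's code or part of the original case study: it sweeps user profiles for OST/PST files and checks each for the "!BDN" header that every intact Outlook data file starts with, so a responder can pick the intact copies before pulling them into the Exchange rebuild. The search root, the CSV output path and the file filter are assumptions.

```powershell
# Added example (not from the case study): triage Outlook data files on a
# workstation before collecting them for mailbox recovery. OST and PST files
# begin with the 4-byte magic "!BDN"; a file whose contents were encrypted
# no longer carries that header. Search root is an assumed default.
$SearchRoots = @("$env:SystemDrive\Users")
$Magic       = [byte[]](0x21, 0x42, 0x44, 0x4E)   # ASCII "!BDN"

function Test-OstHeader {
    # Returns $true if the file starts with "!BDN", $false if not,
    # and $null if the file could not be opened (e.g. locked by Outlook).
    param([Parameter(Mandatory)][string]$Path)
    $fs = $null
    try {
        # Open read-only and allow other readers/writers so a running
        # Outlook does not block the check.
        $fs  = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        $buf = New-Object byte[] 4
        if ($fs.Read($buf, 0, 4) -lt 4) { return $false }
        for ($i = 0; $i -lt 4; $i++) {
            if ($buf[$i] -ne $Magic[$i]) { return $false }
        }
        return $true
    } catch {
        return $null
    } finally {
        if ($fs) { $fs.Dispose() }
    }
}

function Get-OstTriage {
    # Enumerates *.ost / *.pst under the search roots and reports header
    # status, size and last-write time. Note: a variant that renames its
    # victims will not match this filter; extend -Include if needed.
    param([string[]]$Roots = $SearchRoots)
    Get-ChildItem -Path $Roots -Recurse -Force -File -Include *.ost, *.pst `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path      = $_.FullName
            SizeMB    = [math]::Round($_.Length / 1MB, 1)
            LastWrite = $_.LastWriteTime
            HeaderOK  = Test-OstHeader -Path $_.FullName
        }
    }
}

# Show intact files last so the damaged and locked ones are visible first,
# and keep a per-host CSV for the recovery team's collection list.
$results = Get-OstTriage
$results | Sort-Object HeaderOK, Path | Format-Table -AutoSize
$results | Export-Csv -Path "$env:TEMP\ost-triage-$env:COMPUTERNAME.csv" -NoTypeInformation
```

A header match only shows the file was not overwritten; the file's LastWrite time relative to the intrusion tells you how much mail the copy actually contains.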

Throughout the following month, key milestones in the recovery project were reached in close cooperation between Progent consultants and the customer:

  • In-house web applications were brought back up with no loss of data.
  • The MailStore Server exceeding four million archived emails was brought on-line and accessible to users.
  • CRM/Customer Orders/Invoices/AP/AR/Inventory Control modules were 100% functional.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Nearly all of the user desktops and notebooks were being used by staff.

"A lot of what transpired in the early hours is nearly entirely a fog for me, but I will not forget the dedication all of the team accomplished to give us our company back. I have been working with Progent for at least 10 years, possibly more, and every time I needed help Progent has come through and delivered as promised. This situation was a Herculean accomplishment."

Conclusion
A potential enterprise-killing catastrophe was averted with results-oriented experts, a broad spectrum of technical expertise, and tight collaboration. Although in hindsight the crypto-ransomware penetration described here could have been identified and prevented with advanced cyber security systems and ISO/IEC 27001 best practices, team training, and appropriate incident response procedures for backup and applying software patches, the reality remains that government-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and are not going away. If you do fall victim to a ransomware penetration, remember that Progent's roster of experts has extensive experience in ransomware virus blocking, mitigation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were helping), thanks very much for letting me get some sleep after we got past the initial fire. All of you did an incredible job, and if any of your team is in the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Lower Manhattan a range of online monitoring and security evaluation services to help you to reduce the threat from crypto-ransomware. These services include next-generation artificial intelligence technology to uncover new strains of ransomware that can escape detection by traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates cutting edge behavior-based analysis tools to guard physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which routinely get by traditional signature-based anti-virus tools. ProSight ASM protects local and cloud resources and provides a single platform to address the entire threat lifecycle including protection, infiltration detection, mitigation, remediation, and post-attack forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable in-depth security for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring and responding to security assaults from all attack vectors. ProSight ESP offers two-way firewall protection, penetration alarms, device management, and web filtering via leading-edge technologies incorporated within one agent managed from a unified console. Progent's data protection and virtualization experts can help you to design and configure a ProSight ESP deployment that addresses your company's specific requirements and that helps you demonstrate compliance with legal and industry information protection standards. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require urgent attention. Progent's consultants can also assist your company to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized businesses a low cost end-to-end solution for reliable backup/disaster recovery. For a low monthly cost, ProSight Data Protection Services automates and monitors your backup processes and allows rapid restoration of vital data, applications and VMs that have become lost or damaged due to hardware failures, software glitches, disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, apps, system images, plus Hyper-V and VMware images. Critical data can be protected on the cloud, to a local storage device, or mirrored to both. Progent's BDR consultants can deliver advanced expertise to configure ProSight Data Protection Services to comply with regulatory requirements such as HIPAA, FERPA, and PCI and, whenever needed, can assist you to recover your business-critical information. Find out more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top information security companies to deliver web-based control and comprehensive protection for all your email traffic. The hybrid structure of Email Guard combines cloud-based filtering with a local gateway device to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's cloud filter serves as a first line of defense and blocks most threats from making it to your security perimeter. This decreases your vulnerability to external attacks and saves network bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a deeper layer of analysis for incoming email. For outbound email, the on-premises security gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Exchange Server to track and safeguard internal email traffic that stays inside your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to map out, monitor, enhance and troubleshoot their connectivity hardware such as routers and switches, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network diagrams are kept updated, captures and manages the configuration of virtually all devices connected to your network, monitors performance, and sends notices when issues are detected. By automating tedious network management processes, WAN Watch can knock hours off ordinary tasks such as making network diagrams, expanding your network, locating devices that need critical software patches, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) technology to keep your IT system running at peak levels by tracking the health of critical assets that power your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your specified IT personnel and your Progent engineering consultant so any potential issues can be resolved before they can impact your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host configured and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the apps. Because the environment is virtualized, it can be moved easily to a different hardware environment without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied to one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and safeguard information about your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be warned about impending expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT infrastructure documentation, you can eliminate up to 50% of time wasted looking for critical information about your IT network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents required for managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're planning improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.

For 24x7x365 Lower Manhattan CryptoLocker Remediation Services, call Progent at 800-993-9400 or go to Contact Progent.