Crypto-Ransomware : Your Worst IT Disaster
Ransomware  Remediation ExpertsRansomware has become a modern cyber pandemic that poses an existential danger for organizations unprepared for an assault. Multiple generations of ransomware such as Reveton, WannaCry, Locky, Syskey and MongoLock cryptoworms have been circulating for years and still cause damage. Recent strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, as well as daily unnamed malware, not only encrypt online data files but also infect any configured system backup. Data synched to the cloud can also be corrupted. In a vulnerable environment, this can render automated recovery useless and basically sets the network back to square one.

Getting back online applications and information following a ransomware intrusion becomes a race against the clock as the targeted business tries its best to stop lateral movement and cleanup the ransomware and to resume enterprise-critical activity. Since ransomware requires time to spread, assaults are usually launched during weekends and nights, when successful penetrations may take more time to discover. This multiplies the difficulty of rapidly assembling and orchestrating an experienced response team.

Progent has an assortment of solutions for protecting enterprises from ransomware attacks. Among these are team member education to become familiar with and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of next-generation security gateways with artificial intelligence capabilities to intelligently detect and quarantine day-zero cyber attacks. Progent in addition provides the assistance of veteran ransomware recovery consultants with the skills and commitment to rebuild a breached environment as quickly as possible.

Progent's Crypto-Ransomware Restoration Support Services
Following a ransomware event, sending the ransom demands in cryptocurrency does not provide any assurance that criminal gangs will respond with the needed codes to decrypt all your information. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never recovered their data after having paid the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the usual crypto-ransomware demands, which ZDNET averages to be approximately $13,000. The alternative is to setup from scratch the critical components of your Information Technology environment. Without the availability of complete data backups, this calls for a broad complement of skills, top notch project management, and the capability to work non-stop until the recovery project is over.

For decades, Progent has offered expert Information Technology services for businesses in Lower Manhattan and throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have been awarded advanced industry certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have garnered internationally-renowned certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience in accounting and ERP software solutions. This breadth of expertise gives Progent the skills to efficiently ascertain critical systems and integrate the surviving pieces of your computer network system after a ransomware attack and configure them into a functioning network.

Progent's security team deploys powerful project management applications to coordinate the complicated restoration process. Progent knows the urgency of acting rapidly and in unison with a customerís management and Information Technology resources to assign priority to tasks and to put key systems back on line as soon as possible.

Case Study: A Successful Ransomware Virus Recovery
A client engaged Progent after their company was taken over by the Ryuk ransomware. Ryuk is believed to have been created by Northern Korean government sponsored cybercriminals, possibly using strategies leaked from the U.S. National Security Agency. Ryuk attacks specific organizations with little or no tolerance for disruption and is among the most profitable instances of ransomware viruses. Major victims include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in the Chicago metro area with around 500 workers. The Ryuk attack had disabled all company operations and manufacturing processes. The majority of the client's backups had been on-line at the time of the attack and were destroyed. The client was pursuing financing for paying the ransom (exceeding $200K) and praying for good luck, but ultimately called Progent.


"I cannot thank you enough in regards to the support Progent gave us throughout the most critical time of (our) companyís existence. We had little choice but to pay the Hackers if it wasnít for the confidence the Progent group afforded us. That you were able to get our e-mail and essential servers back online sooner than seven days was incredible. Every single staff member I got help from or texted at Progent was hell bent on getting our company operational and was working breakneck pace on our behalf."

Progent worked hand in hand the client to rapidly get our arms around and prioritize the key elements that needed to be restored in order to restart departmental operations:

  • Windows Active Directory
  • Microsoft Exchange
  • MRP System
To start, Progent adhered to ransomware event mitigation best practices by stopping lateral movement and disinfecting systems. Progent then initiated the work of bringing back online Microsoft AD, the foundation of enterprise networks built upon Microsoft Windows technology. Exchange email will not function without Active Directory, and the client's financials and MRP applications utilized Microsoft SQL Server, which requires Active Directory services for authentication to the database.

In less than 2 days, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then helped perform setup and hard drive recovery on mission critical applications. All Microsoft Exchange Server data and configuration information were usable, which facilitated the restore of Exchange. Progent was able to find intact OST data files (Outlook Email Offline Folder Files) on staff PCs and laptops in order to recover email data. A not too old off-line backup of the businesses financials/MRP systems made it possible to restore these required services back available to users. Although significant work needed to be completed to recover totally from the Ryuk damage, core systems were returned to operations quickly:


"For the most part, the production line operation never missed a beat and we made all customer deliverables."

During the following month critical milestones in the recovery process were accomplished through close cooperation between Progent team members and the customer:

  • In-house web applications were brought back up with no loss of information.
  • The MailStore Microsoft Exchange Server with over 4 million archived messages was brought online and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/AR/Inventory capabilities were completely operational.
  • A new Palo Alto Networks 850 security appliance was installed.
  • Ninety percent of the desktop computers were fully operational.

"Much of what was accomplished in the initial days is mostly a haze for me, but my management will not soon forget the dedication each of the team put in to give us our business back. Iíve entrusted Progent for at least 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered. This time was a life saver."

Conclusion
A probable business-ending disaster was dodged with hard-working experts, a broad range of IT skills, and close collaboration. Although in retrospect the crypto-ransomware penetration detailed here should have been identified and blocked with current cyber security technology and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, and well thought out security procedures for information protection and proper patching controls, the reality remains that government-sponsored cybercriminals from Russia, China and elsewhere are relentless and are an ongoing threat. If you do get hit by a ransomware penetration, remember that Progent's team of experts has proven experience in ransomware virus blocking, cleanup, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thank you for letting me get rested after we got over the most critical parts. Everyone did an fabulous job, and if any of your guys is around the Chicago area, a great meal is my treat!"

To review or download a PDF version of this case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Lower Manhattan a range of online monitoring and security assessment services designed to assist you to reduce your vulnerability to ransomware. These services incorporate modern artificial intelligence technology to uncover zero-day strains of crypto-ransomware that are able to get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates next generation behavior analysis tools to defend physical and virtual endpoints against modern malware assaults like ransomware and email phishing, which easily escape legacy signature-matching anti-virus products. ProSight ASM protects on-premises and cloud-based resources and offers a single platform to automate the entire threat lifecycle including filtering, infiltration detection, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection services offer economical multi-layer security for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and reacting to cyber assaults from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device management, and web filtering via leading-edge technologies incorporated within a single agent accessible from a unified control. Progent's data protection and virtualization experts can help you to design and implement a ProSight ESP environment that meets your organization's unique needs and that helps you achieve and demonstrate compliance with government and industry data security regulations. Progent will assist you specify and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require immediate attention. Progent can also help your company to set up and verify a backup and restore solution like ProSight Data Protection Services so you can get back in business rapidly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized organizations a low cost and fully managed service for reliable backup/disaster recovery. For a low monthly cost, ProSight Data Protection Services automates and monitors your backup processes and enables fast recovery of critical data, applications and VMs that have become unavailable or corrupted as a result of component failures, software glitches, natural disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware images/. Important data can be protected on the cloud, to an on-promises storage device, or mirrored to both. Progent's cloud backup consultants can provide world-class expertise to configure ProSight DPS to be compliant with government and industry regulatory standards like HIPAA, FINRA, and PCI and, when needed, can assist you to recover your business-critical data. Find out more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading information security companies to provide web-based control and world-class security for your email traffic. The powerful architecture of Email Guard managed service integrates cloud-based filtering with a local security gateway appliance to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne malware. The cloud filter acts as a preliminary barricade and blocks most threats from making it to your security perimeter. This reduces your vulnerability to external threats and saves network bandwidth and storage space. Email Guard's onsite security gateway device provides a further level of analysis for incoming email. For outbound email, the on-premises security gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also assist Exchange Server to monitor and protect internal email that originates and ends within your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller organizations to map out, track, optimize and troubleshoot their connectivity hardware like routers, firewalls, and access points as well as servers, printers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology maps are always current, captures and manages the configuration of almost all devices on your network, monitors performance, and sends notices when problems are discovered. By automating time-consuming management activities, ProSight WAN Watch can knock hours off ordinary chores like network mapping, reconfiguring your network, finding devices that require important updates, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management techniques to help keep your network running efficiently by checking the state of vital computers that power your business network. When ProSight LAN Watch detects a problem, an alert is sent automatically to your specified IT management staff and your Progent consultant so that all looming problems can be resolved before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure fault tolerant data center on a fast virtual host set up and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the applications. Because the system is virtualized, it can be ported easily to a different hosting solution without requiring a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and safeguard data related to your network infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates ,domains or warranties. By updating and organizing your network documentation, you can eliminate as much as half of time wasted looking for critical information about your network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents required for managing your business network such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether youíre making enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you require when you need it. Read more about Progent's ProSight IT Asset Management service.
For Lower Manhattan 24-Hour Crypto-Ransomware Cleanup Services, reach out to Progent at 800-462-8800 or go to Contact Progent.