Crypto-Ransomware : Your Feared Information Technology Catastrophe
Ransomware  Recovery ExpertsRansomware has become a modern cyberplague that presents an enterprise-level threat for businesses of all sizes poorly prepared for an assault. Versions of crypto-ransomware like the Reveton, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been replicating for a long time and still cause harm. Modern strains of ransomware such as Ryuk and Hermes, along with frequent as yet unnamed malware, not only do encryption of on-line data files but also infiltrate any configured system backup. Data synched to off-site disaster recovery sites can also be encrypted. In a poorly architected environment, this can render any recovery hopeless and effectively sets the datacenter back to square one.

Recovering services and data after a ransomware outage becomes a race against the clock as the targeted organization struggles to contain the damage and clear the crypto-ransomware and to resume enterprise-critical activity. Since ransomware requires time to move laterally, penetrations are frequently sprung at night, when penetrations may take longer to discover. This compounds the difficulty of rapidly mobilizing and coordinating a capable mitigation team.

Progent has an assortment of support services for protecting enterprises from ransomware penetrations. These include team member education to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of next-generation security appliances with artificial intelligence capabilities to quickly detect and quarantine day-zero cyber threats. Progent also offers the services of experienced crypto-ransomware recovery consultants with the skills and commitment to re-deploy a breached environment as quickly as possible.

Progent's Crypto-Ransomware Restoration Help
Following a crypto-ransomware event, sending the ransom demands in cryptocurrency does not ensure that criminal gangs will return the needed keys to decipher any of your information. Kaspersky Labs determined that 17% of ransomware victims never restored their files even after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is greatly higher than the usual ransomware demands, which ZDNET averages to be around $13,000. The fallback is to re-install the essential components of your Information Technology environment. Without the availability of full information backups, this calls for a broad complement of skill sets, professional project management, and the willingness to work continuously until the task is completed.

For decades, Progent has made available expert Information Technology services for businesses in Lower Manhattan and throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have earned top industry certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has expertise in financial systems and ERP applications. This breadth of expertise gives Progent the skills to quickly determine necessary systems and integrate the remaining pieces of your Information Technology system following a crypto-ransomware event and rebuild them into an operational system.

Progent's recovery group uses state-of-the-art project management tools to orchestrate the complicated recovery process. Progent knows the urgency of working swiftly and in unison with a customerís management and IT staff to prioritize tasks and to put the most important services back on line as soon as possible.

Case Study: A Successful Ransomware Incident Restoration
A business sought out Progent after their network was crashed by Ryuk ransomware virus. Ryuk is generally considered to have been developed by North Korean government sponsored hackers, suspected of using technology leaked from the U.S. NSA organization. Ryuk goes after specific businesses with little or no ability to sustain disruption and is among the most profitable examples of ransomware malware. Headline victims include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturer located in the Chicago metro area and has around 500 staff members. The Ryuk attack had shut down all business operations and manufacturing capabilities. The majority of the client's data protection had been online at the beginning of the attack and were eventually encrypted. The client was taking steps for paying the ransom (in excess of $200K) and wishfully thinking for the best, but ultimately made the decision to use Progent.


"I cannot thank you enough about the expertise Progent gave us during the most fearful time of (our) companyís life. We most likely would have paid the cyber criminals behind the attack if not for the confidence the Progent group provided us. The fact that you were able to get our messaging and production servers back into operation quicker than one week was incredible. Each staff member I worked with or e-mailed at Progent was urgently focused on getting our system up and was working at all hours to bail us out."

Progent worked with the client to rapidly get our arms around and prioritize the most important elements that needed to be addressed to make it possible to resume business operations:

  • Microsoft Active Directory
  • E-Mail
  • MRP System
To start, Progent adhered to Anti-virus incident response best practices by isolating and clearing infected systems. Progent then began the work of rebuilding Active Directory, the key technology of enterprise networks built upon Microsoft technology. Microsoft Exchange Server messaging will not operate without AD, and the businessesí financials and MRP software leveraged Microsoft SQL Server, which needs Windows AD for access to the data.

In less than 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then initiated rebuilding and storage recovery on needed applications. All Exchange Server schema and attributes were usable, which greatly helped the restore of Exchange. Progent was able to collect intact OST data files (Outlook Email Offline Data Files) on team workstations and laptops in order to recover email data. A not too old off-line backup of the client's financials/MRP software made them able to return these required applications back available to users. Although major work was left to recover completely from the Ryuk virus, core services were restored rapidly:


"For the most part, the production operation did not miss a beat and we delivered all customer sales."

During the next few weeks important milestones in the restoration process were accomplished through tight cooperation between Progent engineers and the client:

  • Internal web applications were restored without losing any information.
  • The MailStore Microsoft Exchange Server containing more than four million historical emails was brought online and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control functions were fully recovered.
  • A new Palo Alto Networks 850 firewall was set up.
  • 90% of the user desktops and notebooks were back into operation.

"A lot of what happened during the initial response is nearly entirely a haze for me, but I will not forget the dedication all of your team put in to give us our business back. I have been working together with Progent for the past 10 years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered. This time was a Herculean accomplishment."

Conclusion
A probable business-killing disaster was dodged due to dedicated experts, a broad array of IT skills, and close collaboration. Although in hindsight the ransomware virus penetration detailed here could have been blocked with current cyber security systems and best practices, staff education, and well designed security procedures for information backup and applying software patches, the fact remains that government-sponsored cyber criminals from Russia, China and elsewhere are relentless and will continue. If you do get hit by a ransomware attack, remember that Progent's roster of experts has a proven track record in ransomware virus defense, removal, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thank you for letting me get some sleep after we made it past the initial push. All of you did an fabulous effort, and if anyone that helped is visiting the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer story, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Lower Manhattan a range of remote monitoring and security evaluation services to help you to reduce the threat from crypto-ransomware. These services incorporate next-generation machine learning capability to detect new variants of ransomware that are able to evade traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes next generation behavior-based machine learning tools to guard physical and virtual endpoints against modern malware assaults like ransomware and email phishing, which routinely get by traditional signature-based anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a single platform to automate the entire malware attack lifecycle including blocking, detection, mitigation, remediation, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver economical multi-layer security for physical and virtual servers, desktops, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP offers two-way firewall protection, penetration alerts, endpoint control, and web filtering through cutting-edge tools incorporated within one agent accessible from a single control. Progent's security and virtualization consultants can assist you to plan and implement a ProSight ESP deployment that meets your company's unique requirements and that helps you prove compliance with legal and industry data protection regulations. Progent will assist you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for immediate attention. Progent's consultants can also help your company to set up and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized businesses a low cost and fully managed solution for secure backup/disaster recovery. For a fixed monthly rate, ProSight Data Protection Services automates and monitors your backup processes and enables fast restoration of critical files, applications and virtual machines that have become unavailable or damaged due to component failures, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, plus Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to an on-promises storage device, or mirrored to both. Progent's cloud backup specialists can deliver advanced support to set up ProSight DPS to to comply with regulatory standards such as HIPPA, FIRPA, and PCI and, whenever needed, can help you to restore your critical data. Find out more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of leading information security vendors to deliver centralized control and comprehensive security for all your email traffic. The powerful architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with a local gateway device to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and blocks most unwanted email from making it to your network firewall. This reduces your vulnerability to inbound attacks and conserves network bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a deeper layer of inspection for inbound email. For outbound email, the onsite gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email that stays inside your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progentís ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller businesses to map, monitor, enhance and troubleshoot their networking appliances such as switches, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are kept current, captures and manages the configuration information of virtually all devices on your network, tracks performance, and generates notices when problems are detected. By automating complex network management processes, ProSight WAN Watch can cut hours off common tasks like making network diagrams, reconfiguring your network, finding appliances that need critical updates, or isolating performance problems. Learn more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management technology to help keep your IT system running at peak levels by checking the state of critical computers that power your business network. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your designated IT personnel and your assigned Progent consultant so any potential problems can be resolved before they have a chance to disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected Tier III data center on a fast virtual host configured and managed by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the client owns the data, the OS software, and the apps. Because the system is virtualized, it can be moved immediately to an alternate hosting environment without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not tied one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and protect information related to your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates ,domains or warranties. By cleaning up and organizing your IT documentation, you can eliminate as much as 50% of time spent searching for critical information about your network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents related to managing your network infrastructure like recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether youíre planning improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.
For Lower Manhattan 24/7/365 Crypto-Ransomware Remediation Help, contact Progent at 800-993-9400 or go to Contact Progent.