Ransomware : Your Crippling Information Technology Nightmare
Ransomware Remediation Consultants
Ransomware has become an escalating cyberplague that poses an enterprise-level threat to businesses of any size that are unprepared for an attack. Older families such as Reveton, CryptoWall, Bad Rabbit, SamSam and MongoLock have been around for years and still cause damage. More recent crypto-ransomware variants such as Ryuk and Hermes, plus frequent unnamed strains, not only encrypt online files but also infect every system backup they can reach. Information replicated to the cloud can also be ransomed. In a poorly architected environment, this can render automated restore operations hopeless and effectively set the network back to zero.

Getting programs and information back after a ransomware intrusion becomes a sprint against the clock as the targeted business tries to stop the spread, eradicate the ransomware and resume business-critical operations. Because ransomware needs time to spread, attacks are frequently launched during weekends and nights, when an intrusion may take longer to recognize. This multiplies the difficulty of quickly assembling and organizing a knowledgeable mitigation team.

Progent offers a range of services for securing enterprises against ransomware attacks. Among these are staff training to help employees recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of modern security solutions that use artificial intelligence to identify and suppress zero-day threats. Progent also provides seasoned ransomware recovery professionals with the skills and perseverance to restore a breached system as urgently as possible.

Progent's Crypto-Ransomware Restoration Support Services
Following a ransomware penetration, even paying the ransom in Bitcoin provides no assurance that the criminals will hand over the keys needed to decrypt all your information. Kaspersky estimated that 17% of ransomware victims never recovered their data after sending the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET determined to be in the range of $13,000. The other path is to set up the mission-critical components of your IT environment from scratch. Without full system backups, this calls for a broad range of skill sets, professional team management, and the capacity to work 24x7 until the job is complete.

For two decades, Progent has offered professional IT services to companies in Allentown and across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who hold advanced industry certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise in accounting and ERP software solutions. This breadth of expertise gives Progent the skills to quickly identify the systems that matter, organize the remaining pieces of your IT environment after a ransomware attack, and reassemble them into a functioning network.

Progent's recovery team uses best-of-breed project management tools to coordinate the complex recovery process. Progent understands the urgency of acting swiftly and in concert with a client's management and IT staff to prioritize tasks and bring critical systems back online as fast as possible.

Customer Case Study: A Successful Crypto-Ransomware Incident Response
A business engaged Progent after its network was taken over by the Ryuk ransomware. Ryuk is generally believed to have been deployed by North Korean state-sponsored hackers, suspected of using technology leaked from the U.S. National Security Agency. Ryuk targets specific businesses with little or no ability to sustain operational disruption and is among the most lucrative ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in the Chicago metro area with around 500 staff members. The Ryuk attack had brought down all business operations and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were encrypted. The client was considering paying the ransom (more than $200,000) and hoping for the best, but ultimately decided to engage Progent.


"I cannot say enough about the support Progent provided us throughout the most critical time of (our) company's survival. We most likely would have paid the hackers behind this attack if it wasn't for the confidence the Progent team gave us. That you could get our e-mail system and key applications back on-line faster than seven days was beyond my wildest dreams. Each person I worked with or communicated with at Progent was urgently focused on getting us working again and was working at all hours on our behalf."

Progent worked hand in hand with the client to rapidly identify and prioritize the critical elements that had to be restored in order to restart departmental operations:

  • Microsoft Active Directory
  • Electronic Mail
  • MRP System

To begin, Progent followed incident response best practices by isolating infected systems and removing active malware. Progent then started bringing Microsoft AD back online, since it is the core of enterprise environments built on Microsoft Windows technology. Exchange messaging will not function without Windows AD, and the customer's financials and MRP software used SQL Server, which depends on Windows AD for authentication to the databases.

In less than 48 hours, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then initiated reinstallation and storage recovery of the needed servers. All Exchange data and attributes were usable, which accelerated the restoration of Exchange. Progent was also able to collect local OST files (Outlook Offline Folder Files) from user desktop computers in order to recover mail messages. A recent offline backup of the business's accounting/MRP software made it possible to bring these vital applications back into service. Although a great deal of work remained to recover fully from the Ryuk attack, critical systems were restored rapidly:


"For the most part, the manufacturing operation never missed a beat and we did not miss any customer deliverables."

Throughout the next couple of weeks important milestones in the recovery project were achieved through close collaboration between Progent team members and the client:

  • Self-hosted web applications were restored without losing any information.
  • The MailStore archive for Microsoft Exchange Server, holding more than 4 million historical emails, was spun up and available to users.
  • CRM/Orders/Invoicing/AP/Accounts Receivables/Inventory Control modules were 100% recovered.
  • A new Palo Alto Networks 850 firewall was set up and programmed.
  • Most user workstations were back in use by staff.

"A lot of what was accomplished those first few days is mostly a fog for me, but I will not soon forget the countless hours each and every one of the team put in to help get our company back. I've trusted Progent for the past 10 years, possibly more, and every time Progent has come through and delivered. This situation was a Herculean accomplishment."

Conclusion
A likely enterprise-killing catastrophe was averted through the efforts of hard-working experts, a wide range of knowledge, and close collaboration. In hindsight, the ransomware incident described here should have been stopped by up-to-date security technology, NIST Cybersecurity Framework best practices, user and IT administrator training, well thought out incident response procedures for information protection, and proper patching controls. The reality, however, is that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware attack, remember that Progent's team of experts has proven experience in ransomware defense, removal, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were contributing), thanks very much for making it so I could get rested after we made it over the first week. Everyone did a fabulous job, and if any of your guys is in the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this customer story, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Allentown a portfolio of online monitoring and security evaluation services designed to help you reduce the threat from ransomware. These services use modern machine learning to uncover new strains of crypto-ransomware that evade detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that utilizes next generation behavior analysis technology to defend physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely get by legacy signature-matching AV products. ProSight Active Security Monitoring safeguards local and cloud resources and provides a single platform to automate the entire threat lifecycle including filtering, identification, containment, cleanup, and post-attack forensics. Key features include one-click rollback using Windows VSS and automatic network-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer security for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring of and response to attacks from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge technologies incorporated within one agent managed from a single console. Progent's data protection and virtualization consultants can help your business design and implement a ProSight ESP deployment that addresses your organization's unique requirements and allows you to demonstrate compliance with legal and industry data protection standards. Progent will assist you in specifying and implementing the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require urgent action. Progent can also help your company set up and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and mid-sized businesses an affordable and fully managed service for secure backup and disaster recovery (BDR). For a low monthly cost, ProSight DPS automates your backup processes and enables rapid recovery of vital data, apps and virtual machines that have been lost or damaged as a result of component breakdowns, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware images. Critical data can be backed up to the cloud, to a local device, or mirrored to both. Progent's backup and recovery specialists can deliver world-class support to set up ProSight DPS to comply with regulatory requirements like HIPAA, FINRA, and PCI and, whenever needed, can assist you in recovering your business-critical information. Read more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading information security vendors to deliver centralized control and world-class security for all your email traffic. The powerful architecture of the Email Guard managed service integrates a Cloud Protection Layer with an on-premises security gateway appliance to provide complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The Cloud Protection Layer acts as a preliminary barricade and keeps most unwanted email from reaching your network firewall. This decreases your exposure to inbound attacks and saves system bandwidth and storage space. Email Guard's onsite gateway appliance provides a deeper level of analysis for inbound email. For outbound email, the on-premises gateway provides AV and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server in monitoring and protecting internal email that originates and ends inside your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller organizations to map, track, optimize and debug their networking appliances like switches, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology maps are kept current, copies and manages the configuration of virtually all devices on your network, monitors performance, and sends notices when potential issues are discovered. By automating complex management and troubleshooting activities, ProSight WAN Watch can cut hours off ordinary tasks such as making network diagrams, reconfiguring your network, locating devices that require critical software patches, or isolating performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management techniques to keep your IT system running efficiently by tracking the health of the critical computers that power your business network. When ProSight LAN Watch detects a problem, an alert is sent immediately to your designated IT management personnel and your assigned Progent consultant so that potential problems can be resolved before they impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected, fault-tolerant data center on a fast virtual machine host set up and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the applications. Because the environment is virtualized, it can be ported easily to an alternate hardware environment without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and protect information about your network infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates, domains or warranties. By updating and organizing your IT infrastructure documentation, you can eliminate as much as half the time wasted looking for critical information about your IT network. ProSight IT Asset Management features a centralized repository for holding and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're planning improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

For Allentown 24-Hour Crypto-Ransomware Repair Experts, call Progent at 800-993-9400 or go to Contact Progent.