Ransomware : Your Feared IT Catastrophe
Crypto-Ransomware Remediation Professionals

Ransomware has become an escalating cyber pandemic that poses an existential threat for businesses vulnerable to an attack. Multiple generations of ransomware like the Dharma, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for years and continue to cause destruction. Recent strains of ransomware like Ryuk and Hermes, along with more unnamed viruses, not only encrypt on-line files but also infect all available system restores and backups. Information synchronized to the cloud can also be rendered useless. In a vulnerable data protection solution, this can render automated recovery impossible and effectively sets the network back to zero.

Retrieving programs and data following a crypto-ransomware intrusion becomes a race against time as the targeted organization tries its best to contain and clear the virus and to resume enterprise-critical activity. Since crypto-ransomware needs time to replicate, attacks are usually sprung on weekends and holidays, when successful attacks typically take longer to uncover. This compounds the difficulty of rapidly marshalling and coordinating an experienced mitigation team.

Progent has a range of services for securing enterprises from ransomware penetrations. Among these are user education to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of modern security gateways with machine learning technology to automatically discover and disable zero-day cyber attacks. Progent in addition provides the assistance of veteran ransomware recovery professionals with the track record and perseverance to re-deploy a breached network as urgently as possible.

Progent's Ransomware Recovery Services
Soon after a crypto-ransomware penetration, paying the ransom demands in cryptocurrency does not guarantee that the distant criminals will return the keys needed to decrypt all your information. Kaspersky estimated that 17% of ransomware victims never restored their information even after having paid the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is significantly above the usual crypto-ransomware demands, which ZDNET averages to be around $13,000. The alternative is to re-install the key elements of your Information Technology environment. Without the availability of full information backups, this requires a wide range of skill sets, well-coordinated project management, and the capability to work non-stop until the job is over.

For decades, Progent has offered professional Information Technology services for businesses in Jersey City and throughout the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have been awarded advanced certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have garnered internationally-renowned industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has expertise in accounting and ERP application software. This breadth of expertise affords Progent the skills to knowledgably identify critical systems and consolidate the remaining parts of your Information Technology system following a ransomware penetration and rebuild them into an operational network.

Progent's security team of experts deploys best of breed project management systems to coordinate the complicated recovery process. Progent appreciates the urgency of working quickly and in concert with a customer's management and Information Technology resources to assign priority to tasks and to put critical systems back online as soon as possible.

Customer Case Study: A Successful Ransomware Attack Response
A customer sought out Progent after their network was penetrated by the Ryuk ransomware virus. Ryuk is thought to have been created by North Korean government-sponsored hackers, possibly adopting technology leaked from the United States NSA. Ryuk targets specific companies with little or no tolerance for operational disruption and is one of the most lucrative incarnations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in the Chicago metro area with around 500 workers. The Ryuk attack had brought down all company operations and manufacturing capabilities. The majority of the client's system backups had been on-line at the time of the attack and were damaged. The client was pursuing financing for paying the ransom demand (in excess of $200,000) and praying for good luck, but in the end utilized Progent.


"I can't speak enough about the expertise Progent provided us throughout the most fearful time of (our) business's life. We may have had to pay the cybercriminals if not for the confidence the Progent team gave us. That you could get our e-mail system and important servers back faster than a week was beyond my wildest dreams. Every single consultant I interacted with or communicated with at Progent was hell bent on getting our system up and was working at breakneck pace on our behalf."

Progent worked together with the customer to quickly assess and assign priority to the key elements that needed to be addressed to make it possible to continue business functions:

  • Active Directory
  • Electronic Mail
  • Accounting and Manufacturing Software

To get going, Progent adhered to ransomware incident mitigation industry best practices by stopping lateral movement and removing active viruses. Progent then started the process of recovering Microsoft AD, the foundation of enterprise environments built on Microsoft technology. Microsoft Exchange Server email will not operate without Windows AD, and the client's financials and MRP software leveraged Microsoft SQL, which requires Active Directory services for authentication to the databases.

Within two days, Progent was able to restore Active Directory to its pre-penetration state. Progent then assisted with rebuilding and storage recovery on critical systems. All Exchange Server ties and configuration information were usable, which accelerated the rebuild of Exchange. Progent was able to locate non-encrypted OST data files (Outlook Email Offline Data Files) on user workstations in order to recover mail data. A recent offline backup of the client's accounting/ERP systems allowed these essential applications to be brought back online for users. Although major work remained to recover completely from the Ryuk virus, the most important services were recovered quickly:
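The OST recovery step above relies on telling intact Outlook data files apart from ones the ransomware has already overwritten. As an added example, not Progent's own tooling, the Python triage script below checks each *.ost / *.pst file for the PST/OST header magic "!BDN" (the dwMagic field defined in Microsoft's [MS-PST] format) and, where the magic is missing, uses the entropy of the header to flag ciphertext. The directory layout, file names, and the 7.5 bits/byte threshold are assumptions, and the sample files are constructed in a scratch directory.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

PST_MAGIC = b"!BDN"      # [MS-PST] dwMagic: the first four bytes of every PST/OST file
SAMPLE_BYTES = 4096      # header sample used for the entropy check
ENTROPY_THRESHOLD = 7.5  # assumed cut-off; ciphertext sits near 8.0, structured OST data well below

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify_ost(path) -> str:
    """'intact' if the PST/OST magic is present, 'encrypted' if the header looks like
    ciphertext, else 'unknown' (truncated, zero-filled or some other format)."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if head[:4] == PST_MAGIC:
        return "intact"
    return "encrypted" if shannon_entropy(head) > ENTROPY_THRESHOLD else "unknown"

def triage_mail_stores(root) -> dict:
    """Walk a profile tree and bucket every *.ost / *.pst file by state."""
    result = {"intact": [], "encrypted": [], "unknown": []}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in (".ost", ".pst"):
            result[classify_ost(p)].append(str(p))
    return result

def build_demo_tree(root) -> None:
    """Constructed sample data for three user profiles (stand-ins, not real OST content)."""
    rng = random.Random(1234)  # seeded so the 'encrypted' stand-in is reproducible
    samples = {
        "alice.ost": PST_MAGIC + b"\x00" * 508 + b"ROOT" * 64,                # valid magic -> intact
        "bob.ost": bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES)),   # random header -> encrypted
        "carol.pst": b"\x00" * 1024,                                         # zero-filled stub -> unknown
    }
    for name, payload in samples.items():
        folder = Path(root) / "Users" / name.split(".")[0] / "Outlook"
        folder.mkdir(parents=True)
        (folder / name).write_bytes(payload)

def run_demo() -> dict:
    """Build the constructed tree in a scratch directory and return the triage result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return triage_mail_stores(tmp)

if __name__ == "__main__":
    for state, files in run_demo().items():
        print(f"{state:>9}: {files}")
```

Files classified as intact are the candidates worth copying off the workstation before any reimaging; the entropy test only flags likely ciphertext and is no substitute for opening the file with Outlook or a PST reader.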


"For the most part, the manufacturing operation ran fairly normal throughout and we produced all customer shipments."

Over the following few weeks critical milestones in the restoration process were accomplished through tight cooperation between Progent consultants and the client:

  • In-house web applications were brought back up with no loss of data.
  • The MailStore email archive server for Exchange, holding more than four million historical messages, was brought back on-line and made available to users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/AR/Inventory Control capabilities were 100 percent restored.
  • A new Palo Alto 850 security appliance was set up.
  • Ninety percent of the user PCs were fully operational.

"A huge amount of what occurred in the initial days is mostly a blur for me, but we will not soon forget the care all of your team accomplished to help get our business back. I have been working with Progent for the past 10 years, possibly more, and each time I needed help Progent has come through and delivered. This situation was a stunning achievement."

Conclusion
A possible business disaster was avoided with top-tier experts, a broad range of IT skills, and tight teamwork. The post-incident analysis showed that the crypto-ransomware penetration described here would have been stopped by modern security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator education, and well thought out incident response procedures for data protection and applying software patches. The fact remains, however, that state-sponsored cyber criminals from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do get hit by a crypto-ransomware virus, remember that Progent's team of experts has substantial experience in ransomware virus defense, cleanup, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were helping), I'm grateful for making it so I could get rested after we made it over the initial fire. Everyone did an amazing job, and if anyone that helped is in the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Jersey City a range of online monitoring and security assessment services designed to help you to minimize the threat from crypto-ransomware. These services utilize modern artificial intelligence technology to uncover new variants of ransomware that can evade traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes next generation behavior-based machine learning technology to guard physical and virtual endpoints against new malware assaults such as ransomware and email phishing, which routinely evade legacy signature-matching AV tools. ProSight ASM safeguards local and cloud resources and provides a unified platform to automate the complete malware attack progression including protection, infiltration detection, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback using Windows VSS and automatic system-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable multi-layer security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and reacting to cyber assaults from all vectors. ProSight ESP delivers firewall protection, penetration alarms, endpoint management, and web filtering through leading-edge technologies packaged within one agent managed from a unified console. Progent's data protection and virtualization consultants can assist your business to design and configure a ProSight ESP environment that meets your organization's unique needs and that helps you demonstrate compliance with government and industry data protection standards. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that require urgent action. Progent's consultants can also assist your company to set up and test a backup and restore solution like ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized businesses a low cost and fully managed solution for reliable backup/disaster recovery (BDR). For a low monthly rate, ProSight DPS automates and monitors your backup activities and allows rapid restoration of critical files, applications and virtual machines that have become unavailable or corrupted as a result of component breakdowns, software glitches, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to a local device, or mirrored to both. Progent's BDR consultants can deliver advanced expertise to configure ProSight Data Protection Services to be compliant with regulatory requirements like HIPAA, FINRA, and PCI and, when needed, can help you to restore your critical data. Learn more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading data security vendors to provide centralized control and comprehensive protection for your email traffic. The hybrid architecture of Email Guard integrates cloud-based filtering with a local security gateway device to provide advanced protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-based threats. The cloud filter acts as a preliminary barricade and blocks the vast majority of unwanted email from making it to your security perimeter. This decreases your exposure to inbound threats and conserves system bandwidth and storage. Email Guard's on-premises security gateway device adds a deeper layer of inspection for incoming email. For outbound email, the local gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that stays within your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, track, reconfigure and debug their connectivity appliances like routers, firewalls, and access points as well as servers, endpoints and other networked devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch makes sure that network maps are kept current, copies and displays the configuration of almost all devices on your network, monitors performance, and generates notices when potential issues are detected. By automating complex management and troubleshooting processes, WAN Watch can knock hours off common tasks such as network mapping, reconfiguring your network, locating appliances that need critical updates, or resolving performance problems. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system operating at peak levels by checking the health of critical computers that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted automatically to your specified IT management staff and your assigned Progent engineering consultant so any looming problems can be resolved before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a protected fault tolerant data center on a fast virtual host set up and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the apps. Since the environment is virtualized, it can be ported immediately to an alternate hardware environment without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and protect information related to your network infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT documentation, you can save up to 50% of time spent trying to find vital information about your network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents required for managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether you're making improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.

For 24x7x365 Jersey City CryptoLocker Repair Experts, call Progent at 800-993-9400 or go to Contact Progent.