Ransomware: Your Worst Information Technology Nightmare

Ransomware Remediation Experts
Crypto-ransomware has become an escalating cyber plague that poses an enterprise-level danger for businesses of all sizes vulnerable to an assault. Different iterations of ransomware such as CrySIS, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for years and continue to inflict harm. The latest strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, along with frequent as yet unnamed viruses, not only encrypt online information but also infiltrate any system backups they can reach. Data replicated to the cloud can also be encrypted. In a poorly designed system, this renders automatic recovery hopeless and essentially knocks the datacenter back to zero.

Getting applications and data back online after a ransomware intrusion becomes a race against time as the targeted organization struggles to stop the spread, clear the virus, and resume business-critical operations. Because ransomware needs time to replicate, penetrations are frequently launched on weekends and holidays, when successful attacks typically take longer to identify. This multiplies the difficulty of promptly assembling and coordinating a capable mitigation team.

Progent offers an assortment of support services for protecting businesses from ransomware penetrations. Among these are user education to help identify and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of the latest generation of security gateways with artificial intelligence technology to quickly detect and quarantine zero-day cyber attacks. Progent also offers the services of seasoned ransomware recovery engineers with the talent and perseverance to restore a breached network as urgently as possible.

Progent's Ransomware Restoration Help
After a ransomware attack, paying the ransom in Bitcoin does not ensure that the cyber criminals will return the keys needed to decrypt all your information. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their files even after paying the ransom, resulting in increased losses. The ransom itself is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the typical ransomware demand, which ZDNET determined to be in the range of $13,000. The fallback is to piece the critical elements of your IT environment back together. Without full data backups available, this calls for a broad complement of skills, top-notch project management, and the capability to work 24x7 until the task is finished.

For decades, Progent has provided certified expert IT services for companies in Jersey City and across the US and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have been awarded top certifications in foundation technologies from Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience in financial systems and ERP application software. This breadth of experience gives Progent the capability to rapidly determine which systems are necessary, reorganize the remaining pieces of your IT environment following a ransomware penetration, and configure them into an operational network.

Progent's security team uses state-of-the-art project management systems to orchestrate the complex recovery process. Progent understands the importance of working quickly and in concert with a client's management and IT team members to prioritize tasks and to put essential systems back online as soon as possible.

Business Case Study: A Successful Ransomware Intrusion Response
A client hired Progent after their network was attacked by the Ryuk ransomware virus. Ryuk is generally considered to have been created by North Korean state criminal gangs, suspected of adopting technology leaked from the United States NSA. Ryuk attacks specific organizations with limited ability to sustain operational disruption and is one of the most lucrative versions of ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing company located in Chicago with about 500 workers. The Ryuk attack had disabled all essential operations and manufacturing capabilities. Most of the client's backups had been online at the start of the intrusion and were destroyed. The client was actively seeking loans to pay the ransom demand (in excess of $200K) and hoping for good luck, but in the end engaged Progent.

"I can't say enough about the support Progent gave us throughout the most stressful time of (our) company's survival. We had little choice but to pay the criminal gangs except for the confidence the Progent team gave us. That you could get our messaging and production applications back quicker than a week was incredible. Each expert I spoke to or texted at Progent was absolutely committed to getting us back online and was working 24 by 7 on our behalf."

Progent worked together with the client to quickly understand and prioritize the mission critical elements that needed to be restored to make it possible to continue company functions:

  • Active Directory
  • Email
  • Financials/MRP

To start, Progent followed malware incident response best practices by halting the spread and cleaning viruses from the affected systems. Progent then began recovering Microsoft Active Directory, the core of enterprise environments built on Microsoft Windows technology. Microsoft Exchange Server messaging will not work without Windows AD, and the client's accounting and MRP software used Microsoft SQL Server, which requires Windows AD for authentication and authorization to the database.

In less than 2 days, Progent was able to rebuild Windows Active Directory to its pre-penetration state. Progent then performed rebuilding and storage recovery on mission-critical applications. All Microsoft Exchange Server data and configuration information were usable, which accelerated the restoration of Exchange. Progent was able to assemble non-encrypted OST files (Outlook Offline Data Files) from staff PCs to recover mail data. A fairly recent offline backup of the client's financials/ERP systems made it possible to return these essential programs to service. Although significant work remained to recover fully from the Ryuk damage, the most important systems were returned to operation rapidly:
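The recovery sequence above follows a dependency chain: Exchange and SQL Server cannot authenticate users until Active Directory is back, and the financials/MRP application cannot run until SQL Server is back, so the rebuild order is dictated by prerequisites first and business urgency second. The following is an added example, not Progent's code or tooling, that turns such a dependency map into a recovery plan. The system names, the dependencies between them and the priority numbers are constructed for illustration from the systems named in this case study; a real plan would be populated from the organization's own application inventory.

```python
"""Dependency-ordered recovery planning after a ransomware outage (added example)."""
import heapq

# Constructed dependency map mirroring the case study: Exchange and SQL Server
# need Active Directory for authentication, the financials/MRP application sits
# on SQL Server, and the MailStore archive needs Exchange. Empty list = no prerequisites.
RECOVERY_DEPENDENCIES = {
    "Active Directory": [],
    "Exchange Server": ["Active Directory"],
    "SQL Server": ["Active Directory"],
    "Financials/MRP": ["SQL Server"],
    "MailStore archive": ["Exchange Server"],
    "Web sites": [],
    "Workstations": ["Active Directory"],
}

# Constructed business priorities (1 = most urgent), the kind of ranking agreed
# with the client's management. Systems not listed get the lowest priority.
BUSINESS_PRIORITY = {
    "Active Directory": 1,
    "Exchange Server": 2,
    "SQL Server": 2,
    "Financials/MRP": 2,
    "Web sites": 3,
}


def plan_recovery_order(deps, priority, default_priority=9):
    """Return a rebuild sequence in which every system follows its prerequisites.

    Kahn's topological sort: among the systems whose prerequisites are already
    rebuilt, the most urgent (then alphabetically first) is scheduled next.
    Raises ValueError for an unknown prerequisite or a circular dependency,
    both of which mean the inventory itself needs fixing before work starts.
    """
    for system, prereqs in deps.items():
        for p in prereqs:
            if p not in deps:
                raise ValueError(f"{system!r} depends on unknown system {p!r}")

    pending = {s: set(p) for s, p in deps.items()}   # unmet prerequisites per system
    dependents = {s: [] for s in deps}                # reverse edges
    for system, prereqs in deps.items():
        for p in prereqs:
            dependents[p].append(system)

    ready = [(priority.get(s, default_priority), s) for s, p in pending.items() if not p]
    heapq.heapify(ready)
    order = []
    while ready:
        _, system = heapq.heappop(ready)
        order.append(system)
        for d in dependents[system]:
            pending[d].discard(system)
            if not pending[d]:
                heapq.heappush(ready, (priority.get(d, default_priority), d))

    if len(order) != len(deps):
        stuck = sorted(s for s, p in pending.items() if p)
        raise ValueError("circular dependency among: " + ", ".join(stuck))
    return order


def recovery_waves(deps):
    """Group systems into waves that can be rebuilt in parallel.

    Every system in wave n depends only on systems in waves before n, which is
    useful when several engineers work simultaneously.
    """
    remaining = {s: set(p) for s, p in deps.items()}
    done, waves = set(), []
    while remaining:
        wave = sorted(s for s, p in remaining.items() if p <= done)
        if not wave:
            raise ValueError("circular dependency among: " + ", ".join(sorted(remaining)))
        waves.append(wave)
        done.update(wave)
        for s in wave:
            del remaining[s]
    return waves


if __name__ == "__main__":
    for step, system in enumerate(plan_recovery_order(RECOVERY_DEPENDENCIES, BUSINESS_PRIORITY), 1):
        print(f"{step}. {system}")
    for n, wave in enumerate(recovery_waves(RECOVERY_DEPENDENCIES), 1):
        print(f"wave {n}: {', '.join(wave)}")
```

With the constructed inputs the sequential plan puts Active Directory first, then Exchange, SQL Server and the financials/MRP application, and only then the web sites, the mail archive and the workstations, which is the order the case study describes. The wave view shows that the web sites, having no prerequisites, could have been started in parallel with Active Directory had staff been available.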

"For the most part, the production line operation showed little impact and we produced all customer deliverables."

During the following weeks, key milestones in the restoration process were completed through close collaboration between Progent consultants and the client:

  • Self-hosted web sites were returned to operation without losing any information.
  • The MailStore Exchange Server containing more than 4 million archived emails was restored to operations and available for users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/AR/Inventory functions were fully recovered.
  • A new Palo Alto 850 security appliance was installed.
  • 90% of the user workstations were fully operational.

"A lot of what transpired in the early hours is nearly entirely a fog for me, but my management will not soon forget the countless hours each of the team put in to help get our company back. I have trusted Progent for at least 10 years, possibly more, and each time I needed help Progent has come through and delivered. This time was no exception but maybe more Herculean."

Conclusion
A probable business catastrophe was avoided through the efforts of dedicated experts, a broad spectrum of subject matter expertise, and close collaboration. In hindsight, the ransomware incident described here could have been blocked with modern security technology, security best practices, user training, appropriate incident response procedures for data protection, and keeping systems current with security patches. The fact remains that government-sponsored cyber criminals from China, North Korea and elsewhere are relentless and will keep attacking. If you are hit by a ransomware attack, remember that Progent's team of experts has extensive experience in crypto-ransomware blocking, mitigation, and information systems recovery.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were involved), I'm grateful for allowing me to get rested after we got past the initial fire. All of you did a fabulous job, and if anyone that helped is visiting the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer story, see Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Jersey City a portfolio of remote monitoring and security assessment services to help minimize your exposure to ransomware. These services include modern machine learning technology to detect zero-day strains of ransomware that evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that utilizes next generation behavior-based analysis tools to guard physical and virtual endpoints against modern malware attacks like ransomware and file-less exploits, which routinely get by legacy signature-matching anti-virus products. ProSight ASM safeguards on-premises and cloud-based resources and provides a unified platform to address the complete threat lifecycle including protection, identification, mitigation, remediation, and forensics. Top features include single-click rollback with Windows VSS and automatic network-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable multi-layer security for physical and virtual servers, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP provides two-way firewall protection, penetration alarms, device control, and web filtering via leading-edge tools incorporated within a single agent managed from a single console. Progent's data protection and virtualization experts can help your business to design and configure a ProSight ESP environment that addresses your organization's unique needs and that helps you achieve and demonstrate compliance with government and industry data security standards. Progent will help you specify and implement policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for immediate attention. Progent can also assist your company to install and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with advanced backup software providers to create ProSight Data Protection Services, a selection of subscription-based offerings that provide backup-as-a-service (BaaS). ProSight DPS services manage and track your data backup processes and allow transparent backup and fast recovery of vital files, apps, images, and virtual machines. ProSight DPS helps you protect against data loss caused by hardware breakdown, natural disasters, fire, malware such as ransomware, user mistakes, malicious employees, or software bugs. Managed services in the ProSight Data Protection Services portfolio include ProSight Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you to determine which of these fully managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading data security companies to deliver web-based control and comprehensive security for all your email traffic. The hybrid architecture of Email Guard integrates cloud-based filtering with a local security gateway appliance to provide complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The Cloud Protection Layer acts as a first line of defense and keeps the vast majority of threats from making it to your network firewall. This reduces your exposure to external attacks and saves system bandwidth and storage space. Email Guard's onsite gateway appliance adds a further layer of inspection for incoming email. For outbound email, the on-premises gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The local gateway can also assist Microsoft Exchange Server to monitor and protect internal email traffic that stays within your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to diagram, monitor, reconfigure and troubleshoot their connectivity hardware such as routers, firewalls, and access points as well as servers, endpoints and other devices. Incorporating cutting-edge RMM technology, WAN Watch ensures that network diagrams are always updated, copies and manages the configuration information of almost all devices connected to your network, monitors performance, and generates notices when potential issues are detected. By automating tedious network management processes, ProSight WAN Watch can cut hours off ordinary tasks such as network mapping, reconfiguring your network, locating devices that require important updates, or identifying the cause of performance issues. Find out more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management techniques to keep your IT system running at peak levels by tracking the health of the critical assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your designated IT staff and your assigned Progent engineering consultant so that looming problems can be addressed before they impact your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual host set up and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the applications. Since the environment is virtualized, it can be moved easily to a different hardware solution without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and protect data about your network infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT documentation, you can save up to 50% of the time wasted searching for vital information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents related to managing your business network, such as standard operating procedures (SOPs) and how-to guides. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're planning enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you require the instant you need it. Learn more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection solution that incorporates cutting-edge behavioral machine learning tools to guard endpoint devices as well as servers and VMs against modern malware attacks such as ransomware and email phishing, which easily escape traditional signature-matching AV products. Progent Active Security Monitoring services protect local and cloud-based resources and provide a single platform to address the entire threat progression including filtering, detection, containment, cleanup, and post-attack forensics. Key features include one-click rollback using Windows VSS and real-time system-wide immunization against new attacks. Find out more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Help Center: Call Center Managed Services
    Progent's Help Desk managed services enable your IT team to outsource Call Center services to Progent or split activity for Help Desk services seamlessly between your in-house support resources and Progent's extensive pool of IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk offers a smooth supplement to your in-house IT support team. User access to the Service Desk, delivery of support services, issue escalation, trouble ticket creation and tracking, efficiency metrics, and management of the support database are cohesive whether incidents are taken care of by your internal network support group, by Progent, or by a combination. Learn more about Progent's outsourced/shared Help Center services.

  • Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management offer organizations of all sizes a versatile and affordable alternative for evaluating, testing, scheduling, implementing, and tracking updates to your ever-evolving IT system. Besides optimizing the security and reliability of your IT network, Progent's patch management services allow your IT staff to concentrate on more strategic projects and tasks that derive maximum business value from your information network. Read more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo MFA services incorporate Cisco's Duo technology to protect against stolen passwords through the use of two-factor authentication. Duo enables one-tap identity verification on Apple iOS, Google Android, and other personal devices. With 2FA, whenever you sign into a protected online account and enter your password you are requested to verify your identity on a device that only you have and that is accessed using a different ("out-of-band") network channel. A wide range of devices can be utilized as this added form of ID validation including an iPhone or Android or wearable, a hardware token, a landline phone, etc. You may designate several verification devices. To find out more about ProSight Duo identity authentication services, visit Cisco Duo MFA two-factor authentication (2FA) services for access security.

For Jersey City 24x7x365 Crypto-Ransomware Recovery Consulting, call Progent at 800-462-8800 or go to Contact Progent.