Ransomware : Your Worst IT Catastrophe
Ransomware  Remediation ExpertsRansomware has become an escalating cyberplague that represents an extinction-level threat for organizations vulnerable to an attack. Multiple generations of crypto-ransomware like the CryptoLocker, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been around for many years and continue to inflict harm. Newer variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, along with frequent as yet unnamed malware, not only encrypt online data but also infiltrate many accessible system backup. Information replicated to the cloud can also be corrupted. In a poorly designed data protection solution, this can make automated recovery impossible and effectively knocks the network back to zero.

Recovering applications and data after a ransomware attack becomes a race against time as the targeted organization struggles to stop lateral movement and eradicate the ransomware and to restore mission-critical activity. Due to the fact that crypto-ransomware needs time to replicate, attacks are usually sprung during weekends and nights, when attacks in many cases take longer to discover. This compounds the difficulty of quickly mobilizing and coordinating an experienced response team.

Progent has an assortment of services for securing organizations from ransomware penetrations. Among these are team member education to become familiar with and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of modern security appliances with artificial intelligence capabilities to quickly identify and extinguish new cyber attacks. Progent in addition can provide the services of experienced crypto-ransomware recovery professionals with the talent and perseverance to reconstruct a compromised system as quickly as possible.

Progent's Crypto-Ransomware Restoration Services
After a ransomware penetration, paying the ransom in cryptocurrency does not provide any assurance that merciless criminals will return the codes to decipher all your files. Kaspersky Labs determined that 17% of ransomware victims never recovered their information after having paid the ransom, resulting in additional losses. The risk is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is greatly above the usual crypto-ransomware demands, which ZDNET determined to be approximately $13,000. The fallback is to setup from scratch the vital elements of your Information Technology environment. Without the availability of complete data backups, this requires a wide complement of IT skills, top notch team management, and the capability to work 24x7 until the job is finished.

For two decades, Progent has offered professional IT services for companies in Melbourne and throughout the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have been awarded top certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent in addition has experience with financial systems and ERP software solutions. This breadth of expertise affords Progent the skills to rapidly understand necessary systems and organize the remaining parts of your IT system after a crypto-ransomware attack and configure them into a functioning system.

Progent's ransomware group deploys best of breed project management systems to orchestrate the sophisticated restoration process. Progent knows the urgency of acting rapidly and together with a customerís management and Information Technology team members to assign priority to tasks and to put critical systems back on line as soon as possible.

Customer Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A small business sought out Progent after their organization was taken over by the Ryuk crypto-ransomware. Ryuk is thought to have been launched by Northern Korean state sponsored cybercriminals, suspected of using techniques leaked from the United States National Security Agency. Ryuk attacks specific businesses with little or no tolerance for disruption and is among the most profitable incarnations of crypto-ransomware. Well Known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in Chicago with around 500 employees. The Ryuk attack had disabled all essential operations and manufacturing capabilities. The majority of the client's backups had been on-line at the time of the attack and were encrypted. The client was actively seeking loans for paying the ransom (more than two hundred thousand dollars) and wishfully thinking for the best, but ultimately reached out to Progent.


"I cannot say enough about the expertise Progent gave us throughout the most fearful period of (our) businesses life. We would have paid the criminal gangs if it wasnít for the confidence the Progent team provided us. That you could get our e-mail and essential applications back into operation faster than seven days was something I thought impossible. Each staff member I talked with or communicated with at Progent was hell bent on getting us back online and was working non-stop to bail us out."

Progent worked together with the customer to rapidly assess and prioritize the key applications that had to be restored in order to resume business operations:

  • Microsoft Active Directory
  • Microsoft Exchange Email
  • MRP System
To begin, Progent adhered to AV/Malware Processes penetration mitigation best practices by stopping the spread and cleaning systems of viruses. Progent then initiated the task of recovering Active Directory, the foundation of enterprise networks built upon Microsoft technology. Microsoft Exchange Server messaging will not operate without Active Directory, and the client's MRP software utilized Microsoft SQL Server, which needs Windows AD for security authorization to the databases.

In less than two days, Progent was able to re-build Windows Active Directory to its pre-attack state. Progent then completed setup and hard drive recovery of key servers. All Microsoft Exchange Server ties and configuration information were usable, which facilitated the restore of Exchange. Progent was able to assemble non-encrypted OST data files (Outlook Offline Folder Files) on various desktop computers and laptops to recover mail messages. A recent offline backup of the businesses accounting/MRP systems made them able to return these essential services back online for users. Although a large amount of work remained to recover fully from the Ryuk event, core systems were restored quickly:


"For the most part, the manufacturing operation was never shut down and we did not miss any customer shipments."

During the next month key milestones in the recovery process were made in close collaboration between Progent team members and the client:

  • Self-hosted web sites were restored without losing any data.
  • The MailStore Microsoft Exchange Server with over 4 million archived emails was spun up and accessible to users.
  • CRM/Customer Orders/Invoicing/AP/AR/Inventory Control modules were 100% operational.
  • A new Palo Alto 850 firewall was brought on-line.
  • 90% of the user workstations were functioning as before the incident.

"Much of what went on during the initial response is nearly entirely a fog for me, but we will not forget the urgency each and every one of the team put in to give us our company back. Iíve been working together with Progent for at least 10 years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This time was no exception but maybe more Herculean."

Conclusion
A likely business-killing catastrophe was evaded through the efforts of results-oriented experts, a wide spectrum of technical expertise, and tight teamwork. Although in hindsight the ransomware incident described here would have been shut down with current cyber security technology solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, and well designed incident response procedures for data backup and applying software patches, the reality is that government-sponsored hackers from Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a crypto-ransomware incident, remember that Progent's team of experts has substantial experience in ransomware virus blocking, cleanup, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were helping), thank you for allowing me to get some sleep after we got past the most critical parts. All of you did an impressive effort, and if anyone is in the Chicago area, dinner is on me!"

To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Melbourne a range of online monitoring and security assessment services designed to assist you to reduce your vulnerability to ransomware. These services incorporate next-generation AI technology to detect zero-day variants of ransomware that can evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes next generation behavior analysis tools to defend physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which routinely escape traditional signature-based anti-virus products. ProSight ASM protects local and cloud resources and offers a unified platform to automate the entire threat lifecycle including protection, infiltration detection, mitigation, remediation, and forensics. Top features include one-click rollback with Windows VSS and real-time network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer ultra-affordable multi-layer protection for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and responding to cyber threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device management, and web filtering via cutting-edge technologies incorporated within a single agent accessible from a single console. Progent's data protection and virtualization experts can help your business to design and implement a ProSight ESP environment that addresses your organization's unique requirements and that allows you achieve and demonstrate compliance with legal and industry information protection regulations. Progent will help you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for immediate action. Progent can also assist you to set up and verify a backup and restore solution like ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and mid-sized businesses an affordable and fully managed service for reliable backup/disaster recovery (BDR). Available at a low monthly price, ProSight Data Protection Services automates and monitors your backup activities and allows fast recovery of critical data, apps and VMs that have become unavailable or corrupted due to hardware breakdowns, software glitches, disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware images/. Important data can be backed up on the cloud, to a local device, or to both. Progent's cloud backup consultants can deliver world-class expertise to set up ProSight DPS to to comply with regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, when needed, can assist you to restore your business-critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top data security companies to provide centralized management and world-class protection for your inbound and outbound email. The powerful architecture of Progent's Email Guard managed service combines cloud-based filtering with a local gateway device to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne malware. The cloud filter serves as a first line of defense and keeps the vast majority of threats from reaching your network firewall. This decreases your exposure to external attacks and conserves network bandwidth and storage space. Email Guard's onsite gateway appliance provides a deeper layer of inspection for incoming email. For outbound email, the on-premises gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also assist Microsoft Exchange Server to track and protect internal email that originates and ends within your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller businesses to map out, track, optimize and troubleshoot their connectivity hardware like routers, firewalls, and load balancers as well as servers, printers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network diagrams are kept current, copies and displays the configuration of virtually all devices on your network, monitors performance, and generates notices when potential issues are discovered. By automating tedious network management processes, WAN Watch can cut hours off common chores like network mapping, reconfiguring your network, locating appliances that need critical software patches, or isolating performance issues. Learn more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your network running at peak levels by tracking the health of vital computers that power your information system. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your specified IT personnel and your Progent consultant so all looming problems can be resolved before they have a chance to impact productivity. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure Tier III data center on a fast virtual host set up and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the applications. Because the system is virtualized, it can be ported easily to an alternate hosting solution without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and protect information about your IT infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be warned about impending expirations of SSL certificates ,domains or warranties. By updating and managing your IT infrastructure documentation, you can eliminate as much as 50% of time spent searching for critical information about your IT network. ProSight IT Asset Management includes a common repository for holding and sharing all documents required for managing your business network such as standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether youíre making improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you need when you need it. Learn more about Progent's ProSight IT Asset Management service.
For Melbourne 24-7 Crypto-Ransomware Remediation Support Services, call Progent at 800-462-8800 or go to Contact Progent.