Ransomware: Your Worst IT Disaster
Crypto-Ransomware Recovery Consultants
Crypto-ransomware has become an escalating cyber pandemic and a potentially business-ending threat for organizations of every size. Families such as CryptoLocker, WannaCry, Locky, Syskey and MongoLock have been in the wild for years and still cause damage. More recent families like Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti and Egregor, along with a steady stream of unnamed newcomers, not only encrypt live files but also encrypt or delete any backups they can reach over the network. Files synced to cloud storage can be rendered useless as well, because the encrypted versions overwrite the good copies. Where the data protection design leaves backups reachable from the compromised network, this can make recovery impossible and sets the entire environment back to square one.

Getting systems and data back after a crypto-ransomware event is a race against the clock: the targeted business has to stop lateral movement, eradicate the malware and restore business-critical operations all at once. Because the operators need time to move laterally and stage the encryption, they usually detonate the payload on weekends and holidays, when the intrusion takes longer to notice and the encryption runs further before anyone reacts. That timing also makes it much harder to assemble and organize an experienced response team quickly.
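Two detection signals follow directly from the behavior described above (backups reachable from the network get destroyed, and detonation is timed for off-hours): ransomware deletes local shadow copies and other recovery points before encrypting (MITRE ATT&CK T1490, Inhibit System Recovery), and the encryption itself shows up as a burst of extension-changing file renames from a single host. The Python below is an added example, not Progent's code or the logic of any ProSight product, that runs both checks over constructed process-creation and file-rename event lines in a made-up "timestamp host event key=value" format. The 07:00-19:00 weekday business-hours window, the 50-renames-in-60-seconds threshold and every sample line are assumptions to tune for your own environment.

```python
"""Added example (not Progent's code): two behaviour checks a responder can run
over process-creation and file-rename events to catch the pattern described
above. Log format and all sample lines are constructed for the example."""
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# MITRE ATT&CK T1490 (Inhibit System Recovery): commands ransomware runs before
# encrypting so that shadow-copy rollback has nothing to roll back to.
RECOVERY_INHIBIT_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]

# Constructed line format: <ISO timestamp> <host> <event> key="value" ...
LINE_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\S+)\s*(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

BUSINESS_HOURS = (7, 19)  # assumption: staffed 07:00-19:00 Monday to Friday


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one constructed event line; returns None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "event": m["event"],
    }
    rec.update(KV_RE.findall(m["rest"]))
    return rec


def off_hours(ts: datetime) -> bool:
    """True on weekends or outside BUSINESS_HOURS on a weekday."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def find_recovery_inhibit(records):
    """(host, command line) for every process creation matching a T1490 pattern."""
    hits = []
    for r in records:
        cmd = str(r.get("cmd", ""))
        if r["event"] == "process_create" and any(p.search(cmd) for p in RECOVERY_INHIBIT_PATTERNS):
            hits.append((r["host"], cmd))
    return hits


def find_rename_bursts(records, threshold=50, window=timedelta(seconds=60)):
    """One alert per host whose extension-changing renames reach `threshold`
    inside a sliding `window`; the alert also says whether it began off-hours."""
    by_host = defaultdict(list)
    for r in records:
        if r["event"] != "file_rename":
            continue
        old_ext = os.path.splitext(str(r.get("path", "")))[1].lower()
        new_ext = os.path.splitext(str(r.get("new", "")))[1].lower()
        if old_ext != new_ext:  # ordinary renames keep their extension
            by_host[r["host"]].append(r["ts"])
    alerts = []
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((host, times[start], end - start + 1, off_hours(times[start])))
                break
    return alerts


def constructed_sample() -> List[str]:
    """Constructed events: a Saturday-night detonation on FS01 plus benign noise."""
    lines = [
        '2020-03-28T02:14:03 FS01 process_create cmd="vssadmin.exe Delete Shadows /All /Quiet" user="CORP\\svc_backup"',
        '2020-03-28T02:14:04 FS01 process_create cmd="bcdedit /set {default} recoveryenabled No" user="CORP\\svc_backup"',
        '2020-03-27T10:02:11 WS07 process_create cmd="vssadmin list shadows" user="CORP\\helpdesk"',  # benign, read-only
    ]
    detonation = datetime(2020, 3, 28, 2, 15)  # Saturday 02:15: 120 renames in 30 s
    for i in range(120):
        t = (detonation + timedelta(milliseconds=250 * i)).isoformat()
        lines.append(f'{t} FS01 file_rename path="D:\\share\\doc{i}.docx" new="D:\\share\\doc{i}.docx.locked"')
    workday = datetime(2020, 3, 27, 14, 0)  # Friday afternoon: 20 renames spread over an hour
    for i in range(20):
        t = (workday + timedelta(minutes=3 * i)).isoformat()
        lines.append(f'{t} WS07 file_rename path="C:\\Users\\a\\draft{i}.tmp" new="C:\\Users\\a\\draft{i}.docx"')
    return lines


def triage(lines: List[str]) -> Dict[str, list]:
    """Run both checks over a list of event lines."""
    records = [r for r in map(parse_line, lines) if r]
    return {
        "recovery_inhibit": find_recovery_inhibit(records),
        "rename_bursts": find_rename_bursts(records),
    }


if __name__ == "__main__":
    for kind, findings in triage(constructed_sample()).items():
        print(kind)
        for finding in findings:
            print("  ", finding)
```

In a real deployment the process-creation lines would come from Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing enabled, and the rename lines from file-server object-access auditing or the EDR agent; the parser is the only part that changes. A recovery-inhibit hit on a server at 02:14 on a Saturday is the moment to isolate that host, because the encryption that follows seconds later is what destroys the online backups the page describes.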

Progent offers a range of services for protecting organizations against ransomware. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for behavior-based endpoint protection, and the setup and configuration of modern security gateways that use machine learning to detect and block zero-day threats. Progent can also provide experienced ransomware recovery professionals with the skills and commitment to rebuild a compromised environment as quickly as possible.

Progent's Ransomware Restoration Services
After a crypto-ransomware attack, paying the ransom in Bitcoin gives no assurance that the criminals will deliver working keys to decrypt your data. Kaspersky Lab found that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive: Ryuk demands often ranged from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the average ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the mission-critical parts of your IT environment from scratch. Without complete, uncompromised backups, this calls for a broad range of skills, professional project management, and the willingness to work around the clock until the job is done.

For decades, Progent has provided professional IT services to businesses in Recife and throughout the US and holds Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers with advanced certifications in key technologies including Microsoft, Cisco, VMware and the major Linux distributions. Progent's security engineers hold internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC and GIAC (see Progent's certifications). Progent also has expertise with financial management and ERP applications. This breadth of experience lets Progent quickly identify the systems that matter, reorganize the surviving components of your IT environment after a ransomware attack, and assemble them into a functioning network.

Progent's recovery team uses proven project management tools to orchestrate the complex restoration process. Progent understands the urgency of acting quickly and in concert with the customer's management and IT staff to prioritize tasks and bring essential services back online as soon as possible.

Business Case Study: A Successful Ransomware Attack Recovery
A customer engaged Progent after its network was taken over by Ryuk ransomware. Ryuk was at first linked to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, but later analysis attributes it to a Russian-speaking criminal group (tracked by CrowdStrike as GRIM SPIDER, part of WIZARD SPIDER) that typically gains its foothold through prior Emotet and TrickBot infections. Ryuk practices "big game hunting": it targets specific organizations with little tolerance for downtime, and it has been one of the most profitable ransomware families. Publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune (part of the December 2018 attack on Tribune Publishing). Progent's customer is a single-site manufacturer in the Chicago metro area with about 500 employees. The Ryuk attack had halted all business operations and manufacturing. Most of the client's backups had been online and reachable when the attack began, and they were destroyed. The client was arranging financing to pay the ransom (more than $200,000) and hoping for the best, but ultimately brought in Progent instead.


"I can't thank you enough for the support Progent gave us during the most fearful period of (our) company's existence. We would have paid the cyber criminals behind the attack except for the confidence the Progent team afforded us. The fact that you could get our e-mail and important applications back into operation in less than a week was amazing. Every single staff member I interacted with or communicated with at Progent was absolutely committed to getting us back online and was working day and night on our behalf."

Progent worked with the customer to quickly identify and prioritize the key systems that had to be restored before departmental operations could resume:

  • Active Directory
  • Electronic Messaging
  • Accounting and Manufacturing Software
First, Progent followed incident response best practice: isolate affected systems to halt the spread, then eradicate the malware. Progent then began restoring Active Directory, the foundation of any Microsoft-based enterprise network. Microsoft Exchange will not function without AD, and the client's financial and MRP applications ran on Microsoft SQL Server, which in this environment relied on Active Directory (Windows) authentication for access to the data.

In under two days, Progent rebuilt Active Directory to its pre-intrusion state. Progent then moved on to rebuilding servers and recovering data for the critical applications. Exchange Server's configuration data and directory attributes were intact, which accelerated the Exchange rebuild. Progent located the local OST files (Outlook offline data files) on staff desktops and laptops and used them to recover mail. A reasonably recent offline backup of the customer's financial/ERP systems made it possible to bring those essential applications back online. Although a great deal of work remained to recover completely from the Ryuk attack, critical services were restored quickly:
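The OST recovery step above hinges on a quick question: which Outlook data files on the endpoints are still readable, and which were overwritten by the encryption? The Python script below is an added example, not Progent's code or tooling, that inventories .ost and .pst files under a recovered drive or mounted disk image and classifies each one. It assumes that the 4-byte header magic "!BDN" (the dwMagic field from the [MS-PST] specification, shared by PST and OST files) marks an intact store, treats a missing magic plus near-random contents as encrypted, and builds its own constructed sample tree (including an illustrative .ost.locked rename) so that it runs offline.

```python
"""Added example (not Progent's code): inventory Outlook data files under a
recovered drive or image and report which are still usable. PST and OST files
both start with the 4-byte magic "!BDN" ([MS-PST] dwMagic); the assumption here
is that a store whose header no longer carries it was overwritten by the
ransomware's encryption."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict

PST_MAGIC = b"!BDN"
MAIL_STORE_SUFFIXES = {".ost", ".pst"}
HIGH_ENTROPY = 7.5  # bits per byte; encrypted or compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_mail_store(path: Path, sample_bytes: int = 4096) -> str:
    """intact: valid header; encrypted: header gone and contents look random;
    unknown: header gone but low entropy (truncated, zeroed, or not an OST)."""
    with open(path, "rb") as fh:
        head = fh.read(sample_bytes)
    if head.startswith(PST_MAGIC):
        return "intact"
    if shannon_entropy(head) >= HIGH_ENTROPY:
        return "encrypted"
    return "unknown"


def inventory_mail_stores(root: Path) -> Dict[str, str]:
    """Map each .ost/.pst under root (including ones the ransomware renamed,
    e.g. mailbox.ost.locked, an illustrative suffix) to its classification."""
    results: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            # Match any suffix in the chain, not only the last one, so that a
            # store renamed by the ransomware is still picked up.
            if MAIL_STORE_SUFFIXES & {s.lower() for s in p.suffixes}:
                results[p.relative_to(root).as_posix()] = classify_mail_store(p)
    return results


def demo() -> Dict[str, str]:
    """Build a constructed directory tree in a temp dir and run the inventory."""
    root = Path(tempfile.mkdtemp(prefix="ost-triage-"))
    samples = {
        # survived: correct header followed by padding
        "Users/alice/AppData/Local/Microsoft/Outlook/alice@corp.example.ost": PST_MAGIC + b"\x00" * 8188,
        # encrypted in place and renamed: random bytes stand in for ciphertext
        "Users/bob/AppData/Local/Microsoft/Outlook/bob@corp.example.ost.locked": os.urandom(8192),
        # zero-length store: neither usable nor clearly encrypted
        "Users/carol/AppData/Local/Microsoft/Outlook/carol@corp.example.ost": b"",
        "Users/bob/notes.txt": b"not a mail store",
    }
    for rel, content in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return inventory_mail_stores(root)


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:9s} {rel}")
```

Point `inventory_mail_stores` at the mount point of an imaged workstation drive rather than a live system, and copy only the files reported as intact into the mailbox recovery queue; an "unknown" verdict is worth a manual look, since a truncated store may still yield mail with a repair tool.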


"For the most part, the assembly line operation never missed a beat and we did not miss any customer orders."

Over the following weeks, key milestones in the restoration were reached through close collaboration between Progent's consultants and the client:

  • Internal web sites were restored with no loss of data.
  • The MailStore email archive server, holding more than four million archived messages, was restored and made available to users.
  • The CRM, customer orders, invoicing, accounts payable, accounts receivable and inventory modules were fully recovered.
  • A new Palo Alto Networks PA-850 firewall was brought online.
  • Ninety percent of user PCs were back in operation.

"A lot of what went on during the initial response is nearly entirely a blur for me, but my team will not forget the care all of you showed to help get our company back. I've been working with Progent for the past 10 years, maybe more, and every time I needed help Progent has shone and delivered. This time was a life saver."

Conclusion
A probable company-ending disaster was averted by results-oriented professionals, a wide range of IT skills and tight teamwork. In hindsight, the incident described here should have been prevented by modern security technology, NIST Cybersecurity Framework or ISO/IEC 27001 practices, staff training, sound data protection procedures (including backups kept offline or otherwise unreachable from the production network) and timely security patching; but the fact is that state-sponsored and criminal cyber gangs operating from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware attack, you can be confident that Progent's roster of experts has extensive experience in ransomware prevention, cleanup and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thanks very much for making it so I could get some sleep after we made it over the first week. All of you made an incredible effort, and if anyone that helped is around the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this case study, see Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Recife a range of remote monitoring and security assessment services to help minimize your exposure to crypto-ransomware. These services include machine learning technology to detect zero-day ransomware strains that evade legacy signature-based defenses.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that uses behavioral machine learning to defend physical and virtual endpoints against modern attacks such as ransomware and email phishing, which readily evade legacy signature-matching antivirus. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a single platform covering the whole attack progression: filtering, detection, containment, cleanup and forensics. Key capabilities include one-click rollback using the Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Note that ransomware families including Ryuk routinely delete shadow copies before they start encrypting, so VSS-based rollback is only as good as the agent's ability to block that deletion; it complements, and does not replace, backups kept out of the ransomware's reach. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services offer economical multi-layer protection for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics to continuously monitor and react to attacks from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device control and web filtering through technologies packaged in a single agent managed from a single console. Progent's data protection and virtualization experts can help your business design and implement a ProSight ESP environment that meets your company's specific requirements and helps you demonstrate compliance with legal and industry information security regulations. Progent will help you define and configure the security policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alerts that require immediate attention. Progent can also help you set up and verify a backup and restore system such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized businesses a low-cost, end-to-end solution for reliable backup and disaster recovery. Available at a fixed monthly price, ProSight DPS automates and monitors your backup processes and allows fast restoration of vital files, applications and virtual machines that have been lost or damaged by hardware failures, software faults, natural disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to a local device, or to both, so that at least one copy stays out of reach of malware running on the production network. Progent's BDR specialists can deliver advanced support to configure ProSight DPS to comply with regulatory requirements such as HIPAA, FINRA, and PCI and, whenever needed, can assist you to recover your business-critical data. Find out more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top data security companies to deliver centralized control and world-class protection for all your inbound and outbound email. The powerful architecture of Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway device to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's cloud filter serves as a first line of defense and keeps most threats from making it to your security perimeter. This reduces your exposure to external threats and saves network bandwidth and storage space. Email Guard's onsite security gateway appliance adds a further layer of inspection for incoming email. For outbound email, the local security gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also assist Exchange Server to monitor and safeguard internal email traffic that stays inside your security perimeter. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to map, monitor, enhance and troubleshoot their networking appliances such as routers, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Built on Remote Monitoring and Management technology, ProSight WAN Watch keeps network maps current, captures and displays the configuration of almost every device connected to your network, tracks performance, and sends alerts when issues are discovered. By automating complex management and troubleshooting processes, WAN Watch can cut hours off routine chores like network mapping, expanding your network, locating devices that require important updates, or isolating performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses remote monitoring and management (RMM) technology to keep your IT system running at peak levels by tracking the health of the vital assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your designated IT management staff and your assigned Progent engineering consultant so that potential issues can be resolved before they disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual host configured and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting model, the client owns the data, the operating system software, and the apps. Because the system is virtualized, it can be ported easily to an alternate hosting solution without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, find and protect information related to your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your network documentation, you can eliminate as much as 50% of time wasted searching for vital information about your network. ProSight IT Asset Management features a centralized repository for holding and collaborating on all documents required for managing your network infrastructure like recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you’re making enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
For 24/7/365 Recife crypto-ransomware removal consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.