Ransomware: Your Crippling IT Catastrophe
Ransomware has become an escalating cyber pandemic that poses an existential threat to businesses vulnerable to attack. Multiple generations of ransomware such as the CryptoLocker, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been in the wild for a long time and still cause destruction. Recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, plus additional unnamed malware, not only encrypt online files but also attack most configured system protection mechanisms. Files synchronized to cloud environments can also be ransomed. In a poorly architected data protection solution, this can render automatic restore operations useless and effectively set the network back to zero.
Recovering applications and data after a ransomware intrusion becomes a race against time as the targeted organization tries to contain and eradicate the crypto-ransomware and resume business-critical operations. Because crypto-ransomware needs time to spread, attacks are usually sprung during weekends and nights, when successful penetrations may take longer to notice. This multiplies the difficulty of rapidly mobilizing and orchestrating a qualified mitigation team.
Progent offers a range of support services for protecting enterprises from ransomware penetrations. Among these are team member education to help identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security gateways with artificial intelligence technology to intelligently discover and quarantine zero-day cyber attacks. Progent also offers the services of experienced crypto-ransomware recovery professionals with the track record and perseverance to re-deploy a compromised environment as rapidly as possible.
Progent's Ransomware Recovery Help
Even after paying the ransom demand in cryptocurrency, there is no assurance that the attackers will respond with the keys to decrypt all your information. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their data after paying the ransom, compounding their losses. The exposure is also expensive: Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000), significantly higher than the usual crypto-ransomware demand, which ZDNet averages at around $13,000. The fallback is to re-install the key components of your Information Technology environment. Without access to complete data backups, this requires a broad range of skills, top-notch team management, and the capability to work 24x7 until the recovery project is finished.
For decades, Progent has provided certified expert Information Technology services for businesses in Brasília and across the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have been awarded advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has expertise in accounting and ERP software solutions. This breadth of experience gives Progent the capability to knowledgeably understand the necessary systems, re-organize the remaining pieces of your IT environment following a ransomware attack, and assemble them into a functioning network.
Progent's security team has state-of-the-art project management tools to orchestrate the sophisticated recovery process. Progent appreciates the importance of working quickly and together with a customer’s management and Information Technology resources to assign priority to tasks and to put key services back online as fast as humanly possible.
Business Case Study: A Successful Ransomware Attack Recovery
A business sought out Progent after their network was taken over by the Ryuk crypto-ransomware. Ryuk is thought to have been launched by North Korean state cybercriminals, suspected of adopting techniques exposed from America’s NSA organization. Ryuk targets specific companies with little tolerance for disruption and is one of the most lucrative iterations of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company based in the Chicago metro area with around 500 workers. The Ryuk event had disabled all company operations and manufacturing capabilities. Most of the client's backups had been online at the start of the attack and were damaged. The client was pursuing financing to pay the ransom demand (more than $200,000) and hoping for the best, but in the end engaged Progent.
"I cannot tell you enough in regards to the care Progent gave us throughout the most stressful period of (our) business's existence. We most likely would have paid the cyber criminals behind the attack if not for the confidence the Progent group gave us. The fact that you could get our e-mail and key applications back on-line sooner than one week was something I thought impossible. Each person I interacted with or texted at Progent was urgently focused on getting us back on-line and was working at all hours to bail us out."
Progent worked together with the customer to rapidly assess and prioritize the essential applications that had to be restored to make it possible to resume company operations:
- Active Directory
- MRP System
To start, Progent followed incident mitigation best practices for AV/malware response by halting the spread and cleaning up infected systems. Progent then began bringing Active Directory, the core of enterprise networks built on Microsoft technology, back online. Microsoft Exchange Server messaging will not work without AD, and the business's MRP system used Microsoft SQL, which depends on Windows AD for access to the databases.
Within 2 days, Progent was able to rebuild Active Directory to its pre-penetration state. Progent then assisted with rebuilding essential systems and recovering their hard drives. All Exchange Server data and attributes were usable, which facilitated the rebuild of Exchange. Progent was also able to find non-encrypted OST files (Outlook Off-Line Folder Files) on user desktop computers and use them to recover mail information. A fairly recent offline backup of the client's accounting software enabled them to bring these essential programs back online for users. Although significant work still had to be done to recover completely from the Ryuk virus, critical services were returned to operation quickly:
"For the most part, the production operation never missed a beat and we did not miss any customer sales."
Over the next couple of weeks key milestones in the recovery project were achieved in close cooperation between Progent engineers and the client:
- In-house web applications were restored without losing any data.
- The MailStore archive for Microsoft Exchange Server, holding more than four million archived messages, was restored to operation and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivable (AR)/Inventory modules were 100 percent recovered.
- A new Palo Alto Networks 850 security appliance was installed.
- Most of the user PCs were fully operational.
"So much of what happened in the initial days is nearly entirely a fog for me, but my team will not soon forget the commitment all of you put in to give us our company back. I have been working with Progent for the past 10 years, possibly more, and each time I needed help Progent has impressed me and delivered as promised. This situation was the most impressive ever."
A possible business-killing catastrophe was avoided thanks to hard-working experts, a broad array of IT skills, and close collaboration. Although in hindsight the crypto-ransomware penetration described here could have been shut down with modern cyber security solutions and security best practices, staff training, and well-designed procedures for data backup and keeping systems up to date with security patches, the fact remains that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and an ongoing threat. If you do get hit by a crypto-ransomware attack, remember that Progent's team of experts has extensive experience in crypto-ransomware virus defense, remediation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were helping), thank you for allowing me to get rested after we made it past the initial push. Everyone did an incredible job, and if any of your team is in the Chicago area, a great meal is on me!"
To read or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers companies in Brasília a portfolio of remote monitoring and security evaluation services designed to assist you to minimize your vulnerability to ransomware. These services utilize modern artificial intelligence technology to detect zero-day variants of ransomware that can escape detection by legacy signature-based security products.
For 24/7 Brasília Crypto-Ransomware Repair Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes cutting edge behavior analysis tools to guard physical and virtual endpoints against modern malware assaults like ransomware and file-less exploits, which routinely get by legacy signature-based anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a unified platform to manage the entire malware attack progression including blocking, identification, containment, cleanup, and post-attack forensics. Top capabilities include one-click rollback using Windows VSS and real-time network-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Protection and Exchange Filtering
ProSight Enhanced Security Protection (ESP) services offer affordable multi-layer protection for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and reacting to security threats from all vectors. ProSight ESP offers firewall protection, intrusion alerts, device control, and web filtering via cutting-edge technologies incorporated within one agent accessible from a single control. Progent's security and virtualization experts can help you to plan and configure a ProSight ESP deployment that meets your organization's specific requirements and that helps you achieve and demonstrate compliance with legal and industry data protection standards. Progent will help you define and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require urgent action. Progent can also help you to set up and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and medium-sized organizations an affordable end-to-end solution for secure backup and disaster recovery. For a fixed monthly cost, ProSight DPS automates and monitors your backup activities and allows rapid restoration of critical files, apps and VMs that have become lost or damaged as a result of component failures, software bugs, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, plus Hyper-V and VMware images. Important data can be backed up to the cloud, to a local device, or to both. Progent's backup and recovery specialists can provide advanced expertise to set up ProSight DPS to comply with government and industry regulatory requirements such as HIPAA, FERPA, PCI and Safe Harbor and, when necessary, can help you restore your business-critical information. Find out more about ProSight Data Protection Services Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top information security vendors to deliver web-based control and comprehensive protection for all your inbound and outbound email. The powerful structure of Progent's Email Guard managed service combines a Cloud Protection Layer with a local gateway appliance to provide advanced protection against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-based threats. Email Guard's cloud filter serves as a first line of defense and blocks most unwanted email from reaching your network firewall. This reduces your exposure to external attacks and saves bandwidth and storage space. Email Guard's on-premises gateway device adds a deeper level of inspection for inbound email. For outgoing email, the onsite gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The onsite gateway can also help Exchange Server monitor and protect internal email that stays within your security perimeter. For more details, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to diagram, monitor, optimize and troubleshoot their connectivity hardware such as switches, firewalls, and wireless controllers plus servers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always current, captures and displays the configuration information of virtually all devices on your network, monitors performance, and generates notices when problems are discovered. By automating complex network management activities, ProSight WAN Watch can knock hours off ordinary tasks like making network diagrams, reconfiguring your network, finding appliances that need critical software patches, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent’s server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system running efficiently by tracking the state of critical assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted automatically to your designated IT personnel and your Progent consultant so any potential problems can be resolved before they can impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's network support professionals. With the ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the apps. Because the environment is virtualized, it can be ported easily to an alternate hardware solution without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and safeguard information related to your IT infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT infrastructure documentation, you can eliminate up to 50% of the time spent trying to find critical information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents related to managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT information. Whether you’re planning enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Read more about ProSight IT Asset Management service.