Ransomware: Your Crippling IT Catastrophe
Ransomware Remediation Consultants
Crypto-ransomware has become an all-too-frequent cyberplague that represents an enterprise-level threat for businesses of all sizes. Multiple generations of crypto-ransomware, including the CrySIS, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms, have been in the wild for a long time and still cause havoc. The latest variants, such as Ryuk and Hermes, plus a steady stream of as-yet-unnamed newcomers, not only encrypt online data but also attack every accessible system protection mechanism. Information replicated to the cloud can be encrypted as well. In a poorly designed environment this can make any recovery impossible, effectively setting the network back to zero.

Restoring programs and information after a ransomware attack becomes a race against the clock as the victim struggles to stop the spread, clean up the ransomware, and resume enterprise-critical operations. Because crypto-ransomware needs time to replicate, attacks are often sprung on weekends and at night, when they are likely to take longer to recognize. This compounds the difficulty of rapidly marshalling and organizing a knowledgeable response team.

Progent provides an assortment of support services for protecting organizations from ransomware events. These include staff education to help employees recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of next-generation security solutions with machine learning capabilities to intelligently detect and quarantine zero-day threats. Progent also offers the services of veteran crypto-ransomware recovery professionals with the skill and commitment to rebuild a breached system as quickly as possible.

Progent's Crypto-Ransomware Recovery Support Services
After a crypto-ransomware penetration, even paying the ransom in cryptocurrency does not ensure that the criminals will provide the keys needed to decrypt your information. Kaspersky Labs estimated that 17% of ransomware victims never restored their information even after sending off the ransom, resulting in additional losses. The gamble is also very costly: Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000), significantly above the typical ransomware demand, which ZDNET determined to be approximately $13,000. The other path is to set up the vital parts of your IT environment from scratch. Without full data backups, this requires a wide complement of skill sets, top-notch project management, and the willingness to work continuously until the recovery project is done.

For two decades, Progent has provided expert IT services for businesses in Uniondale and throughout the United States and has earned Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who hold high-level certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security experts have earned internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with accounting and ERP software. This breadth of experience gives Progent the skills to rapidly identify critical systems after a crypto-ransomware penetration, consolidate the surviving parts of your network, and rebuild them into a functioning system.

Progent's ransomware team uses best-of-breed project management tools to orchestrate the complex recovery process. Progent understands the importance of acting swiftly and working together with a client's management and IT staff to prioritize tasks and get the most important services back online as fast as possible.

Case Study: A Successful Ransomware Attack Restoration
A client contacted Progent after their company was taken down by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean state hackers, suspected of adopting techniques leaked from the U.S. National Security Agency. Ryuk targets organizations with little ability to sustain disruption and is one of the most profitable ransomware strains. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer headquartered in the Chicago metro area with around 500 workers. The Ryuk penetration had shut down all essential business operations and manufacturing processes. The majority of the client's data backups had been online at the time of the attack and were eventually encrypted. The client was actively seeking loans to pay the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.


"I cannot speak enough in regards to the care Progent provided us throughout the most stressful period of (our) company's existence. We would have paid the cyber criminals if it wasn't for the confidence the Progent experts provided us. The fact that you were able to get our messaging and important applications back sooner than a week was incredible. Every single staff member I got help from or e-mailed at Progent was amazingly focused on getting us back online and was working all day and night on our behalf."

Progent worked hand in hand with the client to quickly identify and prioritize the essential areas that needed to be recovered in order to resume company functions:

  • Microsoft Active Directory
  • Electronic Messaging
  • MRP System

To begin, Progent followed incident response best practices by stopping the spread and removing active malware. Progent then began the steps of restoring Microsoft Active Directory, the foundation of enterprise environments built on Microsoft Windows technology. Microsoft Exchange messaging will not work without Windows AD, and the customer's MRP system relied on Microsoft SQL Server, which needs Active Directory services for access to the data.

Within 2 days, Progent was able to recover Active Directory to its pre-attack state. Progent then rebuilt and restored storage for the required servers. All Microsoft Exchange Server data and configuration information were usable, which facilitated the restoration of Exchange. Progent was also able to locate non-encrypted OST files (Outlook offline folder files) on staff PCs and recover mail messages from them. A reasonably recent offline backup of the customer's financials/ERP systems allowed these essential applications to be brought back online. Although a lot of work remained to recover fully from the Ryuk attack, core systems were returned to operation rapidly:


"For the most part, the manufacturing operation never missed a beat and we made all customer shipments."
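The OST recovery step described above, as an added example that is not Progent's code: a Python triage script that walks collected workstation profiles and reports which Outlook cache files still carry the PST/OST file header (a file an encryptor has overwritten no longer does), so responders can shortlist caches worth recovering mail from. Profile paths, account names and sample bytes are constructed.

```python
"""Triage Outlook data files (.ost/.pst) after an encrypting attack.

Added example, not Progent's tooling. Every Outlook PST/OST file starts with
the 4-byte magic "!BDN"; a cache an encryptor has overwritten no longer does,
so checking that header across collected user profiles quickly shortlists
which mailbox caches are still worth recovering mail from.
"""
import os
import tempfile
from pathlib import Path

PST_MAGIC = b"!BDN"  # dwMagic at offset 0 of the PST/OST header
OUTLOOK_EXTS = {".ost", ".pst"}

def is_intact_outlook_file(path):
    """True if the file still carries a valid PST/OST header."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == PST_MAGIC
    except OSError:
        return False

def classify_outlook_files(root):
    """Map every .ost/.pst under `root` to 'intact' or 'damaged'.
    Files the encryptor renamed to another extension are not matched here."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() in OUTLOOK_EXTS:
                full = os.path.join(dirpath, name)
                results[full] = "intact" if is_intact_outlook_file(full) else "damaged"
    return results

def summarize(results):
    """Return (intact_count, damaged_count) for a classification map."""
    intact = sum(1 for v in results.values() if v == "intact")
    return intact, len(results) - intact

def build_sample_tree():
    """Constructed sample data: two fake workstation profiles with OST caches."""
    root = tempfile.mkdtemp(prefix="ost_triage_")
    outlook = Path("AppData", "Local", "Microsoft", "Outlook")
    good = Path(root, "pc01", "Users", "alice") / outlook
    bad = Path(root, "pc02", "Users", "bob") / outlook
    good.mkdir(parents=True)
    bad.mkdir(parents=True)
    # Intact cache: genuine header magic followed by placeholder body bytes.
    (good / "alice@example.com.ost").write_bytes(PST_MAGIC + b"\x00" * 508)
    # Overwritten cache: header replaced by ciphertext-like bytes (constructed).
    (bad / "bob@example.com.ost").write_bytes(b"\x8f\x12\xc4\x7e" + os.urandom(508))
    return root

if __name__ == "__main__":
    found = classify_outlook_files(build_sample_tree())
    print("intact=%d damaged=%d" % summarize(found))
```

Point `classify_outlook_files` at a mount of collected profile directories; a cache reported as intact can then be opened in Outlook or an OST viewer to pull messages out.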

Over the next couple of weeks, critical milestones in the recovery project were reached through tight collaboration between Progent team members and the customer:

  • Self-hosted web applications were restored without losing any information.
  • The MailStore archive server for Microsoft Exchange, holding more than 4 million archived messages, was restored to operation and made available to users.
  • CRM/Orders/Invoicing/Accounts Payable/Accounts Receivable (AR)/Inventory functions were 100 percent operational.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Most of the user desktops and notebooks were fully operational.

"A huge amount of what went on during the initial response is mostly a blur for me, but our team will not forget the commitment each of you accomplished to help get our company back. I have entrusted Progent for the past 10 years, possibly more, and every time Progent has impressed me and delivered as promised. This time was a stunning achievement."

Conclusion
A probable enterprise-killing disaster was averted through top-tier professionals, a broad array of subject matter expertise, and close teamwork. In hindsight, the crypto-ransomware incident described here could have been detected and contained with advanced security technology and NIST Cybersecurity Framework best practices, staff training, well-designed incident response and backup procedures, and systems kept current with security patches; nevertheless, government-sponsored attackers from Russia, China and elsewhere are relentless and are not going away. If you do fall victim to a ransomware attack, be assured that Progent's roster of professionals has proven experience in ransomware prevention, mitigation, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were contributing), I'm grateful for letting me get some sleep after we made it through the initial fire. All of you did an impressive effort, and if any of your guys is visiting the Chicago area, a great meal is on me!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Uniondale a range of online monitoring and security evaluation services to help you minimize your exposure to crypto-ransomware. These services use modern AI technology to detect zero-day variants of crypto-ransomware that can escape detection by traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates next-generation behavior analysis tools to guard physical and virtual endpoint devices against new malware assaults such as ransomware and fileless exploits, which easily evade legacy signature-matching AV tools. ProSight ASM protects local and cloud resources and provides a single platform to automate the entire threat lifecycle, including protection, identification, containment, remediation, and forensics. Key features include one-click rollback using Windows VSS and automatic network-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection managed services offer ultra-affordable in-depth security for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring of and response to cyber threats from all vectors. ProSight ESP provides firewall protection, intrusion alerts, device control, and web filtering through leading-edge technologies incorporated within a single agent managed from a unified console. Progent's data protection and virtualization experts can help your business design and configure a ProSight ESP deployment that meets your company's specific needs and that helps you achieve and demonstrate compliance with government and industry information security regulations. Progent will help you define and implement the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require immediate attention. Progent can also help your company set up and verify a backup and restore solution like ProSight Data Protection Services so you can recover rapidly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized organizations a low-cost, fully managed service for reliable backup and disaster recovery (BDR). For a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup processes and allows rapid recovery of vital files, apps and VMs that have become lost or damaged as a result of hardware failures, software bugs, disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, apps, system images, and Hyper-V and VMware images. Important data can be protected in the cloud, on a local storage device, or both. Progent's backup and recovery specialists can deliver advanced expertise to set up ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, when needed, can help you restore your critical information. Find out more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading information security companies to provide centralized control and comprehensive protection for your email traffic. The hybrid structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway device to offer advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne malware. The cloud filter acts as a preliminary barricade and blocks most threats from reaching your network firewall. This decreases your exposure to external attacks and saves network bandwidth and storage space. Email Guard's on-premises security gateway device provides a further layer of analysis for inbound email. For outgoing email, the local security gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to track and protect internal email that originates and ends inside your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to diagram, monitor, reconfigure and troubleshoot their connectivity appliances like switches, firewalls, and access points as well as servers, printers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology maps are always current, copies and manages the configuration of almost all devices on your network, tracks performance, and sends alerts when potential issues are detected. By automating complex management and troubleshooting processes, WAN Watch can cut hours off ordinary chores such as network mapping, expanding your network, finding appliances that require critical updates, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) technology to keep your IT system operating at peak levels by checking the state of critical computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your designated IT personnel and your assigned Progent consultant so that any potential issues can be addressed before they can impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected Tier III data center on a fast virtual host set up and managed by Progent's network support professionals. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the applications. Since the system is virtualized, it can be moved easily to a different hardware environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and protect information about your network infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT documentation, you can save up to half the time spent looking for vital information about your IT network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents related to managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're making improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.

For Uniondale 24/7/365 CryptoLocker Recovery Experts, reach out to Progent at 800-993-9400 or go to Contact Progent.