Ransomware : Your Feared Information Technology Disaster
Ransomware Recovery Professionals

Ransomware has become a modern cyber pandemic that poses an existential threat to organizations unprepared for an attack. Ransomware families such as CrySIS, Fusob, Locky, SamSam and MongoLock cryptoworms have been spreading for many years and continue to cause harm. The latest crypto-ransomware variants like Ryuk and Hermes, as well as unnamed newcomers appearing daily, not only encrypt online data but also defeat many of the system protections that are in place. Information synchronized to cloud environments can be encrypted as well. In a poorly architected environment, this renders automatic restoration useless and effectively knocks the entire system back to square one.

Recovering programs and information after a ransomware event becomes a race against the clock as the victim fights to contain the damage, clean up the ransomware, and restore mission-critical activity. Because ransomware takes time to spread, attacks are frequently launched on weekends, when an intrusion may take longer to notice. This compounds the difficulty of promptly marshalling and organizing a qualified mitigation team.

Progent provides a variety of services for protecting organizations from ransomware events. These include training staff to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security gateways with artificial intelligence technology to identify and quarantine zero-day cyber threats. Progent also provides experienced ransomware recovery consultants with the skills and commitment to rebuild a compromised environment as urgently as possible.

Progent's Crypto-Ransomware Recovery Services
After a ransomware attack, even paying the ransom in cryptocurrency does not guarantee that the cyber criminals will respond with the keys needed to decrypt any or all of your files. Kaspersky estimated that 17% of ransomware victims never restored their information even after paying the ransom, resulting in increased losses. The ransom itself is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is far above the typical ransomware demand, which ZDNET determined to be approximately $13,000. The fallback is to re-install the critical parts of your IT environment. Without usable system backups, this requires a wide complement of skills, top-notch team management, and the capability to work continuously until the recovery project is over.

For decades, Progent has offered certified expert IT services for companies in Stamford and across the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have earned high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have garnered internationally-recognized industry certifications including CISM, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent also has experience in financial management and ERP application software. This breadth of experience provides Progent the ability to efficiently identify critical systems and integrate the remaining components of your Information Technology environment after a ransomware attack and assemble them into an operational system.

Progent's security group has top-notch project management tools to orchestrate the sophisticated recovery process. Progent appreciates the importance of acting quickly and together with a customer's management and IT resources to assign priority to tasks and to get essential systems back on-line as fast as possible.

Client Story: A Successful Ransomware Penetration Restoration
A client hired Progent after their network was penetrated by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean state cybercriminals, possibly using technology exposed from the U.S. NSA. Ryuk targets specific businesses with little ability to sustain operational disruption and is one of the most lucrative instances of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business headquartered in Chicago with about 500 employees. The Ryuk event had disabled all company operations and manufacturing processes. The majority of the client's information backups had been on-line at the start of the attack and were destroyed. The client was taking steps to pay the ransom (in excess of $200,000) and hoping for the best, but ultimately engaged Progent.


"I can't thank you enough in regards to the help Progent gave us throughout the most critical period of (our) business's survival. We may have had to pay the cybercriminals if not for the confidence the Progent team gave us. That you could get our messaging and critical applications back into operation sooner than five days was beyond my wildest dreams. Each expert I worked with or messaged at Progent was urgently focused on getting my company operational and was working at all hours on our behalf."

Progent worked together with the client to quickly understand and prioritize the essential systems that needed to be recovered to make it possible to resume departmental operations:

  • Active Directory
  • E-Mail
  • Accounting and Manufacturing Software

To get started, Progent followed incident response industry best practices for malware by isolating and cleaning infected systems. Progent then started the work of recovering Microsoft Active Directory, the core of enterprise networks built on Microsoft technology. Exchange messaging will not work without Active Directory, and the customer's MRP software relied on SQL Server, which requires Active Directory services to authenticate and authorize access to the databases.

Within 48 hours, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then charged ahead with rebuilding essential servers and recovering their storage. All Exchange schema and attributes were intact, which accelerated the restore of Exchange. Progent was also able to collect non-encrypted OST files (Microsoft Outlook Off-Line Data Files) from various PCs to recover email information. A reasonably recent offline backup of the client's financials/ERP systems made it possible to restore these vital programs and make them available to users again. Although a large amount of work remained to recover completely from the Ryuk damage, critical services were recovered rapidly:


"For the most part, the production line operation was never shut down and we produced all customer deliverables."

During the next couple of weeks important milestones in the restoration project were completed in tight cooperation between Progent consultants and the customer:

  • In-house web applications were brought back up without losing any information.
  • The MailStore Exchange Server containing more than 4 million archived messages was brought on-line and available for users.
  • CRM/Product Ordering/Invoicing/AP/Accounts Receivables/Inventory functions were 100 percent operational.
  • A new Palo Alto 850 firewall was set up.
  • Ninety percent of the desktop computers were being used by staff.

"A lot of what was accomplished that first week is nearly entirely a blur for me, but my management will not forget the dedication all of you put in to give us our business back. I've trusted Progent for at least 10 years, possibly more, and each time Progent has come through and delivered. This event was no exception but maybe more Herculean."

Conclusion
A potential business extinction disaster was averted with hard-working professionals, a wide spectrum of IT skills, and close collaboration. In hindsight, the ransomware incident described here could have been prevented with modern cyber security solutions and recognized best practices: user education, properly executed incident response procedures, sound backup practices, and proper patching controls. The reality, however, is that state-sponsored hackers from Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by a ransomware penetration, remember that Progent's roster of professionals has substantial experience in ransomware virus blocking, remediation, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were involved), thanks very much for making it so I could get some sleep after we got through the initial push. Everyone did an impressive effort, and if any of your guys is in the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer story, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Stamford a range of remote monitoring and security assessment services designed to help you to reduce your vulnerability to ransomware. These services utilize next-generation machine learning capability to uncover zero-day variants of ransomware that can evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates cutting edge behavior-based machine learning tools to guard physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which routinely get by legacy signature-based anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a single platform to manage the entire threat lifecycle including protection, identification, containment, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services offer economical multi-layer protection for physical servers and virtual machines, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alerts, endpoint management, and web filtering through leading-edge tools incorporated within a single agent accessible from a single console. Progent's security and virtualization consultants can assist your business to plan and configure a ProSight ESP environment that meets your organization's specific needs and that helps you achieve and demonstrate compliance with legal and industry information security regulations. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for urgent attention. Progent's consultants can also assist you to set up and verify a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business quickly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations a low-cost end-to-end service for secure backup/disaster recovery. Available at a low monthly cost, ProSight Data Protection Services automates your backup processes and allows fast restoration of critical files, applications and virtual machines that have become unavailable or damaged as a result of hardware failures, software glitches, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to an on-premises device, or to both. Progent's BDR consultants can deliver advanced expertise to configure ProSight DPS to comply with regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, whenever needed, can assist you to restore your business-critical data. Find out more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top data security companies to deliver centralized control and world-class protection for your inbound and outbound email. The powerful architecture of Email Guard managed service combines cloud-based filtering with an on-premises security gateway device to provide advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's cloud filter serves as a preliminary barricade and blocks the vast majority of threats from reaching your security perimeter. This reduces your vulnerability to external attacks and saves system bandwidth and storage space. Email Guard's onsite gateway appliance adds a further level of analysis for inbound email. For outgoing email, the on-premises gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The local security gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that originates and ends within your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to diagram, track, reconfigure and troubleshoot their connectivity hardware such as routers and switches, firewalls, and load balancers plus servers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology diagrams are kept current, copies and displays the configuration information of virtually all devices connected to your network, monitors performance, and generates alerts when issues are discovered. By automating tedious management and troubleshooting activities, WAN Watch can cut hours off common tasks such as network mapping, reconfiguring your network, locating appliances that require critical updates, or resolving performance bottlenecks. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your IT system running efficiently by checking the state of critical assets that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is transmitted immediately to your designated IT staff and your Progent engineering consultant so that any looming problems can be addressed before they can impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected, fault-tolerant data center on a fast virtual host configured and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the applications. Since the system is virtualized, it can be moved easily to an alternate hardware environment without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and protect information related to your network infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be warned about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can save up to half of the time wasted searching for vital information about your network. ProSight IT Asset Management includes a common repository for holding and sharing all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're planning enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Read more about ProSight IT Asset Management service.

For Stamford 24/7/365 Crypto Recovery Services, call Progent at 800-993-9400 or go to Contact Progent.