Ransomware : Your Worst IT Disaster
Crypto-Ransomware Remediation Professionals

Ransomware has become a too-frequent cyber pandemic that presents an extinction-level danger for businesses poorly prepared for an attack. Different versions of ransomware like the CrySIS, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for a long time and still cause damage. Modern variants of ransomware such as Ryuk and Hermes, plus more as yet unnamed newcomers, not only encrypt online data files but also infect every system backup they can reach. Data synched to off-site disaster recovery sites can also be encrypted. In a vulnerable system, this can make any recovery hopeless and effectively knocks the datacenter back to zero.

Getting programs and data back online after a ransomware outage becomes a race against time as the targeted organization struggles to stop lateral movement, remove the crypto-ransomware, and resume mission-critical operations. Because crypto-ransomware takes time to replicate, attacks are frequently launched during nights and weekends, when they often take longer to discover. This multiplies the difficulty of promptly assembling and organizing a capable response team.

Progent offers a range of services for protecting businesses from crypto-ransomware events. These include user education so that staff recognize and do not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of the latest generation of security solutions with machine learning technology to intelligently identify and suppress zero-day cyber threats. Progent also provides the assistance of experienced ransomware recovery professionals with the skills and commitment to re-deploy a compromised environment as soon as possible.

Progent's Ransomware Restoration Services
Following a crypto-ransomware penetration, sending the ransom in cryptocurrency does not guarantee that merciless criminals will return the keys to decrypt all your information. Kaspersky Labs determined that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in additional losses. The ransom itself is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly above the usual ransomware demands, which ZDNET estimates to be around $13,000. The alternative is to re-install the mission-critical components of your IT environment. Absent full system backups, this calls for a broad range of skill sets, professional team management, and the willingness to work 24x7 until the recovery project is complete.

For decades, Progent has made available expert IT services for businesses in Stamford and throughout the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have earned top industry certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent in addition has experience in financial systems and ERP applications. This breadth of expertise gives Progent the skills to rapidly understand the necessary systems, integrate the surviving parts of your Information Technology environment following a ransomware penetration, and assemble them into a functioning system.

Progent's security group deploys powerful project management systems to coordinate the complicated recovery process. Progent appreciates the importance of acting rapidly and together with a client's management and IT staff to prioritize tasks and to put critical services back online as fast as humanly possible.

Client Story: A Successful Ransomware Incident Response
A business sought out Progent after their organization was brought down by the Ryuk ransomware virus. Ryuk is believed to have been deployed by North Korean state-sponsored criminal gangs, possibly using strategies leaked from the United States National Security Agency. Ryuk targets specific organizations with little ability to sustain operational disruption and is among the most lucrative examples of ransomware malware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in Chicago with about 500 staff members. The Ryuk intrusion had shut down all business operations and manufacturing processes. The majority of the client's system backups had been directly accessible over the network at the beginning of the intrusion and were damaged. The client was evaluating paying the ransom demand (more than $200,000) and hoping for good luck, but in the end brought in Progent.

"I cannot tell you enough about the help Progent gave us during the most fearful time of (our) business's life. We would have paid the hackers if it wasn't for the confidence the Progent team provided us. That you could get our e-mail and production applications back in less than one week was incredible. Each person I interacted with or e-mailed at Progent was urgently focused on getting us working again and was working all day and night on our behalf."

Progent worked hand in hand with the client to quickly understand and prioritize the critical applications that needed to be recovered in order to resume departmental functions:

  • Active Directory
  • Electronic Mail
  • Accounting and Manufacturing Software

To get going, Progent adhered to industry best practices for malware incident mitigation by halting lateral movement and cleaning up compromised systems. Progent then initiated the process of restoring Microsoft AD, the heart of enterprise networks built on Microsoft technology. Exchange email will not function without Windows AD, and the business's MRP software leveraged Microsoft SQL Server, which depends on Windows AD for access to the database.

In less than two days, Progent was able to rebuild Windows Active Directory to its pre-virus state. Progent then assisted with reinstallations and hard drive recovery of the most important servers. All Microsoft Exchange Server ties and attributes were intact, which greatly helped the rebuild of Exchange. Progent was able to gather the non-encrypted OST data files (Outlook Off-Line Folder Files) on staff workstations in order to recover email data. A reasonably recent off-line backup of the business's financials/ERP software made it possible to bring these required services back to users. Although a lot of work still had to be done to recover fully from the Ryuk event, critical systems were restored quickly:

"For the most part, the production operation survived unscathed and we delivered all customer deliverables."
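The email recovery step above depended on finding which workstation OST files the ransomware had not yet reached. The following script is an added example for that triage and is not Progent's code or part of the original case study. It walks a directory tree, finds Outlook data files, and separates intact files from suspect ones using the documented PST/OST header magic "!BDN" (MS-PST dwMagic) plus a byte-entropy estimate over the file head, since ciphertext is close to 8 bits per byte while a genuine OST header region is not. The sample files, user names and directory layout are constructed inside a temporary directory so the script runs offline.

```python
"""Triage of Outlook data files (OST/PST) after a ransomware event.

Added example, not Progent's code. Two signals are used per file:
  1. the PST/OST header magic "!BDN" (MS-PST, dwMagic); an encrypted
     file will not keep this header;
  2. a byte-histogram entropy estimate over the first 64 KiB; a plain
     OST header region is low-entropy, ciphertext is close to 8 bits/byte.
Sample files are constructed in a temporary directory (assumed layout).
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

OUTLOOK_MAGIC = b"!BDN"          # MS-PST header magic, shared by PST and OST
ENTROPY_LIMIT = 7.0              # bits per byte; above this looks encrypted
SAMPLE_BYTES = 64 * 1024         # only the head of each file is inspected


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_outlook_file(path: Path) -> str:
    """Return 'intact', 'suspect-magic', 'suspect-entropy' or 'empty'."""
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if not head:
        return "empty"
    if not head.startswith(OUTLOOK_MAGIC):
        return "suspect-magic"          # header overwritten or renamed junk
    if shannon_entropy(head[len(OUTLOOK_MAGIC):]) > ENTROPY_LIMIT:
        return "suspect-entropy"        # magic kept but body looks encrypted
    return "intact"


def triage_tree(root: Path) -> dict:
    """Map each OST/PST under root (relative path) to its classification."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".ost", ".pst")):
                p = Path(dirpath) / name
                results[str(p.relative_to(root))] = classify_outlook_file(p)
    return results


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: one intact OST, one encrypted, one partial."""
    intact = root / "alice" / "alice@example.com.ost"
    intact.parent.mkdir(parents=True)
    # Magic followed by mostly-zero padding, like a real OST header area.
    intact.write_bytes(OUTLOOK_MAGIC + b"\x00" * 4096 + b"SO" + b"\x00" * 4096)

    encrypted = root / "bob" / "bob@example.com.ost"
    encrypted.parent.mkdir(parents=True)
    # Simulated ciphertext: os.urandom stands in for encrypted content.
    encrypted.write_bytes(os.urandom(8192))

    partial = root / "carol" / "archive.pst"
    partial.parent.mkdir(parents=True)
    # Header survived but the body is random: treat as suspect too.
    partial.write_bytes(OUTLOOK_MAGIC + os.urandom(8192))


def run_demo() -> dict:
    """Build the constructed tree, triage it, and return the verdict map."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage_tree(root)


if __name__ == "__main__":
    for rel, verdict in sorted(run_demo().items()):
        print(f"{verdict:16s} {rel}")
```

Only files classified as intact are worth copying off to a clean staging host for import; the entropy threshold is a heuristic, so anything marked suspect should be reviewed by hand rather than discarded.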

Over the following few weeks, important milestones in the restoration project were completed in tight collaboration between Progent consultants and the client:

  • Self-hosted web applications were returned to operation with no loss of information.
  • The MailStore Server containing more than 4 million historical messages was brought on-line and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory modules were 100% recovered.
  • A new Palo Alto 850 firewall was installed.
  • Most of the user PCs were functioning as before the incident.

"Much of what occurred that first week is nearly entirely a fog for me, but my team will not forget the commitment each and every one of you accomplished to give us our company back. I've been working together with Progent for the past 10 years, maybe more, and every time Progent has outperformed my expectations and delivered as promised. This time was a life saver."

A probable business-killing disaster was averted by dedicated experts, a wide spectrum of technical expertise, and tight collaboration. In retrospect, the ransomware attack described here should have been identified and stopped by modern security technology and best practices, user and IT administrator training, and properly executed procedures for data backup and software patching; the fact remains, however, that government-sponsored cybercriminals from Russia, China and elsewhere are tireless and will continue. If you do get hit by a ransomware attack, remember that Progent's team of experts has a proven track record in crypto-ransomware blocking, cleanup, and file restoration.

"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thanks very much for making it so I could get some sleep after we made it over the initial push. Everyone did an incredible effort, and if anyone is around the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Stamford a variety of remote monitoring and security evaluation services to assist you to reduce the threat from ransomware. These services incorporate next-generation machine learning technology to uncover zero-day variants of ransomware that can evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates cutting-edge behavior-based machine learning tools to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which routinely bypass traditional signature-based AV products. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a unified platform to address the entire malware attack progression including filtering, detection, containment, remediation, and post-attack forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services offer economical multi-layer security for physical servers and virtual machines, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge technologies packaged within one agent managed from a single console. Progent's data protection and virtualization consultants can assist your business to design and implement a ProSight ESP environment that meets your organization's specific requirements and that allows you to achieve and demonstrate compliance with government and industry data security regulations. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require urgent action. Progent's consultants can also help your company to set up and test a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized businesses a low-cost and fully managed solution for reliable backup and disaster recovery. For a low monthly rate, ProSight DPS automates your backup activities and enables rapid recovery of vital files, applications and virtual machines that have become unavailable or corrupted as a result of component failures, software glitches, disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware images. Important data can be backed up to the cloud, to a local device, or to both. Progent's backup and recovery specialists can deliver world-class expertise to configure ProSight DPS to comply with regulatory standards like HIPAA, FERPA, PCI and Safe Harbor and, whenever necessary, can help you to restore your critical information. Find out more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of top information security companies to provide web-based control and world-class security for all your email traffic. The layered architecture of the Email Guard managed service combines cloud-based filtering with an on-premises security gateway appliance to offer advanced defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps most unwanted email from reaching your security perimeter. This decreases your exposure to external threats and conserves network bandwidth and storage space. Email Guard's onsite security gateway appliance adds a further level of analysis for inbound email. For outgoing email, the on-premises gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email that stays within your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized businesses to map out, monitor, optimize and debug their networking appliances like routers, firewalls, and load balancers as well as servers, client computers and other devices. Using cutting-edge RMM technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept updated, captures and manages the configuration information of virtually all devices on your network, monitors performance, and generates alerts when potential issues are discovered. By automating complex management and troubleshooting processes, WAN Watch can cut hours off ordinary tasks like network mapping, expanding your network, finding appliances that require critical updates, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to keep your network running at peak levels by checking the state of critical assets that power your business network. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your specified IT personnel and your assigned Progent engineering consultant so all looming problems can be addressed before they can disrupt productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual host configured and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be ported easily to an alternate hosting solution without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and protect information about your network infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can save as much as 50% of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents required for managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're making enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you require the instant you need it. Find out more about ProSight IT Asset Management service.

For Stamford 24x7 Crypto-Ransomware Repair Support Services, call Progent at 800-993-9400 or go to Contact Progent.