Ransomware : Your Crippling Information Technology Disaster
Crypto-Ransomware  Remediation ConsultantsRansomware has become a too-frequent cyberplague that presents an enterprise-level danger for organizations unprepared for an attack. Different iterations of ransomware such as CrySIS, Fusob, Locky, NotPetya and MongoLock cryptoworms have been replicating for years and still inflict harm. More recent versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, along with frequent unnamed malware, not only encrypt on-line files but also infiltrate many configured system restores and backups. Information replicated to the cloud can also be encrypted. In a poorly architected environment, this can render automatic recovery impossible and basically sets the entire system back to zero.

Getting back on-line programs and data following a ransomware outage becomes a sprint against time as the targeted organization fights to stop lateral movement and cleanup the ransomware and to restore business-critical activity. Due to the fact that crypto-ransomware requires time to spread, penetrations are usually sprung at night, when penetrations typically take more time to uncover. This compounds the difficulty of promptly assembling and organizing a knowledgeable mitigation team.

Progent has a variety of services for securing enterprises from crypto-ransomware attacks. Among these are staff training to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of next-generation security gateways with AI technology to automatically identify and disable zero-day cyber attacks. Progent also can provide the services of veteran crypto-ransomware recovery consultants with the track record and perseverance to reconstruct a breached environment as rapidly as possible.

Progent's Ransomware Recovery Support Services
Soon after a crypto-ransomware attack, sending the ransom demands in cryptocurrency does not ensure that distant criminals will respond with the codes to decrypt all your data. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their files even after having sent off the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is well higher than the typical ransomware demands, which ZDNET determined to be approximately $13,000. The other path is to setup from scratch the essential elements of your Information Technology environment. Absent the availability of complete data backups, this calls for a broad range of skill sets, top notch project management, and the ability to work non-stop until the task is done.

For two decades, Progent has offered certified expert Information Technology services for businesses in Chicago and throughout the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have been awarded top certifications in leading technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have earned internationally-recognized industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise in financial systems and ERP applications. This breadth of expertise affords Progent the capability to knowledgably ascertain necessary systems and consolidate the remaining pieces of your IT system following a ransomware attack and assemble them into an operational system.

Progent's security team of experts uses top notch project management systems to orchestrate the complex recovery process. Progent knows the urgency of acting swiftly and in concert with a customerís management and IT staff to prioritize tasks and to put essential systems back on line as soon as possible.

Customer Case Study: A Successful Crypto-Ransomware Incident Restoration
A client contacted Progent after their network was penetrated by Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by Northern Korean government sponsored criminal gangs, possibly using technology leaked from the United States NSA organization. Ryuk goes after specific businesses with limited ability to sustain disruption and is among the most profitable examples of crypto-ransomware. Major targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing business based in Chicago and has around 500 staff members. The Ryuk attack had shut down all business operations and manufacturing capabilities. Most of the client's backups had been directly accessible at the time of the attack and were encrypted. The client was pursuing financing for paying the ransom (exceeding $200,000) and wishfully thinking for the best, but in the end reached out to Progent.


"I canít speak enough about the support Progent gave us during the most stressful period of (our) businesses life. We may have had to pay the cybercriminals if not for the confidence the Progent group afforded us. That you were able to get our e-mail and production servers back sooner than seven days was incredible. Every single consultant I talked with or e-mailed at Progent was hell bent on getting my company operational and was working at all hours to bail us out."

Progent worked together with the client to rapidly understand and prioritize the critical services that had to be recovered in order to continue departmental functions:

  • Active Directory
  • Microsoft Exchange Email
  • Accounting and Manufacturing Software
To begin, Progent adhered to Anti-virus penetration mitigation best practices by stopping lateral movement and clearing up compromised systems. Progent then began the work of restoring Microsoft AD, the heart of enterprise networks built on Microsoft Windows technology. Microsoft Exchange Server email will not work without Windows AD, and the customerís financials and MRP system utilized SQL Server, which depends on Windows AD for authentication to the information.

In less than 2 days, Progent was able to recover Windows Active Directory to its pre-penetration state. Progent then assisted with setup and hard drive recovery of needed servers. All Microsoft Exchange Server data and attributes were intact, which greatly helped the rebuild of Exchange. Progent was able to locate intact OST data files (Microsoft Outlook Off-Line Folder Files) on team workstations to recover mail information. A not too old offline backup of the customerís financials/MRP software made them able to restore these required services back online. Although significant work was left to recover completely from the Ryuk event, essential services were recovered rapidly:


"For the most part, the production operation was never shut down and we did not miss any customer shipments."

During the following few weeks key milestones in the restoration process were achieved through close collaboration between Progent consultants and the client:

  • Internal web applications were restored with no loss of data.
  • The MailStore Microsoft Exchange Server exceeding 4 million historical messages was spun up and available for users.
  • CRM/Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory Control capabilities were fully recovered.
  • A new Palo Alto Networks 850 firewall was deployed.
  • Ninety percent of the user PCs were functioning as before the incident.

"Much of what transpired during the initial response is mostly a blur for me, but my team will not soon forget the countless hours each and every one of your team accomplished to help get our company back. Iíve utilized Progent for at least 10 years, maybe more, and every time Progent has impressed me and delivered. This situation was a stunning achievement."

Conclusion
A potential business extinction disaster was dodged by top-tier professionals, a broad array of knowledge, and close teamwork. Although upon completion of forensics the crypto-ransomware attack described here could have been disabled with up-to-date cyber security systems and best practices, team education, and properly executed incident response procedures for data backup and proper patching controls, the reality remains that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware attack, feel confident that Progent's roster of experts has a proven track record in crypto-ransomware virus defense, mitigation, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were helping), thanks very much for allowing me to get some sleep after we made it past the initial fire. Everyone did an amazing job, and if anyone that helped is around the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Chicago a variety of remote monitoring and security assessment services designed to help you to reduce your vulnerability to ransomware. These services utilize next-generation machine learning capability to uncover zero-day variants of ransomware that are able to escape detection by legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that utilizes next generation behavior-based analysis tools to guard physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which routinely evade legacy signature-based AV tools. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a unified platform to automate the complete threat progression including blocking, detection, containment, remediation, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection managed services offer affordable in-depth security for physical and virtual servers, desktops, mobile devices, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and responding to security assaults from all vectors. ProSight ESP offers firewall protection, intrusion alarms, device management, and web filtering through leading-edge technologies packaged within one agent managed from a single control. Progent's data protection and virtualization experts can assist you to plan and implement a ProSight ESP deployment that addresses your organization's specific requirements and that allows you demonstrate compliance with government and industry information protection regulations. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require urgent action. Progent can also help your company to install and verify a backup and restore solution like ProSight Data Protection Services so you can get back in business quickly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and mid-sized organizations a low cost and fully managed service for reliable backup/disaster recovery. For a fixed monthly cost, ProSight Data Protection Services automates your backup activities and enables rapid restoration of critical files, applications and VMs that have become unavailable or damaged as a result of hardware failures, software bugs, natural disasters, human error, or malware attacks like ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images/. Important data can be protected on the cloud, to an on-promises device, or to both. Progent's backup and recovery consultants can provide world-class expertise to set up ProSight DPS to to comply with regulatory standards like HIPAA, FINRA, and PCI and, whenever necessary, can assist you to restore your critical information. Find out more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading information security companies to deliver centralized control and world-class security for your inbound and outbound email. The hybrid architecture of Email Guard managed service integrates cloud-based filtering with an on-premises security gateway appliance to provide complete defense against spam, viruses, Denial of Service Attacks, DHAs, and other email-based threats. Email Guard's cloud filter acts as a first line of defense and blocks most unwanted email from reaching your security perimeter. This reduces your vulnerability to external attacks and conserves system bandwidth and storage space. Email Guard's onsite security gateway appliance provides a further level of inspection for inbound email. For outbound email, the local security gateway provides AV and anti-spam filtering, DLP, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to track and safeguard internal email that originates and ends inside your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to map, monitor, reconfigure and debug their networking hardware such as switches, firewalls, and access points as well as servers, printers, client computers and other networked devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept updated, captures and displays the configuration of almost all devices on your network, tracks performance, and generates alerts when potential issues are detected. By automating time-consuming network management activities, ProSight WAN Watch can knock hours off common tasks such as network mapping, reconfiguring your network, finding appliances that require important software patches, or identifying the cause of performance issues. Find out more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management techniques to help keep your network operating efficiently by checking the state of critical assets that power your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your designated IT staff and your Progent engineering consultant so all looming problems can be addressed before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual host set up and managed by Progent's IT support experts. With the ProSight Virtual Hosting service model, the client owns the data, the OS software, and the applications. Since the environment is virtualized, it can be ported immediately to a different hosting solution without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not tied one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and safeguard data related to your IT infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be alerted about upcoming expirations of SSLs ,domains or warranties. By updating and managing your IT documentation, you can eliminate up to half of time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents required for managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT data. Whether youíre planning improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you need as soon as you need it. Find out more about ProSight IT Asset Management service.
For Chicago 24-7 CryptoLocker Repair Consulting, reach out to Progent at 800-993-9400 or go to Contact Progent.