Ransomware : Your Feared Information Technology Catastrophe
Ransomware  Recovery ProfessionalsRansomware has become a too-frequent cyberplague that represents an extinction-level danger for businesses poorly prepared for an attack. Different versions of ransomware such as CryptoLocker, WannaCry, Locky, SamSam and MongoLock cryptoworms have been replicating for years and continue to inflict damage. More recent strains of ransomware like Ryuk and Hermes, plus additional unnamed viruses, not only do encryption of online critical data but also infect any accessible system backup. Information synched to the cloud can also be rendered useless. In a vulnerable data protection solution, this can render any recovery impossible and effectively knocks the datacenter back to square one.

Getting back on-line applications and information following a ransomware intrusion becomes a race against the clock as the targeted organization struggles to stop the spread and eradicate the virus and to restore business-critical operations. Since crypto-ransomware takes time to replicate, penetrations are often launched at night, when successful attacks are likely to take longer to discover. This multiplies the difficulty of quickly marshalling and organizing a knowledgeable mitigation team.

Progent has a range of support services for protecting businesses from ransomware penetrations. Among these are staff education to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of modern security gateways with machine learning technology to quickly discover and disable new cyber attacks. Progent in addition offers the assistance of veteran crypto-ransomware recovery consultants with the skills and commitment to restore a breached network as soon as possible.

Progent's Crypto-Ransomware Restoration Help
Soon after a crypto-ransomware attack, paying the ransom demands in Bitcoin cryptocurrency does not guarantee that merciless criminals will respond with the codes to decrypt all your data. Kaspersky estimated that seventeen percent of ransomware victims never restored their data even after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the average ransomware demands, which ZDNET averages to be in the range of $13,000. The other path is to setup from scratch the essential parts of your Information Technology environment. Absent the availability of full data backups, this calls for a wide complement of IT skills, top notch project management, and the capability to work continuously until the task is complete.

For two decades, Progent has provided professional IT services for businesses in Skokie and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have earned top industry certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has experience with accounting and ERP applications. This breadth of experience affords Progent the ability to rapidly identify necessary systems and re-organize the surviving parts of your network system after a ransomware attack and rebuild them into a functioning system.

Progent's recovery team uses state-of-the-art project management systems to coordinate the complicated recovery process. Progent understands the urgency of acting quickly and together with a client's management and IT team members to assign priority to tasks and to get the most important applications back on-line as fast as humanly possible.

Case Study: A Successful Crypto-Ransomware Virus Restoration
A customer escalated to Progent after their organization was attacked by the Ryuk ransomware virus. Ryuk is generally considered to have been deployed by Northern Korean state hackers, possibly using techniques leaked from Americaís National Security Agency. Ryuk targets specific companies with little ability to sustain disruption and is among the most profitable examples of ransomware viruses. High publicized organizations include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer headquartered in Chicago with around 500 staff members. The Ryuk intrusion had brought down all business operations and manufacturing processes. Most of the client's information backups had been online at the start of the attack and were encrypted. The client was pursuing financing for paying the ransom demand (more than two hundred thousand dollars) and hoping for good luck, but in the end brought in Progent.


"I cannot say enough in regards to the help Progent provided us throughout the most critical time of (our) businesses existence. We most likely would have paid the hackers behind this attack if not for the confidence the Progent experts afforded us. The fact that you could get our messaging and production servers back into operation quicker than a week was incredible. Every single consultant I got help from or communicated with at Progent was amazingly focused on getting us restored and was working 24/7 on our behalf."

Progent worked together with the client to quickly identify and assign priority to the mission critical elements that had to be addressed to make it possible to restart departmental operations:

  • Windows Active Directory
  • Electronic Messaging
  • Accounting and Manufacturing Software
To get going, Progent followed AV/Malware Processes penetration response industry best practices by halting lateral movement and performing virus removal steps. Progent then started the process of restoring Active Directory, the foundation of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not work without AD, and the client's financials and MRP applications leveraged Microsoft SQL, which requires Active Directory services for security authorization to the information.

In less than 2 days, Progent was able to re-build Active Directory to its pre-penetration state. Progent then helped perform reinstallations and storage recovery of critical applications. All Exchange Server data and configuration information were intact, which greatly helped the restore of Exchange. Progent was able to assemble non-encrypted OST data files (Outlook Email Offline Data Files) on staff workstations to recover mail messages. A not too old off-line backup of the client's accounting software made it possible to recover these required programs back online. Although major work needed to be completed to recover completely from the Ryuk virus, critical systems were recovered quickly:


"For the most part, the manufacturing operation never missed a beat and we made all customer sales."

During the next couple of weeks critical milestones in the recovery project were made through tight cooperation between Progent consultants and the customer:

  • Self-hosted web sites were restored with no loss of data.
  • The MailStore Microsoft Exchange Server with over four million historical emails was restored to operations and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables/Inventory functions were 100 percent recovered.
  • A new Palo Alto 850 security appliance was brought online.
  • 90% of the desktop computers were functioning as before the incident.

"A huge amount of what transpired those first few days is nearly entirely a blur for me, but we will not soon forget the commitment all of your team put in to give us our business back. Iíve entrusted Progent for the past 10 years, maybe more, and each time Progent has come through and delivered as promised. This event was a life saver."

Conclusion
A possible business-killing disaster was dodged by hard-working experts, a wide range of knowledge, and tight collaboration. Although in analyzing the event afterwards the crypto-ransomware virus attack detailed here should have been stopped with advanced cyber security technology and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and properly executed incident response procedures for information backup and keeping systems up to date with security patches, the reality is that state-sponsored cybercriminals from China, North Korea and elsewhere are relentless and will continue. If you do fall victim to a ransomware incursion, feel confident that Progent's team of experts has substantial experience in ransomware virus blocking, mitigation, and data disaster recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thank you for allowing me to get some sleep after we made it over the initial fire. Everyone did an amazing effort, and if any of your guys is visiting the Chicago area, a great meal is my treat!"

To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Skokie a portfolio of online monitoring and security assessment services designed to help you to reduce the threat from ransomware. These services include modern machine learning capability to uncover new variants of crypto-ransomware that can evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that incorporates next generation behavior-based machine learning tools to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and file-less exploits, which routinely evade legacy signature-matching AV products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a unified platform to address the complete malware attack progression including filtering, infiltration detection, mitigation, remediation, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer protection for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP provides two-way firewall protection, penetration alerts, endpoint control, and web filtering through cutting-edge technologies incorporated within one agent accessible from a single control. Progent's security and virtualization experts can help you to design and configure a ProSight ESP deployment that meets your company's specific needs and that allows you prove compliance with legal and industry data security standards. Progent will assist you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that call for immediate attention. Progent's consultants can also help you to install and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations an affordable and fully managed service for secure backup/disaster recovery. For a fixed monthly rate, ProSight DPS automates your backup activities and enables fast restoration of vital data, apps and virtual machines that have become unavailable or damaged as a result of component breakdowns, software bugs, disasters, human error, or malware attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to an on-promises storage device, or to both. Progent's backup and recovery consultants can deliver world-class expertise to set up ProSight DPS to to comply with regulatory standards like HIPAA, FIRPA, PCI and Safe Harbor and, whenever necessary, can assist you to restore your critical data. Find out more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top data security vendors to deliver web-based control and world-class protection for all your email traffic. The powerful architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with a local gateway appliance to provide advanced defense against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and blocks most unwanted email from making it to your security perimeter. This decreases your vulnerability to inbound threats and saves network bandwidth and storage. Email Guard's onsite gateway appliance provides a deeper layer of inspection for inbound email. For outbound email, the local security gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also assist Exchange Server to track and protect internal email that stays within your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller businesses to diagram, track, enhance and debug their networking appliances like switches, firewalls, and access points as well as servers, printers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network diagrams are always updated, captures and displays the configuration of virtually all devices on your network, monitors performance, and sends alerts when potential issues are discovered. By automating tedious network management processes, ProSight WAN Watch can knock hours off common chores like network mapping, reconfiguring your network, finding appliances that require critical updates, or identifying the cause of performance issues. Find out more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your network running efficiently by checking the state of vital assets that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your specified IT staff and your Progent consultant so that all looming issues can be resolved before they have a chance to disrupt productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual host set up and managed by Progent's network support experts. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the apps. Since the environment is virtualized, it can be ported easily to a different hardware environment without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and safeguard information related to your IT infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSLs ,domains or warranties. By updating and managing your IT infrastructure documentation, you can save up to half of time wasted searching for vital information about your network. ProSight IT Asset Management features a common location for holding and collaborating on all documents related to managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether youíre planning improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
For 24-7 Skokie Crypto-Ransomware Remediation Consultants, call Progent at 800-993-9400 or go to Contact Progent.