Ransomware : Your Feared IT Nightmare
Crypto-Ransomware Remediation Experts
Ransomware has become an escalating cyberplague that poses an extinction-level danger for businesses of any size that are unprepared for an attack. Families such as CryptoLocker, WannaCry, Bad Rabbit, NotPetya and MongoLock have been running rampant for years and still inflict damage. Newer strains such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch and Egregor, plus as yet unnamed newcomers, not only encrypt online data but also seek out and disable whatever protection they can reach: network-attached backups, shadow copies and security tooling. Data replicated to the cloud can also be rendered useless, because a synchronisation client will faithfully replicate the encrypted versions. In a poorly designed system, this makes automatic restore operations useless and effectively sets the entire environment back to zero.

Recovering applications and data after a crypto-ransomware outage becomes a race against time as the targeted business fights to contain the damage, eradicate the ransomware and restore mission-critical operations. Because ransomware needs time to spread, intrusions are usually launched at night, when successful attacks take longer to detect. This multiplies the difficulty of promptly assembling and orchestrating a qualified response team.

Progent offers a variety of services for protecting organizations from crypto-ransomware. These include user education to recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for endpoint protection and response, and setup and configuration of next-generation endpoint security using machine-learning technology from SentinelOne to identify and quarantine zero-day attacks automatically. Progent also provides veteran ransomware recovery consultants with the skills and perseverance to re-deploy a breached system as rapidly as possible.

Progent's Ransomware Recovery Services
After a ransomware attack, paying the ransom in Bitcoin does not ensure that the criminals will respond with working keys to decrypt your data. Kaspersky found that seventeen percent of ransomware victims never recovered their data after paying, compounding their losses. Paying is also expensive: Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the average ransomware demand, which ZDNet put at approximately $13,000. The other path is to piece back together the mission-critical elements of your IT environment. Without access to intact backups, this calls for a wide complement of skills, professional team management, and the ability to work 24x7 until the recovery is done.

For twenty years, Progent has offered expert IT services for companies in Waltham and across the United States and has achieved Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold top industry certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security consultants hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC (see Progent's certifications). Progent also has expertise with accounting and ERP software. This breadth of expertise lets Progent rapidly identify critical systems, salvage the surviving pieces of your environment after a ransomware attack, and rebuild them into a working system.

Progent's security team uses state-of-the-art project management tools to coordinate the complex restoration process. Progent understands the urgency of acting quickly and in concert with a customer's management and IT staff to prioritize tasks and bring essential applications back online as fast as possible.

Client Case Study: A Successful Crypto-Ransomware Attack Response
A client escalated to Progent after their organization was taken over by Ryuk ransomware. Ryuk's attribution is contested: early reports linked it to North Korean state-sponsored actors because it shares code with the Hermes ransomware, while later analysis attributed it to Russian-speaking criminal groups. Ryuk targets specific businesses with little or no ability to sustain operational disruption and is one of the most lucrative incarnations of ransomware. Widely publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturer in the Chicago metro area with about 500 employees. The Ryuk intrusion had shut down all company operations and manufacturing processes. Most of the client's backups were online, reachable from the compromised network, when the attack began, and were encrypted along with the production data. The client was arranging financing to pay the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but ultimately reached out to Progent.


"I cannot say enough about the help Progent provided us during the most fearful period of (our) company's survival. We would have paid the cyber criminals behind the attack if not for the confidence the Progent experts afforded us. That you were able to get our messaging and essential servers back into operation in less than a week was incredible. Each consultant I spoke to or messaged at Progent was totally committed to getting us back online and was working 24 by 7 on our behalf."

Progent worked hand in hand with the client to rapidly assess and prioritize the most important elements that had to be recovered to allow business functions to continue:

  • Windows Active Directory
  • Electronic Messaging
  • Financials/MRP
To begin, Progent followed malware incident response best practice: isolating affected systems to stop the spread, then removing the malware. Progent then began rebuilding Microsoft Active Directory, the foundation of enterprise environments built on Windows Server. Microsoft Exchange Server will not function without Active Directory, and the client's MRP applications relied on Microsoft SQL Server, which used Active Directory (Windows authentication) to control access to the data.

Within 48 hours, Progent was able to rebuild Active Directory to its pre-attack state. Progent then assisted with rebuilding key applications and recovering data from their disks. All Exchange schema extensions and attributes were intact in the rebuilt directory, which simplified the Exchange restore. Progent recovered email messages from the local OST files (Outlook Offline Data Files) cached on user PCs and laptops. A recent offline backup of the customer's accounting/ERP system made it possible to bring those required services back online. Although major work remained to recover fully from the Ryuk event, essential systems were returned to operation quickly:


"For the most part, the production operation was never shut down and we made all customer deliverables."
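The first thing a responder has to establish in a case like this one is scope: which files on the surviving disks are still usable, and which must come from backup. The following triage scanner is an added example written for this page, not Progent's tooling. It walks a directory tree and flags files whose contents look encrypted: Shannon entropy near 8 bits per byte in the first 64 KiB, combined with either an extension that should never be high-entropy or a file whose header no longer matches what its extension claims (the in-place encryption case). The 7.5-bit threshold, the container-format table and the sample files are assumptions chosen for illustration.

```python
"""Scoping triage after a ransomware incident (added example, not Progent's tooling).

Flags files whose contents look encrypted. Intact files score low and are
restore candidates; flagged files must come from backup. Caveats: small
files give noisy entropy estimates, and ransomware that encrypts only part
of each file (intermittent encryption) may keep a plaintext-like header,
so this is a triage aid, not proof.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from dataclasses import dataclass

SAMPLE_BYTES = 64 * 1024
HIGH_ENTROPY = 7.5  # bits per byte (assumed threshold); ciphertext and compressed data sit near 8.0

# Formats that are legitimately high-entropy, keyed by extension, with the
# header bytes a genuine file of that type must start with.
MAGIC = {
    ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
    ".pptx": b"PK\x03\x04", ".gz": b"\x1f\x8b", ".pdf": b"%PDF",
    ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class Verdict:
    path: str
    entropy: float
    suspicious: bool
    reason: str


def assess_file(path: str) -> Verdict:
    """Classify one file from the entropy of its head and its extension/header consistency."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    ent = shannon_entropy(head)
    if ent < HIGH_ENTROPY:
        return Verdict(path, ent, False, "low entropy: plaintext-like content")
    ext = os.path.splitext(path)[1].lower()
    expected = MAGIC.get(ext)
    if expected is None:
        return Verdict(path, ent, True, f"high entropy with non-container extension {ext!r}")
    if not head.startswith(expected):
        return Verdict(path, ent, True, f"header does not match {ext!r}: encrypted in place?")
    return Verdict(path, ent, False, f"valid {ext!r} container")


def scan_tree(root: str) -> list[Verdict]:
    return [assess_file(os.path.join(d, name))
            for d, _dirs, files in os.walk(root) for name in files]


def summarize(verdicts: list[Verdict]) -> dict[str, int]:
    flagged = sum(1 for v in verdicts if v.suspicious)
    return {"files": len(verdicts), "suspicious": flagged, "intact": len(verdicts) - flagged}


def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed sample data)."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]


def build_sample_tree(root: str) -> None:
    """Constructed sample: an intact text file, a genuine PNG-like container,
    a file renamed by the encryptor, and one encrypted in place under its old name."""
    os.makedirs(root, exist_ok=True)
    samples = {
        "minutes.txt": b"Board minutes: production line 3 back online.\n" * 80,
        "logo.png": b"\x89PNG\r\n\x1a\n" + pseudo_random(4000),
        "forecast.xlsx.locked": pseudo_random(4096),
        "photo.jpg": pseudo_random(4096),
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)


def run_demo() -> dict[str, Verdict]:
    """Build the constructed tree in a temp dir, scan it, and key the verdicts by file name."""
    root = tempfile.mkdtemp(prefix="triage-")
    build_sample_tree(root)
    return {os.path.basename(v.path): v for v in scan_tree(root)}


if __name__ == "__main__":
    results = run_demo()
    for name, v in sorted(results.items()):
        print(f"{'FLAG' if v.suspicious else ' ok '} {v.entropy:4.2f} {name:22} {v.reason}")
    print(summarize(list(results.values())))
```

Run against a mounted image of a suspect volume rather than the live host, and treat the flagged list as the restore worklist; the `photo.jpg` case shows why extension alone is not enough, since some families encrypt in place and leave file names untouched.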

Over the following month, critical milestones in the recovery were reached in close cooperation between Progent consultants and the client:

  • Internal web sites were brought back up without losing any information.
  • The MailStore archive server for Exchange, containing more than four million historical messages, was restored and made available to users.
  • CRM/Customer Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory Control functions were 100% recovered.
  • A new Palo Alto Networks PA-850 firewall was brought online.
  • Ninety percent of the desktop computers were functioning as before the incident.

"Much of what transpired in the early hours is mostly a fog for me, but my team will not soon forget the commitment each and every one of the team put in to help get our company back. I've been working with Progent for at least 10 years, possibly more, and every time I needed help Progent has shined and delivered. This time was a testament to your capabilities."

Conclusion
A potential business catastrophe was averted through dedicated professionals, a broad spectrum of IT skills, and tight teamwork. In hindsight, the ransomware attack described here should have been detected and blocked by modern security technology and by NIST Cybersecurity Framework or ISO/IEC 27001 practices: staff training, timely patching, backups kept offline or otherwise unreachable from the production network, and properly rehearsed incident response procedures. The fact remains that state-sponsored and criminal actors from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you are hit by a ransomware attack, you can be confident that Progent's team has a proven track record in ransomware defense, mitigation, and data restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thank you for making it so I could get some sleep after we made it over the initial fire. Everyone made an impressive effort, and if anyone is visiting the Chicago area, a great meal is on me!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Waltham a portfolio of online monitoring and security evaluation services to assist you to minimize your vulnerability to crypto-ransomware. These services include next-generation machine learning technology to detect new variants of crypto-ransomware that are able to escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's next generation behavior analysis tools to guard physical and virtual endpoint devices against new malware assaults such as ransomware and email phishing, which easily evade legacy signature-matching anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a unified platform to automate the complete malware attack progression including blocking, infiltration detection, mitigation, remediation, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Progent is a certified SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection services offer affordable in-depth security for physical servers and VMs, workstations, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring of and response to attacks from all vectors. ProSight ESP provides firewall protection, intrusion alarms, device control, and web filtering via technologies incorporated within one agent managed from a unified console. Progent's data protection and virtualization experts can help you design and implement a ProSight ESP environment that addresses your organization's specific needs and that allows you to prove compliance with legal and industry data security regulations. Progent will help you specify and implement the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require immediate action. Progent's consultants can also help you set up and test a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly after a destructive attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has partnered with leading backup technology providers to create ProSight Data Protection Services (DPS), a portfolio of managed offerings that deliver backup-as-a-service. ProSight DPS services automate and track your backup processes and allow transparent backup and rapid restoration of important files, applications, images, and VMs. ProSight DPS helps you recover from data loss resulting from hardware failures, natural disasters, fire, cyber attacks such as ransomware, user mistakes, malicious insiders, or software defects. Managed services in the ProSight Data Protection Services family include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you identify which of these managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top information security companies to deliver web-based management and comprehensive protection for all your email traffic. The hybrid structure of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises security gateway appliance to defend against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a first barrier and blocks the vast majority of threats before they reach your security perimeter. This reduces your exposure to external attacks and saves network bandwidth and storage space. Email Guard's on-premises gateway provides a deeper level of inspection for inbound email. For outbound email, the onsite gateway provides anti-virus and anti-spam protection, data leak prevention, and email encryption. The onsite gateway can also help Exchange Server track and protect internal email traffic that originates and ends within your corporate firewall. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to diagram, track, reconfigure and troubleshoot their networking appliances like routers, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology maps are always current, captures and displays the configuration information of almost all devices on your network, tracks performance, and sends alerts when issues are detected. By automating complex network management processes, WAN Watch can cut hours off ordinary chores such as making network diagrams, reconfiguring your network, finding devices that need important software patches, or identifying the cause of performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your IT system operating efficiently by checking the health of the critical assets that power your information system. When ProSight LAN Watch detects a problem, an alert is sent automatically to your designated IT management staff and your Progent consultant so that looming problems can be resolved before they impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host configured and managed by Progent's network support professionals. With the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the apps. Because the system is virtualized, it can be moved immediately to a different hosting solution without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is an IT infrastructure documentation management service that allows you to create, maintain, find and protect information about your network infrastructure, processes, business applications, and services. You can instantly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates, domains or warranties. By keeping your IT documentation current, you can save up to 50% of the time otherwise wasted looking for vital information about your network. ProSight IT Asset Management features a common repository for storing and sharing all documents required for managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether you're planning improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection platform (EPP) that uses next-generation behavior-based analysis to guard workstations and physical and virtual servers against modern malware such as ransomware and file-less exploits, which routinely escape traditional signature-matching AV tools. The service safeguards local and cloud-based resources and offers a unified platform to automate the entire threat progression including filtering, intrusion detection, containment, remediation, and post-attack forensics. Top features include single-click rollback with Windows VSS and automatic network-wide immunization against new attacks. Learn more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Service Desk: Support Desk Managed Services
    Progent's Call Desk services enable your IT team to outsource Help Desk services to Progent or divide responsibilities for support services transparently between your internal support staff and Progent's nationwide roster of certified IT support technicians, engineers and subject matter experts. Progent's Co-managed Service Desk provides a smooth extension of your in-house support organization. User access to the Help Desk, provision of support, problem escalation, trouble ticket generation and updates, efficiency metrics, and management of the support database are cohesive whether issues are resolved by your in-house IT support resources, by Progent's team, or both. Find out more about Progent's outsourced/shared Help Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management offer businesses of any size a flexible and cost-effective alternative for evaluating, validating, scheduling, applying, and tracking software and firmware updates to your dynamic IT system. In addition to maximizing the security and functionality of your IT network, Progent's patch management services permit your in-house IT team to focus on more strategic initiatives and activities that derive maximum business value from your network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA service plans use Cisco's Duo cloud technology to limit the damage from stolen passwords by requiring two-factor authentication (2FA). Duo enables single-tap identity confirmation on iOS, Android, and other out-of-band devices. With 2FA, whenever you sign into a protected account and enter your password, you are also asked to confirm your identity via a device that only you possess, over a separate ("out-of-band") channel, so a password captured by phishing or malware is not enough on its own. A wide range of devices can serve as this second factor: an iPhone, an Android phone or watch, a hardware or software token, a landline phone, and so on. You can designate several validation devices. For more information about ProSight Duo two-factor identity validation services, refer to Duo MFA two-factor authentication (2FA) services for access security.
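Both endpoint protection entries above (ProSight Active Security Monitoring and Active Protection Against Ransomware) rely on Windows Volume Shadow Copy Service snapshots for one-click rollback. The practitioner's caveat is that most ransomware families, Ryuk among them, run a kill script before encrypting that deletes shadow copies and disables Windows recovery, precisely so that there is nothing to roll back to. Those commands are rare in normal operation and map to MITRE ATT&CK T1490 (Inhibit System Recovery), which makes them a high-fidelity early warning. The detector below is an added example written for this page; it is not Progent's or SentinelOne's detection logic. The log lines are constructed, pipe-delimited abstractions of process-creation events, not the native Windows 4688 or Sysmon layout, and the rule set and the two-technique threshold are assumptions.

```python
"""Detecting shadow-copy destruction in process-creation telemetry
(added example; not Progent's or SentinelOne's detection logic)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Rule name -> command-line pattern. Each pattern is a documented T1490
# technique. `vssadmin list shadows` and `create shadow` deliberately do not
# match, so ordinary backup activity stays quiet.
RULES = [
    ("vssadmin-delete-shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin-resize-shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic-shadowcopy-delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("wbadmin-delete-catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("bcdedit-disable-recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("powershell-win32_shadowcopy",
     re.compile(r"win32_shadowcopy", re.I)),
]


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    command_line: str


def parse_event(line: str):
    """Constructed format (assumption): timestamp|host|user|command_line."""
    parts = line.rstrip("\n").split("|", 3)
    return tuple(parts) if len(parts) == 4 else None


def detect(lines) -> list[Alert]:
    """Return one Alert per event whose command line matches a T1490 rule."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        ts, host, user, cmd = event
        for rule, pattern in RULES:
            if pattern.search(cmd):
                alerts.append(Alert(ts, host, user, rule, cmd))
                break  # first matching rule wins; one alert per event
    return alerts


def hosts_at_risk(alerts, min_rules: int = 2) -> dict[str, set[str]]:
    """Hosts on which several distinct recovery-inhibition techniques fired.
    A burst of different techniques within minutes is the kill-script pattern;
    a lone shadowstorage resize may be a legitimate backup job (threshold is an assumption)."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a.host].add(a.rule)
    return {h: r for h, r in seen.items() if len(r) >= min_rules}


# Constructed sample telemetry: a file server hit by a kill script at 02:14,
# and a backup server doing routine shadow-copy maintenance at 03:00.
SAMPLE_LOG = """\
2021-03-02T02:14:01Z|FS01|CORP\\jdoe|"C:\\Windows\\System32\\vssadmin.exe" list shadows
2021-03-02T02:14:05Z|FS01|CORP\\jdoe|vssadmin.exe delete shadows /all /quiet
2021-03-02T02:14:06Z|FS01|CORP\\jdoe|wmic.exe shadowcopy delete
2021-03-02T02:14:07Z|FS01|CORP\\jdoe|bcdedit.exe /set {default} recoveryenabled No
2021-03-02T02:14:08Z|FS01|CORP\\jdoe|wbadmin.exe delete catalog -quiet
2021-03-02T03:00:00Z|BK01|CORP\\svc_backup|vssadmin.exe create shadow /for=D:
2021-03-02T03:00:30Z|BK01|CORP\\svc_backup|vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=20%
"""


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a.timestamp} {a.host:5} {a.user:16} {a.rule:32} {a.command_line}")
    print("hosts at risk:", hosts_at_risk(found))
```

In a real deployment the rules would run over Sysmon Event ID 1 or Security 4688 command lines (with command-line auditing enabled), and a host that trips two or more of them inside a few minutes should be isolated immediately: the encryptor typically follows within seconds, and at that point the snapshots a rollback feature depends on are already gone.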
For Waltham 24/7/365 CryptoLocker Recovery Consultants, call Progent at 800-462-8800 or go to Contact Progent.