Crypto-Ransomware : Your Crippling Information Technology Nightmare
Crypto-Ransomware Recovery Experts
Ransomware has become an escalating cyberplague that presents an extinction-level danger for organizations poorly prepared for an assault. Versions of ransomware such as CrySIS, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been circulating for years and still inflict destruction. Modern strains of ransomware like Ryuk and Hermes, as well as daily unnamed malware, not only encrypt online data but also infect most accessible system backups. Files synchronized to cloud environments can also be ransomed. With a poorly designed data protection solution, this can render any restoration useless and effectively knock the datacenter back to square one.

Retrieving services and information following a ransomware intrusion becomes a race against time as the targeted business fights to contain and clean up the virus and to restore business-critical operations. Because ransomware takes time to spread, penetrations are usually sprung at night, when successful attacks typically take longer to recognize. This compounds the difficulty of rapidly marshalling and organizing a capable response team.

Progent provides an assortment of solutions for protecting businesses from ransomware events. These include team training to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of modern security gateways with artificial intelligence technology to automatically detect and disable zero-day threats. Progent also offers the assistance of veteran ransomware recovery engineers with the track record and commitment to restore a compromised system as rapidly as possible.

Progent's Crypto-Ransomware Recovery Services
After a ransomware event, even paying the ransom in cryptocurrency provides no assurance that the distant criminals will respond with the keys to decipher any or all of your information. Kaspersky determined that 17% of crypto-ransomware victims never restored their files after having paid the ransom, resulting in more losses. The ransom itself is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above the usual ransomware demand, which ZDNET determined to be around $13,000. The alternative is to set up from scratch the vital components of your IT environment. Absent complete system backups, this calls for a wide complement of skill sets, top-notch team management, and the capability to work continuously until the job is over.

For twenty years, Progent has offered expert Information Technology services for companies in Waltham and throughout the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have attained top certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have earned internationally-renowned industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of experience provides Progent the skills to efficiently identify necessary systems and consolidate the remaining components of your IT system after a crypto-ransomware penetration and assemble them into an operational system.

Progent's recovery team of experts deploys state-of-the-art project management applications to orchestrate the complicated restoration process. Progent understands the importance of acting swiftly and in unison with a client's management and IT team members to assign priority to tasks and to get essential applications back on line as soon as possible.

Case Study: A Successful Ransomware Penetration Restoration
A small business engaged Progent after their company was attacked by the Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean government-sponsored criminal gangs, possibly using techniques leaked from the U.S. National Security Agency. Ryuk seeks specific businesses with limited room for operational disruption and is one of the most lucrative versions of ransomware. Headline organizations include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing business headquartered in Chicago with around 500 staff members. The Ryuk event had disabled all company operations and manufacturing capabilities. The majority of the client's system backups had been online at the start of the intrusion and were damaged. The client was actively seeking loans for paying the ransom (in excess of $200K) and hoping for the best, but ultimately reached out to Progent.


"I can't speak enough in regards to the expertise Progent provided us during the most fearful period of (our) company's survival. We may have had to pay the Hackers if not for the confidence the Progent experts gave us. The fact that you could get our e-mail system and essential applications back into operation in less than seven days was incredible. Each expert I talked with or messaged at Progent was hell bent on getting my company operational and was working 24 by 7 on our behalf."

Progent worked together with the client to quickly determine and assign priority to the key applications that needed to be addressed to make it possible to restart business functions:

  • Active Directory (AD)
  • Microsoft Exchange Server
  • Accounting and Manufacturing Software

To start, Progent followed industry best practices for malware incident mitigation by halting lateral movement and cleaning up infected systems. Progent then initiated the work of rebuilding Windows Active Directory, the core of enterprise systems built upon Microsoft Windows technology. Microsoft Exchange email will not work without AD, and the client's MRP applications utilized Microsoft SQL Server, which requires Active Directory services for access to the data.

In less than 48 hours, Progent was able to rebuild Windows Active Directory to its pre-penetration state. Progent then completed setup and storage recovery of critical servers. All Microsoft Exchange Server schema and attributes were usable, which accelerated the restore of Exchange. Progent was also able to locate intact OST files (Outlook Off-Line Folder Files) on user desktop computers and laptops in order to recover email data. A relatively recent offline backup of the business's accounting/MRP software made it possible to return these vital services to users. Although a lot of work still had to be done to recover completely from the Ryuk event, essential services were restored quickly:


"For the most part, the production line operation ran fairly normal throughout and we did not miss any customer orders."

During the following few weeks important milestones in the restoration project were accomplished in tight cooperation between Progent consultants and the customer:

  • Self-hosted web applications were restored with no loss of data.
  • The MailStore Exchange Server exceeding 4 million archived emails was spun up and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control capabilities were completely recovered.
  • A new Palo Alto 850 firewall was installed and configured.
  • Nearly all of the user PCs were fully operational.

"A huge amount of what went on that first week is nearly entirely a blur for me, but my team will not soon forget the dedication each of you accomplished to help get our company back. I've been working with Progent for the past 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered. This time was no exception but maybe more Herculean."

Conclusion
A possible business disaster was dodged with hard-working professionals, a broad spectrum of subject matter expertise, and tight collaboration. Although in hindsight the ransomware attack described here could have been stopped with current security solutions and security best practices, staff education, and well thought out security procedures for data backup and proper patching controls, the fact remains that state-sponsored cyber criminals from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incursion, feel confident that Progent's team of professionals has proven experience in ransomware virus blocking, mitigation, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for allowing me to get some sleep after we got over the initial fire. All of you did an incredible job, and if anyone that helped is around the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer story, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Waltham a variety of remote monitoring and security evaluation services designed to assist you to reduce the threat from ransomware. These services utilize modern machine learning capability to uncover new strains of ransomware that are able to get past legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that utilizes next generation behavior-based analysis technology to defend physical and virtual endpoints against modern malware assaults such as ransomware and email phishing, which routinely evade legacy signature-matching AV tools. ProSight ASM protects local and cloud-based resources and offers a unified platform to automate the complete threat progression including blocking, identification, mitigation, remediation, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver economical multi-layer security for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and responding to security threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alarms, device control, and web filtering through cutting-edge technologies packaged within one agent accessible from a single console. Progent's security and virtualization consultants can help your business to design and implement a ProSight ESP deployment that addresses your company's specific needs and that helps you achieve and demonstrate compliance with government and industry information security standards. Progent will help you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for urgent action. Progent's consultants can also assist you to install and verify a backup and disaster recovery system like ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized organizations an affordable and fully managed service for secure backup/disaster recovery (BDR). For a low monthly price, ProSight Data Protection Services automates your backup activities and enables rapid restoration of vital data, apps and VMs that have become lost or damaged as a result of component breakdowns, software glitches, natural disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware images. Important data can be protected in the cloud, on an on-premises storage device, or mirrored to both. Progent's BDR specialists can deliver world-class expertise to configure ProSight DPS to comply with regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, when needed, can help you to restore your critical information. Learn more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top information security companies to provide centralized management and comprehensive security for all your email traffic. The hybrid structure of Progent's Email Guard integrates cloud-based filtering with a local gateway appliance to offer advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's cloud filter serves as a first line of defense and keeps the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to external attacks and conserves system bandwidth and storage. Email Guard's on-premises gateway device provides a deeper level of inspection for incoming email. For outbound email, the onsite security gateway provides AV and anti-spam protection, DLP, and email encryption. The local security gateway can also help Exchange Server to track and protect internal email that originates and ends within your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to map out, track, optimize and troubleshoot their connectivity hardware such as routers, firewalls, and access points as well as servers, printers, endpoints and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always current, captures and manages the configuration of virtually all devices connected to your network, monitors performance, and sends notices when issues are discovered. By automating tedious management processes, ProSight WAN Watch can cut hours off common chores such as making network diagrams, expanding your network, locating appliances that need critical software patches, or resolving performance issues. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system running at peak levels by checking the state of vital assets that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your designated IT management staff and your assigned Progent consultant so any looming issues can be resolved before they have a chance to impact your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual host configured and managed by Progent's network support experts. With the ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the applications. Because the environment is virtualized, it can be moved easily to a different hardware environment without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and safeguard information about your network infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be alerted about impending expirations of SSL certificates or warranties. By updating and organizing your IT infrastructure documentation, you can eliminate up to half of the time wasted looking for critical information about your network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're planning improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you need when you need it. Read more about ProSight IT Asset Management service.
For Waltham 24-Hour Ransomware Removal Experts, call Progent at 800-993-9400 or go to Contact Progent.