Ransomware : Your Feared IT Catastrophe
Ransomware Remediation Experts
Crypto-ransomware has become an all-too-frequent cyber plague that poses an enterprise-level threat to businesses unprepared for an attack. Crypto-ransomware families such as CrySIS, CryptoWall, Locky, SamSam and MongoLock have been propagating for many years and continue to cause havoc. Recent variants like Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Egregor, along with new, as-yet-unnamed strains appearing daily, not only encrypt online data files but also attack any configured system protection mechanisms. Data synchronized to off-site disaster recovery sites can also be ransomed. In a vulnerable environment, this can render automated restore operations useless and effectively knock the datacenter back to square one.

Getting programs and data back after a ransomware attack becomes a race against time as the targeted business tries to stop the spread, remove the malware, and resume business-critical activity. Because ransomware needs time to move laterally, attacks are usually launched on weekends and holidays, when a successful intrusion is likely to go unnoticed longer. This multiplies the difficulty of quickly assembling and organizing a capable response team.

Progent offers a range of services for protecting enterprises against crypto-ransomware attacks, including staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of latest-generation security solutions with AI capabilities to identify and shut down new cyber threats. Progent also offers the services of seasoned crypto-ransomware recovery professionals with the skills and commitment to rebuild a breached environment as quickly as possible.

Progent's Ransomware Recovery Services
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the remote criminals will respond with the keys to decrypt any of your data. Kaspersky found that seventeen percent of ransomware victims never recovered their files even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000), well above the typical ransomware demand, which ZDNET determined to be around $13,000. The other path is to piece back together the vital elements of your IT environment. Without complete data backups, this calls for a wide range of skill sets, well-coordinated team management, and the capacity to work 24x7 until the recovery project is done.

For decades, Progent has provided certified expert IT services to companies in Waltham and across the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have earned high-level certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise with financial management and ERP applications. This breadth of expertise enables Progent to rapidly understand critical systems, consolidate the surviving parts of your network after a ransomware attack, and configure them into an operational network.

Progent's ransomware team uses state-of-the-art project management tools to coordinate the complex restoration process. Progent understands the urgency of working quickly and in concert with a customer's management and IT staff to prioritize tasks and bring essential applications back online as soon as possible.

Case Study: A Successful Ransomware Attack Recovery
A client engaged Progent after its network was taken over by the Ryuk ransomware. Ryuk is thought to have been created by North Korean state-sponsored hackers, suspected of using algorithms leaked from the United States NSA. Ryuk targets specific organizations with little tolerance for disruption and is among the most profitable ransomware variants. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in Chicago with around 500 employees. The Ryuk intrusion had paralyzed all essential business operations and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were eventually encrypted. The client was preparing to pay the ransom (in excess of $200K) and hoping for the best, but in the end brought in Progent.

"I can't thank you enough for the care Progent gave us throughout the most fearful time of (our) company's life. We would have paid the Hackers except for the confidence the Progent group afforded us. The fact that you could get our e-mail system and key servers back in less than seven days was beyond my wildest dreams. Each consultant I worked with or e-mailed at Progent was totally committed to getting us operational and was working day and night on our behalf."

Progent worked hand in hand with the client to quickly understand and prioritize the most important services that had to be recovered to keep the company operating:

  • Active Directory
  • E-Mail
  • Financials/MRP

To start, Progent followed anti-malware incident response best practices by halting lateral movement and performing malware removal. Progent then began restoring Microsoft Active Directory, the heart of enterprise systems built on Microsoft technology. Microsoft Exchange messaging will not operate without Active Directory, and the business's MRP software ran on Microsoft SQL Server, which requires Active Directory for authentication and authorization to the database.

In less than 48 hours, Progent restored Active Directory to its pre-intrusion state. Progent then completed the rebuild and disk recovery of mission-critical applications. All Exchange Server data and attributes were intact, which accelerated the Exchange restore. Progent collected unencrypted OST files (Microsoft Outlook Offline Data Files) from various desktop computers to recover mail data. A recent offline backup of the client's accounting systems made it possible to put these vital services back in service for users. Although much work remained to recover completely from the Ryuk event, core systems were restored rapidly:

"For the most part, the assembly line operation ran fairly normal throughout and we delivered all customer sales."

Over the next couple of weeks, key milestones in the recovery project were completed through close cooperation between Progent team members and the customer:

  • Self-hosted web sites were restored with no loss of data.
  • The MailStore Exchange Server containing more than 4 million archived emails was restored to operations and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control capabilities were 100 percent recovered.
  • A new Palo Alto Networks 850 firewall was set up and programmed.
  • Ninety percent of the user desktops and notebooks were functioning as before the incident.

"So much of what transpired in the initial days is mostly a fog for me, but my management will not forget the care all of you put in to give us our business back. I've entrusted Progent for at least 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered. This time was the most impressive ever."

Conclusion
A potential business-killing catastrophe was averted through results-oriented professionals, a wide range of subject matter expertise, and close teamwork. Although in hindsight the crypto-ransomware intrusion described here could have been identified and blocked with current security technology, security best practices, staff training, and well-designed incident response procedures covering data backup and proper patching controls, the fact remains that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware incident, remember that Progent's roster of professionals has a proven track record in ransomware blocking, cleanup, and information systems disaster recovery.

"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for letting me get rested after we made it through the initial fire. All of you did a fabulous job, and if any of your team is around the Chicago area, dinner is on me!"

A PDF version of this ransomware incident report is available: Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Waltham a range of remote monitoring and security evaluation services designed to help you minimize the threat from crypto-ransomware. These services incorporate next-generation artificial intelligence technology to uncover new variants of ransomware that can evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that utilizes next generation behavior-based machine learning technology to guard physical and virtual endpoint devices against new malware assaults like ransomware and file-less exploits, which easily evade traditional signature-based anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a unified platform to manage the complete malware attack lifecycle including protection, detection, containment, cleanup, and post-attack forensics. Top capabilities include single-click rollback using Windows VSS and automatic network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer affordable in-depth security for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and responding to security assaults from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint management, and web filtering through cutting-edge tools packaged within one agent accessible from a unified console. Progent's security and virtualization experts can help you design and configure a ProSight ESP environment that addresses your organization's unique needs and that allows you to demonstrate compliance with government and industry data protection standards. Progent will help you define and implement the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require immediate attention. Progent's consultants can also help you set up and verify a backup and restore system like ProSight Data Protection Services so you can get back in business rapidly after a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized businesses an affordable end-to-end solution for reliable backup and disaster recovery. Available at a fixed monthly price, ProSight Data Protection Services automates and monitors your backup processes and enables rapid recovery of critical files, apps and VMs that have become unavailable or corrupted due to component breakdowns, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware images. Important data can be backed up to the cloud, to an on-premises device, or to both. Progent's backup and recovery consultants can deliver world-class support to configure ProSight DPS to be compliant with regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, whenever needed, can assist you to restore your critical data. Learn more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading data security companies to provide centralized control and comprehensive protection for your email traffic. The layered structure of Progent's Email Guard combines a Cloud Protection Layer with an on-premises gateway appliance to offer advanced defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a first line of defense and keeps the vast majority of threats from reaching your network firewall. This decreases your exposure to external attacks and conserves bandwidth and storage. Email Guard's on-premises security gateway appliance provides a further level of analysis for inbound email. For outbound email, the onsite gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Exchange Server monitor and protect internal email that originates and ends inside your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller businesses to diagram, monitor, optimize and debug their networking hardware like switches, firewalls, and wireless controllers as well as servers, printers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are always current, copies and displays the configuration information of almost all devices on your network, monitors performance, and generates alerts when problems are discovered. By automating complex network management processes, WAN Watch can knock hours off ordinary chores such as network mapping, expanding your network, finding devices that need important software patches, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management technology to keep your IT system operating efficiently by checking the health of critical computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your specified IT management personnel and your Progent engineering consultant so that any potential problems can be resolved before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected Tier III data center on a fast virtual machine host configured and managed by Progent's IT support professionals. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the apps. Since the environment is virtualized, it can be ported immediately to an alternate hosting environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and safeguard data about your IT infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be warned about impending expirations of SSL certificates or warranties. By updating and managing your network documentation, you can save up to half of the time spent trying to find critical information about your IT network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents related to managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether you're making improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

For 24x7 Waltham Crypto-Ransomware Cleanup Support Services, call Progent at 800-993-9400 or go to Contact Progent.