Crypto-Ransomware : Your Worst IT Catastrophe
Ransomware has become a too-frequent cyberplague that poses an extinction-level danger for organizations poorly prepared for an assault. Versions of ransomware such as Dharma, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for a long time and continue to inflict damage. Recent variants of ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Egregor, plus daily as-yet-unnamed viruses, not only encrypt on-line data but also infiltrate many available system restores and backups. Data replicated to cloud environments can also be rendered useless. In a vulnerable environment, this can make automatic restore operations hopeless and effectively set the network back to zero.
Recovering applications and data after a crypto-ransomware event becomes a race against time as the targeted organization fights to contain the damage and eradicate the virus and to restore mission-critical operations. Since ransomware requires time to replicate, assaults are usually sprung during nights and weekends, when successful penetrations in many cases take longer to uncover. This multiplies the difficulty of quickly mobilizing and orchestrating a qualified response team.
Progent provides a range of help services for protecting businesses from ransomware attacks. These include team training to become familiar with and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of the latest generation security appliances with AI capabilities to automatically discover and disable new cyber attacks. Progent also provides the services of veteran ransomware recovery consultants with the skills and commitment to restore a compromised environment as urgently as possible.
Progent's Ransomware Restoration Services
After a ransomware penetration, sending the ransom demanded in cryptocurrency does not guarantee that distant criminals will return the keys to decipher any of your files. Kaspersky determined that 17% of ransomware victims never recovered their data even after having paid the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above the average crypto-ransomware demand, which ZDNET estimates to be approximately $13,000. The fallback is to set up from scratch the key parts of your Information Technology environment. Without access to essential data backups, this calls for a wide complement of skills, top-notch project management, and the ability to work non-stop until the task is over.
For decades, Progent has offered certified expert IT services for businesses in Waltham and across the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have attained advanced certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have garnered internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has experience in financial systems and ERP software solutions. This breadth of experience gives Progent the skills to quickly identify critical systems, integrate the remaining parts of your computer network after a ransomware event, and rebuild them into a functioning system.
Progent's recovery team has powerful project management tools to orchestrate the complex restoration process. Progent knows the importance of acting rapidly and in concert with a client's management and IT team members to prioritize tasks and to put key applications back on line as fast as humanly possible.
Client Case Study: A Successful Ransomware Penetration Recovery
A customer escalated to Progent after their network was penetrated by the Ryuk crypto-ransomware. Ryuk is believed to have been launched by North Korean state hackers, suspected of adopting technology leaked from America's NSA organization. Ryuk targets specific businesses with little or no tolerance for operational disruption and is one of the most profitable versions of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company headquartered in Chicago with around 500 staff members. The Ryuk attack had frozen all business operations and manufacturing capabilities. Most of the client's system backups had been on-line at the time of the intrusion and were destroyed. The client was evaluating paying the ransom demand (more than $200,000) and hoping for good luck, but in the end turned to Progent.
"I can't say enough in regards to the help Progent gave us during the most critical time of (our) company's survival. We may have had to pay the criminal gangs except for the confidence the Progent experts provided us. That you could get our messaging and key applications back on-line in less than one week was beyond my wildest dreams. Each consultant I got help from or communicated with at Progent was urgently focused on getting us operational and was working 24 by 7 to bail us out."
Progent worked hand in hand with the client to rapidly identify and prioritize the essential elements that needed to be restored in order to resume business operations:
- Active Directory
- Microsoft Exchange Email
- Accounting and Manufacturing Software
To begin, Progent followed ransomware event mitigation industry best practices by stopping lateral movement and cleaning up compromised systems. Progent then began the process of recovering Microsoft Active Directory, the foundation of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange messaging will not function without Active Directory, and the business's MRP system used SQL Server, which needs Active Directory for access to the databases.
Within 48 hours, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then assisted with setup and hard drive recovery of key applications. All Microsoft Exchange Server data and attributes were usable, which facilitated the restore of Exchange. Progent was also able to find intact OST files (Microsoft Outlook Offline Data Files) on team PCs to recover email data. A recent offline backup of the customer's manufacturing systems made it possible to bring these required services back to users. Although major work remained to recover fully from the Ryuk event, the most important services were recovered rapidly:
"For the most part, the production line operation did not miss a beat and we delivered all customer sales."
Throughout the next few weeks key milestones in the recovery project were achieved in tight cooperation between Progent consultants and the client:
- In-house web applications were restored without losing any data.
- The MailStore Server with over four million archived messages was restored to operations and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory Control modules were fully operational.
- A new Palo Alto 850 security appliance was deployed.
- 90% of the user desktops and notebooks were fully operational.
"Much of what occurred in the early hours is nearly entirely a haze for me, but my management will not forget the commitment each and every one of you put in to help get our company back. I've trusted Progent for at least 10 years, maybe more, and every time I needed help Progent has come through and delivered as promised. This time was the most impressive ever."
A potential business disaster was averted thanks to results-oriented experts, a wide range of technical expertise, and tight teamwork. Although in hindsight the crypto-ransomware attack described here would have been identified and stopped with advanced cyber security technology solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and well thought out security procedures for data protection and proper patching controls, the reality remains that state-sponsored cybercriminals from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware attack, remember that Progent's roster of professionals has substantial experience in ransomware blocking, remediation, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were contributing), thank you for letting me get some sleep after we made it through the initial push. Everyone did an impressive job, and if any of your team is visiting the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Waltham a variety of online monitoring and security assessment services to help you to reduce the threat from ransomware. These services include modern AI capability to detect zero-day variants of ransomware that can get past traditional signature-based security solutions.
For 24-7 Waltham Crypto-Ransomware Recovery Services, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection solution that utilizes cutting edge behavior machine learning technology to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and file-less exploits, which routinely evade traditional signature-based AV tools. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a unified platform to address the entire threat lifecycle including blocking, detection, containment, remediation, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
ProSight Enhanced Security Protection managed services deliver economical in-depth protection for physical and virtual servers, workstations, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring of and response to cyber assaults from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge technologies incorporated within one agent managed from a single console. Progent's data protection and virtualization experts can assist you to design and configure a ProSight ESP environment that addresses your company's unique requirements and that helps you prove compliance with government and industry information security standards. Progent will assist you in defining and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for urgent action. Progent's consultants can also assist you to install and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and mid-sized organizations an affordable and fully managed service for secure backup/disaster recovery. For a fixed monthly price, ProSight Data Protection Services automates your backup activities and enables fast recovery of vital files, apps and virtual machines that have become unavailable or damaged due to hardware breakdowns, software glitches, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware images. Important data can be protected in the cloud, on a local device, or mirrored to both. Progent's BDR consultants can deliver advanced support to configure ProSight Data Protection Services to be compliant with government and industry regulatory standards such as HIPAA, FERPA, and PCI and, when needed, can help you to restore your critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security vendors to provide centralized management and world-class protection for all your email traffic. The hybrid structure of Progent's Email Guard managed service combines a Cloud Protection Layer with a local security gateway appliance to offer complete defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer acts as a first line of defense and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your exposure to external attacks and conserves system bandwidth and storage. Email Guard's onsite gateway device adds a deeper level of inspection for incoming email. For outbound email, the onsite security gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to track and protect internal email traffic that originates and ends within your security perimeter. For more details, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized organizations to diagram, monitor, enhance and debug their networking hardware like routers, firewalls, and wireless controllers plus servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network maps are kept updated, captures and manages the configuration of almost all devices connected to your network, tracks performance, and sends alerts when issues are detected. By automating complex management and troubleshooting processes, ProSight WAN Watch can knock hours off common chores such as making network diagrams, expanding your network, locating appliances that require important updates, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) techniques to help keep your network running efficiently by tracking the health of critical computers that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your specified IT management staff and your Progent consultant so that any looming issues can be addressed before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a protected Tier III data center on a fast virtual machine host set up and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the applications. Since the system is virtualized, it can be moved easily to an alternate hardware platform without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied to one hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and protect data about your IT infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your network documentation, you can save up to half of the time wasted trying to find critical information about your IT network. ProSight IT Asset Management features a common repository for holding and sharing all documents related to managing your network infrastructure, such as standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're making improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Read more about ProSight IT Asset Management service.