Ransomware : Your Worst IT Disaster
Ransomware  Recovery ProfessionalsCrypto-Ransomware has become a too-frequent cyberplague that poses an enterprise-level threat for organizations poorly prepared for an attack. Multiple generations of ransomware like the CrySIS, WannaCry, Locky, Syskey and MongoLock cryptoworms have been around for years and continue to cause damage. Recent variants of ransomware like Ryuk and Hermes, along with more unnamed viruses, not only encrypt on-line data but also infect all available system protection mechanisms. Files replicated to cloud environments can also be encrypted. In a poorly architected environment, this can render automatic restore operations impossible and effectively knocks the datacenter back to zero.

Getting back on-line applications and data after a ransomware event becomes a race against the clock as the targeted business fights to stop lateral movement and clear the crypto-ransomware and to restore enterprise-critical operations. Since crypto-ransomware requires time to spread, attacks are often sprung during weekends and nights, when successful penetrations tend to take more time to identify. This multiplies the difficulty of quickly assembling and organizing a qualified mitigation team.

Progent has a range of solutions for securing organizations from ransomware events. Among these are staff training to help identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of next-generation security gateways with AI capabilities to intelligently detect and suppress day-zero cyber threats. Progent in addition offers the services of experienced ransomware recovery professionals with the talent and perseverance to re-deploy a breached network as quickly as possible.

Progent's Ransomware Restoration Services
Soon after a crypto-ransomware penetration, even paying the ransom in cryptocurrency does not ensure that distant criminals will respond with the needed codes to decrypt any or all of your files. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their files even after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the average crypto-ransomware demands, which ZDNET determined to be approximately $13,000. The alternative is to piece back together the essential parts of your Information Technology environment. Without the availability of full data backups, this requires a wide complement of IT skills, top notch project management, and the capability to work continuously until the task is done.

For twenty years, Progent has offered professional Information Technology services for companies in Hartford and throughout the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have attained high-level certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally-recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise in accounting and ERP applications. This breadth of experience gives Progent the skills to knowledgably identify necessary systems and organize the surviving parts of your Information Technology environment following a ransomware penetration and configure them into an operational system.

Progent's security group utilizes best of breed project management tools to orchestrate the complex recovery process. Progent knows the urgency of acting quickly and in concert with a client's management and Information Technology resources to assign priority to tasks and to put essential applications back on-line as fast as humanly possible.

Client Case Study: A Successful Crypto-Ransomware Intrusion Restoration
A small business contacted Progent after their company was penetrated by Ryuk crypto-ransomware. Ryuk is believed to have been developed by Northern Korean state hackers, suspected of using algorithms exposed from Americaís National Security Agency. Ryuk seeks specific companies with little or no ability to sustain operational disruption and is among the most profitable versions of ransomware. Well Known organizations include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer located in the Chicago metro area and has about 500 staff members. The Ryuk event had shut down all company operations and manufacturing capabilities. Most of the client's information backups had been online at the beginning of the attack and were damaged. The client was actively seeking loans for paying the ransom (in excess of $200,000) and praying for the best, but ultimately reached out to Progent.


"I cannot tell you enough about the support Progent provided us during the most critical period of (our) companyís survival. We had little choice but to pay the cyber criminals behind the attack except for the confidence the Progent team afforded us. That you were able to get our e-mail and essential servers back into operation quicker than seven days was incredible. Each consultant I interacted with or texted at Progent was hell bent on getting us operational and was working 24 by 7 to bail us out."

Progent worked hand in hand the customer to quickly determine and assign priority to the key areas that needed to be restored to make it possible to restart business functions:

  • Active Directory (AD)
  • Exchange Server
  • Accounting and Manufacturing Software
To start, Progent followed ransomware incident mitigation industry best practices by stopping lateral movement and clearing up compromised systems. Progent then started the task of bringing back online Windows Active Directory, the key technology of enterprise systems built on Microsoft Windows technology. Microsoft Exchange Server messaging will not function without AD, and the client's MRP software used Microsoft SQL Server, which depends on Windows AD for authentication to the information.

Within two days, Progent was able to recover Active Directory to its pre-attack state. Progent then assisted with setup and hard drive recovery on essential systems. All Microsoft Exchange Server data and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to locate non-encrypted OST files (Microsoft Outlook Offline Data Files) on user workstations in order to recover mail messages. A recent off-line backup of the customerís manufacturing software made it possible to restore these essential services back available to users. Although a lot of work needed to be completed to recover fully from the Ryuk virus, essential systems were restored quickly:


"For the most part, the production line operation ran fairly normal throughout and we delivered all customer sales."

Over the next month key milestones in the restoration process were accomplished in close cooperation between Progent consultants and the client:

  • Self-hosted web applications were brought back up with no loss of information.
  • The MailStore Server containing more than 4 million archived messages was brought online and available for users.
  • CRM/Orders/Invoices/Accounts Payable/AR/Inventory Control functions were 100% operational.
  • A new Palo Alto Networks 850 security appliance was brought on-line.
  • 90% of the user workstations were back into operation.

"So much of what transpired during the initial response is mostly a fog for me, but my team will not forget the urgency each and every one of you put in to give us our business back. Iíve utilized Progent for the past 10 years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This event was a Herculean accomplishment."

Conclusion
A potential business-ending catastrophe was evaded through the efforts of dedicated experts, a broad array of knowledge, and close collaboration. Although in hindsight the ransomware virus incident described here could have been identified and blocked with modern cyber security systems and best practices, staff education, and appropriate security procedures for information backup and proper patching controls, the fact remains that state-sponsored hackers from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware incident, remember that Progent's roster of experts has substantial experience in ransomware virus blocking, mitigation, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), Iím grateful for letting me get rested after we got past the most critical parts. All of you did an fabulous effort, and if any of your team is around the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Hartford a variety of online monitoring and security assessment services to assist you to minimize your vulnerability to ransomware. These services include next-generation machine learning capability to uncover new strains of ransomware that are able to evade traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates cutting edge behavior-based machine learning technology to defend physical and virtual endpoints against new malware attacks like ransomware and email phishing, which easily evade traditional signature-matching anti-virus products. ProSight ASM safeguards local and cloud resources and provides a unified platform to address the complete threat progression including filtering, detection, containment, cleanup, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable multi-layer protection for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and reacting to security threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint management, and web filtering through leading-edge tools incorporated within one agent accessible from a unified console. Progent's security and virtualization consultants can help your business to design and configure a ProSight ESP deployment that addresses your organization's specific requirements and that allows you prove compliance with government and industry information security regulations. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require immediate action. Progent can also help you to install and test a backup and restore system like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized organizations an affordable end-to-end solution for secure backup/disaster recovery (BDR). For a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup activities and enables fast restoration of vital data, apps and virtual machines that have become unavailable or damaged as a result of hardware breakdowns, software bugs, disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware images/. Critical data can be backed up on the cloud, to an on-promises device, or mirrored to both. Progent's backup and recovery specialists can deliver world-class support to configure ProSight DPS to to comply with regulatory requirements such as HIPAA, FIRPA, and PCI and, whenever necessary, can assist you to recover your critical information. Read more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading information security vendors to deliver centralized management and world-class security for your inbound and outbound email. The hybrid structure of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises security gateway appliance to provide complete protection against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The cloud filter serves as a preliminary barricade and keeps the vast majority of unwanted email from making it to your network firewall. This decreases your exposure to inbound attacks and saves system bandwidth and storage. Email Guard's onsite security gateway device provides a deeper level of analysis for incoming email. For outbound email, the on-premises security gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also assist Exchange Server to monitor and safeguard internal email that stays inside your corporate firewall. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller businesses to map out, track, enhance and debug their networking hardware like routers, firewalls, and load balancers as well as servers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network maps are always updated, captures and manages the configuration information of almost all devices connected to your network, tracks performance, and sends notices when issues are detected. By automating time-consuming network management processes, WAN Watch can knock hours off common tasks such as making network diagrams, reconfiguring your network, finding devices that need critical updates, or resolving performance issues. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management techniques to help keep your network running efficiently by checking the state of critical assets that drive your business network. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your designated IT personnel and your Progent engineering consultant so that all potential problems can be resolved before they can disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure fault tolerant data center on a high-performance virtual machine host set up and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the apps. Since the system is virtualized, it can be moved easily to an alternate hosting solution without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and protect data related to your IT infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be alerted about upcoming expirations of SSLs or domains. By cleaning up and organizing your network documentation, you can save up to half of time thrown away searching for critical information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents required for managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether youíre making enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you need as soon as you need it. Read more about ProSight IT Asset Management service.
For Hartford 24/7 Crypto-Ransomware Removal Services, reach out to Progent at 800-993-9400 or go to Contact Progent.