Ransomware: Your Crippling Information Technology Disaster
Ransomware Remediation Experts
Crypto-ransomware has become a modern cyber pandemic that presents an existential threat to businesses of all sizes that are vulnerable to an attack. Ransomware families such as Reveton, Fusob, Locky, Syskey and MongoLock cryptoworms have been in the wild for a long time and continue to cause damage. Modern strains such as Ryuk and Hermes, along with unnamed newcomers appearing daily, not only encrypt online data but also get past most of the available system protections. Files synchronized to cloud environments can also be encrypted. In a poorly designed environment, this can make automatic restoration impossible and effectively knocks the entire system back to zero.

Recovering services and information after a ransomware event becomes a race against the clock as the victim fights to contain the damage, eradicate the ransomware and resume mission-critical activity. Because ransomware needs time to move laterally, attacks are frequently launched on weekends, when a successful intrusion may take longer to recognize. This multiplies the difficulty of rapidly mobilizing and orchestrating an experienced response team.

Progent provides a variety of support services for protecting enterprises from ransomware attacks. These include team training to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of modern security appliances that use AI technology to automatically detect and quarantine new cyber threats. Progent also provides the services of experienced ransomware recovery professionals with the skills and commitment to rebuild a compromised system as quickly as possible.

Progent's Crypto-Ransomware Recovery Support Services
After a ransomware event, paying the ransom demand in cryptocurrency does not provide any assurance that the criminal gang will respond with the keys needed to decrypt any of your files. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their files after paying the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the typical ransomware demand, which ZDNET estimates to be approximately $13,000. The fallback is to re-install the essential components of your Information Technology environment. Without access to complete data backups, this calls for a broad range of skill sets, well-coordinated project management, and the ability to work non-stop until the task is finished.

For twenty years, Progent has provided expert IT services for companies in Alexandria and across the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have earned high-level certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience with accounting and ERP applications. This breadth of expertise allows Progent to quickly understand the necessary systems, re-organize the remaining components of your network environment following a crypto-ransomware penetration, and assemble them into an operational network.

Progent's ransomware team uses best-of-breed project management applications to orchestrate the complex restoration process. Progent appreciates the importance of acting quickly and working together with a customer's management and IT resources to prioritize tasks and get key applications back on-line as fast as possible.

Business Case Study: A Successful Ransomware Incident Restoration
A client contacted Progent after their company was attacked by the Ryuk ransomware virus. Ryuk is generally considered to have been launched by North Korean government-sponsored criminal gangs, possibly adapting algorithms exposed from the United States NSA. Ryuk goes after specific companies with little or no tolerance for disruption and is among the most lucrative incarnations of ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in Chicago with about 500 staff members. The Ryuk event had shut down all essential operations and manufacturing processes. Most of the client's data backups had been directly accessible at the start of the attack and were encrypted. The client was taking steps to pay the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but in the end engaged Progent.


"I cannot thank you enough for the expertise Progent gave us during the most critical period of (our) company's life. We most likely would have paid the Hackers if not for the confidence the Progent team gave us. That you could get our e-mail and important applications back on-line sooner than one week was earth shattering. Every single expert I talked with or e-mailed at Progent was totally committed to getting us working again and was working day and night to bail us out."

Progent worked with the client to rapidly assess and prioritize the most important areas that had to be restored in order to continue company functions:

  • Active Directory
  • Exchange Server
  • Accounting and Manufacturing Software

To begin, Progent followed industry best practices for malware incident mitigation by halting the spread and cleaning up compromised systems. Progent then initiated the task of restoring Microsoft Active Directory, the core of enterprise systems built on Microsoft Windows technology. Microsoft Exchange email will not operate without AD, and the client's financial and MRP applications used Microsoft SQL Server, which depends on Active Directory for authentication to the data.

Within two days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then assisted with reinstallations and hard drive recovery on mission-critical servers. All Exchange Server data and attributes were usable, which greatly helped the rebuild of Exchange. Progent was able to gather local OST files (Outlook Offline Data Files) from team PCs to recover email information. A relatively recent offline backup of the client's manufacturing systems made it possible to bring these essential applications back on-line. Although major work still had to be done to recover completely from the Ryuk event, core services were restored rapidly:


"For the most part, the production operation never missed a beat and we did not miss any customer sales."
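
The restoration sequence described above (Active Directory first, then the systems that authenticate against it, then the applications that sit on those) is an instance of dependency-ordered recovery. The following Python script is an added example, not Progent's code or tooling: it encodes the case study's dependency chain as a small graph, computes the restoration waves with a topological sort, and flags systems whose only backups were reachable by the ransomware (and so must be assumed encrypted, as most of the client's backups were) as candidates for rebuild rather than restore. The dependency map and the backup inventory are constructed for illustration; the "offline"/"online" states are hypothetical.

```python
"""Dependency-ordered restoration plan for a ransomware recovery.

Added example, not Progent's code. The dependency graph is constructed
from the case study: Exchange and SQL Server need Active Directory for
authentication, and the accounting and MRP applications sit on SQL Server.
The backup inventory below is hypothetical.
"""
from graphlib import CycleError, TopologicalSorter

# system -> set of systems that must be up before it can be restored
# (constructed from the case study's description)
DEPENDENCIES = {
    "Active Directory": set(),
    "Exchange Server": {"Active Directory"},
    "SQL Server": {"Active Directory"},
    "Accounting": {"SQL Server"},
    "Manufacturing (MRP)": {"SQL Server"},
}

# Hypothetical backup inventory. A backup that was reachable from the
# network at the time of the attack is treated as untrusted, because the
# ransomware could have encrypted it along with the live data.
BACKUPS = {
    "Active Directory": "online",
    "Exchange Server": "online",
    "SQL Server": "online",
    "Accounting": "offline",
    "Manufacturing (MRP)": "offline",
}


def restoration_order(deps):
    """Return restoration waves: every system in a wave can be brought up in
    parallel once all systems in earlier waves are running. Raises
    ValueError on a circular dependency, which means the plan is
    inconsistent and must be corrected before work starts."""
    ts = TopologicalSorter(deps)
    try:
        ts.prepare()
    except CycleError as exc:
        raise ValueError(f"circular dependency among {exc.args[1]}") from exc
    waves = []
    while ts.is_active():
        ready = sorted(ts.get_ready())  # sorted for a deterministic plan
        waves.append(ready)
        ts.done(*ready)
    return waves


def recovery_plan(deps, backups):
    """Annotate each system with the recovery method implied by its backup
    state: restore from an offline copy, or rebuild when the only backups
    were online at the time of the attack and must be assumed encrypted."""
    plan = []
    for wave_no, wave in enumerate(restoration_order(deps), start=1):
        for system in wave:
            state = backups.get(system, "unknown")
            if state == "offline":
                method = "restore from offline backup"
            else:
                method = "rebuild / recover from alternative sources"
            plan.append((wave_no, system, method))
    return plan


if __name__ == "__main__":
    for wave_no, system, method in recovery_plan(DEPENDENCIES, BACKUPS):
        print(f"wave {wave_no}: {system:<20} -> {method}")
```

Run as-is, the plan puts Active Directory alone in wave 1, Exchange and SQL Server in wave 2, and the two applications in wave 3, matching the order the engagement actually followed; only the application tier is marked as restorable from backup, which mirrors the case study's reliance on an offline manufacturing backup while AD and Exchange were rebuilt from other sources.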

During the next month, important milestones in the recovery project were accomplished through close collaboration between Progent engineers and the client:

  • Self-hosted web applications were brought back up without losing any information.
  • The MailStore Server archive, holding more than 4 million emails, was spun up and made accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory functions were completely operational.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • Most user desktops were back in use by staff.

"Much of what occurred in the initial days is nearly entirely a fog for me, but our team will not forget the commitment all of you put in to give us our company back. I've been working with Progent for at least 10 years, maybe more, and each time Progent has shined and delivered. This time was no exception but maybe more Herculean."

Conclusion
A potential business-killing disaster was avoided through the efforts of results-oriented professionals, a wide spectrum of IT skills, and close collaboration. In hindsight, the ransomware penetration described here should have been identified and stopped by current cyber security systems and ISO/IEC 27001 best practices, user and IT administrator training, and appropriate incident response procedures covering data backup and keeping systems up to date with security patches. The reality remains, however, that state-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incursion, remember that Progent's team of professionals has extensive experience in crypto-ransomware virus defense, remediation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were involved), thank you for making it so I could get rested after we got over the first week. Everyone did an amazing effort, and if any of your team is around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Alexandria a portfolio of remote monitoring and security evaluation services to help you minimize your exposure to ransomware. These services use next-generation AI capability to uncover new variants of ransomware that can get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that utilizes cutting edge behavior analysis technology to defend physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which routinely evade legacy signature-matching AV tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a unified platform to manage the complete threat lifecycle including filtering, detection, containment, remediation, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer protection for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, device control, and web filtering through leading-edge technologies incorporated within one agent managed from a unified console. Progent's security and virtualization consultants can help your business plan and configure a ProSight ESP deployment that meets your organization's specific needs and that allows you to achieve and demonstrate compliance with legal and industry information security standards. Progent will assist you in defining and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require immediate attention. Progent's consultants can also help your company set up and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized businesses a low-cost and fully managed service for secure backup and disaster recovery. For a fixed monthly cost, ProSight DPS automates and monitors your backup processes and allows fast recovery of vital data, apps and virtual machines that have become lost or corrupted as a result of component failures, software bugs, natural disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, apps, system images, plus Hyper-V and VMware images. Important data can be backed up to the cloud, to an on-premises storage device, or to both. Progent's backup and recovery consultants can provide advanced support to set up ProSight Data Protection Services to be compliant with regulatory standards such as HIPAA, FERPA, PCI and Safe Harbor and, whenever needed, can help you restore your business-critical information. Find out more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of top information security vendors to deliver web-based control and comprehensive protection for all your inbound and outbound email. The powerful architecture of Progent's Email Guard combines a Cloud Protection Layer with a local security gateway device to offer complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's cloud filter serves as a first line of defense and blocks the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to external attacks and saves system bandwidth and storage. Email Guard's onsite gateway appliance adds a further layer of analysis for incoming email. For outgoing email, the on-premises gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The on-premises gateway can also help Microsoft Exchange Server monitor and protect internal email that stays inside your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to map, monitor, optimize and troubleshoot their networking hardware such as routers and switches, firewalls, and load balancers as well as servers, printers, client computers and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept updated, captures and manages the configuration information of virtually all devices on your network, tracks performance, and generates notices when issues are detected. By automating complex management processes, ProSight WAN Watch can knock hours off common chores like making network diagrams, reconfiguring your network, locating appliances that require important software patches, or resolving performance issues. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) technology to help keep your network operating efficiently by tracking the state of the vital computers that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your designated IT management staff and your assigned Progent consultant so that potential problems can be addressed before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual host set up and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the apps. Because the environment is virtualized, it can be ported immediately to an alternate hardware environment without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and safeguard information about your network infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can eliminate up to half of the time wasted looking for critical information about your IT network. ProSight IT Asset Management includes a common repository for holding and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're making improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

For Alexandria 24-Hour Crypto Cleanup Experts, contact Progent at 800-993-9400 or go to Contact Progent.