Ransomware : Your Crippling IT Catastrophe
Ransomware  Recovery ConsultantsRansomware has become an escalating cyber pandemic that poses an existential danger for businesses poorly prepared for an assault. Different versions of ransomware like the Reveton, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been running rampant for many years and continue to inflict destruction. More recent strains of ransomware like Ryuk and Hermes, as well as additional as yet unnamed malware, not only encrypt on-line information but also infect any available system backup. Files replicated to cloud environments can also be ransomed. In a poorly architected environment, it can render automatic restoration useless and effectively sets the datacenter back to square one.

Getting back on-line services and information after a crypto-ransomware outage becomes a sprint against time as the victim struggles to stop the spread and clear the virus and to restore business-critical activity. Since crypto-ransomware takes time to spread, penetrations are often sprung during nights and weekends, when attacks may take more time to uncover. This multiplies the difficulty of rapidly assembling and coordinating a knowledgeable response team.

Progent offers a range of services for securing organizations from ransomware penetrations. These include team education to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of modern security appliances with artificial intelligence capabilities to quickly identify and extinguish zero-day threats. Progent in addition can provide the services of veteran ransomware recovery professionals with the track record and commitment to rebuild a breached system as quickly as possible.

Progent's Ransomware Recovery Services
Following a ransomware attack, sending the ransom demands in Bitcoin cryptocurrency does not guarantee that merciless criminals will return the keys to decrypt any of your information. Kaspersky estimated that seventeen percent of ransomware victims never recovered their data even after having sent off the ransom, resulting in more losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is significantly above the typical ransomware demands, which ZDNET estimates to be around $13,000. The fallback is to re-install the key elements of your IT environment. Without the availability of complete system backups, this requires a wide range of IT skills, top notch project management, and the ability to work non-stop until the job is completed.

For decades, Progent has made available certified expert Information Technology services for businesses in Indianapolis and throughout the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have attained top industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have garnered internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with financial systems and ERP software solutions. This breadth of experience gives Progent the ability to rapidly ascertain critical systems and organize the remaining pieces of your Information Technology environment following a ransomware event and configure them into a functioning system.

Progent's security team of experts uses best of breed project management applications to coordinate the complex recovery process. Progent appreciates the urgency of working rapidly and in concert with a client's management and IT staff to assign priority to tasks and to get the most important services back on-line as soon as possible.

Customer Case Study: A Successful Crypto-Ransomware Incident Recovery
A business contacted Progent after their network system was taken over by Ryuk ransomware. Ryuk is generally considered to have been launched by Northern Korean state sponsored cybercriminals, possibly adopting technology leaked from the United States National Security Agency. Ryuk goes after specific companies with limited tolerance for operational disruption and is one of the most profitable instances of crypto-ransomware. Headline victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business based in the Chicago metro area with around 500 staff members. The Ryuk intrusion had paralyzed all essential operations and manufacturing capabilities. The majority of the client's backups had been online at the beginning of the attack and were damaged. The client was taking steps for paying the ransom (more than $200K) and hoping for good luck, but in the end reached out to Progent.


"I cannot say enough in regards to the expertise Progent provided us during the most fearful time of (our) businesses existence. We may have had to pay the hackers behind this attack except for the confidence the Progent team gave us. That you could get our e-mail system and important applications back online in less than five days was incredible. Every single staff member I worked with or e-mailed at Progent was amazingly focused on getting our system up and was working 24 by 7 to bail us out."

Progent worked hand in hand the customer to quickly determine and prioritize the mission critical services that needed to be addressed in order to restart company operations:

  • Active Directory
  • E-Mail
  • Financials/MRP
To begin, Progent adhered to AV/Malware Processes penetration mitigation industry best practices by halting lateral movement and clearing infected systems. Progent then initiated the steps of recovering Windows Active Directory, the core of enterprise systems built upon Microsoft Windows technology. Microsoft Exchange email will not work without AD, and the businessesí MRP applications utilized Microsoft SQL Server, which depends on Windows AD for security authorization to the databases.

In less than two days, Progent was able to re-build Active Directory services to its pre-penetration state. Progent then helped perform rebuilding and storage recovery on essential applications. All Exchange Server ties and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to collect non-encrypted OST files (Outlook Off-Line Folder Files) on various workstations in order to recover mail messages. A not too old off-line backup of the businesses financials/MRP software made them able to recover these vital applications back online for users. Although significant work needed to be completed to recover fully from the Ryuk virus, essential services were restored rapidly:


"For the most part, the production manufacturing operation never missed a beat and we delivered all customer sales."

Over the following month important milestones in the restoration project were completed in tight collaboration between Progent team members and the client:

  • Self-hosted web applications were restored with no loss of data.
  • The MailStore Exchange Server with over four million archived emails was brought online and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/AR/Inventory capabilities were 100% operational.
  • A new Palo Alto Networks 850 security appliance was deployed.
  • Ninety percent of the user desktops were being used by staff.

"Much of what went on during the initial response is nearly entirely a haze for me, but my management will not forget the countless hours each of you accomplished to give us our business back. I have trusted Progent for at least 10 years, possibly more, and each time Progent has come through and delivered. This event was a testament to your capabilities."

Conclusion
A probable business-ending disaster was evaded with hard-working professionals, a wide spectrum of knowledge, and close collaboration. Although in hindsight the crypto-ransomware penetration detailed here could have been shut down with up-to-date cyber security systems and security best practices, user and IT administrator training, and well designed incident response procedures for data protection and keeping systems up to date with security patches, the fact remains that state-sponsored cyber criminals from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a crypto-ransomware virus, remember that Progent's team of experts has extensive experience in ransomware virus blocking, mitigation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), Iím grateful for letting me get some sleep after we made it over the initial push. Everyone did an incredible job, and if any of your team is in the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Indianapolis a variety of online monitoring and security evaluation services designed to help you to minimize your vulnerability to crypto-ransomware. These services include next-generation machine learning technology to detect new variants of ransomware that are able to evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that incorporates cutting edge behavior machine learning technology to defend physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which routinely escape traditional signature-based AV products. ProSight ASM protects on-premises and cloud-based resources and offers a single platform to automate the entire malware attack progression including filtering, identification, mitigation, cleanup, and post-attack forensics. Top features include one-click rollback with Windows VSS and real-time system-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection services offer affordable in-depth security for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and reacting to cyber threats from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint control, and web filtering via cutting-edge tools packaged within one agent accessible from a single console. Progent's security and virtualization experts can assist your business to plan and configure a ProSight ESP deployment that addresses your company's specific requirements and that allows you achieve and demonstrate compliance with government and industry data security standards. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require immediate attention. Progent's consultants can also help your company to install and test a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and mid-sized businesses a low cost end-to-end solution for secure backup/disaster recovery (BDR). Available at a fixed monthly rate, ProSight Data Protection Services automates your backup processes and allows fast restoration of critical data, apps and VMs that have become lost or corrupted as a result of hardware breakdowns, software bugs, natural disasters, human mistakes, or malicious attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware images/. Critical data can be backed up on the cloud, to an on-promises storage device, or mirrored to both. Progent's BDR consultants can deliver advanced expertise to set up ProSight Data Protection Services to to comply with regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can help you to recover your business-critical information. Read more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top information security companies to provide web-based control and comprehensive protection for your email traffic. The hybrid architecture of Email Guard combines cloud-based filtering with an on-premises security gateway device to offer complete protection against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-borne threats. The Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of threats from reaching your security perimeter. This decreases your exposure to external threats and saves system bandwidth and storage space. Email Guard's on-premises gateway appliance provides a further layer of inspection for inbound email. For outbound email, the onsite gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also assist Exchange Server to track and safeguard internal email that stays inside your security perimeter. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to map out, track, optimize and debug their networking appliances like switches, firewalls, and access points as well as servers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network diagrams are always updated, copies and displays the configuration of almost all devices on your network, tracks performance, and generates notices when problems are detected. By automating tedious management activities, ProSight WAN Watch can cut hours off common chores like making network diagrams, expanding your network, finding devices that require critical updates, or identifying the cause of performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates advanced remote monitoring and management technology to help keep your network operating efficiently by checking the state of vital computers that drive your business network. When ProSight LAN Watch detects an issue, an alert is sent automatically to your specified IT personnel and your assigned Progent consultant so that any looming problems can be addressed before they can impact your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host configured and maintained by Progent's network support professionals. With the ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the apps. Since the environment is virtualized, it can be ported easily to a different hardware environment without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and protect information about your network infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSLs or domains. By cleaning up and managing your IT infrastructure documentation, you can save up to 50% of time wasted searching for critical information about your network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents related to managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether youíre making improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.
For 24-7 Indianapolis Crypto-Ransomware Recovery Consultants, call Progent at 800-993-9400 or go to Contact Progent.