Ransomware : Your Feared Information Technology Catastrophe
Ransomware Remediation Professionals
Crypto-ransomware has become an escalating cyber plague that presents an enterprise-level danger for organizations unprepared for an attack. Older strains such as CrySIS, CryptoWall, Locky, SamSam and MongoLock have been spreading for years and continue to cause damage. The latest strains, such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with a steady stream of unnamed newcomers, not only encrypt online data but also seek out and encrypt every system backup reachable from the network. Data synced to the cloud can be ransomed as well. Where the data protection architecture is weak, this leaves automated restore operations useless and effectively knocks the network back to square one.

Bringing applications and data back online after a crypto-ransomware intrusion becomes a race against time as the targeted organization struggles to contain and remove the malware and to restore mission-critical activity. Because ransomware takes time to move laterally, attacks are frequently launched on weekends and holidays, when intrusions typically take longer to detect. This compounds the difficulty of quickly assembling and coordinating a knowledgeable mitigation team.
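The behaviour the two paragraphs above describe, a burst of files being renamed to a new extension across many folders, often outside business hours, is something a defender can watch for in file-server audit logs without any signature for the strain involved. The following Python script is an added example and is not Progent's code or the code of any product mentioned on this page. The key=value audit-line format, the `.locked` extension, the list of "known" extensions, the 60-second window and the thresholds are all assumptions constructed for the example; a real deployment would learn the extension baseline from the server's own history and tune the thresholds to its workload.

```python
"""Heuristic, behaviour-based detection of a ransomware encryption burst in
file-server audit events. Added example only; not Progent's or any product's code.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Optional

# Extensions regarded as normal for this (constructed) file server. In practice
# this set would be learned from the server's own history, not hard-coded.
KNOWN_EXTENSIONS = {".xlsx", ".docx", ".pdf", ".txt", ".csv", ".pst"}
WINDOW = timedelta(seconds=60)   # sliding burst window (assumption)
RENAME_THRESHOLD = 5             # suspicious renames needed inside the window
MIN_DIRECTORIES = 2              # spread across at least this many folders

# Assumed audit-line format; real file servers emit equivalent RENAME/WRITE
# events carrying a timestamp, the acting user and the old/new paths.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) path=(?P<path>\S+)"
    r"(?: new=(?P<new>\S+))?$"
)

# Constructed sample: one benign user on a weekday, then a Saturday 02:14 burst.
SAMPLE_EVENTS = """\
2021-03-03T10:02:11Z user=asmith op=RENAME path=/sales/report.docx new=/sales/report_final.docx
2021-03-03T10:05:40Z user=asmith op=RENAME path=/sales/notes.txt new=/sales/notes.bak
2021-03-06T02:14:01Z user=jdoe op=WRITE path=/finance/README_TO_RESTORE.txt
2021-03-06T02:14:03Z user=jdoe op=RENAME path=/finance/Q1.xlsx new=/finance/Q1.xlsx.locked
2021-03-06T02:14:04Z user=jdoe op=RENAME path=/finance/Q2.xlsx new=/finance/Q2.xlsx.locked
2021-03-06T02:14:05Z user=jdoe op=RENAME path=/finance/budget.pdf new=/finance/budget.pdf.locked
2021-03-06T02:14:07Z user=jdoe op=RENAME path=/hr/payroll.csv new=/hr/payroll.csv.locked
2021-03-06T02:14:08Z user=jdoe op=RENAME path=/hr/contracts.docx new=/hr/contracts.docx.locked
2021-03-06T02:14:09Z user=jdoe op=RENAME path=/hr/handbook.pdf new=/hr/handbook.pdf.locked
""".splitlines()


def parse_event(line: str) -> Optional[dict]:
    """Parse one audit line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def extension(path: str) -> str:
    """Lower-cased final extension of a path, or '' if it has none."""
    name = path.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def directory(path: str) -> str:
    return path.rsplit("/", 1)[0]


def is_suspicious_rename(ev: dict) -> bool:
    """A rename whose new name ends in an extension this server has never used."""
    if ev["op"] != "RENAME" or not ev.get("new"):
        return False
    return extension(ev["new"]) not in KNOWN_EXTENSIONS


def is_off_hours(ts: datetime) -> bool:
    """Weekend or night-time (assumed 20:00-06:00), when response is slowest."""
    return ts.weekday() >= 5 or ts.hour >= 20 or ts.hour < 6


def detect_bursts(lines) -> list:
    """Return one alert per user whose suspicious renames reach the threshold
    inside the sliding window and touch several folders; the window is reset
    after each alert so a long burst does not alert on every further event."""
    windows = defaultdict(deque)   # user -> deque of (timestamp, directory)
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or not is_suspicious_rename(ev):
            continue
        q = windows[ev["user"]]
        q.append((ev["ts"], directory(ev["path"])))
        while q and ev["ts"] - q[0][0] > WINDOW:
            q.popleft()
        dirs = {d for _, d in q}
        if len(q) >= RENAME_THRESHOLD and len(dirs) >= MIN_DIRECTORIES:
            alerts.append({
                "user": ev["user"],
                "first_seen": q[0][0].isoformat(),
                "renames": len(q),
                "directories": sorted(dirs),
                "off_hours": is_off_hours(ev["ts"]),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the benign user never trips the detector (a single rename to `.bak` stays below the threshold, and `.docx` is a known extension), while `jdoe` is flagged after the fifth rename, with `off_hours` set because the burst falls on a Saturday night. The spread-across-folders condition is what separates an encryption run from a user legitimately renaming a batch of files in one directory.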

Progent offers a variety of services for protecting organizations from ransomware intrusions. Among these are staff education to help recognize and avoid phishing attacks, ProSight Active Security Monitoring for remote monitoring and management, and deployment of latest-generation security solutions with machine learning capabilities to rapidly identify and stop new threats. Progent also offers the assistance of expert ransomware recovery consultants with the skills and perseverance to rebuild a breached network as urgently as possible.

Progent's Crypto-Ransomware Recovery Services
After a ransomware event, paying the ransom demand in Bitcoin provides no assurance that the criminal gang will hand over the keys needed to decrypt all your data. Kaspersky Labs found that 17% of ransomware victims never recovered their files even after paying the ransom, compounding their losses. The ransom itself is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the average ransomware demand, which ZDNet estimates to be around $13,000. The alternative is to piece back together the essential elements of your IT environment. Without access to usable backups, this calls for a broad complement of skill sets, well-coordinated project management, and the ability to work 24x7 until the recovery project is complete.

For twenty years, Progent has offered certified expert Information Technology services for companies in Manchester and across the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have been awarded high-level industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have earned internationally recognized certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience in financial management and ERP application software. This breadth of experience allows Progent to efficiently identify critical systems, organize the surviving parts of your Information Technology environment following a crypto-ransomware attack, and configure them into a functioning network.

Progent's security team uses top-notch project management systems to coordinate the complex recovery process. Progent understands the importance of acting swiftly and working together with a client's management and Information Technology staff to prioritize tasks and get the most important systems back online as fast as possible.

Customer Case Study: A Successful Crypto-Ransomware Virus Recovery
A customer contacted Progent after their network was brought down by Ryuk ransomware. Ryuk is thought to have been launched by North Korean state hackers, possibly using algorithms leaked from America's National Security Agency. Ryuk targets specific companies with limited ability to sustain disruption and is among the most lucrative examples of ransomware malware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing business based in Chicago with around 500 employees. The Ryuk intrusion had paralyzed all essential operations and manufacturing capabilities. Most of the client's backups had been directly accessible on the network at the time of the intrusion and were eventually encrypted. The client was preparing to pay the ransom (exceeding two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.

"I can't speak enough about the expertise Progent gave us throughout the most stressful period of (our) company's life. We may have had to pay the criminal gangs if not for the confidence the Progent experts provided us. The fact that you were able to get our e-mail system and important servers back on-line in less than a week was something I thought impossible. Each expert I interacted with or texted at Progent was absolutely committed on getting us restored and was working at all hours on our behalf."

Progent worked together with the client to quickly determine and prioritize the essential elements that had to be addressed to make it possible to restart business operations:

  • Windows Active Directory
  • Microsoft Exchange Email
  • Financials/MRP
To start, Progent followed incident response best practices by halting lateral movement and disinfecting systems. Progent then began the task of restoring Microsoft Active Directory, the heart of enterprise environments built on Microsoft technology. Exchange messaging will not operate without Windows AD, and the customer's accounting and MRP software used Microsoft SQL Server, which depends on Active Directory for access to the databases.

In less than 2 days, Progent was able to restore Active Directory services to their pre-attack state. Progent then assisted with the setup and hard drive recovery of the needed servers. All Exchange data and attributes were usable, which accelerated the restoration of Exchange. Progent was able to collect unencrypted OST files (Outlook Offline Folder Files) from staff PCs in order to recover mail messages. A recent offline backup of the business's accounting/ERP systems made it possible to bring these required services back online. Although a lot of work remained to recover fully from the Ryuk damage, essential services were recovered quickly:


"For the most part, the production operation showed little impact and we delivered all customer orders."

Over the next couple of weeks key milestones in the restoration process were achieved through close cooperation between Progent consultants and the customer:

  • In-house web applications were brought back up with no loss of information.
  • The MailStore archive server, holding more than 4 million historical messages, was brought online and made accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory Control functions were 100 percent restored.
  • A new Palo Alto Networks 850 firewall was deployed.
  • Most of the user PCs were back into operation.

"A huge amount of what was accomplished in the initial days is mostly a blur for me, but our team will not forget the countless hours all of the team put in to help get our business back. I have trusted Progent for at least 10 years, maybe more, and each time I needed help Progent has shined and delivered. This situation was no exception but maybe more Herculean."

Conclusion
A likely business disaster was avoided through the efforts of hard-working experts, a wide spectrum of IT skills, and close teamwork. Although in hindsight the ransomware attack detailed here would have been identified and blocked with current security technology, security best practices, user education, and well thought out procedures for data protection and patching, the reality is that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by a ransomware intrusion, remember that Progent's roster of professionals has substantial experience in ransomware blocking, remediation, and file disaster recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for allowing me to get rested after we got through the most critical parts. Everyone did an amazing effort, and if anyone that helped is around the Chicago area, dinner is on me!"

To read or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Manchester a range of online monitoring and security assessment services to assist you to reduce the threat from ransomware. These services include modern machine learning capability to detect zero-day strains of crypto-ransomware that are able to evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates next generation behavior-based machine learning technology to guard physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which routinely escape legacy signature-matching AV products. ProSight ASM protects on-premises and cloud resources and offers a single platform to automate the entire threat lifecycle including blocking, identification, containment, cleanup, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer ultra-affordable multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and reacting to security threats from all attack vectors. ProSight ESP provides firewall protection, penetration alarms, endpoint control, and web filtering via leading-edge technologies packaged within one agent managed from a single control. Progent's data protection and virtualization consultants can help you to plan and configure a ProSight ESP deployment that meets your organization's specific needs and that helps you achieve and demonstrate compliance with legal and industry data security standards. Progent will assist you specify and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that call for immediate attention. Progent can also assist your company to set up and test a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations an affordable and fully managed solution for reliable backup/disaster recovery (BDR). For a fixed monthly price, ProSight DPS automates your backup activities and allows rapid recovery of vital data, applications and virtual machines that have become lost or damaged as a result of hardware breakdowns, software bugs, disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images. Important data can be protected in the cloud, on an on-premises device, or mirrored to both. Progent's BDR consultants can provide advanced support to set up ProSight DPS to comply with regulatory requirements such as HIPAA, FERPA, PCI and Safe Harbor and, whenever necessary, can assist you to restore your critical data. Read more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading information security companies to provide web-based control and world-class protection for all your inbound and outbound email. The powerful architecture of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises gateway appliance to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of threats from making it to your security perimeter. This reduces your vulnerability to external threats and conserves system bandwidth and storage. Email Guard's on-premises gateway appliance provides a deeper level of inspection for inbound email. For outbound email, the onsite security gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also assist Exchange Server to track and protect internal email traffic that originates and ends within your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized organizations to map, monitor, enhance and troubleshoot their connectivity hardware such as routers, firewalls, and access points plus servers, printers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that network maps are always updated, copies and displays the configuration of virtually all devices connected to your network, monitors performance, and generates alerts when problems are discovered. By automating time-consuming network management activities, ProSight WAN Watch can cut hours off ordinary tasks such as network mapping, expanding your network, finding devices that require important software patches, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) technology to keep your IT system operating efficiently by checking the health of critical assets that power your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your designated IT management personnel and your Progent engineering consultant so all potential issues can be addressed before they can impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a secure Tier III data center on a fast virtual machine host configured and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the OS platforms, and the apps. Because the environment is virtualized, it can be moved easily to an alternate hardware solution without a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and safeguard information related to your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By updating and managing your IT documentation, you can eliminate as much as half of the time wasted searching for vital information about your network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents required for managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're making improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you require as soon as you need it. Find out more about ProSight IT Asset Management service.
For Manchester 24x7 Ransomware Repair Consultants, contact Progent at 800-993-9400 or go to Contact Progent.