Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become a modern cyber pandemic that poses an extinction-level threat for businesses of all sizes unprepared for an assault. Different versions of crypto-ransomware such as CrySIS, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been around for a long time and still cause havoc. More recent strains of crypto-ransomware like Ryuk and Hermes, plus additional as yet unnamed newcomers, not only encrypt on-line critical data but also infiltrate most configured system backups. Information synched to off-site disaster recovery sites can also be encrypted. In a poorly architected environment, this can make automated restore operations useless and basically set the network back to square one.
Recovering programs and data after a ransomware event becomes a sprint against the clock as the targeted organization struggles to contain the damage and eradicate the crypto-ransomware and to restore mission-critical activity. Because ransomware needs time to move laterally, assaults are often launched at night, when successful penetrations may take longer to discover. This compounds the difficulty of quickly marshalling and orchestrating a knowledgeable response team.
Progent provides a range of support services for securing enterprises from ransomware events. Among these are staff training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with installation of the latest generation security gateways with artificial intelligence capabilities to automatically identify and suppress day-zero cyber attacks. Progent also offers the services of seasoned ransomware recovery consultants with the skills and commitment to rebuild a compromised environment as soon as possible.
Progent's Crypto-Ransomware Restoration Services
After a ransomware penetration, paying the ransom in Bitcoin cryptocurrency does not guarantee that criminal gangs will respond with the codes needed to decrypt any of your information. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never recovered their data after having sent off the ransom, resulting in further losses. The ransom itself is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET averages to be approximately $13,000. The alternative is to re-install the critical components of your IT environment. Absent complete system backups, this calls for a broad range of skills, professional project management, and the ability to work non-stop until the recovery project is finished.
For twenty years, Progent has provided expert Information Technology services for businesses in New Orleans and across the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have attained top certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have earned internationally-recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent in addition has expertise with accounting and ERP applications. This breadth of expertise gives Progent the skills to efficiently identify critical systems, consolidate the remaining components of your IT system after a ransomware event, and rebuild them into a functioning network.
Progent's security group has state-of-the-art project management applications to orchestrate the complicated restoration process. Progent appreciates the importance of acting rapidly and in unison with a client's management and Information Technology staff to prioritize tasks and to put critical services back on line as soon as possible.
Client Story: A Successful Crypto-Ransomware Virus Response
A client hired Progent after their company was attacked by the Ryuk ransomware virus. Ryuk is thought to have been developed by North Korean state sponsored cybercriminals, possibly adopting technology leaked from the United States National Security Agency. Ryuk goes after specific businesses with little or no tolerance for operational disruption and is among the most profitable versions of ransomware malware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in Chicago with around 500 employees. The Ryuk attack had disabled all business operations and manufacturing processes. Most of the client's data backups had been on-line at the beginning of the attack and were encrypted. The client was evaluating paying the ransom (in excess of $200,000) and hoping for good luck, but ultimately reached out to Progent.
"I cannot say enough in regards to the care Progent gave us throughout the most stressful period of (our) business's survival. We had little choice but to pay the cyber criminals if it wasn't for the confidence the Progent group gave us. That you could get our e-mail and important applications back online quicker than seven days was incredible. Every single expert I talked with or messaged at Progent was urgently focused on getting us back online and was working non-stop to bail us out."
Progent worked hand in hand with the customer to quickly get its arms around and prioritize the most important services that needed to be restored in order to restart company operations:
To start, Progent adhered to anti-virus incident mitigation best practices by isolating infected systems and performing virus removal steps. Progent then initiated the work of restoring Windows Active Directory, the heart of enterprise networks built upon Microsoft technology. Microsoft Exchange Server messaging will not operate without Windows AD, and the business's accounting and MRP system utilized SQL Server, which needs Windows AD for authentication to the database.
- Active Directory
Within 2 days, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then initiated setup and hard drive recovery of essential systems. All Exchange data and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to find non-encrypted OST data files (Outlook Off-Line Data Files) on staff PCs and laptops in order to recover mail data. A fairly recent off-line backup of the customer's financials/ERP software made it possible to bring these essential services back online for users. Although major work was left to recover totally from the Ryuk attack, core systems were returned to operation rapidly:
"For the most part, the production line operation ran fairly normal throughout and we made all customer orders."
During the next couple of weeks important milestones in the restoration project were made through close cooperation between Progent consultants and the customer:
- Self-hosted web applications were brought back up with no loss of data.
- The MailStore Microsoft Exchange Server with over 4 million archived emails was spun up and accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory Control capabilities were completely functional.
- A new Palo Alto 850 security appliance was brought online.
- 90% of the user PCs were back into operation.
"A lot of what occurred in the early hours is mostly a haze for me, but our team will not forget the urgency each of your team accomplished to give us our company back. I've trusted Progent for at least 10 years, possibly more, and every time Progent has come through and delivered as promised. This situation was a testament to your capabilities."
A potential company-ending disaster was averted through the efforts of results-oriented experts, a broad spectrum of technical expertise, and close teamwork. Although in post-mortem analysis the ransomware attack described here could have been stopped with advanced cyber security systems and ISO/IEC 27001 best practices, staff training, and properly executed security procedures for backup and for keeping systems up to date with security patches, the fact remains that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware attack, feel confident that Progent's roster of experts has substantial experience in ransomware virus blocking, mitigation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were helping), I'm grateful for letting me get rested after we got past the first week. All of you did a fabulous job, and if any of your guys is visiting the Chicago area, dinner is my treat!"
To review or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in New Orleans a portfolio of remote monitoring and security evaluation services to assist you to reduce your vulnerability to ransomware. These services include modern artificial intelligence technology to detect zero-day variants of crypto-ransomware that are able to get past legacy signature-based security products.
For New Orleans 24x7 Crypto-Ransomware Remediation Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes next generation behavior-based machine learning tools to guard physical and virtual endpoint devices against new malware assaults like ransomware and file-less exploits, which easily escape legacy signature-based AV products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a unified platform to manage the complete threat lifecycle including blocking, identification, mitigation, cleanup, and post-attack forensics. Key features include single-click rollback with Windows VSS and automatic network-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services offer affordable multi-layer security for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and responding to cyber threats from all vectors. ProSight ESP offers firewall protection, penetration alerts, endpoint management, and web filtering via cutting-edge tools incorporated within a single agent accessible from a single console. Progent's data protection and virtualization consultants can help you to plan and implement a ProSight ESP environment that meets your organization's specific needs and that allows you to prove compliance with government and industry data security regulations. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for urgent attention. Progent can also assist your company to install and verify a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business quickly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services offer small and mid-sized organizations a low cost end-to-end service for secure backup/disaster recovery. For a low monthly rate, ProSight DPS automates and monitors your backup processes and enables rapid recovery of critical files, apps and virtual machines that have become lost or corrupted due to hardware failures, software bugs, natural disasters, human mistakes, or malware attacks like ransomware. ProSight DPS can help you back up, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to a local device, or to both. Progent's BDR consultants can deliver world-class support to configure ProSight Data Protection Services to be compliant with government and industry regulatory requirements such as HIPAA, FERPA, PCI and Safe Harbor and, when necessary, can assist you to restore your critical data. Read more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading information security companies to deliver centralized management and comprehensive security for your email traffic. The hybrid structure of Progent's Email Guard managed service combines a Cloud Protection Layer with a local gateway device to offer advanced protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-based malware. Email Guard's cloud filter serves as a first line of defense and blocks the vast majority of threats from making it to your security perimeter. This decreases your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's on-premises gateway device provides a deeper level of analysis for inbound email. For outbound email, the on-premises gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Exchange Server to track and protect internal email that stays inside your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller businesses to map out, monitor, optimize and troubleshoot their networking appliances like routers, firewalls, and access points as well as servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept updated, captures and manages the configuration of virtually all devices on your network, monitors performance, and sends notices when problems are detected. By automating tedious network management processes, ProSight WAN Watch can knock hours off ordinary tasks like network mapping, expanding your network, locating devices that need critical updates, or identifying the cause of performance problems. Learn more about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your IT system running efficiently by checking the state of vital assets that drive your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your specified IT personnel and your assigned Progent engineering consultant so that all potential problems can be resolved before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual host set up and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be ported easily to an alternate hosting environment without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to one hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and protect data about your IT infrastructure, processes, business apps, and services. You can instantly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or warranties. By cleaning up and organizing your IT documentation, you can save as much as 50% of time spent trying to find vital information about your network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents required for managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're making enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you require as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.