Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become a modern cyberplague that poses an extinction-level threat for businesses unprepared for an assault. Different iterations of ransomware such as Reveton, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for many years and continue to cause havoc. Recent versions of ransomware such as Ryuk and Hermes, as well as as-yet-unnamed newcomers that appear daily, not only encrypt online information but also infect many available system restores and backups. Information synchronized to off-site disaster recovery sites can also be encrypted. In a vulnerable system, this can make any restoration useless and effectively sets the datacenter back to zero.

Getting services and information back online following a ransomware event becomes a sprint against time as the targeted organization struggles to stop lateral movement, clear the virus, and resume business-critical activity. Since ransomware needs time to move laterally, assaults are often sprung on weekends and holidays, when penetrations typically take more time to detect. This compounds the difficulty of quickly assembling and orchestrating a capable response team.

Progent makes available a variety of solutions for protecting enterprises from ransomware attacks. Among these are user education to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security gateways with machine learning technology to intelligently detect and extinguish day-zero cyber threats. Progent also provides the assistance of veteran ransomware recovery engineers with the skills and commitment to reconstruct a breached environment as urgently as possible.

Progent's Ransomware Restoration Services
Following a ransomware penetration, paying the ransom in cryptocurrency does not guarantee that criminal gangs will return the codes needed to decrypt any or all of your information. Kaspersky found that 17% of crypto-ransomware victims never recovered their files after paying the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the usual ransomware demand, which ZDNET estimates to be approximately $13,000. The other path is to piece back together the essential parts of your Information Technology environment. Without the availability of full information backups, this requires a broad range of skill sets, well-coordinated team management, and the ability to work 24x7 until the recovery project is finished.

For decades, Progent has made available expert Information Technology services for businesses in Parsippany and across the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have earned advanced industry certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have earned internationally recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has expertise in accounting and ERP software solutions. This breadth of experience gives Progent the ability to knowledgeably understand important systems and consolidate the remaining pieces of your network environment after a ransomware attack and rebuild them into an operational system.

Progent's ransomware team has state-of-the-art project management systems to coordinate the sophisticated recovery process. Progent appreciates the urgency of working swiftly and in unison with a client's management and IT team members to assign priority to tasks and to get the most important systems back online as soon as possible.

Client Case Study: A Successful Ransomware Intrusion Restoration
A business sought out Progent after their organization was taken over by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state-sponsored hackers, possibly adopting strategies leaked from America's National Security Agency. Ryuk seeks specific businesses with limited tolerance for operational disruption and is among the most profitable instances of ransomware malware. Well-known targets include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in the Chicago metro area with about 500 workers. The Ryuk event had shut down all business operations and manufacturing processes. Most of the client's system backups had been on-line at the start of the intrusion and were encrypted. The client was taking steps to pay the ransom demand (in excess of $200,000) and hoping for the best, but in the end reached out to Progent.


"I cannot thank you enough for the support Progent provided us throughout the most fearful period of (our) company's existence. We would have paid the cybercriminals if it wasn't for the confidence the Progent team gave us. That you were able to get our messaging and essential servers back sooner than five days was something I thought impossible. Every single expert I got help from or e-mailed at Progent was urgently focused on getting us working again and was working at breakneck pace on our behalf."

Progent worked together with the customer to rapidly understand and prioritize the essential services that needed to be addressed to make it possible to restart departmental functions:

  • Microsoft Active Directory
  • Email
  • Financials/MRP

To begin, Progent followed industry best practices for ransomware incident response by stopping the spread and cleaning systems of viruses. Progent then started the task of rebuilding Active Directory, the foundation of enterprise environments built upon Microsoft technology. Microsoft Exchange email will not operate without Windows AD, and the customer's accounting and MRP system utilized SQL Server, which requires Windows AD for access to the databases.

Within 2 days, Progent was able to rebuild Active Directory services to its pre-virus state. Progent then assisted with reinstallations and storage recovery on essential applications. All Exchange Server schema and attributes were usable, which facilitated the restore of Exchange. Progent was able to assemble local OST data files (Outlook Email Off-Line Data Files) on staff PCs to recover email messages. A reasonably recent off-line backup of the customer's accounting/MRP software made it possible to make these required services available to users again. Although significant work was left to recover fully from the Ryuk attack, essential systems were recovered rapidly:


"For the most part, the assembly line operation did not miss a beat and we did not miss any customer orders."

Over the following few weeks key milestones in the restoration project were accomplished in close collaboration between Progent consultants and the client:

  • Self-hosted web sites were brought back up without losing any data.
  • The MailStore Server with over four million historical emails was spun up and available for users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory capabilities were 100% functional.
  • A new Palo Alto Networks 850 firewall was installed.
  • Ninety percent of the user workstations were fully operational.

"Much of what happened in the early hours is mostly a haze for me, but our team will not soon forget the dedication each and every one of your team accomplished to give us our company back. I've been working with Progent for at least 10 years, maybe more, and every time Progent has impressed me and delivered as promised. This time was a life saver."

Conclusion
A likely business-killing disaster was dodged with results-oriented experts, a broad spectrum of subject matter expertise, and tight teamwork. In retrospect, the crypto-ransomware incident described here could have been identified and blocked with up-to-date security systems and security best practices, team education, and well thought out incident response procedures for backup and keeping systems up to date with security patches. Even so, the fact remains that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by a crypto-ransomware virus, feel confident that Progent's roster of professionals has substantial experience in ransomware virus blocking, removal, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were helping), thank you for letting me get some sleep after we made it over the initial push. All of you did an impressive effort, and if any of your guys is visiting the Chicago area, a great meal is on me!"


Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Parsippany a variety of remote monitoring and security assessment services to help you minimize the threat from crypto-ransomware. These services incorporate next-generation machine learning technology to uncover new strains of ransomware that can evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes cutting edge behavior-based analysis tools to guard physical and virtual endpoints against modern malware assaults such as ransomware and email phishing, which routinely get by traditional signature-matching AV tools. ProSight ASM safeguards local and cloud-based resources and provides a single platform to manage the entire threat progression including blocking, identification, containment, cleanup, and forensics. Top capabilities include one-click rollback using Windows VSS and real-time system-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection services offer affordable in-depth security for physical servers and virtual machines, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and reacting to cyber assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alarms, device management, and web filtering via cutting-edge technologies packaged within one agent managed from a single control. Progent's data protection and virtualization consultants can assist your business to plan and configure a ProSight ESP deployment that addresses your company's unique requirements and that allows you to prove compliance with legal and industry information security regulations. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require immediate attention. Progent can also help your company to set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized businesses a low cost and fully managed solution for secure backup/disaster recovery (BDR). Available at a fixed monthly rate, ProSight Data Protection Services automates and monitors your backup processes and allows rapid recovery of vital data, applications and VMs that have become lost or damaged due to hardware breakdowns, software glitches, natural disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to an on-premises storage device, or mirrored to both. Progent's cloud backup consultants can deliver world-class support to configure ProSight Data Protection Services to be compliant with regulatory requirements such as HIPAA, FINRA, and PCI and, when necessary, can help you to recover your critical data. Read more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading information security vendors to provide centralized control and world-class security for all your email traffic. The hybrid architecture of Progent's Email Guard managed service integrates cloud-based filtering with a local gateway device to provide advanced protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's cloud filter acts as a preliminary barricade and keeps most threats from reaching your network firewall. This decreases your vulnerability to inbound attacks and saves system bandwidth and storage space. Email Guard's onsite security gateway appliance provides a further layer of analysis for inbound email. For outbound email, the onsite security gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also help Microsoft Exchange Server to track and protect internal email traffic that stays within your security perimeter. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller organizations to map out, monitor, optimize and troubleshoot their networking appliances such as routers, firewalls, and access points as well as servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that network diagrams are always updated, captures and manages the configuration information of almost all devices on your network, tracks performance, and generates alerts when potential issues are discovered. By automating time-consuming management activities, WAN Watch can cut hours off ordinary chores like making network diagrams, expanding your network, finding devices that need critical updates, or identifying the cause of performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management techniques to help keep your network running at peak levels by tracking the health of vital computers that power your business network. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your designated IT management staff and your assigned Progent engineering consultant so all looming issues can be resolved before they have a chance to impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a protected Tier III data center on a fast virtual host set up and managed by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the applications. Because the system is virtualized, it can be moved easily to a different hardware environment without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard information related to your IT infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or warranties. By updating and organizing your IT documentation, you can save as much as 50% of time spent trying to find vital information about your network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents required for managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're making enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.
For 24x7x365 Parsippany Ransomware Cleanup Experts, contact Progent at 800-993-9400 or go to Contact Progent.