Ransomware: Your Worst Information Technology Disaster
Crypto-ransomware has become an all-too-frequent cyberplague that presents an existential danger to organizations unprepared for an attack. Ransomware families such as CrySIS, Fusob, Locky, NotPetya and MongoLock have been replicating for years and continue to inflict harm. The latest strains, such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Nephilim, as well as frequent unnamed malware, not only encrypt online data but also attack every reachable system protection mechanism, including backups. Data synchronized to cloud environments can be encrypted as well. In a poorly designed data protection solution, this renders automatic restore operations useless and effectively sets the network back to zero.
Getting services and data back after a crypto-ransomware attack becomes a race against time as the targeted business struggles to contain and remove the ransomware and to resume business-critical operations. Because ransomware takes time to spread, attacks are usually launched on weekends, when they typically take longer to recognize. This compounds the difficulty of promptly marshalling and organizing an experienced response team.
Progent offers an assortment of services for protecting organizations from ransomware attacks. These include staff training to help employees recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and installation of the latest generation of security solutions with machine learning capabilities to quickly discover and suppress zero-day cyber attacks. Progent also offers the assistance of veteran crypto-ransomware recovery professionals with the track record and commitment to redeploy a breached system as quickly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware attack, paying the ransom in cryptocurrency does not ensure that the criminal gang will respond with the keys to decrypt all your files. Kaspersky determined that 17% of ransomware victims never restored their files even after sending the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET estimates to be around $13,000. The alternative is to rebuild the critical elements of your IT environment. Without access to essential data backups, this requires a wide complement of skill sets, professional project management, and the capability to work continuously until the recovery project is complete.
For twenty years, Progent has provided certified expert Information Technology services for companies in Parsippany and throughout the US and has achieved Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have earned high-level certifications in key technologies from Microsoft, Cisco and VMware and in popular distributions of Linux. Progent's cyber security consultants have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with financial systems and ERP application software. This breadth of expertise gives Progent the skills to quickly understand critical systems, organize the surviving pieces of your network environment after a ransomware attack, and rebuild them into an operational system.
Progent's security team uses best-of-breed project management systems to coordinate the sophisticated restoration process. Progent appreciates the importance of working swiftly and in concert with a customer's management and Information Technology staff to prioritize tasks and to put essential systems back online as fast as humanly possible.
Business Case Study: A Successful Crypto-Ransomware Incident Response
A business hired Progent after the company was crippled by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state hackers, possibly adopting techniques leaked from the United States NSA. Ryuk targets specific organizations with little or no tolerance for operational disruption and is one of the most lucrative ransomware families. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing business in the Chicago metro area with about 500 employees. The Ryuk attack had paralyzed all essential business and manufacturing processes. Most of the client's system backups had been online at the start of the attack and were encrypted. The client was taking steps to pay the ransom demand (in excess of $200,000) and hope for the best, but in the end decided to engage Progent.
"I can't say enough in regards to the support Progent gave us during the most stressful period of (our) company's life. We most likely would have paid the Hackers if it wasn't for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail system and important servers back in less than a week was something I thought impossible. Every single staff member I spoke to or texted at Progent was urgently focused on getting us working again and was working 24 by 7 to bail us out."
Progent worked hand in hand with the client to rapidly assess and prioritize the key elements that had to be addressed to make it possible to continue business operations:
To start, Progent followed industry best practices for malware incident containment by halting lateral movement and cleaning infected systems. Progent then began the process of rebuilding Active Directory, the foundation of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange messaging will not function without Windows AD, and the customer's MRP software used Microsoft SQL Server, which depends on Active Directory for authenticated access to the databases.
- Active Directory
- Microsoft Exchange
In less than two days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then completed the rebuild and hard drive recovery of essential servers. All Microsoft Exchange Server data and attributes were usable, which accelerated the rebuild of Exchange. Progent was able to locate unencrypted OST files (Outlook Offline Folder Files) on staff PCs and use them to recover mail messages. A recent offline backup of the client's manufacturing software allowed these essential applications to be brought back online. Although a great deal of work remained to recover completely from the Ryuk event, essential systems were restored quickly:
"For the most part, the production line operation survived unscathed and we made all customer deliverables."
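The OST-file recovery step described above depends on knowing which workstations still hold an Outlook cache that was not touched after the attack began. The following PowerShell inventory script is an added example (not Progent's code) that reads each workstation's C$ administrative share and reports every OST file with its last-write time relative to an assumed attack onset; the host names, onset time and report path are constructed sample values.

```powershell
# Added example: inventory Outlook OST caches on workstations after a ransomware event.
# Assumptions: run with credentials that can read the C$ admin share on each host;
# $Computers, $AttackStart and $ReportPath below are constructed sample values.
param(
    [string[]] $Computers   = @('WS-001', 'WS-002'),   # constructed host names
    [datetime] $AttackStart = '2020-01-04 02:00',      # constructed attack onset
    [string]   $ReportPath  = '.\ost-inventory.csv'
)

function Get-OstInventory {
    param([string[]] $Hosts, [datetime] $Onset)
    foreach ($h in $Hosts) {
        $root = "\\$h\C$\Users"
        if (-not (Test-Path -Path $root)) {
            Write-Warning "${h}: admin share unreachable, skipping"
            continue
        }
        # One Outlook cache folder per user profile; -Force includes hidden profile dirs
        Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $profile = $_.Name
            $ostDir  = Join-Path -Path $_.FullName -ChildPath 'AppData\Local\Microsoft\Outlook'
            if (-not (Test-Path -Path $ostDir)) { return }
            $files = Get-ChildItem -Path $ostDir -File -Force -ErrorAction SilentlyContinue
            # Files in the cache folder with an unexpected extension are a hint that the
            # ransomware renamed or encrypted the cache, so they are counted per profile
            $renamed = @($files | Where-Object { $_.Extension -notin '.ost', '.pst', '.nst' }).Count
            foreach ($f in ($files | Where-Object { $_.Extension -eq '.ost' })) {
                $status = if ($f.LastWriteTime -lt $Onset) { 'Candidate: untouched since onset' }
                          else { 'Review: modified after onset' }
                [pscustomobject]@{
                    Computer     = $h
                    Profile      = $profile
                    Path         = $f.FullName
                    SizeMB       = [math]::Round($f.Length / 1MB, 1)
                    LastWrite    = $f.LastWriteTime
                    OtherFiles   = $renamed
                    Status       = $status
                }
            }
        }
    }
}

$inventory = Get-OstInventory -Hosts $Computers -Onset $AttackStart
$inventory | Export-Csv -Path $ReportPath -NoTypeInformation
$inventory | Sort-Object Status, Computer | Format-Table -AutoSize
```

An OST file is bound to the Outlook profile and mailbox that created it, so the candidate files are exported to PST from Outlook on the owning workstation rather than copied onto the rebuilt Exchange server.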
Over the next few weeks key milestones in the recovery project were achieved through tight collaboration between Progent team members and the customer:
- Internal web applications were returned to operation with no loss of information.
- The MailStore email archive server, holding more than 4 million archived emails, was restored to operation and made available to users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory capabilities were 100% recovered.
- A new Palo Alto Networks 850 firewall was installed and configured.
- 90% of the user PCs were functioning as before the incident.
"So much of what was accomplished those first few days is nearly entirely a fog for me, but our team will not soon forget the commitment each and every one of you accomplished to give us our company back. I've utilized Progent for the past 10 years, maybe more, and each time I needed help Progent has come through and delivered as promised. This time was the most impressive ever."
A likely business-ending disaster was averted thanks to dedicated experts, a broad spectrum of IT skills, and tight collaboration. In hindsight, the ransomware attack described here could have been blocked with advanced security solutions, ISO/IEC 27001 best practices, staff training, appropriate incident response procedures for information protection, and proper patch management controls. The fact remains, however, that government-sponsored cybercriminals from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you are hit by a ransomware attack, you can be confident that Progent's team of professionals has extensive experience in crypto-ransomware defense, mitigation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for allowing me to get some sleep after we made it through the initial fire. All of you did an incredible effort, and if anyone that helped is around the Chicago area, dinner is on me!"
To read or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Parsippany a range of remote monitoring and security evaluation services designed to help you to minimize your vulnerability to crypto-ransomware. These services utilize modern artificial intelligence technology to uncover new variants of ransomware that are able to get past traditional signature-based anti-virus products.
For 24-7 Parsippany Ransomware Repair Help, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes next generation behavior-based analysis tools to guard physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which routinely get by traditional signature-matching anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and offers a single platform to automate the complete threat lifecycle including filtering, identification, mitigation, cleanup, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable in-depth protection for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and response to cyber threats from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, endpoint management, and web filtering through leading-edge technologies packaged within one agent managed from a unified console. Progent's security and virtualization consultants can assist your business to plan and configure a ProSight ESP environment that addresses your organization's unique needs and that allows you to achieve and demonstrate compliance with government and industry information security regulations. Progent will help you define and configure the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for urgent action. Progent can also help your company set up and test a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and medium-sized businesses a low-cost, fully managed service for reliable backup and disaster recovery. For a low monthly fee, ProSight Data Protection Services automates and monitors your backup processes and allows rapid recovery of critical files, applications and VMs that have become unavailable or corrupted as a result of component failures, software bugs, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to a local storage device, or to both. Progent's BDR consultants can deliver world-class expertise to configure ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FINRA, and PCI and, whenever necessary, can assist you to restore your critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top data security companies to deliver centralized control and world-class security for your email traffic. The hybrid structure of Progent's Email Guard managed service combines cloud-based filtering with a local security gateway appliance to offer advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based malware. The cloud filter serves as a preliminary barricade and keeps most threats from reaching your security perimeter. This reduces your exposure to inbound attacks and saves system bandwidth and storage. Email Guard's on-premises security gateway appliance provides a further level of analysis for inbound email. For outgoing email, the local gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The on-premises gateway can also assist Exchange Server to track and protect internal email that originates and ends inside your security perimeter. For more information, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to diagram, track, reconfigure and debug their connectivity hardware like routers, firewalls, and load balancers plus servers, printers, client computers and other devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that network diagrams are always updated, copies and manages the configuration information of almost all devices on your network, tracks performance, and sends notices when issues are detected. By automating time-consuming network management processes, ProSight WAN Watch can cut hours off common tasks like making network diagrams, expanding your network, finding devices that require important updates, or isolating performance problems. Learn more about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management techniques to keep your network running efficiently by tracking the health of the critical assets that power your business network. When ProSight LAN Watch detects an issue, an alert is sent automatically to your designated IT management staff and your assigned Progent engineering consultant so that looming problems can be resolved before they disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With the ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual machine host set up and managed by Progent's network support experts. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the applications. Because the system is virtualized, it can be ported easily to an alternate hosting environment without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and protect data related to your network infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSL certificates, domains or warranties. By updating and organizing your network documentation, you can eliminate up to 50% of the time wasted searching for critical information about your network. ProSight IT Asset Management includes a common repository for storing and sharing all documents required for managing your business network, such as standard operating procedures and How-Tos. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're making improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you require as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.