Ransomware : Your Crippling IT Catastrophe
Ransomware  Remediation ExpertsRansomware has become an escalating cyberplague that presents an existential threat for businesses unprepared for an assault. Different iterations of ransomware like the CrySIS, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for years and still cause destruction. The latest strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Egregor, as well as daily unnamed newcomers, not only do encryption of online data but also infect any available system backup. Files replicated to cloud environments can also be rendered useless. In a vulnerable environment, it can make automatic restore operations hopeless and effectively knocks the datacenter back to square one.

Retrieving programs and information following a crypto-ransomware event becomes a race against the clock as the targeted business struggles to stop lateral movement and cleanup the virus and to restore business-critical operations. Due to the fact that ransomware requires time to move laterally, assaults are often sprung during weekends and nights, when penetrations in many cases take more time to identify. This compounds the difficulty of promptly assembling and organizing a capable response team.

Progent makes available a range of solutions for securing enterprises from ransomware penetrations. Among these are user education to become familiar with and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of next-generation security solutions with AI capabilities to quickly identify and suppress new threats. Progent in addition provides the services of seasoned crypto-ransomware recovery professionals with the skills and perseverance to restore a breached environment as urgently as possible.

Progent's Ransomware Restoration Help
Following a ransomware penetration, paying the ransom demands in cryptocurrency does not ensure that distant criminals will return the keys to decrypt all your files. Kaspersky Labs ascertained that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is greatly higher than the typical crypto-ransomware demands, which ZDNET determined to be in the range of $13,000. The alternative is to piece back together the vital parts of your Information Technology environment. Without access to full data backups, this requires a wide range of skills, professional team management, and the willingness to work 24x7 until the task is complete.

For decades, Progent has provided expert IT services for companies in Parsippany and across the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have earned high-level certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have garnered internationally-recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has expertise in financial systems and ERP application software. This breadth of expertise affords Progent the skills to efficiently ascertain important systems and consolidate the remaining parts of your Information Technology system after a ransomware attack and assemble them into an operational system.

Progent's recovery team deploys powerful project management systems to coordinate the sophisticated restoration process. Progent knows the urgency of acting rapidly and in concert with a customerís management and Information Technology team members to prioritize tasks and to get critical systems back online as soon as possible.

Client Story: A Successful Ransomware Virus Response
A customer escalated to Progent after their company was taken over by the Ryuk ransomware. Ryuk is generally considered to have been created by Northern Korean state sponsored criminal gangs, suspected of using technology leaked from the U.S. National Security Agency. Ryuk seeks specific businesses with limited ability to sustain operational disruption and is among the most profitable examples of crypto-ransomware. High publicized organizations include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business located in Chicago with around 500 staff members. The Ryuk intrusion had frozen all company operations and manufacturing capabilities. Most of the client's backups had been online at the start of the attack and were eventually encrypted. The client was evaluating paying the ransom (exceeding $200K) and wishfully thinking for the best, but ultimately called Progent.


"I canít speak enough in regards to the help Progent gave us throughout the most stressful time of (our) companyís life. We most likely would have paid the cybercriminals if it wasnít for the confidence the Progent group gave us. The fact that you were able to get our messaging and critical servers back quicker than seven days was earth shattering. Every single consultant I interacted with or texted at Progent was urgently focused on getting my company operational and was working breakneck pace on our behalf."

Progent worked hand in hand the customer to rapidly identify and assign priority to the most important elements that had to be restored to make it possible to continue company functions:

  • Active Directory
  • Microsoft Exchange Email
  • Accounting/MRP
To begin, Progent adhered to AV/Malware Processes event response best practices by stopping the spread and clearing infected systems. Progent then started the steps of bringing back online Windows Active Directory, the foundation of enterprise systems built upon Microsoft Windows Server technology. Microsoft Exchange messaging will not operate without AD, and the businessesí accounting and MRP software used Microsoft SQL, which depends on Active Directory for access to the database.

Within two days, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then helped perform reinstallations and hard drive recovery of needed systems. All Microsoft Exchange Server ties and attributes were usable, which greatly helped the restore of Exchange. Progent was able to assemble non-encrypted OST data files (Outlook Email Offline Data Files) on various workstations and laptops in order to recover mail data. A recent offline backup of the customerís accounting software made it possible to restore these essential programs back available to users. Although a lot of work still had to be done to recover totally from the Ryuk damage, core services were returned to operations quickly:


"For the most part, the assembly line operation survived unscathed and we produced all customer deliverables."

During the following month key milestones in the recovery process were accomplished through close collaboration between Progent team members and the customer:

  • Internal web sites were brought back up without losing any information.
  • The MailStore Microsoft Exchange Server containing more than 4 million historical emails was brought online and accessible to users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables/Inventory modules were fully functional.
  • A new Palo Alto Networks 850 security appliance was installed.
  • Ninety percent of the user PCs were functioning as before the incident.

"So much of what went on those first few days is mostly a blur for me, but our team will not soon forget the care each of the team put in to help get our business back. Iíve trusted Progent for the past ten years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered. This event was a stunning achievement."

Conclusion
A potential business-ending catastrophe was evaded with top-tier experts, a wide spectrum of knowledge, and tight collaboration. Although in post mortem the crypto-ransomware attack detailed here should have been stopped with modern security systems and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator education, and appropriate incident response procedures for information protection and applying software patches, the reality remains that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware virus, remember that Progent's roster of professionals has a proven track record in ransomware virus defense, removal, and data recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for letting me get rested after we got through the initial push. Everyone did an impressive job, and if anyone is visiting the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Parsippany a variety of remote monitoring and security assessment services to help you to minimize the threat from crypto-ransomware. These services incorporate modern artificial intelligence capability to detect new strains of ransomware that can evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates cutting edge behavior-based machine learning technology to guard physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which easily escape traditional signature-matching anti-virus tools. ProSight ASM protects on-premises and cloud resources and offers a single platform to address the entire malware attack lifecycle including filtering, identification, mitigation, remediation, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection services offer economical in-depth security for physical servers and VMs, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and responding to security threats from all vectors. ProSight ESP delivers firewall protection, penetration alarms, endpoint control, and web filtering through leading-edge tools packaged within one agent accessible from a single control. Progent's data protection and virtualization experts can help your business to design and implement a ProSight ESP environment that addresses your company's specific needs and that allows you achieve and demonstrate compliance with government and industry information security standards. Progent will assist you specify and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require immediate action. Progent's consultants can also help your company to set up and test a backup and restore solution like ProSight Data Protection Services so you can recover quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations a low cost and fully managed solution for reliable backup/disaster recovery. Available at a low monthly cost, ProSight Data Protection Services automates your backup processes and enables rapid restoration of vital data, applications and virtual machines that have become lost or damaged due to component breakdowns, software bugs, natural disasters, human mistakes, or malware attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to a local device, or to both. Progent's backup and recovery consultants can deliver world-class expertise to configure ProSight Data Protection Services to be compliant with government and industry regulatory standards like HIPAA, FIRPA, and PCI and, when needed, can help you to recover your business-critical data. Learn more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading information security companies to deliver centralized control and world-class security for all your inbound and outbound email. The powerful structure of Progent's Email Guard combines a Cloud Protection Layer with an on-premises gateway device to offer complete protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-based malware. Email Guard's Cloud Protection Layer acts as a preliminary barricade and blocks the vast majority of threats from reaching your network firewall. This decreases your vulnerability to external attacks and saves system bandwidth and storage. Email Guard's onsite security gateway appliance provides a deeper layer of inspection for inbound email. For outbound email, the onsite security gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The onsite gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that originates and ends inside your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progentís ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller organizations to map, monitor, enhance and troubleshoot their networking hardware like routers and switches, firewalls, and load balancers plus servers, printers, endpoints and other networked devices. Using state-of-the-art RMM technology, WAN Watch ensures that infrastructure topology maps are kept updated, captures and displays the configuration of virtually all devices on your network, monitors performance, and generates alerts when potential issues are detected. By automating time-consuming network management processes, ProSight WAN Watch can cut hours off ordinary chores like making network diagrams, reconfiguring your network, finding appliances that require critical software patches, or resolving performance issues. Find out more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your network running efficiently by tracking the state of vital computers that power your business network. When ProSight LAN Watch detects an issue, an alert is sent automatically to your specified IT personnel and your assigned Progent engineering consultant so any looming problems can be addressed before they can disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected fault tolerant data center on a fast virtual host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the apps. Since the system is virtualized, it can be ported immediately to a different hosting solution without a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and safeguard information about your IT infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be warned about impending expirations of SSLs ,domains or warranties. By cleaning up and managing your network documentation, you can eliminate as much as half of time wasted trying to find vital information about your IT network. ProSight IT Asset Management features a centralized repository for holding and collaborating on all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether youíre making improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you require when you need it. Learn more about ProSight IT Asset Management service.
For 24/7/365 Parsippany Crypto-Ransomware Remediation Experts, contact Progent at 800-993-9400 or go to Contact Progent.