Ransomware: Your Worst Information Technology Disaster
Ransomware Remediation Professionals

Crypto-ransomware has become an escalating cyber plague that poses an extinction-level danger to organizations poorly prepared for an attack. Multiple generations of ransomware, from the Reveton screen locker through the self-spreading WannaCry cryptoworm to Locky and MongoLock, have been circulating for years and still cause destruction. Current crypto-ransomware such as Ryuk (built on the earlier Hermes code), along with a steady stream of unnamed variants, not only encrypts online data but also attacks whatever system protection mechanisms are configured: Volume Shadow Copies are deleted, the Windows Backup catalog is erased, and any backup target reachable from the infected host is encrypted along with everything else. Data synced to the cloud can be corrupted too, because the sync client faithfully uploads the encrypted versions. In a poorly architected environment this can render every restore operation useless and effectively knock the network back to zero.
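The "system protection" tampering described above leaves a clear trail in process-creation telemetry, and it usually precedes mass encryption by minutes, so it is worth alerting on. As an added example (not part of Progent's page or tooling), the following Python scans constructed process-creation events for the commands Ryuk and similar families run to delete shadow copies, erase the backup catalog, and disable boot recovery. The event field names (ts, host, user, image, cmdline) and the sample lines are assumptions made for this example, not logs from the incident on this page.

```python
import re

# Command lines that tamper with Windows "system protection" ahead of encryption:
# Volume Shadow Copies, the Windows Backup catalog, and automatic boot recovery.
# These are documented Ryuk behaviours; the list is illustrative, not exhaustive.
TAMPER_RULES = {
    "vss_delete":         re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "vss_resize":         re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    "wmic_shadow_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin_delete":     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I),
    "bcdedit_norecovery": re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "ps_shadow_delete":   re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b", re.I),
}

# Constructed process-creation events (one Sysmon Event ID 1 / Security 4688 record
# flattened per line). Made up for this example; not logs from the incident above.
SAMPLE_EVENTS = [
    r'ts=2019-06-22T02:14:07 host=FILESRV01 user=CORP\svc_backup image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe Delete Shadows /All /Quiet"',
    r'ts=2019-06-22T02:14:08 host=FILESRV01 user=CORP\svc_backup image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"',
    r'ts=2019-06-22T02:14:31 host=DC01 user=CORP\adm_jdoe image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled No"',
    r'ts=2019-06-22T02:15:02 host=WS042 user=CORP\jdoe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe List Shadows"',
    r'ts=2019-06-22T02:15:40 host=BACKUP01 user=CORP\svc_backup image=C:\Windows\System32\wbadmin.exe cmdline="wbadmin start backup -backupTarget:E: -include:C: -quiet"',
    r'ts=2019-06-22T02:16:12 host=MRP01 user=CORP\svc_backup image=C:\Windows\System32\wbadmin.exe cmdline="wbadmin delete catalog -quiet"',
    r'ts=2019-06-22T02:16:45 host=WS042 user=CORP\jdoe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"',
]

# key=value pairs; a double-quoted value may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split one key=value line into a dict, dropping the quotes around quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def scan_events(lines):
    """Return one finding per (event, matching rule) for system-protection tampering."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmdline", "")
        for rule, pattern in TAMPER_RULES.items():
            if pattern.search(cmd):
                findings.append({"ts": ev.get("ts"), "host": ev.get("host"),
                                 "user": ev.get("user"), "rule": rule, "cmdline": cmd})
    return findings


def hosts_hit(findings):
    """Hosts where tampering was seen, sorted; these get isolated first."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['ts']} {f['host']:<9} {f['rule']:<18} {f['cmdline']}")
    print("isolate first:", hosts_hit(found))
```

Benign administrative use (listing shadows, starting a backup) does not fire. Security event 4688 only carries the command line when the "Include command line in process creation events" policy is enabled, so make sure that policy or Sysmon is in place before relying on rules like these.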

Getting programs and data back online after a ransomware outage becomes a sprint against time as the targeted organization tries to contain and remove the ransomware while resuming business-critical operations. Because ransomware needs time to spread, attacks are frequently launched on weekends and holidays, when intrusions take longer to be noticed. This compounds the difficulty of rapidly assembling and organizing an experienced response team.

Progent provides a variety of services for protecting businesses from ransomware attacks. These include user training to recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for endpoint protection and remote monitoring, and deployment of next-generation security gateways that use machine learning to detect and block zero-day threats. Progent also provides veteran ransomware recovery professionals with the track record and perseverance to rebuild a breached network as quickly as possible.

Progent's Ransomware Recovery Support Services
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminals will hand over keys that decrypt all your data. Kaspersky Lab estimated that 17% of ransomware victims who paid never got their data back, compounding the loss. The gamble is also expensive: Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the typical demand, which ZDNet reported averages around $13,000. The alternative is to piece the mission-critical parts of your IT environment back together. Without complete, intact backups, this calls for a broad range of skills, top-notch project management, and the willingness to work non-stop until the job is done.

For two decades, Progent has offered certified expert IT services to businesses in New Haven and throughout the US and holds Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals with high-level certifications in key technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cybersecurity engineers hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC (see Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of expertise gives Progent the skills to identify which systems matter most after a ransomware event, salvage the surviving pieces of your network, and rebuild them into an operational system.

Progent's security team uses modern project management tools to coordinate the complex restoration process. Progent understands the urgency of working quickly and in unison with a client's management and IT staff to prioritize tasks and get key services back online as fast as possible.

Client Case Study: A Successful Ransomware Virus Restoration
A small business hired Progent after its network was brought down by Ryuk ransomware. Ryuk, which is built on code from the earlier Hermes ransomware, was initially attributed to North Korean state-sponsored operators; later analysis by security researchers pointed instead to a Russian-speaking cybercrime group. Ryuk targets specific organizations with little tolerance for operational disruption and is among the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer in the Chicago metro area with about 500 employees. The Ryuk incident had shut down all business operations and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were encrypted along with the production data. The client was arranging financing to pay the ransom (more than $200,000) and hoping for the best, but ultimately reached out to Progent.


"I cannot say enough in regards to the expertise Progent provided us throughout the most fearful time of (our) business's survival. We would have paid the hackers behind this attack if not for the confidence the Progent experts provided us. That you could get our messaging and important applications back quicker than five days was something I thought impossible. Each expert I talked with or messaged at Progent was amazingly focused on getting us back on-line and was working 24/7 on our behalf."

Progent worked with the client to rapidly identify and prioritize the most important elements that had to be restored before company operations could resume:

  • Windows Active Directory
  • Microsoft Exchange
  • Accounting/MRP
First, Progent followed incident response best practices by isolating infected systems to stop the spread and removing the active malware. Progent then began restoring Active Directory, the heart of any enterprise network built on Microsoft Windows. Exchange will not operate without AD, and the customer's MRP software relied on Microsoft SQL Server, which in turn depended on Active Directory for authentication and authorization to the data.

In less than two days, Progent recovered Active Directory to its pre-attack state. Progent then rebuilt essential systems and recovered their storage. The Exchange schema extensions and attributes in AD were intact, which accelerated the Exchange rebuild. Progent collected unencrypted OST files (Outlook Offline Data Files) from various workstations to recover mail data. A reasonably recent offline backup of the manufacturing systems allowed those essential applications to be restored to service. Although major work remained to recover completely from Ryuk, core systems were restored quickly:
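Harvesting OST files from workstations works only for copies the ransomware never reached, so the first step is telling intact files apart from encrypted ones, and the extension is not a reliable guide because Ryuk renames what it encrypts. As an added example (not Progent's tooling, and not the procedure used in this engagement), the following Python does that first-pass triage on a folder of Outlook data files copied off workstations by checking the file header: every PST/OST begins with the magic "!BDN", and the client magic at offset 8 is "SM" for PST and "SO" for OST (per the MS-PST specification and libpff documentation). The sample files it builds are constructed for the demo; the hostnames are made up and the .RYK suffix is Ryuk's.

```python
import os
import shutil
import struct
import tempfile

# Every PST/OST file starts with the 4-byte magic "!BDN" (MS-PST HEADER.dwMagic); the
# 2-byte client magic at offset 8 is "SM" for PST and "SO" for OST. A file that has
# been encrypted by ransomware has neither, whatever its name says.
OUTLOOK_MAGIC = b"!BDN"
CLIENT_MAGIC = {b"SO": "ost", b"SM": "pst"}


def classify_outlook_file(path):
    """Classify a candidate Outlook data file from its first 16 bytes alone."""
    with open(path, "rb") as f:
        header = f.read(16)
    if len(header) < 16:
        return "truncated"
    if header[:4] != OUTLOOK_MAGIC:
        return "no_outlook_header"   # encrypted, renamed garbage, or not Outlook at all
    return CLIENT_MAGIC.get(header[8:10], "unknown_client")


def triage_mailbox_files(root):
    """Walk root and classify anything whose name mentions .ost/.pst, including files
    renamed by ransomware (e.g. alice.ost.RYK). Returns {path: status}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lname = name.lower()
            if ".ost" in lname or ".pst" in lname:
                path = os.path.join(dirpath, name)
                results[path] = classify_outlook_file(path)
    return results


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def build_sample_tree(root):
    """Constructed sample files for the demo (not real mailbox data): a minimal header
    of magic, 4-byte CRC placeholder, client magic, wVer, then zero padding."""
    ost = OUTLOOK_MAGIC + b"\x00" * 4 + b"SO" + struct.pack("<H", 36) + b"\x00" * 500
    pst = OUTLOOK_MAGIC + b"\x00" * 4 + b"SM" + struct.pack("<H", 23) + b"\x00" * 500
    _write(os.path.join(root, "WS042", "alice.ost"), ost)
    _write(os.path.join(root, "WS042", "carol.pst"), pst)
    # Stand-in for an encrypted copy: every byte XORed with a constant, then renamed
    # with the .RYK suffix Ryuk appends. Real ransomware output is not this simple.
    _write(os.path.join(root, "WS017", "bob.ost.RYK"), bytes(b ^ 0x5A for b in ost))
    _write(os.path.join(root, "WS017", "dave.ost"), ost[:3])   # interrupted copy
    _write(os.path.join(root, "WS017", "notes.txt"), b"unrelated")


def demo():
    """Build the sample tree in a temp dir, triage it, return {basename: status}."""
    root = tempfile.mkdtemp(prefix="ost-triage-")
    try:
        build_sample_tree(root)
        return {os.path.basename(p): s for p, s in triage_mailbox_files(root).items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:<18} {name}")
```

A good header only proves the first 16 bytes survived; some ransomware families encrypt files in chunks or skip the start of large files, so the real test is opening the file. Note also that an OST is bound to the mailbox profile that created it and cannot simply be attached to Outlook like a PST; recovering its mail normally means converting it to PST with a recovery tool before importing.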


"For the most part, the manufacturing operation survived unscathed and we delivered all customer shipments."

During the following few weeks, critical milestones in the recovery project were achieved through close cooperation between Progent's team and the customer:

  • In-house web applications were returned to operation with no loss of data.
  • The MailStore email archive server, holding more than four million historical messages, was restored and made accessible to users.
  • The CRM, product ordering, invoicing, accounts payable (AP), accounts receivable (AR) and inventory control modules were fully operational.
  • A new Palo Alto Networks PA-850 firewall was deployed.
  • Most of the user desktops were functioning as before the incident.

"A lot of what transpired that first week is mostly a blur for me, but we will not soon forget the commitment each of your team put in to give us our company back. I've been working together with Progent for the past ten years, possibly more, and every time I needed help Progent has come through and delivered. This time was a testament to your capabilities."

Conclusion
A potentially business-ending catastrophe was averted thanks to dedicated professionals, a wide spectrum of subject matter expertise, and close teamwork. Post-incident forensics showed that the intrusion described here could have been detected and prevented with modern security technology and security best practices: staff training, well-designed procedures for protecting data, and disciplined patch management. But state-sponsored and criminal attackers from Russia, North Korea and elsewhere are tireless and will keep trying. If you are hit by ransomware, rest assured that Progent's professionals have extensive experience in ransomware blocking, cleanup, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for making it so I could get some sleep after we made it through the initial fire. Everyone did an amazing job, and if anyone that helped is around the Chicago area, dinner is on me!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in New Haven a range of remote monitoring and security assessment services designed to minimize your exposure to ransomware. These services use AI-based behavior analysis to uncover zero-day strains of ransomware that evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection platform (EPP) service that uses next-generation behavior analysis to guard physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which easily evade traditional signature-based anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a unified platform to manage the entire malware attack lifecycle including filtering, detection, containment, remediation, and forensics. Top capabilities include one-click rollback using Windows VSS snapshots and real-time network-wide immunization against new attacks. Because VSS rollback depends on shadow copies surviving the attack, and ransomware routinely deletes them, it complements offline backups rather than replacing them. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth protection for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and response to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint management, and web filtering via leading-edge technologies incorporated within one agent managed from a single console. Progent's security and virtualization experts can help you plan and configure a ProSight ESP deployment that addresses your company's unique requirements and that helps you achieve and demonstrate compliance with legal and industry data protection standards. Progent will help you define and implement the security policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alerts that call for urgent attention. Progent can also help your company set up and test a backup and restore system such as ProSight Data Protection Services so you can get back in business rapidly after a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and medium-sized businesses a low-cost, fully managed solution for secure backup and disaster recovery (BDR). Available at a low monthly price, ProSight Data Protection Services automates your backup processes and enables rapid recovery of critical files, applications and VMs that have been lost or corrupted by hardware failures, software glitches, disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware images. Important data can be backed up to the cloud, to a local storage device, or mirrored to both. Progent's cloud backup specialists can deliver advanced support to set up ProSight Data Protection Services to comply with regulatory standards like HIPAA, FINRA, and PCI and, whenever necessary, can help you restore your business-critical information. Find out more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of top information security companies to deliver centralized management and world-class security for all your inbound and outbound email. The hybrid architecture of Progent's Email Guard combines cloud-based filtering with a local gateway device to provide complete defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter serves as a first line of defense and blocks the vast majority of threats before they reach your security perimeter. This reduces your exposure to external threats and conserves bandwidth and storage. Email Guard's onsite gateway appliance provides a further layer of inspection for incoming email. For outbound email, the onsite gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Microsoft Exchange Server monitor and safeguard internal email traffic that stays within your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to diagram, monitor, enhance and troubleshoot their networking appliances such as routers and switches, firewalls, and wireless controllers plus servers, printers, endpoints and other networked devices. Incorporating state-of-the-art RMM technology, WAN Watch ensures that network diagrams are kept current, captures and manages the configuration of almost all devices connected to your network, tracks performance, and generates notices when potential issues are detected. By automating time-consuming management and troubleshooting activities, WAN Watch can knock hours off common chores like making network diagrams, expanding your network, finding devices that require critical software patches, or isolating performance problems. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system operating efficiently by checking the state of critical assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your specified IT staff and your assigned Progent consultant so that all looming problems can be addressed before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual host set up and maintained by Progent's network support professionals. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the applications. Since the system is virtualized, it can be moved easily to a different hardware environment without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and protect data related to your network infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By updating and managing your IT infrastructure documentation, you can save as much as half the time spent trying to find vital information about your IT network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT information. Whether you're planning enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.
For New Haven 24/7/365 Crypto-Ransomware Recovery Consultants, call Progent at 800-993-9400 or go to Contact Progent.