Ransomware : Your Worst Information Technology Disaster
Ransomware has become a modern cyber pandemic that presents an enterprise-level threat to businesses poorly prepared for an attack. Ransomware families such as the CrySIS, WannaCry, Locky, Syskey and MongoLock cryptoworms have been spreading for many years and still inflict damage. Newer crypto-ransomware strains such as Ryuk and Hermes, along with a steady stream of as-yet-unnamed variants, not only encrypt online data but also seek out and encrypt any reachable system backups. Data synchronized to the cloud can be rendered useless as well. In a poorly architected data protection solution, this defeats automated recovery and effectively sets the entire environment back to zero.
Recovering services and data after a ransomware outage becomes a race against time as the victim fights to contain the spread, remove the malware, and restore business-critical operations. Because ransomware needs time to propagate, attacks are usually launched at night or on weekends, when a successful intrusion is likely to go undetected for longer. This compounds the difficulty of rapidly assembling and coordinating a knowledgeable mitigation team.
Progent offers a variety of services for protecting businesses from crypto-ransomware attacks. These include team training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of current-generation security appliances with machine learning capabilities that detect and quarantine zero-day attacks. Progent can also provide experienced ransomware recovery professionals with the skills and perseverance to rebuild a compromised environment as quickly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware attack, paying the ransom in cryptocurrency provides no assurance that the criminals will respond with the keys to decrypt all your files. Kaspersky Labs found that 17% of ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the average ransomware demand, which ZDNet estimates at approximately $13,000. The alternative is to piece back together the essential elements of your Information Technology environment. Without access to complete backups, this requires a wide range of skill sets, top-notch team management, and the ability to work 24x7 until the recovery project is done.
For twenty years, Progent has provided professional Information Technology services to companies in Jacksonville and across the US and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who hold top certifications in leading technologies such as Microsoft, Cisco, VMware, and major Linux distributions. Progent's security specialists hold internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC (refer to Progent's certifications). Progent also has expertise with accounting and ERP application software. This breadth of experience gives Progent the skills to rapidly identify critical systems, consolidate the surviving pieces of your IT environment after a ransomware event, and assemble them into a functioning system.
Progent's ransomware team uses best-of-breed project management tools to coordinate the complex recovery process. Progent understands the importance of working quickly and in unison with a customer's management and Information Technology staff to prioritize tasks and bring key systems back online as fast as humanly possible.
Business Case Study: A Successful Ransomware Intrusion Recovery
A business sought out Progent after its network was brought down by the Ryuk crypto-ransomware. Ryuk is generally considered to have been developed by North Korean state hackers, suspected of using techniques leaked from America's NSA. Ryuk targets specific businesses with little tolerance for disruption and is one of the most lucrative strains of ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing business located in Chicago with about 500 employees. The Ryuk intrusion had halted all company operations and manufacturing. Most of the client's backups were online at the time of the attack and were eventually encrypted. The client was arranging financing to pay the ransom demand (more than $200,000) and hoping for the best, but ultimately brought in Progent.
"I can't tell you enough in regards to the support Progent provided us during the most stressful time of (our) company's life. We would have paid the criminal gangs if not for the confidence the Progent group gave us. The fact that you could get our e-mail and important applications back into operation sooner than one week was beyond my wildest dreams. Each expert I interacted with or messaged at Progent was absolutely committed on getting us back on-line and was working 24 by 7 to bail us out."
Progent worked with the client to quickly identify and prioritize the most important applications that had to be recovered in order to keep departmental functions running:
- Active Directory (AD)
- Microsoft Exchange
To begin, Progent followed anti-virus/malware incident mitigation best practices by halting the spread and cleaning infected systems. Progent then began rebuilding Windows Active Directory, the core of enterprise networks built on Microsoft technology. Exchange email will not operate without AD, and the customer's financials and MRP system relied on Microsoft SQL Server, which in turn depends on Active Directory to authenticate access to the data.
Within two days, Progent restored Active Directory services to their pre-attack state. Progent then pressed ahead with rebuilding and hard drive recovery on critical systems. All Exchange data and configuration information were usable, which accelerated the Exchange restore. Progent was also able to locate local OST files (Outlook Off-Line Data Files) on various desktop computers to recover mail messages. A recent off-line backup of the business's accounting/MRP software allowed these essential applications to be made available to users again. Although a lot of work remained to recover fully from the Ryuk event, the most important systems were restored quickly:
"For the most part, the assembly line operation showed little impact and we delivered all customer sales."
Over the following couple of weeks, important milestones in the restoration project were achieved through close cooperation between Progent engineers and the customer:
- Self-hosted web sites were brought back up without losing any data.
- The MailStore Server, holding more than four million historical emails, was brought online and made accessible to users.
- CRM/Orders/Invoices/Accounts Payable/AR/Inventory Control modules were 100% operational.
- A new Palo Alto Networks 850 security appliance was deployed.
- Nearly all of the user workstations were functioning as before the incident.
"A huge amount of what went on that first week is nearly entirely a blur for me, but my team will not soon forget the care all of your team accomplished to help get our business back. I have entrusted Progent for at least 10 years, possibly more, and every time Progent has impressed me and delivered. This time was the most impressive ever."
A potential business-ending disaster was averted by dedicated professionals, a broad range of subject matter expertise, and tight collaboration. Although in retrospect the crypto-ransomware intrusion described here could have been stopped with current security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team education, and appropriate incident response procedures for data backup and keeping systems current with security patches, the fact remains that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and are not going away. If you do fall victim to a ransomware incident, remember that Progent's roster of professionals has a proven track record in crypto-ransomware blocking, mitigation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thanks very much for letting me get some sleep after we made it through the first week. All of you did an amazing job, and if anyone is around the Chicago area, dinner is my treat!"
To read or download a PDF version of this case study, see Progent's Ryuk Virus Recovery Case Study Datasheet (PDF - 282 KB).
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Jacksonville a range of online monitoring and security evaluation services to help reduce the threat from ransomware. These services incorporate modern artificial intelligence capabilities to detect zero-day strains of ransomware that are able to get past legacy signature-based security solutions.
For Jacksonville 24/7/365 CryptoLocker Repair Services, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates next generation behavior-based machine learning technology to guard physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which easily escape legacy signature-based anti-virus tools. ProSight ASM protects on-premises and cloud resources and provides a single platform to automate the entire threat lifecycle including filtering, detection, mitigation, cleanup, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable in-depth protection for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and reacting to cyber threats from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, device control, and web filtering via cutting-edge technologies incorporated within a single agent accessible from a unified console. Progent's security and virtualization consultants can assist you to design and implement a ProSight ESP deployment that meets your organization's unique requirements and that helps you achieve and demonstrate compliance with legal and industry data security standards. Progent will assist you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that require immediate attention. Progent can also help your company to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business quickly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services provide small and medium-sized organizations a low-cost end-to-end solution for secure backup and disaster recovery. Available at a fixed monthly price, ProSight Data Protection Services automates and monitors your backup activities and allows rapid recovery of critical data, apps and VMs that have become unavailable or corrupted as a result of component failures, software bugs, disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to a local storage device, or mirrored to both. Progent's backup and recovery specialists can provide advanced expertise to configure ProSight Data Protection Services to comply with government and industry regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can assist you to restore your critical data. Learn more about ProSight DPS Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top data security companies to deliver centralized control and comprehensive protection for your email traffic. The architecture of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises gateway appliance to provide advanced defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-based threats. The cloud filter acts as a preliminary barricade and keeps the vast majority of threats from reaching your security perimeter. This reduces your exposure to external threats and saves network bandwidth and storage space. Email Guard's onsite security gateway appliance provides a further level of analysis for inbound email. For outbound email, the onsite security gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite gateway can also help Microsoft Exchange Server monitor and safeguard internal email that originates and terminates within your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized organizations to map out, monitor, reconfigure and troubleshoot their networking appliances like routers, firewalls, and access points plus servers, printers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that network maps are kept updated, copies and manages the configuration of almost all devices connected to your network, tracks performance, and generates notices when potential issues are detected. By automating complex management and troubleshooting processes, ProSight WAN Watch can cut hours off common chores such as making network diagrams, expanding your network, locating devices that require important software patches, or identifying the cause of performance problems. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system operating efficiently by tracking the health of vital computers that power your business network. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your specified IT personnel and your Progent consultant so that all looming issues can be resolved before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a protected Tier III data center on a fast virtual host configured and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the applications. Since the environment is virtualized, it can be moved easily to an alternate hardware environment without requiring a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that allows you to create, update, find and protect data related to your network infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or warranties. By updating and organizing your IT documentation, you can eliminate up to half of the time wasted searching for critical information about your network. ProSight IT Asset Management includes a common location for holding and sharing all documents required for managing your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're making enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you require when you need it. Find out more about Progent's ProSight IT Asset Management service.