Crypto-Ransomware : Your Worst Information Technology Nightmare
Ransomware has become a modern cyberplague that represents an existential threat for businesses of all sizes vulnerable to an attack. Different iterations of crypto-ransomware such as CryptoLocker, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for years and continue to cause havoc. More recent strains of ransomware such as Ryuk and Hermes, plus daily as yet unnamed malware, not only encrypt on-line information but also infect any accessible system protection mechanisms. Information synched to the cloud can also be corrupted. In a poorly architected system, this can render any recovery impossible and basically sets the entire system back to square one.
Getting programs and data back after a crypto-ransomware outage becomes a sprint against the clock as the targeted business fights to contain the damage, clear the crypto-ransomware, and restore enterprise-critical operations. Because ransomware needs time to spread, attacks are usually launched on weekends and at night, when they may take longer to uncover. This multiplies the difficulty of rapidly marshalling and orchestrating a capable response team.
Progent makes available a range of services for protecting enterprises from ransomware events. Among these are user training to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of next-generation security appliances with artificial intelligence technology to intelligently identify and disable day-zero cyber attacks. Progent in addition can provide the services of experienced ransomware recovery engineers with the talent and perseverance to re-deploy a compromised network as rapidly as possible.
Progent's Ransomware Recovery Help
After a ransomware penetration, paying the ransom in cryptocurrency does not guarantee that the criminal gang will respond with the keys to decrypt any of your files. Kaspersky determined that 17% of ransomware victims never restored their files even after paying the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET averages at around $13,000. The other path is to re-install the vital elements of your IT environment. Without complete data backups, this requires a wide complement of IT skills, top-notch project management, and the capability to work 24x7 until the job is complete.
For decades, Progent has offered professional Information Technology services for businesses in Saddle Brook and throughout the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have earned advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have earned internationally recognized industry certifications including CISA, CISSP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise with accounting and ERP software solutions. This breadth of expertise gives Progent the skills to efficiently identify the critical systems, reintegrate the remaining parts of your IT environment after a crypto-ransomware event, and rebuild them into a functioning system.
Progent's recovery team of experts has state-of-the-art project management tools to orchestrate the complex recovery process. Progent understands the importance of working quickly and in concert with a customer's management and Information Technology resources to assign priority to tasks and to put the most important services back on-line as fast as possible.
Business Case Study: A Successful Ransomware Incident Response
A business contacted Progent after their network system was brought down by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state sponsored hackers, suspected of using approaches leaked from the U.S. NSA organization. Ryuk goes after specific businesses with little ability to sustain disruption and is one of the most lucrative incarnations of crypto-ransomware. Major targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing business located in Chicago and has around 500 staff members. The Ryuk event had disabled all essential operations and manufacturing capabilities. The majority of the client's system backups had been online at the start of the attack and were destroyed. The client was evaluating paying the ransom (exceeding two hundred thousand dollars) and praying for the best, but ultimately reached out to Progent.
"I cannot speak enough about the care Progent provided us throughout the most stressful period of (our) company's life. We may have had to pay the cyber criminals except for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail system and key applications back sooner than seven days was incredible. Each expert I interacted with or e-mailed at Progent was hell bent on getting my company operational and was working all day and night to bail us out."
Progent worked hand in hand with the client to quickly assess and prioritize the essential systems that had to be recovered so that departmental functions could continue:
- Microsoft Active Directory
- Microsoft Exchange Email
- Accounting and Manufacturing Software
To start, Progent followed ransomware incident mitigation best practices by halting the spread and performing malware removal. Progent then began recovering Active Directory, the core of enterprise systems built on Microsoft Windows technology. Microsoft Exchange email will not operate without AD, and the business's accounting and MRP system used Microsoft SQL Server, which depends on Windows AD for authorization to the databases.
Within two days, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then completed setup and storage recovery on key applications. All Exchange Server schema and configuration information was usable, which facilitated the rebuild of Exchange. Progent was able to collect non-encrypted OST files (Outlook Off-Line Data Files) from team PCs and laptops to recover mail messages. A recent offline backup of the customer's accounting/MRP systems made it possible to bring these required applications back on-line. Although a lot of work remained to recover completely from the Ryuk damage, core services were restored quickly:
"For the most part, the production line operation ran fairly normal throughout and we produced all customer shipments."
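The recovery described above depended on telling which workstation OST files the ransomware had left intact. As an added example (not Progent's tooling and not part of the original case study), the following Python script triages candidate OST/PST files: a file whose first four bytes are the MS-PST header magic "!BDN" is treated as intact, a file without that header whose leading 4 KB has near-maximal byte entropy is treated as encrypted, and anything else is flagged for manual review. The sample files, their names and the 7.5 bits/byte threshold are constructed for the demonstration; real recovery would point `triage_directory` at copied user profile directories.

```python
"""Triage Outlook OST/PST files collected from workstations after a ransomware event.

Added example, not Progent's code. Two signals are used:
  1. the MS-PST header magic: an intact OST/PST starts with the bytes "!BDN";
  2. Shannon entropy of the leading sample: ciphertext approaches 8 bits/byte,
     while a mailbox header and its zero padding are far lower.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

PST_MAGIC = b"!BDN"      # dwMagic from the MS-PST file format specification
SAMPLE_BYTES = 4096      # how much of each file is examined
HIGH_ENTROPY = 7.5       # assumed threshold (bits/byte) for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte in the given sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_mailfile(path) -> str:
    """Return 'intact', 'encrypted' or 'unknown' for one candidate file."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if head.startswith(PST_MAGIC):
        return "intact"
    if shannon_entropy(head) >= HIGH_ENTROPY:
        return "encrypted"
    return "unknown"          # truncated, renamed non-mail file, etc.: review by hand


def triage_directory(root, suffixes=(".ost", ".pst")) -> dict:
    """Walk root and return {path: verdict} for every file carrying an OST/PST
    suffix anywhere in its name (ransomware commonly appends its own extension,
    e.g. mail.ost.locked, so every suffix component is checked)."""
    results = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and any(s.lower() in suffixes for s in p.suffixes):
            results[str(p)] = classify_mailfile(p)
    return results


def build_demo_dir(root) -> Path:
    """Create a constructed sample tree: one intact OST, one OST overwritten with
    random bytes and renamed, and one plain-text file with a .pst suffix."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    (root / "intact.ost").write_bytes(PST_MAGIC + b"\x00" * 512 + b"constructed mailbox content")
    (root / "ransomed.ost.locked").write_bytes(os.urandom(SAMPLE_BYTES))
    (root / "notes.pst").write_bytes(b"not really a mailbox file\n" * 40)
    return root


def run_demo() -> dict:
    """Build the sample tree in a temp dir and return {file name: verdict}."""
    demo = build_demo_dir(Path(tempfile.mkdtemp()) / "users")
    return {Path(p).name: v for p, v in triage_directory(demo).items()}


if __name__ == "__main__":
    for name, verdict in sorted(run_demo().items()):
        print(f"{verdict:10} {name}")
```

The header check alone is not proof that a file is usable, since some ransomware encrypts only part of each file; it does, however, separate the files worth feeding to an Outlook import from those that are certainly lost, which is the triage the recovery team needed.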
During the following month critical milestones in the restoration project were accomplished in close cooperation between Progent consultants and the customer:
- Self-hosted web applications were brought back up without losing any information.
- The MailStore Microsoft Exchange Server exceeding 4 million archived messages was brought online and available for users.
- CRM/Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory Control capabilities were 100% functional.
- A new Palo Alto Networks 850 security appliance was brought on-line.
- Most of the user PCs were back into operation.
"A lot of what went on those first few days is mostly a fog for me, but my management will not forget the dedication each and every one of your team accomplished to give us our company back. I've been working with Progent for the past ten years, maybe more, and every time Progent has impressed me and delivered as promised. This event was a stunning achievement."
A potential business-killing disaster was avoided by results-oriented experts, a broad array of knowledge, and close teamwork. Although, in hindsight, the ransomware attack detailed here could have been stopped with advanced cyber security solutions and best practices, team education, and well-designed procedures for data backup and software patching, the fact is that government-sponsored hackers from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware attack, be confident that Progent's roster of experts has proven experience in ransomware blocking, cleanup, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were involved), I'm grateful for letting me get rested after we got past the most critical parts. Everyone did an amazing effort, and if anyone that helped is in the Chicago area, dinner is my treat!"
To review or download a PDF version of this customer case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Saddle Brook a range of online monitoring and security assessment services designed to help you to reduce your vulnerability to crypto-ransomware. These services include next-generation AI capability to detect new strains of ransomware that are able to get past traditional signature-based anti-virus products.
For 24x7x365 Saddle Brook Ransomware Remediation Services, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes cutting edge behavior analysis technology to guard physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which routinely evade legacy signature-matching anti-virus products. ProSight ASM safeguards local and cloud-based resources and provides a single platform to address the complete malware attack progression including protection, infiltration detection, mitigation, remediation, and post-attack forensics. Key capabilities include single-click rollback with Windows VSS and automatic network-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Filtering
ProSight Enhanced Security Protection managed services offer affordable in-depth security for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge tools packaged within one agent managed from a single control. Progent's data protection and virtualization experts can assist your business to design and implement a ProSight ESP deployment that meets your organization's specific requirements and that helps you prove compliance with government and industry data security standards. Progent will help you specify and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that call for urgent action. Progent can also help you to set up and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services provide small and mid-sized businesses a low-cost and fully managed solution for secure backup/disaster recovery (BDR). For a low monthly price, ProSight DPS automates your backup activities and allows rapid recovery of vital data, apps and virtual machines that have become unavailable or corrupted as a result of component breakdowns, software bugs, disasters, human error, or malicious attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware images. Critical data can be protected in the cloud, on a local storage device, or mirrored to both. Progent's backup and recovery consultants can deliver world-class support to configure ProSight DPS to comply with regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can assist you to restore your business-critical information. Find out more about ProSight DPS Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top data security vendors to provide centralized control and world-class security for all your email traffic. The hybrid architecture of Email Guard managed service combines cloud-based filtering with an on-premises gateway appliance to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-based malware. The cloud filter serves as a first line of defense and blocks most threats from making it to your security perimeter. This reduces your exposure to external threats and saves system bandwidth and storage. Email Guard's on-premises security gateway appliance adds a further level of analysis for incoming email. For outgoing email, the local gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The onsite security gateway can also help Exchange Server to track and safeguard internal email that originates and ends inside your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to diagram, track, optimize and troubleshoot their networking appliances such as routers, firewalls, and load balancers as well as servers, printers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network maps are kept updated, copies and manages the configuration information of almost all devices connected to your network, monitors performance, and sends alerts when issues are detected. By automating time-consuming network management processes, WAN Watch can knock hours off ordinary chores such as network mapping, expanding your network, locating devices that need important software patches, or resolving performance issues. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system running efficiently by checking the state of critical computers that power your information system. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your specified IT management personnel and your Progent engineering consultant so any looming problems can be addressed before they can disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure Tier III data center on a fast virtual machine host configured and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be moved immediately to an alternate hosting solution without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and protect data related to your network infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates, domains or warranties. By updating and managing your network documentation, you can save as much as half the time spent looking for vital information about your network. ProSight IT Asset Management features a common location for storing and sharing all documents required for managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're planning improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.