Ransomware : Your Crippling Information Technology Nightmare
Ransomware  Recovery ProfessionalsCrypto-Ransomware has become an escalating cyber pandemic that poses an extinction-level danger for organizations unprepared for an attack. Different versions of crypto-ransomware like the CrySIS, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for many years and still inflict harm. Recent strains of crypto-ransomware such as Ryuk and Hermes, along with frequent unnamed viruses, not only encrypt on-line critical data but also infect most available system backups. Files replicated to the cloud can also be rendered useless. In a poorly architected environment, this can make any recovery useless and basically knocks the datacenter back to square one.

Restoring applications and data following a crypto-ransomware intrusion becomes a sprint against time as the victim fights to stop lateral movement and cleanup the virus and to restore enterprise-critical activity. Because ransomware takes time to replicate, assaults are usually sprung on weekends and holidays, when penetrations in many cases take more time to recognize. This multiplies the difficulty of rapidly assembling and coordinating a knowledgeable response team.

Progent has a variety of help services for protecting businesses from ransomware events. These include team education to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of the latest generation security solutions with AI capabilities to quickly identify and suppress day-zero threats. Progent also can provide the services of expert ransomware recovery engineers with the talent and commitment to rebuild a compromised environment as quickly as possible.

Progent's Ransomware Restoration Services
Soon after a ransomware attack, even paying the ransom demands in cryptocurrency does not provide any assurance that criminal gangs will provide the keys to decipher any of your data. Kaspersky ascertained that seventeen percent of ransomware victims never restored their information after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the typical ransomware demands, which ZDNET averages to be in the range of $13,000. The alternative is to setup from scratch the mission-critical components of your Information Technology environment. Without the availability of full system backups, this requires a wide complement of IT skills, well-coordinated project management, and the willingness to work non-stop until the recovery project is completed.

For twenty years, Progent has offered certified expert IT services for companies in Waltham and across the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have attained high-level certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have earned internationally-recognized certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of experience gives Progent the ability to knowledgably ascertain critical systems and organize the remaining parts of your Information Technology system following a ransomware attack and rebuild them into a functioning system.

Progent's security team of experts has top notch project management tools to coordinate the complicated recovery process. Progent knows the urgency of acting swiftly and in concert with a customerís management and Information Technology team members to prioritize tasks and to get the most important services back on line as fast as possible.

Client Story: A Successful Ransomware Incident Recovery
A customer engaged Progent after their company was brought down by Ryuk ransomware. Ryuk is generally considered to have been created by Northern Korean government sponsored criminal gangs, possibly using techniques exposed from the U.S. NSA organization. Ryuk goes after specific organizations with little or no tolerance for disruption and is one of the most lucrative iterations of ransomware viruses. Major organizations include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in the Chicago metro area and has about 500 workers. The Ryuk event had frozen all business operations and manufacturing capabilities. The majority of the client's data backups had been on-line at the beginning of the intrusion and were destroyed. The client was evaluating paying the ransom (exceeding $200K) and wishfully thinking for the best, but ultimately called Progent.


"I cannot speak enough about the expertise Progent gave us throughout the most stressful time of (our) businesses survival. We had little choice but to pay the cyber criminals if it wasnít for the confidence the Progent experts provided us. The fact that you were able to get our messaging and essential applications back into operation in less than five days was something I thought impossible. Each staff member I got help from or e-mailed at Progent was absolutely committed on getting us restored and was working non-stop on our behalf."

Progent worked hand in hand the customer to rapidly identify and prioritize the critical systems that had to be addressed in order to resume business operations:

  • Active Directory
  • Microsoft Exchange Email
  • Accounting/MRP
To get going, Progent followed Anti-virus penetration mitigation industry best practices by halting lateral movement and performing virus removal steps. Progent then initiated the steps of recovering Microsoft Active Directory, the foundation of enterprise systems built upon Microsoft Windows technology. Exchange email will not function without Active Directory, and the client's MRP software leveraged SQL Server, which requires Active Directory services for access to the databases.

Within 2 days, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then helped perform setup and hard drive recovery of mission critical servers. All Exchange schema and attributes were usable, which facilitated the restore of Exchange. Progent was able to assemble local OST files (Microsoft Outlook Offline Folder Files) on user PCs in order to recover email data. A recent offline backup of the client's manufacturing systems made them able to return these essential applications back servicing users. Although significant work remained to recover completely from the Ryuk virus, critical services were restored quickly:


"For the most part, the production manufacturing operation never missed a beat and we did not miss any customer sales."

Over the next couple of weeks important milestones in the restoration process were completed in tight cooperation between Progent engineers and the customer:

  • In-house web applications were returned to operation without losing any data.
  • The MailStore Server with over 4 million historical emails was restored to operations and available for users.
  • CRM/Customer Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory modules were 100 percent operational.
  • A new Palo Alto 850 security appliance was deployed.
  • Nearly all of the user workstations were being used by staff.

"A lot of what was accomplished in the initial days is mostly a fog for me, but my management will not forget the urgency all of the team put in to help get our company back. Iíve been working with Progent for the past 10 years, maybe more, and every time Progent has come through and delivered. This situation was a testament to your capabilities."

Conclusion
A probable enterprise-killing catastrophe was dodged through the efforts of hard-working professionals, a wide spectrum of technical expertise, and tight teamwork. Although in retrospect the ransomware virus attack described here should have been disabled with current cyber security solutions and security best practices, team training, and well designed security procedures for backup and applying software patches, the fact remains that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by a ransomware attack, remember that Progent's roster of experts has substantial experience in ransomware virus blocking, cleanup, and information systems restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thanks very much for allowing me to get some sleep after we got through the initial fire. All of you did an incredible effort, and if any of your guys is around the Chicago area, dinner is on me!"

To review or download a PDF version of this case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Waltham a range of online monitoring and security assessment services to help you to minimize your vulnerability to ransomware. These services utilize next-generation machine learning capability to detect zero-day variants of ransomware that are able to escape detection by traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates next generation behavior-based machine learning tools to guard physical and virtual endpoint devices against new malware assaults like ransomware and email phishing, which easily escape legacy signature-based anti-virus tools. ProSight ASM safeguards local and cloud resources and provides a single platform to manage the complete malware attack progression including protection, infiltration detection, containment, remediation, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services offer economical in-depth protection for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and responding to security assaults from all vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint management, and web filtering through leading-edge tools packaged within a single agent accessible from a unified control. Progent's data protection and virtualization experts can assist your business to design and implement a ProSight ESP deployment that meets your company's specific needs and that allows you demonstrate compliance with government and industry information protection regulations. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for urgent attention. Progent can also assist your company to install and test a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business quickly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and medium-sized businesses a low cost end-to-end service for reliable backup/disaster recovery. For a fixed monthly cost, ProSight DPS automates your backup activities and enables fast recovery of vital data, apps and virtual machines that have become lost or damaged as a result of hardware failures, software glitches, disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to an on-promises device, or mirrored to both. Progent's cloud backup consultants can deliver world-class expertise to configure ProSight Data Protection Services to be compliant with government and industry regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, when needed, can assist you to restore your critical data. Learn more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top information security companies to provide centralized management and comprehensive security for your email traffic. The powerful architecture of Email Guard combines cloud-based filtering with a local security gateway device to offer advanced defense against spam, viruses, Dos Attacks, DHAs, and other email-based malware. The cloud filter serves as a preliminary barricade and blocks the vast majority of unwanted email from reaching your security perimeter. This decreases your exposure to external attacks and conserves system bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a further level of inspection for incoming email. For outbound email, the on-premises security gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also assist Exchange Server to track and safeguard internal email traffic that stays within your security perimeter. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller businesses to diagram, monitor, reconfigure and troubleshoot their connectivity hardware such as routers, firewalls, and load balancers as well as servers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that network diagrams are always current, captures and displays the configuration of almost all devices on your network, monitors performance, and sends notices when issues are discovered. By automating complex management and troubleshooting processes, ProSight WAN Watch can knock hours off common tasks like making network diagrams, reconfiguring your network, finding devices that need critical updates, or resolving performance problems. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring service that uses advanced remote monitoring and management (RMM) technology to help keep your IT system running at peak levels by checking the state of vital computers that drive your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your specified IT management personnel and your Progent consultant so all potential problems can be resolved before they can impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected fault tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support experts. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the applications. Because the system is virtualized, it can be ported immediately to a different hardware environment without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and protect data about your IT infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSLs ,domains or warranties. By updating and managing your IT infrastructure documentation, you can save up to 50% of time spent searching for critical information about your IT network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents required for managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether youíre planning improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you need as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
For 24/7 Waltham Crypto-Ransomware Remediation Services, reach out to Progent at 800-993-9400 or go to Contact Progent.