Ransomware : Your Feared IT Catastrophe
Ransomware Recovery Professionals

Crypto-ransomware has become a too-frequent cyberplague that presents an extinction-level threat for businesses of all sizes that are unprepared for an attack. Earlier iterations of ransomware such as the Reveton, Fusob, Locky, SamSam and MongoLock cryptoworms have been running rampant for a long time and still inflict destruction. Modern strains like Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit or Nephilim, plus frequent as yet unnamed newcomers, not only encrypt online data files but also infiltrate every accessible system protection mechanism. Information synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly designed environment, this can make any recovery impossible and effectively set the network back to square one.

Recovering services and information following a crypto-ransomware intrusion becomes a sprint against the clock as the victim tries its best to stop the spread, eradicate the ransomware, and restore enterprise-critical operations. Because ransomware takes time to spread, attacks are often sprung on weekends, when a successful intrusion is likely to take longer to recognize. This multiplies the difficulty of promptly assembling and coordinating a qualified response team.

Progent has an assortment of help services for protecting organizations from ransomware attacks. These include staff education to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of the latest generation security appliances with machine learning capabilities to quickly detect and extinguish new threats. Progent in addition can provide the services of veteran ransomware recovery consultants with the track record and perseverance to restore a compromised environment as urgently as possible.

Progent's Crypto-Ransomware Recovery Support Services
After a crypto-ransomware event, paying the ransom demand in Bitcoin cryptocurrency does not provide any assurance that the cyber criminals will respond with the keys to decrypt any or all of your data. Kaspersky Labs estimated that seventeen percent of ransomware victims never restored their information even after having paid the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the typical crypto-ransomware demand, which ZDNET estimates to be around $13,000. The fallback is to re-install the vital components of your IT environment. Without complete system backups, this requires a broad range of skill sets, top notch project management, and the ability to work non-stop until the task is done.

For two decades, Progent has offered professional Information Technology services for businesses in Montreal and across the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have earned advanced certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally-recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC (see Progent's certifications). Progent also has expertise with accounting and ERP application software. This breadth of experience gives Progent the capability to quickly identify the essential systems, consolidate the surviving pieces of your computer network after a crypto-ransomware event, and assemble them into a functioning network.

Progent's recovery team of experts deploys state-of-the-art project management applications to coordinate the sophisticated restoration process. Progent understands the importance of working quickly and in concert with a customer's management and IT resources to assign priority to tasks and to put the most important systems back on line as fast as possible.

Case Study: A Successful Ransomware Attack Recovery
A small business engaged Progent after their network was penetrated by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean government-sponsored cybercriminals, suspected of adopting algorithms leaked from America's NSA. Ryuk targets specific businesses with little or no tolerance for operational disruption and is one of the most profitable versions of ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business located in the Chicago metro area with about 500 staff members. The Ryuk intrusion had brought down all business operations and manufacturing processes. Most of the client's backups had been online at the start of the attack and were destroyed. The client considered paying the ransom demand (exceeding two hundred thousand dollars) and hoping for good luck, but in the end engaged Progent.

"I can't speak enough about the help Progent provided us during the most critical period of (our) business's survival. We would have paid the criminal gangs except for the confidence the Progent team afforded us. The fact that you were able to get our messaging and production servers back online quicker than seven days was beyond my wildest dreams. Each expert I got help from or messaged at Progent was amazingly focused on getting us back online and was working 24 by 7 to bail us out."

Progent worked with the client to quickly understand and prioritize the critical areas that needed to be addressed in order to continue company functions:

  • Microsoft Active Directory
  • Electronic Mail
  • MRP System
To start, Progent followed ransomware incident response best practices by stopping lateral movement and clearing infected systems. Progent then began the process of recovering Microsoft Active Directory, the key technology of enterprise systems built upon Microsoft Windows Server. Microsoft Exchange messaging will not function without Active Directory, and the customer's MRP applications used Microsoft SQL Server, which relies on Windows AD for authentication and authorization to the database.

In less than 2 days, Progent was able to re-build Windows Active Directory to its pre-attack state. Progent then helped perform reinstallations and hard drive recovery on critical applications. All Exchange data and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was also able to collect local OST files (Outlook Offline Folder Files) from user workstations and laptops to recover email messages. A fairly recent offline backup of the client's accounting/MRP software allowed these vital services to be brought back online for users. Although a lot of work remained to recover fully from the Ryuk damage, essential services were restored quickly:


"For the most part, the manufacturing operation never missed a beat and we made all customer orders."

During the following couple of weeks critical milestones in the restoration project were made through tight cooperation between Progent team members and the customer:

  • Self-hosted web applications were returned to operation with no loss of data.
  • The MailStore Exchange archive server, holding more than 4 million historical messages, was spun up and available for users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory Control capabilities were 100 percent functional.
  • A new Palo Alto 850 security appliance was installed and configured.
  • 90% of the desktops and laptops were functioning as before the incident.

"A huge amount of what went on in the initial days is nearly entirely a haze for me, but my management will not forget the urgency all of the team put in to help get our company back. I have entrusted Progent for at least 10 years, maybe more, and every time Progent has come through and delivered as promised. This event was a life saver."

Conclusion
A probable business-ending catastrophe was dodged due to results-oriented professionals, a broad spectrum of IT skills, and tight collaboration. In hindsight, the ransomware penetration described here should have been identified and prevented by up-to-date cyber security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator education, and properly executed procedures for data protection and software patching. The fact remains, however, that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by crypto-ransomware, feel confident that Progent's team of experts has substantial experience in ransomware defense, mitigation, and data restoration.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were helping), thanks very much for making it so I could get rested after we made it over the initial fire. All of you did a fabulous job, and if any of you guys are in the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer case study, see Progent's Ransomware Incident Recovery Case Study Datasheet (PDF - 282 KB).

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Montreal a range of online monitoring and security assessment services designed to help you to minimize your vulnerability to ransomware. These services incorporate next-generation machine learning technology to uncover new variants of ransomware that can get past traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates cutting edge behavior analysis tools to guard physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which routinely get by legacy signature-based AV products. ProSight Active Security Monitoring protects local and cloud resources and offers a single platform to manage the entire malware attack lifecycle including filtering, identification, containment, remediation, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer economical multi-layer protection for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced machine learning to continuously monitor and respond to security assaults from all attack vectors. ProSight ESP offers firewall protection, penetration alerts, endpoint management, and web filtering through leading-edge technologies packaged within a single agent managed from a single console. Progent's security and virtualization experts can help your business design and implement a ProSight ESP deployment that addresses your company's specific needs and that helps you achieve and demonstrate compliance with legal and industry information protection standards. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that require immediate action. Progent can also help your company install and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business rapidly after a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and mid-sized organizations an affordable and fully managed solution for secure backup and disaster recovery. Available at a low monthly cost, ProSight DPS automates and monitors your backup activities and allows fast restoration of critical data, apps and virtual machines that have become unavailable or corrupted due to hardware failures, software bugs, disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to an on-premises storage device, or to both. Progent's BDR consultants can provide advanced expertise to configure ProSight DPS to be compliant with government and industry regulatory standards like HIPAA, FINRA, and PCI and, when needed, can assist you to restore your critical data. Read more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading data security companies to provide centralized management and world-class protection for your email traffic. The powerful structure of Email Guard managed service integrates a Cloud Protection Layer with a local gateway appliance to offer complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks the vast majority of threats from making it to your network firewall. This reduces your exposure to external attacks and conserves network bandwidth and storage space. Email Guard's onsite security gateway appliance provides a deeper level of inspection for inbound email. For outbound email, the on-premises gateway provides AV and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also help Exchange Server to monitor and protect internal email that originates and ends inside your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to map out, monitor, reconfigure and troubleshoot their networking appliances such as routers, firewalls, and load balancers as well as servers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept updated, copies and displays the configuration information of virtually all devices on your network, tracks performance, and generates alerts when issues are discovered. By automating complex management activities, WAN Watch can cut hours off common chores such as making network diagrams, expanding your network, locating devices that need important software patches, or identifying the cause of performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your network operating at peak levels by tracking the state of critical computers that power your business network. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT management personnel and your Progent engineering consultant so all potential issues can be addressed before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual machine host configured and managed by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the applications. Since the system is virtualized, it can be moved immediately to an alternate hosting solution without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and safeguard data related to your network infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or domains. By updating and organizing your IT infrastructure documentation, you can eliminate as much as 50% of time wasted looking for vital information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents required for managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're planning improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

For Montreal 24x7x365 Crypto-Ransomware Remediation Experts, contact Progent at 800-993-9400 or go to Contact Progent.