Ransomware : Your Worst IT Disaster
Crypto-Ransomware Remediation Experts

Ransomware has become a modern cyber pandemic that represents an extinction-level danger for organizations unprepared for an attack. Multiple generations of crypto-ransomware such as CrySIS, Fusob, Locky, Syskey and MongoLock cryptoworms have been around for years and still inflict havoc. The latest versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, plus more as yet unnamed variants, not only encrypt online files but also compromise many of the system protections that have been configured. Data replicated to the cloud can also be rendered useless. In a poorly designed system, this can make any restoration hopeless and effectively knocks the datacenter back to square one.

Getting programs and information back online after a crypto-ransomware intrusion becomes a sprint against time as the targeted business tries its best to contain and eradicate the virus and to restore enterprise-critical operations. Because ransomware takes time to spread, attacks are often sprung on weekends and holidays, when penetrations may take more time to uncover. This compounds the difficulty of rapidly mobilizing and organizing a knowledgeable mitigation team.

Progent provides a variety of help services for securing businesses from ransomware events. Among these are user training to help staff recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and installation of the latest generation of security appliances with artificial intelligence capabilities to automatically detect and quarantine zero-day cyber threats. Progent also provides the assistance of experienced crypto-ransomware recovery engineers with the talent and perseverance to restore a compromised network as soon as possible.

Progent's Crypto-Ransomware Recovery Services
Following a ransomware attack, even paying the ransom in cryptocurrency does not ensure that distant criminals will respond with the keys needed to decrypt all your files. Kaspersky estimated that seventeen percent of ransomware victims never restored their information after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000). This is significantly higher than the typical ransomware demand, which ZDNET estimates to average around $13,000. The alternative is to piece back together the mission-critical components of your Information Technology environment. Absent complete system backups, this calls for a wide range of skills, well-coordinated project management, and the ability to work non-stop until the job is completed.

For decades, Progent has offered certified expert Information Technology services for businesses in Addison and across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have attained top industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have garnered internationally recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience with financial systems and ERP applications. This breadth of experience allows Progent to knowledgeably identify critical systems, consolidate the surviving components of your Information Technology environment following a ransomware penetration, and assemble them into an operational network.

Progent's security team utilizes powerful project management systems to orchestrate the complicated restoration process. Progent understands the urgency of working swiftly and together with a customer's management and IT staff to prioritize tasks and to put the most important systems back online as fast as humanly possible.

Customer Story: A Successful Ransomware Incident Response
A business engaged Progent after their company was brought down by Ryuk ransomware. Ryuk is thought to have been developed by North Korean state-sponsored hackers, suspected of adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific businesses with little ability to sustain disruption and is one of the most lucrative versions of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturer headquartered in the Chicago metro area with around 500 workers. The Ryuk intrusion had frozen all company operations and manufacturing capabilities. The majority of the client's information backups had been online at the start of the attack and were eventually encrypted. The client considered paying the ransom demand (more than $200K) and hoping for good luck, but in the end called Progent.


"I cannot speak enough in regards to the expertise Progent provided us throughout the most fearful time of (our) business's existence. We most likely would have paid the hackers behind this attack except for the confidence the Progent group gave us. The fact that you were able to get our messaging and production servers back online faster than seven days was amazing. Every single person I got help from or texted at Progent was amazingly focused on getting our system up and was working at all hours to bail us out."

Progent worked together with the customer to quickly identify and assign priority to the most important elements that had to be recovered in order to resume departmental functions:

  • Microsoft Active Directory
  • E-Mail
  • Accounting and Manufacturing Software

To get going, Progent adhered to ransomware penetration mitigation best practices by halting the spread and cleaning systems of the virus. Progent then initiated the task of restoring Microsoft AD, the foundation of enterprise environments built upon Microsoft Windows technology. Microsoft Exchange email will not operate without AD, and the business's financials and MRP software used Microsoft SQL Server, which relies on Windows AD to authenticate access to the data.

Within 2 days, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then helped perform reinstallations and hard drive recovery of key applications. All Microsoft Exchange Server ties and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to find local OST data files (Outlook Offline Folder Files) on various desktop computers to recover email data. A recent offline backup of the business's manufacturing software made it possible to bring these essential services back to users. Although significant work remained to recover fully from the Ryuk damage, essential systems were returned to operation quickly:


"For the most part, the manufacturing operation never missed a beat and we produced all customer sales."

During the next couple of weeks, critical milestones in the recovery project were reached through close collaboration between Progent team members and the customer:

  • In-house web applications were restored with no loss of information.
  • The MailStore Server with over 4 million archived emails was brought online and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory modules were fully operational.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • 90% of the user desktops and notebooks were back in use by staff.

"A lot of what transpired in the initial days is nearly entirely a blur for me, but I will not soon forget the care all of the team accomplished to help get our business back. I've utilized Progent for the past 10 years, maybe more, and each time Progent has impressed me and delivered as promised. This event was the most impressive ever."

Conclusion
A possible business catastrophe was avoided through the efforts of dedicated professionals, a broad array of knowledge, and close teamwork. In hindsight, the crypto-ransomware incident described here should have been stopped by modern cyber security technology and NIST Cybersecurity Framework best practices, user and IT administrator training, and well thought out incident response procedures covering information backup and proper patching controls. The fact remains, however, that government-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware attack, remember that Progent's team of experts has extensive experience in ransomware blocking, cleanup, and information systems recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thanks very much for making it so I could get rested after we made it through the first week. Everyone did an amazing effort, and if any of your team is visiting the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Addison a range of online monitoring and security evaluation services designed to help you to minimize your vulnerability to ransomware. These services include modern artificial intelligence technology to detect new strains of crypto-ransomware that are able to evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes cutting-edge behavior-based machine learning tools to defend physical and virtual endpoints against new malware assaults such as ransomware and fileless exploits, which easily bypass traditional signature-based AV products. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a unified platform to address the entire malware attack lifecycle including blocking, identification, containment, cleanup, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver affordable multi-layer protection for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring of and response to cyber threats from all vectors. ProSight ESP offers firewall protection, intrusion alarms, device management, and web filtering through cutting-edge technologies incorporated within one agent accessible from a single console. Progent's security and virtualization consultants can help you plan and configure a ProSight ESP deployment that meets your company's unique requirements and that helps you prove compliance with government and industry data security regulations. Progent will help you define and configure the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require immediate action. Progent's consultants can also assist you to install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations a low-cost and fully managed service for secure backup and disaster recovery. For a fixed monthly price, ProSight DPS automates your backup processes and enables rapid recovery of vital data, applications and VMs that have become unavailable or corrupted due to component failures, software bugs, natural disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on a local storage device, or mirrored to both. Progent's cloud backup consultants can provide world-class support to configure ProSight Data Protection Services to comply with government and industry regulatory standards such as HIPAA, FIRPA, and PCI and, whenever necessary, can help you recover your business-critical information. Find out more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading data security companies to provide centralized control and world-class security for all your inbound and outbound email. The powerful architecture of the Email Guard managed service integrates cloud-based filtering with an on-premises gateway device to offer advanced protection against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based malware. The cloud filter acts as a first line of defense and keeps most unwanted email from reaching your network firewall. This reduces your exposure to inbound threats and conserves system bandwidth and storage. Email Guard's on-premises security gateway appliance adds a further layer of analysis for incoming email. For outgoing email, the on-premises security gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also assist Exchange Server to track and safeguard internal email that stays within your security perimeter. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized businesses to map, track, optimize and debug their connectivity hardware such as switches, firewalls, and wireless controllers as well as servers, printers, endpoints and other devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch ensures that infrastructure topology maps are kept current, copies and displays the configuration information of almost all devices connected to your network, tracks performance, and generates alerts when problems are detected. By automating tedious management activities, ProSight WAN Watch can cut hours off ordinary tasks like making network diagrams, reconfiguring your network, locating devices that require important updates, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management technology to help keep your network operating at peak levels by checking the health of the critical computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your designated IT management staff and your Progent consultant so any potential problems can be addressed before they can disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected fault tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the apps. Because the environment is virtualized, it can be ported easily to an alternate hardware solution without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and protect information related to your network infrastructure, procedures, applications, and services. You can instantly locate passwords or IP addresses and be warned about impending expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT documentation, you can save as much as 50% of the time spent trying to find critical information about your IT network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents required for managing your business network, like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're making enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you require the instant you need it. Find out more about ProSight IT Asset Management service.

For 24x7 Addison Crypto Repair Experts, call Progent at 800-993-9400 or go to Contact Progent.