Ransomware : Your Crippling IT Disaster
Crypto-Ransomware Remediation Professionals
Ransomware has become a modern cyberplague that presents an extinction-level threat for businesses unprepared for an assault. Earlier versions of ransomware such as Reveton, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been in the wild for many years and still inflict havoc. Newer variants like Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Nefilim, along with a daily stream of unnamed malware, not only encrypt online data but also infect many of the system backups that remain reachable. Data replicated to cloud environments can also be ransomed. In a vulnerable environment, this can make automated restore operations hopeless and effectively knocks the entire system back to square one.

Recovering services and data after a ransomware attack becomes a sprint against the clock as the targeted organization struggles to contain the damage, clean up the crypto-ransomware and resume business-critical activity. Because ransomware takes time to spread, attacks are frequently launched at night and on weekends, when a successful intrusion may take longer to identify. This multiplies the difficulty of promptly marshalling and coordinating a qualified response team.

Progent provides an assortment of services for securing organizations from ransomware attacks. Among these are team education to become familiar with and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of modern security gateways with machine learning capabilities to rapidly identify and extinguish zero-day threats. Progent also offers the services of seasoned crypto-ransomware recovery consultants with the talent and perseverance to re-deploy a compromised environment as urgently as possible.

Progent's Ransomware Recovery Support Services
Following a crypto-ransomware attack, paying the ransom in Bitcoin provides no assurance that the criminal gang will hand over the keys to decrypt any or all of your files. Kaspersky Labs determined that seventeen percent of crypto-ransomware victims never recovered their data after sending the ransom, compounding their losses. The gamble is also expensive: Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000), far above the typical ransomware demand, which ZDNET puts at around $13,000. The alternative is to rebuild the essential components of your IT environment. Without complete data backups, this calls for a broad complement of skill sets, professional project management, and the willingness to work 24x7 until the job is done.

For twenty years, Progent has provided expert IT services for businesses in Adelaide and across the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained advanced certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have earned internationally recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has expertise with accounting and ERP application software. This breadth of experience gives Progent the skills to quickly identify important systems, salvage the surviving parts of your IT environment after a crypto-ransomware event, and reassemble them into a functioning system.

Progent's recovery team uses powerful project management systems to coordinate the complex recovery process. Progent understands the urgency of acting swiftly and working together with a customer's management and IT staff to prioritize tasks and get the most important systems back online as fast as possible.

Business Case Study: A Successful Ransomware Intrusion Response
A customer sought out Progent after their network was penetrated by the Ryuk ransomware. Ryuk is believed to have been launched by North Korean state hackers, possibly adopting technology leaked from the U.S. National Security Agency. Ryuk targets specific companies with limited ability to sustain operational disruption and is one of the most profitable incarnations of ransomware. Major targets have included Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in the Chicago metro area with around 500 employees. The Ryuk intrusion had paralyzed all business operations and manufacturing processes. The majority of the client's data backups had been online at the time of the attack and were eventually encrypted. The client was preparing to pay the ransom demand (more than $200K) and hoping for good luck, but in the end called Progent.


"I can't thank you enough in regards to the care Progent provided us during the most stressful period of (our) company's existence. We would have paid the criminal gangs if not for the confidence the Progent experts afforded us. That you could get our e-mail and important servers back into operation quicker than seven days was earth shattering. Each expert I interacted with or communicated with at Progent was laser focused on getting us back online and was working day and night on our behalf."

Progent worked together with the customer to rapidly identify and assign priority to the most important systems that needed to be addressed to make it possible to resume business operations:

  • Active Directory (AD)
  • Email
  • Accounting and Manufacturing Software

To get going, Progent followed anti-malware incident mitigation best practices by stopping lateral movement and cleaning infected systems. Progent then began rebuilding Windows Active Directory, the heart of enterprise systems built on Microsoft Windows technology. Microsoft Exchange Server email will not work without Active Directory, and the customer's accounting and MRP system relied on Microsoft SQL Server, which depends on Windows AD to authorize access to the data.

In less than two days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then helped rebuild essential applications and recover data from hard drives. All Exchange schema and configuration information was intact, which greatly helped the rebuild of Exchange. Progent was able to locate intact OST data files (Microsoft Outlook Offline Data Files) on user desktop computers to recover email messages. A recent offline backup of the client's financials/MRP software made it possible to bring these required applications back online. Although much work remained to recover fully from the Ryuk attack, core systems were restored quickly:


"For the most part, the manufacturing operation never missed a beat and we did not miss any customer sales."
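
One practical step behind the OST-based mailbox recovery described above is deciding which files on the recovered desktops are still usable before spending time importing them. The following Python script is an added example, not Progent's tooling and not part of the original case study: it walks a directory tree (a mounted desktop image or file share), picks out OST/PST files even when ransomware has appended an extra extension, checks for the `!BDN` header signature that Outlook data files carry, and uses byte entropy to separate encrypted copies from merely damaged ones. The 7.5-bits-per-byte threshold and the sample files it writes to a temporary directory are constructed assumptions for the demonstration.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Outlook PST/OST files (the PFF format) begin with the four-byte signature "!BDN".
OUTLOOK_MAGIC = b"!BDN"
MAIL_SUFFIXES = {".ost", ".pst"}
# Bytes read from the head of each file; entropy at or above the threshold on a
# header-less file is treated as a sign of encryption (assumed cut-off).
SAMPLE_BYTES = 65536
ENCRYPTED_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_mailbox_file(path: Path) -> dict:
    """Classify one candidate OST/PST file as intact, likely-encrypted or damaged."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    has_magic = head.startswith(OUTLOOK_MAGIC)
    entropy = shannon_entropy(head)
    if has_magic:
        verdict = "intact"            # header present: worth trying to import
    elif entropy >= ENCRYPTED_ENTROPY:
        verdict = "likely-encrypted"  # header gone and contents look random
    else:
        verdict = "damaged"           # header gone but not random (truncated, zeroed)
    return {"path": str(path), "magic": has_magic, "entropy": round(entropy, 2), "verdict": verdict}


def is_mailbox_candidate(path: Path) -> bool:
    # Match ".ost"/".pst" anywhere in the suffix chain so that a file renamed by
    # ransomware (e.g. "mailbox.ost.<ransom-ext>", a placeholder) is still examined.
    return path.is_file() and any(s.lower() in MAIL_SUFFIXES for s in path.suffixes)


def triage_mailbox_files(root) -> list:
    """Walk a recovered desktop image or share and classify every OST/PST found."""
    return [classify_mailbox_file(p) for p in sorted(Path(root).rglob("*")) if is_mailbox_candidate(p)]


def build_demo_tree(root) -> None:
    """Constructed sample data: one intact, one encrypted-looking and one zeroed file."""
    root = Path(root)
    (root / "users" / "alice").mkdir(parents=True)
    (root / "users" / "bob").mkdir(parents=True)
    (root / "users" / "alice" / "alice.ost").write_bytes(OUTLOOK_MAGIC + b"\x00" * 4092)
    rng = random.Random(1234)  # deterministic stand-in for ciphertext
    (root / "users" / "bob" / "bob.ost").write_bytes(bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES)))
    (root / "users" / "bob" / "archive.pst").write_bytes(b"\x00" * 4096)
    (root / "users" / "bob" / "notes.txt").write_bytes(b"not a mailbox file")


def run_demo() -> dict:
    """Build the sample tree in a temp dir and return {file name: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return {Path(r["path"]).name: r["verdict"] for r in triage_mailbox_files(tmp)}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for row in triage_mailbox_files(tmp):
            print(f"{row['verdict']:17} entropy={row['entropy']:<5} magic={row['magic']!s:5} {row['path']}")
```

Point `triage_mailbox_files()` at the root of a mounted workstation image to get a list that can be sorted by verdict; only the "intact" entries need to go through an Outlook import, while "likely-encrypted" files are evidence for the incident timeline rather than recovery candidates. A valid header does not guarantee the rest of the file is undamaged, so the import step itself remains the final check.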

During the following couple of weeks critical milestones in the recovery process were achieved in close cooperation between Progent consultants and the client:

  • Self-hosted web sites were restored with no loss of data.
  • The MailStore archive for Microsoft Exchange Server, holding more than 4 million historical emails, was brought online and made available to users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/AR/Inventory functions were fully restored.
  • A new Palo Alto 850 security appliance was deployed.
  • 90% of the user desktops and notebooks were functioning as before the incident.

"A lot of what transpired in the initial days is mostly a haze for me, but our team will not soon forget the urgency all of your team put in to help get our business back. I've utilized Progent for at least 10 years, possibly more, and each time Progent has impressed me and delivered as promised. This event was the most impressive ever."

Conclusion
A potential business-ending disaster was averted by results-oriented experts, a broad range of technical expertise, and close teamwork. In hindsight, the crypto-ransomware penetration described here should have been blocked by up-to-date security solutions and best practices, user education, and properly executed procedures for backup and security patching. The reality, however, is that state-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by crypto-ransomware, remember that Progent's roster of professionals has extensive experience in ransomware defense, remediation, and data restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thank you for letting me get some sleep after we got through the initial push. All of you did an impressive effort, and if anyone is in the Chicago area, a great meal is on me!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Adelaide a portfolio of remote monitoring and security assessment services to help you minimize your exposure to crypto-ransomware. These services incorporate modern AI capabilities to uncover zero-day strains of ransomware that evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes next generation behavior-based machine learning tools to guard physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which easily get by legacy signature-based AV products. ProSight ASM protects on-premises and cloud resources and offers a single platform to automate the entire malware attack lifecycle including blocking, infiltration detection, mitigation, remediation, and post-attack forensics. Top capabilities include one-click rollback with Windows VSS and automatic system-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth security for physical and virtual servers, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning to continuously monitor and react to security threats from all attack vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint management, and web filtering through cutting-edge tools incorporated within a single agent accessible from a unified console. Progent's data protection and virtualization consultants can help your business plan and implement a ProSight ESP environment that addresses your organization's specific needs and that allows you to achieve and demonstrate compliance with government and industry data security regulations. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require immediate action. Progent can also help you install and test a backup and disaster recovery solution like ProSight Data Protection Services so you can recover quickly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and medium-sized businesses a low-cost and fully managed solution for reliable backup/disaster recovery (BDR). Available at a fixed monthly cost, ProSight DPS automates and monitors your backup processes and enables rapid restoration of critical files, applications and virtual machines that have been lost or corrupted as a result of component breakdowns, software glitches, disasters, human error, or malware attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on a local storage device, or mirrored to both. Progent's cloud backup specialists can provide advanced support to set up ProSight DPS to comply with regulatory standards like HIPAA, FERPA, and PCI and, whenever necessary, can assist you to restore your critical data. Learn more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading data security companies to deliver centralized control and comprehensive protection for your email traffic. The hybrid architecture of Progent's Email Guard managed service integrates cloud-based filtering with a local security gateway device to provide complete defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of threats from reaching your network firewall. This reduces your exposure to external attacks and saves network bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a deeper level of analysis for incoming email. For outgoing email, the onsite security gateway offers AV and anti-spam protection, DLP, and email encryption. The local security gateway can also help Exchange Server monitor and protect internal email traffic that originates and ends within your security perimeter. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map out, track, optimize and debug their connectivity appliances such as routers, switches, firewalls, and access points as well as servers, printers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology maps are always current, copies and manages the configuration information of virtually all devices connected to your network, tracks performance, and sends notices when issues are detected. By automating complex management and troubleshooting processes, WAN Watch can knock hours off ordinary chores such as network mapping, expanding your network, locating devices that need critical software patches, or resolving performance issues. Find out more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management technology to help keep your network operating at peak levels by checking the state of the critical computers that power your information system. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your designated IT management staff and your assigned Progent consultant so that any potential problems can be addressed before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host set up and managed by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the apps. Because the system is virtualized, it can be ported easily to an alternate hardware environment without a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not tied to one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard data about your IT infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT documentation, you can save as much as half of the time wasted looking for vital information about your IT network. ProSight IT Asset Management includes a common location for storing and collaborating on all documents required for managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether you're making improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Read more about Progent's ProSight IT Asset Management service.

For Adelaide 24x7 Ransomware Cleanup Experts, contact Progent at 800-462-8800 or go to Contact Progent.