Ransomware : Your Worst Information Technology Nightmare
Crypto-Ransomware Remediation Professionals

Ransomware has become a modern cyber pandemic that represents an extinction-level threat for organizations unprepared for an attack. Versions of ransomware such as Reveton, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for a long time and still cause harm. Newer variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, along with as yet unnamed newcomers appearing daily, not only encrypt online critical data but also seek out and destroy any available system restore points and backups. Information synchronized to the cloud can also be rendered useless. With a poorly designed data protection solution, this can make automated recovery impossible and effectively knock the network back to zero.

Restoring applications and data following a ransomware event becomes a race against time as the targeted business tries its best to contain and clean up the malware and to restore business-critical operations. Since ransomware requires time to spread, attacks are often launched on weekends, when they may take longer to detect. This compounds the difficulty of quickly assembling and coordinating a qualified response team.

Progent has a range of services for protecting enterprises from ransomware attacks. These include staff training to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of the latest generation security appliances with AI capabilities to automatically discover and disable new threats. Progent also offers the services of expert crypto-ransomware recovery consultants with the talent and commitment to re-deploy a breached network as soon as possible.

Progent's Ransomware Restoration Support Services
After a ransomware penetration, sending the ransom in cryptocurrency does not provide any assurance that the cyber criminals will return the keys needed to decrypt all your files. Kaspersky Labs estimated that 17% of ransomware victims never recovered their files after having paid the ransom, resulting in increased losses. The stakes are also high. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the typical ransomware demand, which ZDNET estimates to average around $13,000. The other path is to rebuild the mission-critical components of your IT environment. Without access to complete data backups, this calls for a broad complement of skills, well-coordinated project management, and the capability to work non-stop until the task is done.

For two decades, Progent has provided professional IT services for companies in Akron and across the US and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have earned top industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have earned internationally recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications.) Progent also has expertise with financial systems and ERP applications. This breadth of experience gives Progent the capability to efficiently identify critical systems, consolidate the surviving pieces of your network environment following a crypto-ransomware penetration, and rebuild them into an operational system.

Progent's security team uses state-of-the-art project management tools to orchestrate the complicated restoration process. Progent understands the importance of acting swiftly and in unison with a customer's management and IT team members to prioritize tasks and to put critical services back online as soon as possible.

Business Case Study: A Successful Crypto-Ransomware Virus Recovery
A small business escalated to Progent after their organization was penetrated by the Ryuk ransomware virus. Ryuk is thought to have been deployed by North Korean state-sponsored cybercriminals, suspected of using algorithms leaked from the U.S. National Security Agency. Ryuk targets specific companies with limited ability to sustain disruption and is among the most profitable examples of ransomware malware. Highly publicized targets include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business based in Chicago with about 500 employees. The Ryuk event had paralyzed all company operations and manufacturing capabilities. Most of the client's backups had been online at the start of the attack and were encrypted. The client was taking steps to pay the ransom demand (in excess of $200K) and hoping for the best, but in the end turned to Progent.


"I cannot say enough about the expertise Progent provided us throughout the most stressful period of (our) company's existence. We may have had to pay the cyber criminals behind the attack if not for the confidence the Progent group gave us. That you could get our messaging and important applications back in less than five days was incredible. Every single expert I talked with or messaged at Progent was totally committed on getting our company operational and was working 24/7 on our behalf."

Progent worked hand in hand with the client to rapidly identify and prioritize the most important services that needed to be addressed in order to continue company operations:

  • Microsoft Active Directory
  • Electronic Mail
  • MRP System

To start, Progent followed industry best practices for malware incident response by halting the spread and removing active malware. Progent then started the task of recovering Microsoft Active Directory, the foundation of enterprise networks built upon Microsoft technology. Microsoft Exchange email will not work without Windows AD, and the customer's accounting and MRP system used Microsoft SQL Server, which relies on Windows AD to control access to the data.

Within 48 hours, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then began the setup and hard drive recovery of essential systems. All Exchange schema and configuration information were usable, which facilitated the restoration of Exchange. Progent was able to assemble non-encrypted OST files (Microsoft Outlook Off-Line Folder Files) from staff PCs in order to recover mail messages. A recent off-line backup of the business's accounting/MRP systems made it possible to bring these required programs back online for users. Although significant work remained to recover completely from the Ryuk attack, the most important services were returned to operation quickly:


"For the most part, the assembly line operation ran fairly normally throughout and we produced all customer orders."

During the following month, critical milestones in the recovery process were achieved through close cooperation between Progent consultants and the customer:

  • Self-hosted web applications were restored without losing any data.
  • The MailStore Microsoft Exchange Server with over 4 million archived messages was restored to operations and accessible to users.
  • CRM/Orders/Invoices/Accounts Payable/AR/Inventory Control capabilities were 100% restored.
  • A new Palo Alto Networks 850 security appliance was set up.
  • Nearly all of the user desktops were back in use by staff.

"So much of what was accomplished those first few days is mostly a haze for me, but I will not soon forget the dedication each of you put in to help get our business back. I have been working with Progent for at least 10 years, possibly more, and each time I needed help Progent has impressed me and delivered. This time was the most impressive ever."

Conclusion
A probable business disaster was averted through the efforts of hard-working experts, a broad spectrum of technical expertise, and close teamwork. Although in hindsight the ransomware attack detailed here could have been prevented with current security technology and best practices, team education, and appropriate procedures for data protection and keeping systems up to date with security patches, the fact is that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware attack, you can be confident that Progent's team of professionals has extensive experience in crypto-ransomware blocking, remediation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were involved), I'm grateful for allowing me to get rested after we made it through the initial push. All of you did a fabulous job, and if any of your guys is visiting the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Akron a range of remote monitoring and security assessment services designed to help you reduce your exposure to crypto-ransomware. These services incorporate next-generation artificial intelligence capabilities to detect zero-day variants of crypto-ransomware that are able to get past traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that incorporates next-generation behavioral machine learning technology to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely evade legacy signature-based AV tools. ProSight ASM protects local and cloud-based resources and provides a single platform to automate the complete threat lifecycle, including protection, detection, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer security for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and response to cyber threats from all vectors. ProSight ESP offers firewall protection, intrusion alerts, device control, and web filtering via leading-edge technologies packaged within one agent accessible from a unified console. Progent's data protection and virtualization experts can help you design and implement a ProSight ESP environment that meets your company's unique needs and that helps you demonstrate compliance with legal and industry data protection regulations. Progent will help you specify and implement the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require immediate attention. Progent can also help your company install and test a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations a low-cost and fully managed service for secure backup and disaster recovery. Available at a fixed monthly price, ProSight Data Protection Services automates your backup activities and allows fast recovery of vital data, applications and virtual machines that have become unavailable or corrupted due to hardware breakdowns, software glitches, natural disasters, human mistakes, or malicious attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to an on-premises device, or mirrored to both. Progent's backup and recovery specialists can provide advanced support to set up ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FERPA, and PCI and, whenever necessary, can help you restore your critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top information security vendors to deliver web-based control and world-class security for your email traffic. The hybrid structure of the Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway appliance to offer complete protection against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks, and other email-borne threats. The Cloud Protection Layer acts as a preliminary barricade and blocks the vast majority of unwanted email before it reaches your security perimeter. This decreases your exposure to external threats and saves network bandwidth and storage space. Email Guard's on-premises security gateway device adds a further level of analysis for inbound email. For outbound email, the onsite gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also work with Microsoft Exchange Server to monitor and safeguard internal email traffic that stays within your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to map, monitor, optimize and debug their networking appliances such as switches, firewalls, and wireless controllers as well as servers, printers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that network diagrams are kept current, captures and manages the configuration information of virtually all devices on your network, tracks performance, and generates alerts when potential issues are discovered. By automating time-consuming management and troubleshooting processes, WAN Watch can knock hours off common chores like making network diagrams, reconfiguring your network, finding devices that need critical updates, or isolating performance bottlenecks. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your network running efficiently by checking the state of the critical computers that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your designated IT management personnel and your Progent consultant so that potential issues can be resolved before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual host configured and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the OS software, and the applications. Because the environment is virtualized, it can be moved easily to a different hosting solution without requiring a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and safeguard data related to your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate up to 50% of the time wasted looking for vital information about your network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents related to managing your business network, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you're planning enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you need as soon as you need it. Read more about Progent's ProSight IT Asset Management service.

For Akron 24-7 Crypto-Ransomware Recovery Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.