Ransomware: Your Feared IT Disaster
Ransomware Recovery Professionals
Ransomware has become an all-too-frequent cyberplague that poses an extinction-level threat to organizations poorly prepared for an assault. Multiple generations of ransomware such as the Dharma, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for a long time and still inflict harm. Recent variants such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Nephilim, along with newcomers not yet named, not only encrypt online information but also infiltrate most available system backups. Information replicated to off-site disaster recovery sites can also be ransomed. In a poorly designed environment, this can make automated recovery hopeless and effectively sets the network back to zero.

Getting applications and information back after a ransomware event becomes a race against time as the targeted organization fights to contain and remove the ransomware and to resume business-critical operations. Because crypto-ransomware needs time to spread, attacks are frequently sprung on weekends and holidays, when they tend to take longer to detect. This compounds the difficulty of quickly assembling and coordinating a capable response team.

Progent offers a range of services for protecting businesses from crypto-ransomware events. Among these are employee education to help staff identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and installation of modern security gateways with machine learning technology to automatically discover and disable new cyber attacks. Progent can also provide the assistance of seasoned ransomware recovery consultants with the skills and commitment to reconstruct a compromised network as urgently as possible.

Progent's Crypto-Ransomware Recovery Services
After a crypto-ransomware penetration, paying the ransom demand in cryptocurrency does not ensure that merciless criminals will respond with the keys to decrypt any or all of your information. Kaspersky Labs found that 17% of ransomware victims never recovered their files after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000), far higher than the average crypto-ransomware demand, which ZDNET put at around $13,000. The alternative is to re-install the vital elements of your IT environment. Without access to complete backups, this calls for a wide range of IT skills, well-coordinated project management, and the capability to work 24x7 until the recovery project is complete.

For two decades, Progent has offered professional IT services for businesses in Albany and throughout the United States and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have attained advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise in accounting and ERP application software. This breadth of experience allows Progent to rapidly identify critical systems, consolidate the surviving components of your IT environment after a ransomware penetration, and rebuild them into an operational system.

Progent's security group deploys top-notch project management systems to orchestrate the sophisticated recovery process. Progent understands the importance of acting rapidly and in concert with a customer's management and IT staff to prioritize tasks and to get critical services back on-line as soon as possible.

Customer Story: A Successful Ransomware Virus Recovery
A small business escalated to Progent after their network was brought down by Ryuk ransomware. Ryuk is thought to have been launched by North Korean state-sponsored cybercriminals, suspected of adopting technology leaked from America's National Security Agency. Ryuk targets specific companies with limited ability to sustain operational disruption and is among the most lucrative ransomware families. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturer headquartered in Chicago with about 500 staff members. The Ryuk intrusion had paralyzed all business operations and manufacturing capabilities. Most of the client's system backups had been online at the beginning of the attack and were eventually encrypted. The client was actively seeking loans to pay the ransom demand (more than $200,000) and praying for the best, but ultimately reached out to Progent.


"I cannot tell you enough in regards to the support Progent gave us during the most stressful time of (our) business's life. We had little choice but to pay the cyber criminals if it wasn't for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail system and production applications back on-line faster than one week was earth shattering. Every single staff member I worked with or texted at Progent was absolutely committed to getting my company operational and was working 24/7 to bail us out."

Progent worked hand in hand with the client to rapidly identify and prioritize the key applications that had to be recovered to allow departmental operations to continue:

  • Active Directory
  • Microsoft Exchange
  • Financials/MRP
To begin, Progent followed industry best practices for malware incident response by isolating and cleaning infected systems. Progent then began bringing Windows Active Directory back online, the core technology of enterprise environments built on Microsoft Windows Server. Microsoft Exchange Server messaging will not operate without Active Directory, and the business's MRP software used SQL Server, which depends on Windows AD for authentication to the databases.

Within two days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then completed rebuilding and storage recovery on essential systems. All Exchange links and attributes were usable, which facilitated the restoration of Exchange. Progent was able to find unencrypted OST files (Microsoft Outlook Offline Data Files) on team workstations and used them to recover mail messages. A recent offline backup of the client's manufacturing software made it possible to return these vital applications to users. Although major work remained to recover completely from the Ryuk damage, critical services were returned to operation rapidly:


"For the most part, the assembly line operation survived unscathed and we made all customer deliverables."
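As an added example that is not part of the original case study and not Progent's own tooling, the Python below generalises the two recovery steps just described: it computes a restore order from a service dependency map like the one in this story (Active Directory before Exchange and SQL Server, SQL Server before MRP), and it triages OST files found on workstation images by checking for the Outlook file-header magic "!BDN" and measuring byte entropy to separate intact files from encrypted ones. The dependency map, the 7.0-bit entropy threshold, the constructed sample bytes, and the directory paths are all assumptions made for the example.

```python
"""Recovery triage helpers, added as an illustration of the two steps the
case study above describes; example code, not Progent's tooling.
  1. Restore services in dependency order (AD before Exchange; AD before
     SQL Server before the MRP system).
  2. Find workstation OST files whose contents are still intact rather than
     ransomware-encrypted, by checking the file header and entropy.
"""
import hashlib
import math
import os
from collections import Counter, deque

# Illustrative dependency map (an assumption mirroring the case study): each
# service lists what must be up before it can be restored.
RECOVERY_DEPS = {
    "Active Directory": [],
    "Exchange": ["Active Directory"],
    "SQL Server": ["Active Directory"],
    "MRP": ["SQL Server"],
    "Web apps": ["Active Directory"],
}

def restore_order(deps):
    """Return a restore sequence honouring every dependency (Kahn's topological
    sort).  Raises ValueError on a cycle or an unknown service, since either
    means the recovery plan cannot be executed as written."""
    indegree = {svc: 0 for svc in deps}
    dependents = {svc: [] for svc in deps}
    for svc, needs in deps.items():
        for need in needs:
            if need not in deps:
                raise ValueError(f"{svc!r} depends on unknown service {need!r}")
            indegree[svc] += 1
            dependents[need].append(svc)
    ready = deque(sorted(s for s, d in indegree.items() if d == 0))
    order = []
    while ready:
        svc = ready.popleft()
        order.append(svc)
        for dep in sorted(dependents[svc]):  # sorted for a stable plan
            indegree[dep] -= 1
            if indegree[dep] == 0:
                ready.append(dep)
    if len(order) != len(deps):
        stuck = sorted(set(deps) - set(order))
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return order

# Outlook PST/OST files start with the 4-byte magic "!BDN" (the dwMagic field
# of the header in Microsoft's [MS-PST] specification).
OST_MAGIC = b"!BDN"
SAMPLE_LEN = 4096  # bytes read from the start of each candidate file

def shannon_entropy(data):
    """Bits per byte of the sample: ciphertext sits near 8.0, while a
    structured file (headers, padding, text) is noticeably lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_ost(sample):
    """Classify the leading bytes of a file named like an OST.
    'intact'    - magic present, worth attempting mail recovery from
    'encrypted' - magic gone and high entropy, typical of whole-file encryption
    'unknown'   - magic gone but low entropy: truncated, corrupt, or not an OST
    The 7.0-bit threshold is a heuristic chosen for this example."""
    if sample.startswith(OST_MAGIC):
        return "intact"
    if shannon_entropy(sample) > 7.0:
        return "encrypted"
    return "unknown"

def scan_for_ost(root):
    """Walk a directory tree (e.g. a mounted workstation image) and classify
    every *.ost file found.  Returns a list of (path, verdict) tuples."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".ost"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    results.append((path, classify_ost(fh.read(SAMPLE_LEN))))
    return results

def _pseudo_random_bytes(n, seed=b"constructed sample"):
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for
    ciphertext so the example runs offline without a real encrypted file."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

# Constructed samples: an intact header, a fully "encrypted" file, and a
# zero-filled stub such as a partially written or wiped file.
SAMPLES = {
    "intact": OST_MAGIC + bytes(SAMPLE_LEN - 4),
    "encrypted": _pseudo_random_bytes(SAMPLE_LEN),
    "zeroed": bytes(SAMPLE_LEN),
}

if __name__ == "__main__":
    print("Restore order:", " -> ".join(restore_order(RECOVERY_DEPS)))
    for label, data in SAMPLES.items():
        print(f"{label:>9}: {classify_ost(data)} (entropy {shannon_entropy(data):.2f})")
```

Run the module directly to see the plan and the sample verdicts, or call scan_for_ost on the mount point of a workstation image to list which OST files are candidates for mail recovery. The header check is deliberately conservative: a file whose magic is intact is flagged for recovery, and a file that has lost its magic is only called encrypted when its entropy is also near that of ciphertext, so corrupt or truncated files are not mistaken for ransomware damage.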

During the following few weeks critical milestones in the recovery process were accomplished through close collaboration between Progent team members and the customer:

  • Self-hosted web applications were restored with no loss of data.
  • The MailStore Exchange Server with over 4 million archived messages was restored to operations and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivable (AR)/Inventory Control functions were 100 percent functional.
  • A new Palo Alto Networks 850 firewall was installed.
  • 90% of the user desktops were functioning as before the incident.

"So much of what transpired in the initial days is nearly entirely a fog for me, but my team will not soon forget the care each and every one of the team put in to help get our company back. I've entrusted Progent for the past 10 years, maybe more, and every time Progent has impressed me and delivered as promised. This time was a testament to your capabilities."

Conclusion
A potentially business-killing disaster was averted through the efforts of hard-working professionals, a wide array of expertise, and tight collaboration. Although the post-mortem showed that the crypto-ransomware attack detailed here could have been identified and stopped with modern security technology, recognized best practices, user training, and well-thought-out incident response procedures for data protection and patch management, the fact remains that government-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and an ongoing threat. If you are hit by a ransomware incident, remember that Progent's roster of experts has substantial experience in crypto-ransomware defense, cleanup, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thanks very much for letting me get rested after we made it through the initial push. Everyone did an amazing effort, and if anyone is around the Chicago area, dinner is on me!"

To read or download a PDF version of this customer story, click: Progent's Ryuk Recovery Case Study Datasheet (PDF, 282 KB).

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Albany a variety of remote monitoring and security evaluation services to help you minimize the threat from ransomware. These services use modern AI technology to uncover new variants of ransomware that can evade traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates next generation behavior machine learning tools to defend physical and virtual endpoints against modern malware attacks like ransomware and file-less exploits, which routinely evade traditional signature-matching anti-virus tools. ProSight ASM safeguards local and cloud resources and offers a single platform to manage the entire threat lifecycle including filtering, detection, containment, cleanup, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection managed services offer affordable multi-layer protection for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and reacting to security threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint management, and web filtering through leading-edge technologies incorporated within one agent managed from a single console. Progent's security and virtualization experts can help you plan and implement a ProSight ESP environment that addresses your organization's unique needs and that helps you prove compliance with government and industry information protection standards. Progent will assist you in specifying and configuring the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require immediate attention. Progent can also help you set up and verify a backup and restore solution like ProSight Data Protection Services so you can get back in business quickly after a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and mid-sized organizations an affordable and fully managed service for reliable backup and disaster recovery. Available at a low monthly cost, ProSight DPS automates and monitors your backup processes and enables rapid recovery of critical files, applications and virtual machines that have become unavailable or damaged due to component breakdowns, software bugs, natural disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware images. Important data can be protected in the cloud, on an on-premises device, or mirrored to both. Progent's BDR specialists can deliver advanced expertise to set up ProSight DPS to comply with regulatory standards such as HIPAA, FINRA, and PCI and, when necessary, can assist you in recovering your critical information. Find out more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading data security companies to provide web-based management and comprehensive security for your inbound and outbound email. The hybrid structure of Progent's Email Guard combines a Cloud Protection Layer with an on-premises security gateway appliance to provide complete protection against spam, viruses, DoS attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps most threats from reaching your security perimeter. This reduces your exposure to inbound attacks and saves system bandwidth and storage space. Email Guard's onsite security gateway appliance provides a deeper level of inspection for inbound email. For outbound email, the on-premises security gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that originates and ends inside your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to map out, track, reconfigure and troubleshoot their networking appliances such as routers, firewalls, and wireless controllers as well as servers, client computers and other devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch ensures that network maps are always current, copies and manages the configuration information of almost all devices connected to your network, monitors performance, and sends notices when potential issues are detected. By automating complex management and troubleshooting activities, ProSight WAN Watch can knock hours off ordinary tasks such as making network diagrams, reconfiguring your network, finding devices that require critical software patches, or isolating performance issues. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management techniques to keep your IT system operating efficiently by tracking the health of the vital computers that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your designated IT management staff and your Progent consultant so looming problems can be resolved before they disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure fault-tolerant data center on a fast virtual machine host configured and managed by Progent's IT support experts. With the ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the apps. Since the system is virtualized, it can be ported easily to an alternate hardware solution without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and protect data about your network infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can save up to 50% of the time spent looking for critical information about your IT network. ProSight IT Asset Management features a centralized location for storing and collaborating on all documents related to managing your network infrastructure, such as recommended procedures and how-tos. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT information. Whether you're planning improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.
For 24x7 Albany Crypto Cleanup Consulting, call Progent at 800-462-8800 or go to Contact Progent.