Ransomware : Your Worst IT Disaster
Ransomware  Recovery ProfessionalsRansomware has become a too-frequent cyberplague that presents an extinction-level threat for businesses vulnerable to an assault. Multiple generations of ransomware like the CryptoLocker, Fusob, Locky, SamSam and MongoLock cryptoworms have been around for years and still inflict harm. Modern versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, plus more as yet unnamed malware, not only do encryption of online files but also infiltrate many accessible system restores and backups. Data synchronized to the cloud can also be encrypted. In a vulnerable system, it can make automatic recovery useless and effectively sets the entire system back to zero.

Getting back on-line services and information after a ransomware attack becomes a race against time as the victim struggles to contain the damage and eradicate the ransomware and to resume business-critical activity. Because ransomware requires time to move laterally, attacks are often sprung on weekends and holidays, when successful attacks may take longer to discover. This compounds the difficulty of rapidly marshalling and organizing an experienced mitigation team.

Progent provides a range of support services for securing organizations from ransomware attacks. These include staff education to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of modern security solutions with artificial intelligence capabilities to rapidly discover and disable zero-day cyber threats. Progent in addition provides the assistance of expert crypto-ransomware recovery consultants with the skills and perseverance to re-deploy a compromised system as urgently as possible.

Progent's Ransomware Restoration Support Services
After a ransomware penetration, paying the ransom in cryptocurrency does not provide any assurance that cyber hackers will respond with the needed codes to unencrypt any or all of your data. Kaspersky Labs estimated that seventeen percent of ransomware victims never restored their files after having paid the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is well higher than the average crypto-ransomware demands, which ZDNET estimates to be in the range of $13,000. The fallback is to re-install the mission-critical components of your Information Technology environment. Absent the availability of complete data backups, this requires a broad range of IT skills, top notch project management, and the capability to work continuously until the task is done.

For two decades, Progent has offered expert Information Technology services for businesses in Anaheim and across the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have been awarded top industry certifications in leading technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have garnered internationally-recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has expertise in accounting and ERP applications. This breadth of expertise affords Progent the skills to rapidly determine necessary systems and integrate the surviving parts of your IT system after a crypto-ransomware attack and assemble them into an operational network.

Progent's ransomware team of experts deploys state-of-the-art project management systems to orchestrate the complex restoration process. Progent knows the urgency of working quickly and in concert with a customerís management and Information Technology staff to prioritize tasks and to get essential applications back on line as soon as humanly possible.

Customer Case Study: A Successful Crypto-Ransomware Intrusion Response
A customer engaged Progent after their network was crashed by Ryuk ransomware virus. Ryuk is believed to have been deployed by Northern Korean government sponsored hackers, suspected of adopting approaches exposed from the U.S. NSA organization. Ryuk attacks specific companies with little tolerance for disruption and is among the most profitable iterations of ransomware viruses. High publicized organizations include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company located in Chicago and has about 500 staff members. The Ryuk penetration had brought down all company operations and manufacturing processes. The majority of the client's backups had been directly accessible at the start of the attack and were damaged. The client was pursuing financing for paying the ransom (exceeding $200K) and praying for the best, but in the end called Progent.


"I canít tell you enough about the expertise Progent gave us throughout the most stressful time of (our) companyís existence. We may have had to pay the cyber criminals except for the confidence the Progent team provided us. The fact that you were able to get our e-mail system and important applications back on-line in less than a week was earth shattering. Every single person I spoke to or texted at Progent was laser focused on getting us working again and was working 24 by 7 on our behalf."

Progent worked together with the customer to rapidly identify and prioritize the most important areas that had to be restored to make it possible to resume company operations:

  • Active Directory
  • Exchange Server
  • MRP System
To begin, Progent adhered to ransomware incident response industry best practices by halting lateral movement and removing active viruses. Progent then began the process of restoring Windows Active Directory, the key technology of enterprise environments built upon Microsoft technology. Microsoft Exchange email will not work without Windows AD, and the client's financials and MRP software leveraged SQL Server, which requires Windows AD for security authorization to the information.

In less than 2 days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then completed rebuilding and hard drive recovery on essential applications. All Exchange Server data and configuration information were usable, which facilitated the restore of Exchange. Progent was able to locate local OST files (Microsoft Outlook Offline Data Files) on user workstations to recover mail messages. A not too old offline backup of the businesses accounting/ERP systems made them able to recover these essential services back online. Although significant work needed to be completed to recover totally from the Ryuk attack, the most important systems were recovered rapidly:


"For the most part, the production operation did not miss a beat and we delivered all customer orders."

Over the following few weeks important milestones in the restoration project were accomplished through close cooperation between Progent consultants and the customer:

  • Internal web applications were returned to operation with no loss of information.
  • The MailStore Server with over four million archived messages was restored to operations and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory capabilities were 100% operational.
  • A new Palo Alto Networks 850 firewall was deployed.
  • 90% of the desktops and laptops were fully operational.

"Much of what went on that first week is mostly a haze for me, but my management will not soon forget the urgency each of the team accomplished to give us our company back. I have been working with Progent for at least 10 years, possibly more, and every time Progent has come through and delivered as promised. This time was a life saver."

Conclusion
A possible business catastrophe was evaded due to hard-working professionals, a broad spectrum of knowledge, and tight collaboration. Although in post mortem the ransomware attack detailed here would have been identified and prevented with current security systems and recognized best practices, user education, and well designed security procedures for data backup and keeping systems up to date with security patches, the fact is that government-sponsored hackers from Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do fall victim to a ransomware incident, remember that Progent's team of experts has proven experience in crypto-ransomware virus blocking, cleanup, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thanks very much for making it so I could get some sleep after we got past the most critical parts. Everyone did an amazing effort, and if anyone is around the Chicago area, dinner is on me!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Anaheim a portfolio of online monitoring and security assessment services designed to assist you to reduce the threat from crypto-ransomware. These services utilize next-generation machine learning technology to detect new strains of ransomware that can get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates next generation behavior-based analysis tools to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which easily escape traditional signature-matching anti-virus tools. ProSight ASM safeguards local and cloud resources and provides a single platform to manage the complete malware attack lifecycle including blocking, identification, containment, remediation, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver economical multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and reacting to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device control, and web filtering through leading-edge tools packaged within a single agent accessible from a single control. Progent's security and virtualization experts can help your business to plan and implement a ProSight ESP environment that meets your organization's unique needs and that helps you prove compliance with legal and industry data security standards. Progent will assist you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for urgent action. Progent's consultants can also help your company to install and test a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business quickly from a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized organizations a low cost and fully managed service for reliable backup/disaster recovery. For a fixed monthly price, ProSight DPS automates your backup processes and enables rapid restoration of vital files, applications and virtual machines that have become lost or corrupted as a result of hardware failures, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, plus Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to a local storage device, or to both. Progent's backup and recovery consultants can provide advanced support to set up ProSight DPS to to comply with government and industry regulatory requirements such as HIPAA, FIRPA, PCI and Safe Harbor and, when necessary, can assist you to restore your critical data. Read more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top data security vendors to provide centralized control and comprehensive security for all your inbound and outbound email. The hybrid architecture of Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway device to provide complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's cloud filter acts as a preliminary barricade and keeps most threats from reaching your security perimeter. This decreases your exposure to external threats and saves network bandwidth and storage space. Email Guard's onsite security gateway device adds a deeper level of inspection for incoming email. For outgoing email, the on-premises security gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also assist Microsoft Exchange Server to track and safeguard internal email that originates and ends inside your corporate firewall. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to diagram, monitor, reconfigure and troubleshoot their networking hardware such as switches, firewalls, and load balancers as well as servers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network diagrams are kept current, captures and manages the configuration of almost all devices connected to your network, monitors performance, and sends alerts when potential issues are discovered. By automating tedious management activities, WAN Watch can cut hours off common chores such as network mapping, expanding your network, finding devices that need critical software patches, or resolving performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management techniques to help keep your IT system running efficiently by tracking the health of critical computers that power your information system. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your specified IT staff and your assigned Progent engineering consultant so that any looming issues can be addressed before they have a chance to disrupt productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected fault tolerant data center on a fast virtual machine host set up and managed by Progent's network support experts. With Progent's ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the applications. Since the environment is virtualized, it can be ported easily to an alternate hosting environment without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not tied one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and protect data about your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or domains. By updating and managing your IT infrastructure documentation, you can save up to half of time wasted trying to find critical information about your network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents required for managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether youíre planning improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you need the instant you need it. Read more about ProSight IT Asset Management service.
For 24x7x365 Anaheim Crypto-Ransomware Recovery Support Services, call Progent at 800-462-8800 or go to Contact Progent.