Ransomware : Your Feared Information Technology Disaster
Crypto-Ransomware Remediation Professionals
Ransomware has become a modern cyberplague that represents an enterprise-level threat for any business vulnerable to an attack. Versions of ransomware such as Reveton, Fusob, Locky, Syskey and MongoLock cryptoworms have been running rampant for years and still cause damage. Recent versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Nephilim, along with more unnamed newcomers, not only encrypt online data files but also attack any configured system protection mechanisms. Data replicated to off-site disaster recovery sites can also be rendered useless. In a vulnerable environment, this can make automatic restoration useless and effectively set the datacenter back to zero.

Getting programs and information back following a crypto-ransomware outage becomes a race against time as the targeted business fights to contain the damage, clear the ransomware, and resume enterprise-critical operations. Because ransomware needs time to spread, attacks are frequently launched on weekends, when they are likely to take longer to discover. This compounds the difficulty of quickly mobilizing and organizing a capable response team.

Progent provides a range of support services for securing organizations from ransomware penetrations. Among these are staff education to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of next-generation security gateways with machine learning capabilities to quickly detect and extinguish day-zero threats. Progent also offers the assistance of seasoned ransomware recovery engineers with the track record and commitment to rebuild a breached network as rapidly as possible.

Progent's Crypto-Ransomware Restoration Support Services
Following a ransomware attack, paying the ransom in Bitcoin does not guarantee that the criminal gangs will provide the keys to decrypt any of your files. Kaspersky Labs ascertained that seventeen percent of crypto-ransomware victims never recovered their data even after having paid the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly above the typical ransomware demand, which ZDNET determined to be in the range of $13,000. The other path is to re-install the key parts of your IT environment. Without access to full system backups, this calls for a wide complement of skills, professional project management, and the capability to work non-stop until the job is over.

For decades, Progent has provided professional IT services for companies in Anchorage and across the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have been awarded advanced industry certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have garnered internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with financial systems and ERP software solutions. This breadth of expertise gives Progent the capability to rapidly understand critical systems and re-organize the surviving pieces of your IT system following a ransomware event and assemble them into a functioning network.

Progent's security team of experts utilizes top-notch project management tools to orchestrate the complex restoration process. Progent appreciates the importance of acting quickly and in concert with a customer's management and IT resources to assign priority to tasks and to put critical systems back on-line as soon as humanly possible.

Client Story: A Successful Ransomware Incident Restoration
A small business hired Progent after their network was attacked by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean state-sponsored criminal gangs, possibly using techniques exposed from the U.S. National Security Agency. Ryuk targets specific businesses with little room for disruption and is among the most profitable examples of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business located in Chicago with about 500 workers. The Ryuk intrusion had brought down all essential operations and manufacturing capabilities. Most of the client's data backups had been on-line at the time of the intrusion and were damaged. The client was actively seeking loans to pay the ransom (in excess of two hundred thousand dollars) and hoping for good luck, but ultimately called Progent.


"I can't say enough about the support Progent gave us during the most fearful period of (our) business's survival. We would have paid the cybercriminals if it wasn't for the confidence the Progent team afforded us. That you could get our e-mail system and important applications back online faster than five days was something I thought impossible. Every single expert I spoke to or e-mailed at Progent was urgently focused on getting us working again and was working at breakneck pace on our behalf."

Progent worked together with the customer to quickly identify and prioritize the most important applications that had to be restored in order to resume company operations:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • Financials/MRP
To start, Progent adhered to industry best practices for malware incident mitigation by halting the spread and removing active infections. Progent then initiated the task of bringing Microsoft AD back online, the key technology of enterprise systems built upon Microsoft Windows Server. Microsoft Exchange messaging will not work without AD, and the customer's financials and MRP software utilized SQL Server, which depends on Windows AD for authentication to the databases.

Within 2 days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then performed rebuilding and storage recovery of key systems. All Microsoft Exchange Server data and configuration information were intact, which greatly helped the restore of Exchange. Progent was able to assemble intact OST files (Outlook Offline Data Files) from various desktop computers and laptops in order to recover mail messages. A recent off-line backup of the business's manufacturing systems made it possible to return these vital services to service. Although significant work was left to recover totally from the Ryuk attack, essential services were returned to operation quickly:
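The restoration sequence above (Active Directory first, because Exchange and SQL Server authenticate against it, then the SQL-backed financials) is one instance of a general rule: a service can only be restored after the services it depends on. The following added example is not Progent's tooling or part of the case study; it derives a restoration order from a dependency map using Kahn's topological sort and propagates urgency so that a low-profile prerequisite (here SQL Server) inherits the priority of the business-critical application that needs it. The edges involving Exchange, SQL Server and the financials/MRP application are taken from the case study; the file server, web applications and MailStore edges and all priority values are assumptions for the sake of the example.

```python
"""Dependency-ordered restoration planning (added example, not Progent's code)."""
from typing import Dict, List, Set

# system -> systems it must wait for. Edges for Exchange, SQL Server and
# Financials/MRP follow the case study; the other three are assumptions.
DEPENDENCIES: Dict[str, Set[str]] = {
    "Active Directory": set(),
    "Exchange Server": {"Active Directory"},
    "SQL Server": {"Active Directory"},
    "Financials/MRP": {"SQL Server"},
    "File server": {"Active Directory"},      # assumption
    "Web applications": {"SQL Server"},       # assumption
    "MailStore archive": {"Exchange Server"}, # assumption
}

# Business urgency as management would state it, lower is more urgent
# (assumed values). Note SQL Server is not urgent in its own right.
PRIORITY: Dict[str, int] = {
    "Active Directory": 0,
    "Exchange Server": 1,
    "Financials/MRP": 1,
    "File server": 2,
    "Web applications": 3,
    "SQL Server": 3,
    "MailStore archive": 4,
}


def effective_priority(deps: Dict[str, Set[str]], priority: Dict[str, int]) -> Dict[str, int]:
    """A prerequisite is at least as urgent as anything that depends on it.
    Urgency is pushed down the dependency edges until nothing changes."""
    eff = dict(priority)
    changed = True
    while changed:
        changed = False
        for system, needed in deps.items():
            for dep in needed:
                if eff.get(system, 99) < eff.get(dep, 99):
                    eff[dep] = eff[system]
                    changed = True
    return eff


def restoration_order(deps: Dict[str, Set[str]], priority: Dict[str, int]) -> List[str]:
    """Kahn's algorithm: repeatedly restore the most urgent system whose
    prerequisites are all already restored. A cycle (two systems each waiting
    on the other) is reported as an error because no valid plan exists."""
    nodes = set(deps)
    for needed in deps.values():
        nodes |= needed
    remaining = {n: set(deps.get(n, set())) for n in nodes}
    order: List[str] = []
    while remaining:
        ready = [n for n, d in remaining.items() if not d]
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        nxt = min(ready, key=lambda n: (priority.get(n, 99), n))
        order.append(nxt)
        del remaining[nxt]
        for d in remaining.values():
            d.discard(nxt)
    return order


def plan(deps: Dict[str, Set[str]], priority: Dict[str, int]) -> List[str]:
    """Restoration order using propagated (effective) urgency."""
    return restoration_order(deps, effective_priority(deps, priority))


if __name__ == "__main__":
    print("naive order:    ", restoration_order(DEPENDENCIES, PRIORITY))
    print("propagated order:", plan(DEPENDENCIES, PRIORITY))
```

With the raw priorities the file server would be rebuilt before SQL Server, delaying the financials/MRP application that management ranked as urgent; after propagation SQL Server moves ahead of it. In the constructed cycle case (for example if two systems were entered as depending on each other) the planner refuses rather than silently emitting a partial list, which is the behaviour you want in a recovery runbook.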


"For the most part, the assembly line operation was never shut down and we delivered all customer sales."

During the next few weeks, key milestones in the restoration process were reached in close collaboration between Progent engineers and the customer:

  • Self-hosted web applications were restored without losing any data.
  • The MailStore Exchange Server containing more than 4 million archived emails was brought online and available for users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory Control functions were fully functional.
  • A new Palo Alto 850 security appliance was brought online.
  • Most of the user PCs were functioning as before the incident.

"Much of what happened those first few days is nearly entirely a blur for me, but I will not soon forget the urgency each of the team accomplished to give us our company back. I've trusted Progent for at least 10 years, possibly more, and each time Progent has shined and delivered as promised. This event was a life saver."

Conclusion
A possible enterprise-killing disaster was averted thanks to dedicated professionals, a broad spectrum of IT skills, and tight collaboration. In hindsight, the ransomware incident detailed here should have been identified and prevented with up-to-date cybersecurity technology and best practices, user training, and appropriate procedures for data backup and for keeping systems current with security patches. The reality remains, however, that state-sponsored cybercriminals from Russia, China and elsewhere are relentless and will keep trying. If you do fall victim to a ransomware attack, remember that Progent's team of experts has substantial experience in ransomware defense, mitigation, and file restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), I'm grateful for allowing me to get rested after we got through the first week. Everyone did an incredible effort, and if anyone that helped is in the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Anchorage a range of remote monitoring and security evaluation services designed to assist you to minimize the threat from ransomware. These services include next-generation machine learning technology to uncover zero-day variants of ransomware that can escape detection by legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes cutting edge behavior machine learning technology to defend physical and virtual endpoint devices against new malware assaults like ransomware and email phishing, which easily escape traditional signature-based AV products. ProSight ASM safeguards local and cloud resources and provides a unified platform to automate the complete malware attack lifecycle including filtering, identification, mitigation, cleanup, and forensics. Top capabilities include one-click rollback with Windows VSS and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services offer affordable in-depth protection for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and responding to cyber threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device management, and web filtering via cutting-edge technologies incorporated within one agent managed from a unified console. Progent's security and virtualization experts can help you to plan and configure a ProSight ESP deployment that addresses your organization's unique requirements and that helps you achieve and demonstrate compliance with legal and industry data security regulations. Progent will assist you define and configure security policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that call for urgent attention. Progent can also help you to install and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has worked with advanced backup software companies to create ProSight Data Protection Services (DPS), a selection of subscription-based offerings that deliver backup-as-a-service. ProSight DPS products automate and track your backup processes and enable transparent backup and rapid recovery of critical files/folders, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS helps your business avoid data loss caused by equipment failures, natural disasters, fire, malware like ransomware, user error, malicious insiders, or software glitches. Managed backup services in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to determine which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top information security vendors to deliver web-based management and world-class protection for all your email traffic. The powerful structure of Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway device to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's cloud filter acts as a first line of defense and keeps most threats from making it to your network firewall. This decreases your vulnerability to inbound threats and conserves system bandwidth and storage. Email Guard's on-premises gateway appliance adds a deeper level of inspection for inbound email. For outbound email, the on-premises gateway offers AV and anti-spam protection, DLP, and email encryption. The local security gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that stays within your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to map out, track, optimize and troubleshoot their networking appliances such as routers, firewalls, and load balancers as well as servers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology maps are kept updated, captures and displays the configuration information of almost all devices connected to your network, tracks performance, and sends notices when issues are detected. By automating tedious management activities, ProSight WAN Watch can knock hours off ordinary tasks like making network diagrams, expanding your network, finding appliances that need important software patches, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to help keep your IT system operating at peak levels by tracking the health of the critical assets that power your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your designated IT management staff and your assigned Progent engineering consultant so that potential problems can be addressed before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected fault tolerant data center on a fast virtual machine host configured and managed by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the apps. Because the environment is virtualized, it can be ported easily to an alternate hardware environment without a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and safeguard data about your IT infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates, domains or warranties. By updating and organizing your IT documentation, you can eliminate as much as 50% of the time wasted searching for vital information about your IT network. ProSight IT Asset Management features a common repository for storing and sharing all documents related to managing your network infrastructure, like standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're planning enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.
For Anchorage 24/7 Crypto-Ransomware Cleanup Services, call Progent at 800-462-8800 or go to Contact Progent.