Ransomware: Your Worst IT Nightmare
Crypto-Ransomware Recovery Professionals
Ransomware has become an all-too-frequent cyber pandemic and an extinction-level threat for businesses unprepared for an attack. Crypto-ransomware families such as CryptoLocker, CryptoWall, Bad Rabbit, NotPetya and MongoLock have been in the wild for years and continue to cause damage. More recent operations such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nefilim, plus a stream of unnamed newcomers, not only encrypt online data but also seek out and encrypt any system backups they can reach. Data synchronized to cloud storage can be encrypted as well. Against a data protection solution that is reachable from the compromised network, this renders restore operations useless and effectively sets the whole environment back to square one.

Getting services and data back online after a crypto-ransomware outage becomes a race against time as the victim works to contain and eradicate the malware while resuming mission-critical activity. Because encrypting an entire network takes time, operators frequently trigger the attack on weekends and holidays, when it takes longer for anyone to notice. This also makes it harder to quickly assemble and coordinate an experienced response team.

Progent offers a range of services for protecting organizations against crypto-ransomware intrusions. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment and configuration of current-generation security gateways that use behavioral and machine-learning analysis to detect and block previously unseen threats. Progent also provides experienced ransomware recovery engineers with the track record and commitment to rebuild a compromised environment as quickly as possible.

Progent's Ransomware Recovery Help
After a ransomware intrusion, paying the demand in Bitcoin gives no assurance that the criminals will deliver working keys to decrypt all of your data. Kaspersky Labs estimated that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the typical crypto-ransomware demand, which ZDNet estimated at around $13,000. The alternative is to rebuild the critical parts of your IT environment. Without complete, uncompromised backups, this requires a wide range of skills, well-coordinated team management, and the ability to work around the clock until the job is done.

For decades, Progent has provided professional IT services to businesses in Arlington and throughout the U.S., and holds Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals with advanced certifications in key technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's security specialists hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC and GIAC. (See Progent's certifications.) Progent also has experience with accounting and ERP applications. This breadth of expertise allows Progent to quickly understand the critical systems, triage what survives a crypto-ransomware intrusion, and reassemble the pieces into a working network.

Progent's security group utilizes powerful project management systems to orchestrate the complex recovery process. Progent knows the urgency of working swiftly and in concert with a client's management and Information Technology resources to assign priority to tasks and to get the most important services back on line as fast as possible.

Client Case Study: A Successful Ransomware Penetration Restoration
A manufacturing company contacted Progent after its network was brought down by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, but later analysis tied its operators to Russian-speaking criminal groups. Ryuk operators target organizations that cannot tolerate downtime, and Ryuk is among the most profitable ransomware operations to date. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing provider, and the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in Chicago with around 500 employees. The Ryuk incident had halted all business operations and manufacturing processes. Most of the client's backups had been online when the intrusion began and were eventually encrypted along with everything else. The client was arranging loans to pay the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.


"I can't say enough in regards to the help Progent gave us during the most critical time of (our) company's existence. We most likely would have paid the cybercriminals if it wasn't for the confidence the Progent group gave us. That you could get our messaging and important servers back in less than a week was beyond my wildest dreams. Every single staff member I talked with or e-mailed at Progent was urgently focused on getting us back on-line and was working all day and night on our behalf."

Progent worked with the customer to quickly identify and prioritize the systems that had to come back first so that departmental functions could resume:

  • Windows Active Directory
  • Electronic Messaging
  • MRP System
First, Progent followed standard incident-response practice: isolate affected systems to halt lateral movement, then clean or rebuild the infected hosts. Progent then began rebuilding Active Directory, the foundation of any environment built on Windows Server. Microsoft Exchange cannot run without AD, and the business's financial and MRP systems ran on SQL Server, which relies on Active Directory for authentication and authorization to the data.

In less than 48 hours, Progent had restored Active Directory to its pre-attack state. Progent then rebuilt key servers and recovered data from their disks. The Exchange schema and configuration in AD were intact, which sped up the Exchange restore. Progent collected the local OST files (Outlook Offline Data Files) from user workstations and recovered mailbox contents from them. A recent offline backup of the manufacturing systems made it possible to bring those essential applications back online for users. Although a great deal of work remained to recover fully from the Ryuk attack, the critical systems were restored quickly:
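The rebuild sequence above (contain, restore AD, then bring back the services that depend on it) leaves one step that is easy to forget: a restored directory still honors any Kerberos material the intruder stole or forged before the restore. The script below is an added example of the post-restore checks an incident responder would run on the recovered domain; it is not Progent's tooling and is not described on this page. It assumes an elevated session as a Domain Admin on a restored, replicating domain controller, and the $AttackStart default is a placeholder to be replaced with the earliest known intrusion time.

```powershell
#Requires -Modules ActiveDirectory
<#
  Post-restore Active Directory hygiene. Added example, not Progent's tooling.
  Assumptions: run in an elevated session as a Domain Admin on a restored,
  replicating domain controller; $AttackStart is the earliest time the
  intruder is believed to have had access (the default is a placeholder).
#>
param(
    [datetime]$AttackStart = (Get-Date).AddDays(-14),  # assumed start of the attack window
    [switch]$Execute                                   # omit to report only
)

Import-Module ActiveDirectory

# 1. Replication health. A DC that has not converged after the restore can
#    reintroduce objects the attacker created.
repadmin /replsummary | Out-Host

# 2. Accounts created or changed inside the attack window. Intruders commonly
#    add accounts or elevate existing ones before pushing the encryptor.
$privilegedPattern = 'CN=(Domain Admins|Enterprise Admins|Schema Admins|Administrators),'
Get-ADUser -Filter { whenCreated -ge $AttackStart -or whenChanged -ge $AttackStart } `
           -Properties whenCreated, whenChanged, MemberOf |
    Select-Object SamAccountName, Enabled, whenCreated, whenChanged,
        @{ n = 'DirectlyPrivileged'; e = { [bool]($_.MemberOf -match $privilegedPattern) } } |
    Format-Table -AutoSize

# 3. Current privileged membership, to diff against the pre-incident baseline
#    (-Recursive expands nested groups).
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    "== $g =="
    Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty SamAccountName
}

# 4. krbtgt reset. Tickets the attacker forged or stole stay usable until the
#    krbtgt password has changed twice, because the KDC still accepts the
#    previous password. Reset once now, let it replicate, then run again with
#    -Execute at least 10 hours later (the default maximum ticket lifetime)
#    so the second reset does not break services that hold valid tickets.
if ($Execute) {
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $newPassword
    Get-ADUser krbtgt -Properties PasswordLastSet | Select-Object SamAccountName, PasswordLastSet
} else {
    'Report only. Re-run with -Execute to reset the krbtgt password.'
}
```

Run it without -Execute first and compare the account and group listings against whatever pre-incident documentation survives; any account or privileged membership that appeared during the attack window should be disabled before users are let back in. The krbtgt reset is deliberately gated because the second reset is what actually invalidates stolen tickets, and doing both back to back without waiting for replication and ticket expiry takes down everything that authenticates with Kerberos.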


"For the most part, the production operation never missed a beat and we did not miss any customer deliverables."

Over the following weeks, key milestones in the recovery were reached through close cooperation between Progent's consultants and the customer:

  • Internal web applications were returned to operation without losing any information.
  • The MailStore email archive server, holding more than four million archived messages, was restored and made available to users.
  • The CRM, customer orders, invoicing, accounts payable, accounts receivable and inventory control modules were 100 percent functional.
  • A new Palo Alto Networks PA-850 firewall was deployed.
  • Most of the user PCs were functioning as before the incident.

"A huge amount of what was accomplished in the initial days is mostly a blur for me, but we will not forget the commitment each of the team accomplished to help get our company back. I have been working together with Progent for the past ten years, possibly more, and every time Progent has shined and delivered as promised. This situation was a life saver."

Conclusion
A potentially company-ending disaster was averted by hard-working experts, a broad range of technical expertise, and tight teamwork. In hindsight, the intrusion described here could likely have been detected and contained with current security tooling, ISO/IEC 27001-aligned practices, staff training, properly rehearsed incident response procedures, and systems kept current with security patches. The reality, however, is that state-sponsored and organized criminal threat actors from Russia, North Korea, China and elsewhere are tireless and remain an ongoing threat. If you do fall victim to a ransomware attack, Progent's team has proven experience in crypto-ransomware defense, remediation, and recovery of business systems.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were contributing), I'm grateful for making it so I could get some sleep after we got through the initial fire. Everyone did an amazing job, and if any of you guys is in the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Arlington a variety of remote monitoring and security assessment services to help reduce your exposure to crypto-ransomware. These services include behavioral and machine-learning detection to catch new ransomware variants that slip past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses behavioral analysis to defend physical and virtual endpoints against modern malware such as ransomware and fileless attacks, which routinely evade traditional signature-matching AV tools. ProSight ASM protects on-premises and cloud-based resources and provides a single platform covering the whole attack lifecycle: blocking, intrusion detection, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback using the Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly identified threats. One caveat worth knowing: most ransomware families delete existing shadow copies before they start encrypting, so VSS-based rollback is only as good as the agent's ability to stop that step. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services offer economical multi-layer protection for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and response to attacks from all vectors. ProSight ESP provides firewall protection, intrusion alerts, device management, and web filtering through tools integrated in a single agent managed from a unified console. Progent's data protection and virtualization experts can help your business design and implement a ProSight ESP deployment that addresses your organization's specific needs and helps you demonstrate compliance with government and industry information security standards. Progent will help you define and implement the security policies that ProSight ESP enforces, monitor your environment, and respond to alerts that require immediate attention. Progent can also help you set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover rapidly from a destructive attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and mid-sized businesses an affordable end-to-end service for reliable backup and disaster recovery. For a low monthly price, ProSight DPS automates your backup processes and enables rapid recovery of vital data, applications and virtual machines that have become unavailable or damaged through hardware failure, software faults, disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to a local device, or to both. Progent's backup and recovery specialists can provide advanced support to configure ProSight Data Protection Services to meet government and industry regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, whenever needed, can help you recover your critical information. Read more about ProSight DPS Managed Backup.
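Whichever target a backup lands on, the lesson of the case study above is that backups reachable from the compromised network get encrypted too, and that a restore is only useful if the copy you are restoring from is intact. The script below is an added example, not part of ProSight DPS or any Progent tooling, of a pre-restore sanity check: it compares every file in a backup tree against a hash manifest that was kept on media the ransomware could not reach, and flags files whose contents look like ciphertext. The paths, the manifest layout (CSV with Path and SHA256 columns) and the extension list are assumptions for the example.

```powershell
<#
  Backup sanity check before a restore. Added example, not part of ProSight DPS.
  Assumptions: $BackupRoot is a hypothetical mounted backup share or local copy;
  $Manifest is a hypothetical CSV of "Path,SHA256" captured when the backup was
  taken and kept where the ransomware could not reach it (offline media or a
  write-once bucket). Files whose bytes look uniformly random are reported as
  probably encrypted.
#>
param(
    [string]$BackupRoot = 'D:\Backups\latest',        # hypothetical path
    [string]$Manifest   = 'E:\offline\manifest.csv',  # hypothetical offline copy
    [double]$EntropyThreshold = 7.9                   # bits per byte; 8.0 is pure random
)

# Shannon entropy of a byte sample. Documents, databases and code sit well
# below 7.9; AES output sits at about 8.0.
function Get-ByteEntropy {
    param([byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object long[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $h -= $p * [Math]::Log($p, 2)
        }
    }
    return $h
}

# Ransomware commonly renames files as it encrypts them; Ryuk appended ".RYK".
# Assumed list; extend it from your own incident.
$suspectExt = @('.ryk', '.encrypted', '.locked')

$expected = @{}
Import-Csv $Manifest | ForEach-Object { $expected[$_.Path] = $_.SHA256 }

$report = foreach ($f in Get-ChildItem -Path $BackupRoot -File -Recurse) {
    $rel = $f.FullName.Substring($BackupRoot.Length).TrimStart('\')
    # Sample the first 64 KiB: enough to separate ciphertext from real content
    # and cheap over a large tree. Compressed archives also score high, so treat
    # the entropy flag as "needs a second look" rather than proof.
    $sample = New-Object byte[] 65536
    $fs = $f.OpenRead()
    try { $n = $fs.Read($sample, 0, $sample.Length) } finally { $fs.Dispose() }
    $ent = if ($n -gt 0) { Get-ByteEntropy -Bytes ([byte[]]$sample[0..($n - 1)]) } else { 0.0 }
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path        = $rel
        Entropy     = [Math]::Round($ent, 2)
        BadExt      = $suspectExt -contains $f.Extension.ToLower()
        HashMatches = if ($expected.ContainsKey($rel)) { $expected[$rel] -eq $hash } else { $null }
    }
}

# Files listed in the manifest but absent from disk are findings too.
$missing = @($expected.Keys | Where-Object { -not (Test-Path (Join-Path $BackupRoot $_)) })

$report |
    Where-Object { $_.BadExt -or $_.Entropy -ge $EntropyThreshold -or $_.HashMatches -eq $false } |
    Format-Table -AutoSize
"Missing from backup: $($missing.Count)"
```

A clean run prints an empty table and zero missing files; any row with a bad extension, a hash mismatch, or entropy at the threshold means that copy was touched after the manifest was written and should not be trusted as the restore source. The manifest only helps if it was written at backup time and stored somewhere the attacker's credentials could not reach, which is the same property that saved the offline manufacturing backup in the case study.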

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that builds on the infrastructure of leading information security vendors to deliver web-based management and world-class protection for your email traffic. The Email Guard managed service combines cloud-based filtering with an on-premises security gateway appliance to defend against spam, viruses, denial-of-service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud protection layer serves as the first barrier and stops the vast majority of threats before they reach your network firewall, reducing your exposure to inbound attacks and saving bandwidth and storage. Email Guard's on-premises gateway provides a deeper level of analysis for incoming mail. For outgoing mail, the on-premises gateway provides anti-virus and anti-spam scanning, data leak protection, and email encryption. The on-premises gateway can also work with Microsoft Exchange Server to monitor and protect internal mail that both originates and terminates inside your security perimeter. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller businesses to map, monitor, reconfigure and troubleshoot their connectivity hardware such as switches, firewalls and access points, plus servers, printers, client computers and other networked devices. Using current remote monitoring and management technology, ProSight WAN Watch keeps network maps up to date, copies and displays the configuration of virtually every device on your network, monitors performance, and raises alerts when problems are detected. By automating complex management and troubleshooting tasks, WAN Watch can take hours off common jobs such as producing network diagrams, expanding your network, locating devices that need important updates, or isolating performance problems. Find out more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses remote monitoring and management technology to keep your network running efficiently by tracking the state of the critical assets that power your business. When ProSight LAN Watch detects a problem, an alert is sent automatically to your designated IT staff and to your assigned Progent engineer so that emerging issues can be resolved before they disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-sized business can have its critical servers and applications hosted in a secure, fault-tolerant data center on a fast virtual machine host set up and managed by Progent's network support experts. Under the ProSight Virtual Hosting model, the client owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved immediately to different hardware without a lengthy and difficult reinstallation. With ProSight Virtual Hosting, you are not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that lets you capture, update, find and protect information about your network infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be alerted about upcoming expirations of SSL certificates, domains or warranties. By keeping your IT documentation current and organized, you can cut as much as half of the time spent searching for vital information about your network. ProSight IT Asset Management provides a central location for storing and collaborating on all documents related to managing your infrastructure, such as standard operating procedures and how-to guides. ProSight IT Asset Management also supports a high degree of automation for collecting and correlating IT information. Whether you're making enhancements, performing routine maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you need when you need it. Find out more about Progent's ProSight IT Asset Management service.

For 24/7 crypto-ransomware remediation experts in Arlington, call Progent at 800-993-9400 or go to Contact Progent.