Ransomware : Your Crippling Information Technology Nightmare
Ransomware  Recovery ExpertsRansomware has become an escalating cyberplague that presents an enterprise-level danger for businesses unprepared for an assault. Multiple generations of ransomware like the Reveton, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for a long time and continue to cause destruction. Recent versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, as well as frequent as yet unnamed viruses, not only encrypt on-line data files but also infect any available system backups. Files replicated to off-site disaster recovery sites can also be rendered useless. In a poorly architected system, it can make any restoration useless and basically sets the datacenter back to zero.

Getting back applications and information following a ransomware intrusion becomes a sprint against time as the victim struggles to contain and clear the virus and to resume mission-critical operations. Since crypto-ransomware requires time to move laterally, penetrations are often launched at night, when successful penetrations may take longer to uncover. This multiplies the difficulty of promptly mobilizing and coordinating a knowledgeable response team.

Progent has a variety of help services for protecting businesses from ransomware events. These include team member training to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of modern security gateways with artificial intelligence technology to intelligently detect and suppress day-zero cyber threats. Progent in addition offers the assistance of seasoned ransomware recovery engineers with the talent and perseverance to restore a breached system as soon as possible.

Progent's Ransomware Restoration Support Services
Subsequent to a ransomware event, paying the ransom in Bitcoin cryptocurrency does not guarantee that cyber hackers will return the keys to unencrypt all your data. Kaspersky determined that 17% of ransomware victims never recovered their data after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is well above the usual ransomware demands, which ZDNET estimates to be around $13,000. The other path is to setup from scratch the mission-critical parts of your Information Technology environment. Absent the availability of complete information backups, this calls for a broad range of IT skills, top notch team management, and the capability to work 24x7 until the recovery project is completed.

For twenty years, Progent has offered professional IT services for companies in Atlanta and throughout the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have been awarded high-level industry certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have garnered internationally-renowned certifications including CISA, CISSP, CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has expertise with financial systems and ERP software solutions. This breadth of expertise affords Progent the ability to efficiently ascertain necessary systems and integrate the remaining pieces of your Information Technology environment after a ransomware event and assemble them into an operational system.

Progent's ransomware team deploys powerful project management systems to coordinate the sophisticated recovery process. Progent understands the urgency of working rapidly and in unison with a client's management and IT resources to assign priority to tasks and to put key applications back on-line as fast as humanly possible.

Client Story: A Successful Ransomware Penetration Recovery
A business engaged Progent after their company was attacked by the Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by North Korean state sponsored criminal gangs, possibly using approaches leaked from the United States National Security Agency. Ryuk attacks specific organizations with limited tolerance for disruption and is among the most profitable instances of ransomware viruses. High publicized organizations include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in Chicago with around 500 staff members. The Ryuk attack had frozen all essential operations and manufacturing capabilities. Most of the client's backups had been online at the time of the intrusion and were encrypted. The client was pursuing financing for paying the ransom (in excess of $200,000) and praying for the best, but in the end called Progent.


"I canít thank you enough in regards to the support Progent gave us during the most stressful time of (our) companyís survival. We most likely would have paid the cybercriminals except for the confidence the Progent team gave us. That you were able to get our e-mail system and production applications back sooner than seven days was incredible. Each expert I spoke to or messaged at Progent was totally committed on getting us back online and was working breakneck pace to bail us out."

Progent worked hand in hand the client to rapidly determine and assign priority to the mission critical systems that needed to be addressed in order to continue departmental operations:

  • Active Directory
  • E-Mail
  • Financials/MRP
To get going, Progent adhered to ransomware event mitigation industry best practices by halting lateral movement and clearing infected systems. Progent then started the steps of bringing back online Microsoft Active Directory, the foundation of enterprise systems built upon Microsoft Windows Server technology. Microsoft Exchange messaging will not function without Windows AD, and the client's MRP software leveraged Microsoft SQL, which depends on Windows AD for authentication to the information.

Within two days, Progent was able to recover Active Directory to its pre-attack state. Progent then helped perform setup and hard drive recovery on key servers. All Microsoft Exchange Server data and attributes were usable, which greatly helped the restore of Exchange. Progent was able to collect intact OST data files (Microsoft Outlook Offline Data Files) on various workstations and laptops to recover email data. A recent offline backup of the client's financials/MRP software made it possible to restore these essential services back available to users. Although a lot of work was left to recover completely from the Ryuk virus, essential systems were returned to operations rapidly:


"For the most part, the production manufacturing operation survived unscathed and we made all customer shipments."

Throughout the following few weeks important milestones in the restoration process were completed through tight cooperation between Progent team members and the client:

  • In-house web sites were returned to operation with no loss of data.
  • The MailStore Server with over 4 million historical emails was brought online and accessible to users.
  • CRM/Orders/Invoices/AP/AR/Inventory Control functions were 100% restored.
  • A new Palo Alto Networks 850 security appliance was set up and programmed.
  • Most of the user desktops were functioning as before the incident.

"So much of what transpired in the early hours is nearly entirely a fog for me, but I will not forget the commitment each and every one of your team accomplished to give us our business back. I have utilized Progent for the past ten years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered. This event was no exception but maybe more Herculean."

Conclusion
A likely business catastrophe was evaded with hard-working experts, a wide array of subject matter expertise, and tight collaboration. Although in analyzing the event afterwards the crypto-ransomware virus attack described here should have been shut down with current security solutions and recognized best practices, user and IT administrator training, and appropriate security procedures for data protection and keeping systems up to date with security patches, the reality is that government-sponsored cybercriminals from Russia, China and elsewhere are tireless and are not going away. If you do fall victim to a ransomware virus, remember that Progent's team of experts has a proven track record in ransomware virus defense, removal, and information systems recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), Iím grateful for making it so I could get some sleep after we made it through the most critical parts. All of you did an amazing effort, and if any of your team is visiting the Chicago area, dinner is my treat!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Atlanta a range of remote monitoring and security evaluation services designed to assist you to minimize the threat from ransomware. These services utilize next-generation artificial intelligence technology to detect new variants of crypto-ransomware that can escape detection by legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates next generation behavior analysis tools to guard physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which easily get by traditional signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and offers a single platform to automate the entire malware attack lifecycle including filtering, infiltration detection, mitigation, remediation, and forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer affordable multi-layer protection for physical and virtual servers, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and reacting to cyber threats from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, endpoint control, and web filtering via cutting-edge tools packaged within a single agent managed from a unified control. Progent's data protection and virtualization consultants can assist your business to plan and configure a ProSight ESP deployment that addresses your company's unique needs and that helps you demonstrate compliance with legal and industry information security standards. Progent will assist you define and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for immediate action. Progent can also assist you to install and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized organizations a low cost end-to-end service for reliable backup/disaster recovery. For a low monthly price, ProSight Data Protection Services automates your backup activities and allows rapid recovery of vital data, applications and VMs that have become unavailable or corrupted as a result of component breakdowns, software bugs, natural disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to an on-promises device, or mirrored to both. Progent's cloud backup consultants can deliver advanced expertise to set up ProSight Data Protection Services to be compliant with regulatory standards such as HIPAA, FIRPA, and PCI and, when necessary, can assist you to recover your business-critical data. Learn more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading data security companies to deliver centralized management and comprehensive protection for all your inbound and outbound email. The hybrid architecture of Progent's Email Guard combines a Cloud Protection Layer with a local gateway appliance to provide advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The Cloud Protection Layer acts as a first line of defense and blocks most unwanted email from reaching your security perimeter. This reduces your vulnerability to inbound threats and conserves system bandwidth and storage. Email Guard's on-premises gateway device provides a further level of analysis for incoming email. For outgoing email, the local gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also assist Exchange Server to monitor and safeguard internal email that stays inside your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller organizations to map out, track, reconfigure and debug their networking appliances like routers, firewalls, and load balancers as well as servers, printers, endpoints and other devices. Using cutting-edge RMM technology, WAN Watch ensures that infrastructure topology diagrams are kept current, captures and manages the configuration information of virtually all devices on your network, tracks performance, and generates notices when issues are detected. By automating tedious management and troubleshooting activities, WAN Watch can knock hours off common tasks like making network diagrams, reconfiguring your network, locating appliances that require critical software patches, or isolating performance problems. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management techniques to help keep your network running at peak levels by checking the health of vital assets that power your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your designated IT staff and your Progent consultant so all looming problems can be addressed before they can impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual host configured and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the OS platforms, and the applications. Because the environment is virtualized, it can be moved easily to a different hardware environment without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and protect information about your network infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be warned about impending expirations of SSLs or domains. By updating and organizing your IT documentation, you can eliminate as much as half of time wasted searching for critical information about your network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents related to managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether youíre planning improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you need the instant you need it. Read more about ProSight IT Asset Management service.
For Atlanta 24x7 CryptoLocker Cleanup Consultants, contact Progent at 800-462-8800 or go to Contact Progent.