Ransomware : Your Feared IT Disaster
Ransomware  Recovery ExpertsRansomware has become a modern cyberplague that poses an extinction-level threat for businesses unprepared for an attack. Different iterations of crypto-ransomware like the Dharma, WannaCry, Locky, Syskey and MongoLock cryptoworms have been out in the wild for years and still inflict damage. Newer strains of ransomware like Ryuk and Hermes, along with additional as yet unnamed newcomers, not only encrypt on-line information but also infect any configured system protection. Data synched to off-site disaster recovery sites can also be rendered useless. In a vulnerable environment, it can make automatic recovery useless and effectively knocks the network back to square one.

Getting back online services and information following a crypto-ransomware attack becomes a sprint against the clock as the targeted organization struggles to stop the spread and cleanup the virus and to restore business-critical activity. Because ransomware takes time to replicate, attacks are usually launched on weekends, when successful penetrations are likely to take longer to detect. This multiplies the difficulty of rapidly marshalling and coordinating a knowledgeable response team.

Progent has a variety of services for securing organizations from ransomware attacks. These include team member training to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of the latest generation security appliances with AI capabilities to rapidly detect and extinguish day-zero threats. Progent in addition provides the assistance of expert ransomware recovery consultants with the talent and commitment to re-deploy a breached network as urgently as possible.

Progent's Ransomware Restoration Help
Following a crypto-ransomware attack, even paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that cyber hackers will return the codes to unencrypt any of your information. Kaspersky Labs ascertained that seventeen percent of ransomware victims never restored their data after having sent off the ransom, resulting in more losses. The risk is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is greatly above the typical ransomware demands, which ZDNET averages to be approximately $13,000. The fallback is to piece back together the critical components of your Information Technology environment. Without access to full information backups, this requires a broad range of skill sets, top notch project management, and the capability to work continuously until the task is completed.

For two decades, Progent has offered professional Information Technology services for businesses in Atlanta and throughout the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have earned top certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have earned internationally-renowned certifications including CISM, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has expertise in accounting and ERP applications. This breadth of expertise affords Progent the skills to rapidly understand critical systems and integrate the surviving components of your IT system following a crypto-ransomware event and assemble them into an operational network.

Progent's recovery team of experts has top notch project management applications to coordinate the complex recovery process. Progent knows the urgency of working swiftly and in concert with a client's management and IT team members to assign priority to tasks and to put essential applications back on-line as fast as possible.

Client Case Study: A Successful Ransomware Incident Response
A business engaged Progent after their company was brought down by the Ryuk crypto-ransomware. Ryuk is believed to have been launched by North Korean government sponsored cybercriminals, possibly adopting technology exposed from the United States NSA organization. Ryuk targets specific businesses with little tolerance for disruption and is one of the most lucrative examples of ransomware viruses. High publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in the Chicago metro area with around 500 employees. The Ryuk attack had disabled all company operations and manufacturing processes. The majority of the client's data backups had been online at the time of the attack and were damaged. The client was taking steps for paying the ransom demand (in excess of $200,000) and praying for good luck, but in the end brought in Progent.


"I canít thank you enough in regards to the care Progent provided us throughout the most critical time of (our) businesses life. We had little choice but to pay the hackers behind this attack if it wasnít for the confidence the Progent team gave us. The fact that you could get our e-mail system and critical servers back online in less than a week was incredible. Every single expert I interacted with or communicated with at Progent was hell bent on getting us restored and was working day and night to bail us out."

Progent worked with the client to rapidly determine and assign priority to the critical applications that had to be addressed in order to resume company functions:

  • Microsoft Active Directory
  • Electronic Messaging
  • MRP System
To start, Progent adhered to Anti-virus incident mitigation best practices by stopping lateral movement and clearing up compromised systems. Progent then began the process of restoring Microsoft Active Directory, the core of enterprise networks built on Microsoft Windows technology. Microsoft Exchange email will not function without Active Directory, and the businessesí accounting and MRP software used Microsoft SQL, which depends on Windows AD for access to the database.

Within 48 hours, Progent was able to re-build Active Directory to its pre-intrusion state. Progent then initiated rebuilding and hard drive recovery on mission critical applications. All Exchange Server ties and configuration information were usable, which greatly helped the restore of Exchange. Progent was able to assemble non-encrypted OST files (Outlook Offline Folder Files) on staff PCs in order to recover mail information. A not too old off-line backup of the client's accounting systems made them able to recover these vital programs back available to users. Although significant work was left to recover totally from the Ryuk attack, the most important services were recovered rapidly:


"For the most part, the production manufacturing operation was never shut down and we did not miss any customer deliverables."

During the next month key milestones in the recovery process were completed through close cooperation between Progent engineers and the client:

  • Self-hosted web sites were restored with no loss of data.
  • The MailStore Server with over four million historical emails was restored to operations and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control functions were fully restored.
  • A new Palo Alto 850 security appliance was deployed.
  • 90% of the desktop computers were back into operation.

"A huge amount of what transpired that first week is mostly a haze for me, but our team will not forget the countless hours all of the team put in to give us our business back. Iíve entrusted Progent for at least 10 years, maybe more, and every time I needed help Progent has impressed me and delivered. This time was no exception but maybe more Herculean."

Conclusion
A potential enterprise-killing catastrophe was averted due to hard-working professionals, a wide spectrum of knowledge, and close collaboration. Although in retrospect the crypto-ransomware attack detailed here would have been prevented with current cyber security technology solutions and best practices, team education, and properly executed incident response procedures for data backup and keeping systems up to date with security patches, the fact remains that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a crypto-ransomware incident, feel confident that Progent's team of experts has substantial experience in crypto-ransomware virus blocking, removal, and data restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), Iím grateful for allowing me to get some sleep after we made it past the initial push. All of you did an incredible job, and if anyone that helped is in the Chicago area, dinner is my treat!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Atlanta a variety of remote monitoring and security evaluation services designed to help you to minimize the threat from ransomware. These services include modern machine learning capability to detect new variants of ransomware that are able to evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that utilizes next generation behavior machine learning technology to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which routinely get by traditional signature-based anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a unified platform to automate the entire malware attack lifecycle including blocking, infiltration detection, containment, remediation, and forensics. Top features include single-click rollback with Windows VSS and real-time system-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver economical in-depth protection for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and responding to security threats from all vectors. ProSight ESP provides firewall protection, intrusion alerts, device management, and web filtering through leading-edge technologies packaged within one agent accessible from a single console. Progent's security and virtualization consultants can assist your business to design and configure a ProSight ESP deployment that addresses your company's specific requirements and that allows you demonstrate compliance with government and industry information protection standards. Progent will assist you define and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that call for immediate action. Progent's consultants can also assist your company to set up and verify a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business rapidly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized businesses an affordable end-to-end service for secure backup/disaster recovery (BDR). For a low monthly price, ProSight DPS automates your backup processes and allows fast restoration of vital files, applications and virtual machines that have become lost or corrupted as a result of component breakdowns, software glitches, natural disasters, human error, or malware attacks like ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images/. Critical data can be protected on the cloud, to an on-promises device, or to both. Progent's cloud backup consultants can deliver advanced support to configure ProSight DPS to be compliant with government and industry regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, when needed, can help you to restore your critical information. Read more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top data security companies to provide centralized control and world-class security for all your email traffic. The powerful architecture of Progent's Email Guard integrates a Cloud Protection Layer with a local security gateway appliance to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps most unwanted email from making it to your network firewall. This reduces your vulnerability to inbound attacks and saves network bandwidth and storage space. Email Guard's onsite gateway device adds a deeper layer of analysis for incoming email. For outbound email, the local security gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The local gateway can also help Exchange Server to track and protect internal email traffic that originates and ends inside your security perimeter. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized businesses to map, track, optimize and debug their connectivity hardware such as routers, firewalls, and access points as well as servers, printers, endpoints and other devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch ensures that infrastructure topology diagrams are kept updated, captures and displays the configuration information of virtually all devices on your network, tracks performance, and sends alerts when potential issues are detected. By automating complex management activities, WAN Watch can knock hours off ordinary chores like network mapping, expanding your network, locating appliances that require important updates, or identifying the cause of performance problems. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management techniques to keep your network operating efficiently by tracking the health of vital assets that drive your information system. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your specified IT personnel and your assigned Progent engineering consultant so any potential issues can be resolved before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host set up and managed by Progent's network support professionals. Under the ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be moved easily to a different hosting solution without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not tied one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and safeguard information related to your network infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be alerted about upcoming expirations of SSLs or warranties. By updating and organizing your IT documentation, you can save as much as 50% of time wasted looking for vital information about your network. ProSight IT Asset Management includes a common repository for storing and sharing all documents required for managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether youíre planning improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need when you need it. Read more about Progent's ProSight IT Asset Management service.
For Atlanta 24/7/365 Ransomware Recovery Support Services, call Progent at 800-993-9400 or go to Contact Progent.