Ransomware : Your Crippling IT Nightmare
Ransomware  Remediation ProfessionalsRansomware has become a too-frequent cyberplague that presents an existential danger for organizations poorly prepared for an assault. Different iterations of crypto-ransomware like the CrySIS, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for many years and continue to inflict havoc. Modern strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit or Nephilim, along with more unnamed malware, not only do encryption of on-line critical data but also infect all configured system backups. Data replicated to cloud environments can also be encrypted. In a poorly designed system, it can make any restore operations hopeless and effectively sets the network back to square one.

Getting back online programs and data following a crypto-ransomware outage becomes a race against time as the targeted business fights to contain the damage and clear the virus and to resume mission-critical activity. Due to the fact that ransomware needs time to move laterally, attacks are usually sprung during nights and weekends, when penetrations tend to take more time to detect. This multiplies the difficulty of promptly mobilizing and orchestrating a knowledgeable mitigation team.

Progent offers a variety of support services for protecting enterprises from ransomware attacks. Among these are team training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of modern security solutions with AI technology to intelligently detect and extinguish zero-day threats. Progent in addition offers the services of veteran ransomware recovery professionals with the track record and perseverance to reconstruct a breached network as soon as possible.

Progent's Crypto-Ransomware Recovery Support Services
Subsequent to a ransomware attack, sending the ransom demands in cryptocurrency does not provide any assurance that distant criminals will respond with the codes to unencrypt any of your data. Kaspersky Labs ascertained that 17% of ransomware victims never restored their information even after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the usual ransomware demands, which ZDNET determined to be approximately $13,000. The other path is to setup from scratch the vital elements of your Information Technology environment. Absent access to essential system backups, this requires a broad range of skill sets, professional team management, and the capability to work continuously until the task is completed.

For decades, Progent has made available professional IT services for companies in Baltimore and across the U.S. and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have been awarded top certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have garnered internationally-recognized industry certifications including CISA, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise with financial systems and ERP applications. This breadth of experience affords Progent the skills to knowledgably understand important systems and integrate the surviving pieces of your network system after a ransomware event and rebuild them into a functioning network.

Progent's ransomware group uses powerful project management systems to orchestrate the complex recovery process. Progent understands the urgency of working rapidly and in unison with a client's management and IT staff to prioritize tasks and to get critical systems back online as soon as humanly possible.

Client Case Study: A Successful Ransomware Intrusion Restoration
A customer engaged Progent after their network was crashed by Ryuk ransomware. Ryuk is generally considered to have been created by Northern Korean state hackers, suspected of using technology leaked from Americaís NSA organization. Ryuk goes after specific companies with limited ability to sustain disruption and is one of the most lucrative examples of ransomware malware. Well Known targets include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business located in the Chicago metro area and has about 500 staff members. The Ryuk attack had shut down all essential operations and manufacturing processes. The majority of the client's backups had been online at the time of the intrusion and were damaged. The client considered paying the ransom demand (exceeding two hundred thousand dollars) and praying for the best, but ultimately brought in Progent.


"I cannot say enough about the care Progent provided us during the most critical time of (our) businesses survival. We most likely would have paid the criminal gangs if not for the confidence the Progent team provided us. The fact that you could get our e-mail and production servers back online quicker than 1 week was earth shattering. Every single expert I interacted with or communicated with at Progent was hell bent on getting us restored and was working day and night on our behalf."

Progent worked together with the customer to rapidly determine and prioritize the key services that had to be restored to make it possible to resume departmental operations:

  • Windows Active Directory
  • Email
  • Financials/MRP
To start, Progent adhered to ransomware penetration response industry best practices by halting lateral movement and disinfecting systems. Progent then started the process of bringing back online Microsoft AD, the heart of enterprise environments built on Microsoft technology. Exchange messaging will not operate without Active Directory, and the client's MRP applications utilized Microsoft SQL, which needs Active Directory services for security authorization to the information.

Within two days, Progent was able to recover Windows Active Directory to its pre-penetration state. Progent then initiated reinstallations and hard drive recovery on needed applications. All Exchange Server data and attributes were intact, which accelerated the rebuild of Exchange. Progent was able to assemble intact OST files (Outlook Offline Data Files) on user desktop computers and laptops in order to recover email information. A not too old off-line backup of the customerís manufacturing systems made it possible to restore these required services back online for users. Although a large amount of work remained to recover completely from the Ryuk damage, core services were restored quickly:


"For the most part, the manufacturing operation was never shut down and we made all customer deliverables."

Throughout the following month critical milestones in the restoration project were achieved through close cooperation between Progent engineers and the client:

  • In-house web sites were restored with no loss of data.
  • The MailStore Exchange Server exceeding four million historical messages was brought on-line and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable/AR/Inventory Control capabilities were 100 percent recovered.
  • A new Palo Alto 850 security appliance was installed and configured.
  • 90% of the user PCs were operational.

"A lot of what was accomplished in the initial days is mostly a haze for me, but my team will not forget the urgency all of the team put in to give us our business back. Iíve utilized Progent for the past ten years, maybe more, and every time I needed help Progent has shined and delivered. This time was a life saver."

Conclusion
A possible enterprise-killing disaster was averted by results-oriented experts, a broad array of IT skills, and tight teamwork. Although in retrospect the crypto-ransomware penetration described here would have been identified and blocked with current security technology solutions and best practices, team training, and properly executed security procedures for information backup and applying software patches, the fact remains that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware incident, remember that Progent's roster of professionals has extensive experience in crypto-ransomware virus blocking, removal, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were involved), thanks very much for letting me get rested after we made it through the initial push. All of you did an amazing job, and if any of your guys is in the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Baltimore a portfolio of remote monitoring and security assessment services to assist you to minimize the threat from ransomware. These services utilize next-generation artificial intelligence technology to uncover new variants of ransomware that can escape detection by legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes cutting edge behavior-based analysis technology to defend physical and virtual endpoint devices against new malware attacks such as ransomware and file-less exploits, which easily get by legacy signature-based anti-virus products. ProSight Active Security Monitoring protects local and cloud-based resources and provides a single platform to address the complete threat lifecycle including filtering, identification, containment, remediation, and forensics. Top capabilities include one-click rollback using Windows VSS and automatic system-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable in-depth protection for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and reacting to cyber threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device control, and web filtering through cutting-edge tools packaged within one agent accessible from a single console. Progent's data protection and virtualization consultants can assist your business to plan and configure a ProSight ESP deployment that meets your organization's specific requirements and that helps you prove compliance with government and industry information security regulations. Progent will help you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for urgent attention. Progent's consultants can also assist you to install and verify a backup and restore system like ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and mid-sized businesses an affordable end-to-end solution for secure backup/disaster recovery. Available at a low monthly cost, ProSight Data Protection Services automates your backup activities and allows fast restoration of critical files, applications and virtual machines that have become unavailable or corrupted as a result of hardware breakdowns, software bugs, natural disasters, human mistakes, or malicious attacks like ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to a local device, or mirrored to both. Progent's cloud backup specialists can deliver advanced expertise to set up ProSight DPS to be compliant with regulatory standards such as HIPAA, FINRA, and PCI and, whenever needed, can help you to recover your business-critical data. Read more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top data security vendors to provide centralized management and world-class protection for your email traffic. The hybrid structure of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway device to provide complete defense against spam, viruses, Denial of Service Attacks, DHAs, and other email-borne malware. The cloud filter serves as a preliminary barricade and blocks the vast majority of unwanted email from reaching your security perimeter. This reduces your vulnerability to inbound attacks and saves system bandwidth and storage space. Email Guard's on-premises security gateway device adds a deeper level of analysis for incoming email. For outgoing email, the onsite security gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Exchange Server to track and safeguard internal email that stays inside your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller businesses to diagram, monitor, reconfigure and troubleshoot their networking appliances such as routers and switches, firewalls, and access points plus servers, client computers and other networked devices. Incorporating state-of-the-art RMM technology, WAN Watch makes sure that network diagrams are always current, captures and displays the configuration of virtually all devices connected to your network, tracks performance, and sends alerts when issues are detected. By automating time-consuming management processes, ProSight WAN Watch can knock hours off common chores such as network mapping, reconfiguring your network, finding devices that need critical updates, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) technology to keep your IT system running efficiently by tracking the health of critical computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your designated IT management personnel and your Progent consultant so all looming issues can be resolved before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual machine host set up and managed by Progent's network support professionals. With the ProSight Virtual Hosting model, the client owns the data, the operating system software, and the apps. Because the environment is virtualized, it can be moved easily to a different hardware solution without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, retrieve and safeguard information related to your IT infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or warranties. By updating and organizing your IT infrastructure documentation, you can eliminate as much as 50% of time spent looking for critical information about your network. ProSight IT Asset Management features a common repository for storing and sharing all documents required for managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether youíre making enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you need when you need it. Read more about Progent's ProSight IT Asset Management service.
For Baltimore 24x7x365 Crypto-Ransomware Removal Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.