Ransomware : Your Crippling Information Technology Catastrophe
Ransomware Recovery Professionals

Crypto-ransomware has become an escalating cyber pandemic that represents an existential threat to organizations unprepared for an attack. Versions of ransomware such as CrySIS, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been replicating for years and continue to inflict damage. Modern strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, along with additional as yet unnamed variants, not only encrypt online data files but also infiltrate and disable many of the system protections they can reach. Information replicated to cloud environments can also be corrupted. In a poorly designed environment, this can render any recovery hopeless and essentially knocks the datacenter back to square one.

Getting services and data back online following a crypto-ransomware outage becomes a sprint against time as the targeted organization fights to stop the spread, remove the ransomware, and resume enterprise-critical operations. Since crypto-ransomware needs time to replicate, attacks are frequently launched at night, when they take longer to discover. This compounds the difficulty of promptly assembling and orchestrating a qualified response team.

Progent offers an assortment of support services for protecting organizations from crypto-ransomware attacks. Among these are staff education to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of modern security appliances with machine learning technology to quickly discover and extinguish zero-day cyber attacks. Progent in addition provides the services of veteran crypto-ransomware recovery engineers with the talent and perseverance to restore a compromised network as quickly as possible.

Progent's Ransomware Restoration Support Services
After a crypto-ransomware attack, sending the ransom in cryptocurrency does not ensure that the cyber criminals will return the keys needed to decipher any or all of your files. Kaspersky found that 17% of crypto-ransomware victims never recovered their data even after paying the ransom, resulting in increased losses. Paying is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the typical crypto-ransomware demand, which ZDNET estimates to average around $13,000. The fallback is to piece back together the critical components of your Information Technology environment. Without access to full information backups, this requires a broad complement of skills, well-coordinated project management, and the ability to work continuously until the task is done.

For decades, Progent has offered professional Information Technology services for companies in Baltimore and throughout the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have earned high-level certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial management and ERP software solutions. This breadth of experience allows Progent to efficiently identify the critical systems, organize the remaining parts of your computer network environment after a ransomware event, and configure them into a functioning network.

Progent's ransomware team of experts deploys state-of-the-art project management systems to orchestrate the complex restoration process. Progent appreciates the importance of acting quickly and in concert with a customer's management and IT staff to prioritize tasks and get essential services back online as fast as possible.

Business Case Study: A Successful Ransomware Incident Recovery
A small business hired Progent after their company was penetrated by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state cybercriminals, suspected of using technology exposed from the United States National Security Agency. Ryuk targets specific businesses with little tolerance for disruption and is one of the most lucrative examples of ransomware. Highly publicized victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business located in the Chicago metro area with about 500 workers. The Ryuk attack had frozen all company operations and manufacturing capabilities. Most of the client's information backups had been online at the time of the attack and were eventually encrypted. The client was pursuing financing to pay the ransom (exceeding $200K) and hoping for good luck, but ultimately brought in Progent.


"I cannot say enough about the expertise Progent gave us during the most fearful period of (our) business's life. We may have had to pay the hackers behind this attack if it wasn't for the confidence the Progent group provided us. That you were able to get our e-mail and production applications back on-line in less than one week was earth shattering. Each consultant I talked with or e-mailed at Progent was laser focused on getting us restored and was working all day and night on our behalf."

Progent worked with the customer to quickly identify and prioritize the mission-critical elements that needed to be recovered in order to resume departmental functions:

  • Active Directory
  • Electronic Mail
  • MRP System

To start, Progent followed ransomware incident response best practices by halting lateral movement and disinfecting systems. Progent then began the task of restoring Windows Active Directory, the foundation of enterprise environments built on Microsoft technology. Exchange messaging will not function without AD, and the customer's MRP system used SQL Server, which relies on Active Directory to authenticate access to the data.

In less than 48 hours, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then rebuilt mission-critical systems and recovered their hard drives. All Microsoft Exchange Server schema and configuration information was usable, which facilitated the restore of Exchange. Progent was also able to gather local OST files (Outlook Offline Data Files) from various PCs and laptops to recover email data. A relatively recent offline backup of the customer's accounting software made it possible to return these vital services to users. Although significant work still had to be done to recover fully from the Ryuk attack, core services were recovered quickly:
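The OST-harvesting step above depends on first knowing which endpoints still hold intact Outlook cache files. The following PowerShell script is an added illustration of that inventory step; it is not Progent's code or any tool from the case study. It assumes the default Outlook cache location under each user profile and a placeholder report path, and it flags files whose name no longer ends in .ost, since ransomware commonly appends its own extension to the files it encrypts.

```powershell
# Added example (not from the original case study): inventory Outlook OST files on a
# Windows endpoint so a recovery team can see which machines hold recoverable mail data.
# Assumptions: default Outlook cache path %LOCALAPPDATA%\Microsoft\Outlook per user profile;
# $ReportPath is a placeholder to be replaced with the team's collection share.
param(
    [string]$ReportPath = 'C:\Recovery\ost-inventory.csv'   # placeholder path
)

# Every user profile's default Outlook cache folder that actually exists on this host
$searchRoots = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Microsoft\Outlook' } |
    Where-Object { Test-Path $_ }

$inventory = foreach ($root in $searchRoots) {
    # Match ".ost" anywhere in the name so renamed (encrypted) copies are still listed
    Get-ChildItem -Path $root -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '\.ost(\.|$)' } |
        ForEach-Object {
            [pscustomobject]@{
                ComputerName  = $env:COMPUTERNAME
                UserProfile   = ($_.FullName -split '\\')[2]
                Path          = $_.FullName
                SizeMB        = [math]::Round($_.Length / 1MB, 1)
                LastWriteTime = $_.LastWriteTime
                # Intact = still named *.ost; a foreign trailing extension suggests encryption
                Intact        = ($_.Extension -ieq '.ost')
            }
        }
}

# Show intact, most recently written caches first: those hold the freshest recoverable mail
$inventory | Sort-Object Intact, LastWriteTime -Descending | Format-Table -AutoSize

# Append this host's rows to the shared report for the recovery team
if ($inventory) {
    $inventory | Export-Csv -Path $ReportPath -NoTypeInformation -Append
}
```

Run it on each surviving workstation (or through your existing remote management tooling) and sort the combined CSV by user and LastWriteTime to decide which caches to copy off before any rebuild touches those machines.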


"For the most part, the production line operation never missed a beat and we produced all customer sales."

Throughout the next month, important milestones in the restoration project were reached through tight cooperation between Progent engineers and the customer:

  • In-house web applications were brought back up with no loss of data.
  • The MailStore Server containing more than 4 million historical emails was restored to operations and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control functions were completely recovered.
  • A new Palo Alto 850 security appliance was brought on-line.
  • Ninety percent of the user PCs were operational.

"A huge amount of what was accomplished those first few days is mostly a blur for me, but our team will not soon forget the care each member of the team put in to help get our company back. I've been working together with Progent for the past 10 years, maybe more, and every time Progent has outperformed my expectations and delivered. This situation was a Herculean accomplishment."

Conclusion
A potential business-ending catastrophe was averted by top-tier professionals, a wide spectrum of subject matter expertise, and close teamwork. Although in the post-mortem the crypto-ransomware incident detailed here would have been identified and disabled by up-to-date cyber security systems and NIST Cybersecurity Framework best practices, staff education, and well thought out security procedures for information backup and software patching, the reality remains that state-sponsored hackers from Russia, North Korea and elsewhere are tireless and an ongoing threat. If you do fall victim to a crypto-ransomware virus, remember that Progent's roster of professionals has extensive experience in crypto-ransomware defense, removal, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), I'm grateful for letting me get some sleep after we made it over the first week. Everyone did an incredible job, and if any of your guys is visiting the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Baltimore a range of online monitoring and security evaluation services designed to assist you to minimize your vulnerability to ransomware. These services utilize next-generation artificial intelligence technology to detect new variants of ransomware that can get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that utilizes next generation behavior-based analysis tools to guard physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which routinely escape legacy signature-matching AV tools. ProSight ASM protects local and cloud-based resources and provides a unified platform to automate the entire malware attack lifecycle including filtering, detection, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver economical in-depth protection for physical and virtual servers, desktops, smartphones, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and reacting to cyber threats from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, device control, and web filtering through cutting-edge tools incorporated within a single agent accessible from a single console. Progent's data protection and virtualization consultants can help your business to plan and implement a ProSight ESP environment that addresses your organization's specific requirements and that helps you achieve and demonstrate compliance with government and industry data security standards. Progent will assist you in defining and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require immediate attention. Progent can also help your company to set up and test a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business quickly after a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized businesses an affordable and fully managed service for reliable backup/disaster recovery (BDR). Available at a low monthly cost, ProSight DPS automates your backup activities and allows rapid recovery of vital data, applications and VMs that have become lost or corrupted due to component breakdowns, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware images. Important data can be protected in the cloud, on a local device, or mirrored to both. Progent's backup and recovery specialists can deliver world-class support to set up ProSight Data Protection Services to be compliant with regulatory requirements such as HIPAA, FERPA, and PCI and, when needed, can assist you to restore your critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top data security vendors to deliver web-based control and world-class protection for all your inbound and outbound email. The powerful architecture of the Email Guard managed service integrates cloud-based filtering with a local gateway device to offer advanced defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne malware. The Cloud Protection Layer acts as a first line of defense and blocks the vast majority of unwanted email from reaching your security perimeter. This decreases your exposure to external attacks and conserves network bandwidth and storage. Email Guard's on-premises gateway appliance provides a deeper level of inspection for incoming email. For outbound email, the onsite gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also assist Microsoft Exchange Server to monitor and protect internal email that originates and ends inside your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized organizations to diagram, track, reconfigure and troubleshoot their connectivity hardware such as routers and switches, firewalls, and wireless controllers as well as servers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network diagrams are always current, captures and displays the configuration information of virtually all devices on your network, tracks performance, and generates notices when potential issues are detected. By automating time-consuming management processes, WAN Watch can cut hours off common tasks such as network mapping, reconfiguring your network, finding devices that require critical updates, or isolating performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management technology to keep your IT system running efficiently by checking the health of the vital computers that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your designated IT management personnel and your assigned Progent engineering consultant so any looming issues can be addressed before they have a chance to impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected, fault-tolerant data center on a fast virtual host configured and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting service model, the client owns the data, the OS platforms, and the applications. Since the system is virtualized, it can be ported immediately to a different hardware solution without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and protect information about your IT infrastructure, procedures, applications, and services. You can instantly find passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can save up to 50% of the time spent searching for vital information about your network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents related to managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're making enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you require as soon as you need it. Find out more about ProSight IT Asset Management service.

For Baltimore 24/7/365 Crypto-Ransomware Removal Support Services, reach out to Progent at 800-993-9400 or go to Contact Progent.