Ransomware : Your Crippling IT Disaster
Crypto-ransomware has become a too-frequent cyber pandemic that poses an extinction-level danger for businesses unprepared for an attack. Versions of ransomware such as Reveton, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been around for years and still cause havoc. More recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, plus frequent unnamed variants, not only encrypt on-line data files but also infect most accessible system backups. Data replicated to cloud environments can also be ransomed. In a poorly designed system, this can make automated restore operations impossible and effectively sets the entire system back to zero.

Retrieving programs and data following a crypto-ransomware intrusion becomes a race against time as the victim tries its best to contain and remove the virus and to resume business-critical activity. Because crypto-ransomware needs time to replicate, attacks are frequently sprung on weekends and holidays, when they are likely to take longer to recognize. This multiplies the difficulty of rapidly assembling and organizing an experienced mitigation team.

Progent provides a range of help services for protecting businesses from crypto-ransomware events. Among these are user education to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security appliances with machine learning technology to automatically discover and disable zero-day threats. Progent also provides the assistance of seasoned ransomware recovery consultants with the talent and perseverance to rebuild a breached network as soon as possible.

Progent's Ransomware Restoration Services
After a crypto-ransomware event, paying the ransom demand in cryptocurrency does not ensure that merciless criminals will provide the keys needed to decrypt any of your information. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their information after having paid the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above the usual ransomware demand, which ZDNET determined to be in the range of $13,000. The alternative is to re-install the mission-critical components of your Information Technology environment. Without essential system backups, this requires a wide complement of skill sets, top-notch team management, and the willingness to work 24x7 until the task is done.

For decades, Progent has made available professional IT services for businesses in Birmingham and across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have attained high-level industry certifications in leading technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has expertise with financial systems and ERP application software. This breadth of expertise gives Progent the capability to rapidly identify the critical systems, consolidate the remaining components of your computer network environment following a crypto-ransomware event, and rebuild them into an operational network.

Progent's security group has state-of-the-art project management applications to coordinate the complex recovery process. Progent knows the importance of acting swiftly and in unison with a customer's management and IT resources to assign priority to tasks and to put the most important applications back on line as soon as humanly possible.

Client Story: A Successful Ransomware Virus Recovery
A small business hired Progent after their company was taken over by Ryuk crypto-ransomware. Ryuk is generally considered to have been launched by North Korean state-sponsored hackers, possibly adopting strategies leaked from America's NSA organization. Ryuk attacks specific organizations with little room for operational disruption and is among the most lucrative examples of ransomware. Highly publicized targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturer based in Chicago with around 500 employees. The Ryuk attack had shut down all company operations and manufacturing capabilities. Most of the client's system backups had been online at the beginning of the attack and were eventually encrypted. The client was pursuing financing for paying the ransom (in excess of $200,000) and hoping for the best, but in the end engaged Progent.

"I can't tell you enough about the help Progent provided us during the most critical period of (our) company's survival. We would have paid the Hackers if it wasn't for the confidence the Progent group provided us. That you could get our messaging and critical servers back into operation faster than a week was incredible. Each staff member I interacted with or communicated with at Progent was laser focused on getting us back online and was working at all hours on our behalf."

Progent worked with the client to rapidly assess and prioritize the essential services that needed to be addressed to make it possible to continue business functions:

  • Active Directory (AD)
  • E-Mail
  • MRP System
To begin, Progent followed malware incident mitigation best practices by stopping lateral movement and disinfecting systems. Progent then began the task of restoring Microsoft AD, the core of enterprise environments built upon Microsoft Windows Server technology. Microsoft Exchange messaging will not operate without AD, and the customer's MRP applications relied on SQL Server, which requires Windows AD for access to the data.
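The recovery sequence above is dictated by dependencies: AD first, then Exchange and SQL Server, then the MRP system on top of SQL Server. As an added illustration (not Progent's code, and with service names constructed from the case study), the following orders a restoration plan from a dependency map so that nothing is rebuilt before what it needs, and refuses a plan that contains a dependency cycle:

```python
"""Dependency-ordered recovery plan (added example, not from the page)."""
from collections import defaultdict

# Constructed dependency map: each service lists what must be restored first.
# Names are illustrative placeholders derived from the case study narrative.
CASE_STUDY_DEPENDENCIES = {
    "Active Directory": [],
    "Exchange": ["Active Directory"],
    "SQL Server": ["Active Directory"],
    "MRP": ["SQL Server"],
    "Web apps": ["Active Directory"],
}


def recovery_order(deps, priority):
    """Return the services in an order that restores every dependency before
    the service that needs it (Kahn's topological sort). When several services
    are ready at once, the one listed earliest in `priority` goes first.
    Raises ValueError on an unknown dependency or a cycle, since either means
    the written plan is unworkable and must be fixed before rebuilding starts."""
    indegree = {svc: 0 for svc in deps}
    dependents = defaultdict(list)
    for svc, needs in deps.items():
        for need in needs:
            if need not in deps:
                raise ValueError(f"{svc} depends on unknown service {need}")
            indegree[svc] += 1
            dependents[need].append(svc)

    rank = {svc: i for i, svc in enumerate(priority)}
    unranked = len(rank)  # services not in the priority list come last

    ready = sorted((s for s, d in indegree.items() if d == 0),
                   key=lambda s: rank.get(s, unranked))
    order = []
    while ready:
        svc = ready.pop(0)
        order.append(svc)
        for dep in dependents[svc]:
            indegree[dep] -= 1
            if indegree[dep] == 0:
                ready.append(dep)
        ready.sort(key=lambda s: rank.get(s, unranked))

    if len(order) != len(deps):
        stuck = sorted(s for s, d in indegree.items() if d > 0)
        raise ValueError(f"dependency cycle among: {stuck}")
    return order


if __name__ == "__main__":
    plan = recovery_order(CASE_STUDY_DEPENDENCIES,
                          ["Active Directory", "Exchange", "MRP"])
    for step, svc in enumerate(plan, 1):
        print(f"{step}. restore {svc}")
```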

In less than 2 days, Progent was able to recover Active Directory services to their pre-intrusion state. Progent then assisted with reinstallations and storage recovery for mission-critical applications. All Microsoft Exchange Server ties and attributes were intact, which greatly helped the restore of Exchange. Progent was able to find local OST files (Outlook Offline Folder files) on user PCs to recover mail information. A not-too-old off-line backup of the business's manufacturing systems made it possible to bring these essential programs back on-line. Although a lot of work still had to be done to recover fully from the Ryuk virus, the most important systems were restored quickly:

"For the most part, the production line operation survived unscathed and we made all customer sales."

Throughout the next month key milestones in the restoration project were made in close cooperation between Progent consultants and the customer:

  • Self-hosted web applications were returned to operation with no loss of data.
  • The MailStore archive server for Microsoft Exchange, containing more than 4 million historical emails, was spun up and available to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory functions were 100 percent operational.
  • A new Palo Alto Networks 850 security appliance was set up.
  • 90% of the desktops and laptops were functioning as before the incident.

"A lot of what occurred in the initial days is nearly entirely a fog for me, but my team will not soon forget the commitment each and every one of the team put in to give us our business back. I've entrusted Progent for at least 10 years, maybe more, and every time Progent has shined and delivered. This situation was the most impressive ever."

Conclusion
A probable business-killing disaster was averted thanks to top-tier experts, a broad spectrum of subject matter expertise, and close collaboration. Although in hindsight the crypto-ransomware attack detailed here could have been stopped with current security solutions and ISO/IEC 27001 best practices, team education, and appropriate incident response procedures for data protection and applying software patches, the fact is that state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a crypto-ransomware incident, remember that Progent's roster of professionals has extensive experience in ransomware virus defense, removal, and information systems recovery.

"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), I'm grateful for making it so I could get some sleep after we made it past the initial fire. All of you did an impressive effort, and if anyone is visiting the Chicago area, a great meal is on me!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Birmingham a portfolio of remote monitoring and security assessment services designed to help you minimize the threat from ransomware. These services use modern machine learning technology to detect zero-day strains of ransomware that are able to evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates cutting edge behavior-based analysis technology to guard physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which easily get by legacy signature-matching AV tools. ProSight ASM safeguards local and cloud resources and offers a single platform to automate the complete malware attack lifecycle including blocking, infiltration detection, containment, cleanup, and post-attack forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services offer ultra-affordable in-depth security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP provides firewall protection, penetration alerts, endpoint management, and web filtering via leading-edge tools packaged within a single agent managed from a unified console. Progent's data protection and virtualization consultants can help your business to plan and configure a ProSight ESP deployment that addresses your organization's specific requirements and that allows you prove compliance with government and industry information protection standards. Progent will assist you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require immediate action. Progent's consultants can also assist you to install and verify a backup and restore solution such as ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has worked with leading backup/restore technology providers to create ProSight Data Protection Services, a family of subscription-based management offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your data backup processes and allow transparent backup and fast recovery of vital files/folders, applications, system images, and VMs. ProSight DPS helps your business recover from data loss resulting from equipment failures, natural disasters, fire, cyber attacks such as ransomware, user mistakes, ill-intentioned insiders, or software bugs. Managed services in the ProSight DPS product line include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to identify which of these managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading data security vendors to deliver centralized control and comprehensive security for your inbound and outbound email. The powerful architecture of Progent's Email Guard managed service combines cloud-based filtering with a local security gateway appliance to provide complete protection against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based malware. The Cloud Protection Layer acts as a preliminary barricade and blocks the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to inbound threats and saves system bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a further level of analysis for inbound email. For outgoing email, the on-premises security gateway provides AV and anti-spam protection, DLP, and email encryption. The local security gateway can also help Microsoft Exchange Server to monitor and safeguard internal email that originates and ends inside your security perimeter. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller organizations to map, monitor, optimize and troubleshoot their connectivity hardware like routers, firewalls, and load balancers as well as servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that network maps are always current, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and generates notices when issues are detected. By automating time-consuming network management processes, ProSight WAN Watch can cut hours off ordinary tasks like making network diagrams, expanding your network, locating appliances that require important software patches, or identifying the cause of performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your IT system operating at peak levels by tracking the state of the critical computers that power your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your specified IT staff and your assigned Progent engineering consultant so that looming problems can be resolved before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual host configured and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be ported easily to an alternate hosting environment without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and protect information related to your IT infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be alerted about impending expirations of SSL certificates or domains. By cleaning up and managing your network documentation, you can save up to half of the time wasted looking for critical information about your network. ProSight IT Asset Management features a centralized repository for holding and collaborating on all documents required for managing your network infrastructure, such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're making improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you need when you need it. Read more about ProSight IT Asset Management service.
For 24x7 Birmingham Crypto-Ransomware Cleanup Consultants, call Progent at 800-462-8800 or go to Contact Progent.