Ransomware: Your Worst IT Nightmare
Crypto-ransomware has become a modern cyberplague and an enterprise-level threat for businesses of every size. Older ransomware families such as Dharma, Fusob, Locky, SamSam and MongoLock have been around for years and continue to inflict havoc. Recent variants such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with many unnamed strains, not only encrypt critical online data but also seek out and disable any backup and recovery mechanism they can reach, such as volume shadow copies and network-attached backups. Files synchronized to the cloud can be corrupted as well. In a vulnerable environment this can make recovery hopeless and effectively knocks the datacenter back to zero.

Restoring programs and data after a crypto-ransomware intrusion becomes a race against time: the targeted organization must stop lateral movement, eradicate the ransomware, and resume mission-critical activity all at once. Because the attackers need time to spread through the network before triggering encryption, the final payload is frequently launched on a weekend or holiday, when a successful attack takes longer to discover. This multiplies the difficulty of quickly mobilizing and organizing an experienced response team.

Progent makes available a variety of support services for protecting enterprises from crypto-ransomware attacks. These include staff education to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of modern security appliances with machine learning technology to intelligently identify and quarantine new cyber threats. Progent also provides the assistance of seasoned crypto-ransomware recovery consultants with the skills and perseverance to rebuild a compromised environment as rapidly as possible.

Progent's Ransomware Recovery Services
Following a ransomware penetration, even paying the ransom in cryptocurrency gives no assurance that the criminals will hand over the keys needed to decrypt your files. Kaspersky found that 17 percent of crypto-ransomware victims never recovered their data after paying, compounding their losses. Paying is also expensive: Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet estimates at around $13,000. The alternative is to rebuild the mission-critical elements of your IT environment. Without complete, intact backups, this calls for a wide complement of skill sets, professional project management, and the willingness to work non-stop until the job is done.

For decades, Progent has provided certified expert IT services for businesses in Broomfield and across the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who hold top certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have earned internationally recognized industry certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications.) Progent also has experience with accounting and ERP software solutions. This breadth of experience allows Progent to quickly identify the systems that matter, salvage the surviving components of your IT environment after a ransomware penetration, and assemble them into an operational system.

Progent's ransomware team uses top-notch project management tools to orchestrate the complicated recovery process. Progent understands the urgency of working swiftly, and together with a client's management and IT staff, to prioritize tasks and put essential applications back online as fast as humanly possible.

Customer Case Study: A Successful Ransomware Penetration Recovery
A small business contacted Progent after its network was brought down by the Ryuk ransomware. Early reporting attributed Ryuk to North Korean state-sponsored actors, based on code it shares with the older Hermes ransomware; later analysis by security vendors attributed its operation to a Russian-speaking criminal group. Ryuk targets specific organizations with little or no tolerance for operational disruption and is among the most lucrative ransomware families. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer in the Chicago metro area with about 500 employees. The Ryuk attack had brought down all essential business and manufacturing operations. Most of the client's backups had been online when the attack began and were destroyed. The client was arranging financing to pay the ransom (in excess of $200,000) and hoping for the best, but in the end engaged Progent.


"I can't say enough in regards to the help Progent gave us throughout the most stressful time of (our) business's life. We would have paid the Hackers if not for the confidence the Progent team provided us. The fact that you were able to get our messaging and important servers back in less than seven days was beyond my wildest dreams. Each expert I talked with or communicated with at Progent was laser focused on getting our company operational and was working at breakneck pace on our behalf."

Progent worked with the customer to rapidly understand and assign priority to the most important applications that needed to be addressed in order to resume business functions:

  • Microsoft Active Directory
  • Microsoft Exchange
  • Accounting/MRP
To get started, Progent followed incident response best practices: contain the attack by halting lateral movement, then clean up the compromised systems. Progent then began restoring Windows Active Directory, the foundation of any enterprise environment built on Microsoft technology. Exchange will not run without AD, and the client's MRP system used Microsoft SQL Server with Windows-integrated authentication, which also depends on AD.

In less than 48 hours, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then assisted with reinstalling the remaining servers and recovering their storage. The Exchange Server schema extensions and attributes in AD were intact, which greatly simplified the Exchange rebuild. Progent located unencrypted OST files (Microsoft Outlook Offline Data Files) on staff desktop computers and used them to recover mail. A recent offline backup of the client's accounting software made it possible to bring that application back into service. Much work remained before full recovery from the Ryuk attack, but core services were restored quickly:
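The OST salvage described above is worth systematizing before anyone opens a file by hand. The following PowerShell script is an added example, not Progent's tooling or anything from the original case study: it inventories Outlook OST/PST files on a list of workstations and checks whether each still begins with the Outlook data-file signature (the ASCII bytes "!BDN"), which ransomware that encrypts a file in place overwrites. The workstation names are assumed, and the script assumes PowerShell Remoting (WinRM) is enabled and that the account running it is a local administrator on the targets.

```powershell
# Added example (not Progent's code): inventory Outlook OST/PST files on
# workstations and flag which ones still carry the intact "!BDN" header.
# Assumptions: WinRM enabled on the targets, local admin rights, and the
# default Outlook data-file location under each user's profile. Files that
# ransomware renamed with a new extension will not match the filter, so an
# empty result for a machine that should have mailboxes is itself a finding.

$Computers = @('WS-ACCT-01', 'WS-ENG-07')   # assumed workstation names

$Collect = {
    $roots = Get-ChildItem 'C:\Users\*\AppData\Local\Microsoft\Outlook' -Directory -ErrorAction SilentlyContinue
    foreach ($root in $roots) {
        Get-ChildItem -Path $root.FullName -Include '*.ost', '*.pst' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file   = $_
            $intact = $null          # $null means the file could not be read (locked or access denied)
            try {
                # Open with FileShare.ReadWrite so a running Outlook instance does not block the read.
                $fs = [System.IO.FileStream]::new($file.FullName,
                        [System.IO.FileMode]::Open,
                        [System.IO.FileAccess]::Read,
                        [System.IO.FileShare]::ReadWrite)
                try {
                    $head = New-Object byte[] 4
                    $read = $fs.Read($head, 0, 4)
                    # Outlook OST/PST files start with the 4-byte signature "!BDN".
                    $intact = ($read -eq 4) -and
                              ([System.Text.Encoding]::ASCII.GetString($head, 0, $read) -eq '!BDN')
                } finally {
                    $fs.Dispose()
                }
            } catch {
                $intact = $null
            }
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Path      = $file.FullName
                SizeMB    = [math]::Round($file.Length / 1MB, 1)
                LastWrite = $file.LastWriteTime
                Intact    = $intact
            }
        }
    }
}

# Run the collector on every workstation in parallel and keep going past
# machines that are offline or still isolated from the network.
$results = Invoke-Command -ComputerName $Computers -ScriptBlock $Collect -ErrorAction Continue

# Unreadable and damaged files sort first so they get attention.
$results | Sort-Object Intact, Computer, Path | Format-Table Computer, Path, SizeMB, LastWrite, Intact -AutoSize
$results | Export-Csv -Path .\ost-inventory.csv -NoTypeInformation
```

A file that passes the header check is only a candidate: copy it to isolated storage and record its hash before anyone opens it, and remember that an OST is bound to the mailbox profile that created it, so its contents generally have to be exported or converted rather than attached to a rebuilt mailbox as-is. A LastWrite timestamp after the encryption began is another reason to treat a file with suspicion even when the header is intact.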


"For the most part, the assembly line operation never missed a beat and we delivered all customer deliverables."

Over the following weeks, the key recovery milestones were reached through close cooperation between Progent engineers and the customer:

  • Self-hosted web sites were restored without losing any data.
  • The MailStore Server archive, holding more than four million messages, was restored to operation and made available to users.
  • CRM/Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory functions were 100 percent functional.
  • A new Palo Alto Networks PA-850 firewall was brought online.
  • Most of the desktop computers were functioning as before the incident.

"A lot of what occurred that first week is mostly a fog for me, but our team will not soon forget the countless hours each of the team put in to give us our company back. I have trusted Progent for at least 10 years, maybe more, and each time Progent has outperformed my expectations and delivered. This time was a stunning achievement."

Conclusion
A potential business-extinction event was averted through top-tier professionals, a wide spectrum of knowledge, and close teamwork. In the post-mortem, the intrusion described here should have been detected and blocked by modern security tooling combined with NIST Cybersecurity Framework or ISO/IEC 27001 practices: staff training, sound procedures for protecting information, and keeping systems current with security patches. The fact remains that state-sponsored actors and criminal groups operating from Russia, North Korea, China and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware attack, be assured that Progent's roster of experts has extensive experience in ransomware defense, removal, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were contributing), I'm grateful for letting me get rested after we made it past the initial push. All of you did an impressive effort, and if any of your team is visiting the Chicago area, a great meal is my treat!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Broomfield a range of online monitoring and security assessment services designed to help you to minimize your vulnerability to crypto-ransomware. These services incorporate next-generation machine learning capability to uncover zero-day strains of crypto-ransomware that can escape detection by legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that uses behavior-based machine learning to guard physical and virtual endpoints against modern malware such as ransomware and fileless attacks, which routinely evade traditional signature-based AV tools. ProSight ASM protects local and cloud resources and provides a single platform covering the complete malware attack lifecycle: protection, detection, mitigation, remediation, and forensics. Key capabilities include one-click rollback of encrypted files using Windows Volume Shadow Copy (VSS) snapshots and real-time, network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer security for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and responding to security threats from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge tools incorporated within a single agent accessible from a unified console. Progent's data protection and virtualization consultants can help you to design and configure a ProSight ESP environment that addresses your organization's specific requirements and that helps you achieve and demonstrate compliance with legal and industry data security standards. Progent will help you specify and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for immediate attention. Progent can also help your company to install and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized businesses a low-cost, end-to-end service for reliable backup and disaster recovery (BDR). For a low monthly rate, ProSight DPS automates your backup processes and allows rapid restoration of critical files, applications and virtual machines that have become unavailable or corrupted as a result of hardware breakdowns, software bugs, disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, plus Hyper-V and VMware images. Important data can be protected in the cloud, on a local device, or both. Progent's cloud backup consultants can provide advanced support to set up ProSight Data Protection Services to be compliant with government and industry regulatory standards such as HIPAA, FINRA, and PCI and, whenever necessary, can assist you to restore your critical information. Learn more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top data security vendors to provide web-based management and world-class security for all your email traffic. The hybrid architecture of Progent's Email Guard managed service combines cloud-based filtering with a local gateway device to provide layered defense against spam, viruses, denial-of-service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer acts as the first barrier and blocks most threats before they reach your network firewall, reducing your exposure to inbound threats and conserving bandwidth and storage. Email Guard's onsite security gateway adds a deeper layer of inspection for incoming email. For outgoing email, the on-premises gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also work with Microsoft Exchange Server to track and protect internal email that originates and ends within your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller organizations to map, monitor, reconfigure and troubleshoot their connectivity hardware like routers and switches, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology maps are kept updated, captures and manages the configuration of almost all devices on your network, tracks performance, and generates notices when issues are detected. By automating tedious management and troubleshooting activities, WAN Watch can cut hours off common tasks such as making network diagrams, reconfiguring your network, locating appliances that need important software patches, or resolving performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management techniques to help keep your IT system operating at peak levels by checking the state of critical assets that power your information system. When ProSight LAN Watch detects a problem, an alert is sent automatically to your specified IT management personnel and your assigned Progent consultant so that all looming problems can be resolved before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a protected, fault-tolerant data center on a high-performance virtual machine host configured and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the apps. Because the environment is virtualized, it can be moved quickly to a different hosting provider without a time-consuming and difficult reconfiguration. With ProSight Virtual Hosting, you are not tied to one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and safeguard data related to your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL/TLS certificates or warranties. By cleaning up and managing your IT documentation, you can eliminate as much as half of the time wasted trying to find vital information about your network. ProSight IT Asset Management features a centralized location for holding and sharing all documents required for managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're making improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
For 24x7 Broomfield Crypto-Ransomware Repair Consultants, call Progent at 800-462-8800 or go to Contact Progent.