Ransomware : Your Worst Information Technology Nightmare
Ransomware  Recovery ExpertsRansomware has become a too-frequent cyber pandemic that poses an existential danger for businesses of all sizes poorly prepared for an assault. Different iterations of ransomware like the CryptoLocker, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for many years and continue to inflict damage. Newer variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, plus daily as yet unnamed viruses, not only do encryption of on-line files but also infiltrate all configured system protection. Information synched to cloud environments can also be corrupted. In a vulnerable environment, it can make any restore operations useless and effectively sets the network back to zero.

Getting back services and data following a ransomware event becomes a sprint against the clock as the victim tries its best to contain and cleanup the ransomware and to restore mission-critical operations. Since ransomware takes time to move laterally, assaults are usually sprung on weekends, when successful penetrations in many cases take longer to detect. This compounds the difficulty of rapidly assembling and orchestrating a capable mitigation team.

Progent offers a range of services for securing businesses from ransomware attacks. Among these are team member education to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to installation of next-generation security appliances with artificial intelligence technology to quickly identify and suppress day-zero cyber attacks. Progent also provides the assistance of expert ransomware recovery engineers with the skills and perseverance to rebuild a breached system as quickly as possible.

Progent's Ransomware Recovery Help
Subsequent to a ransomware event, sending the ransom demands in cryptocurrency does not guarantee that distant criminals will respond with the needed keys to decipher any or all of your data. Kaspersky ascertained that 17% of crypto-ransomware victims never recovered their data even after having paid the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the usual ransomware demands, which ZDNET estimates to be in the range of $13,000. The other path is to setup from scratch the critical components of your IT environment. Without the availability of complete data backups, this calls for a broad complement of skill sets, professional project management, and the willingness to work non-stop until the task is completed.

For twenty years, Progent has offered expert IT services for businesses in Charleston and across the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have earned advanced industry certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have earned internationally-recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise with accounting and ERP software solutions. This breadth of experience gives Progent the ability to quickly identify important systems and consolidate the surviving pieces of your Information Technology environment following a crypto-ransomware attack and rebuild them into an operational system.

Progent's security group uses powerful project management tools to orchestrate the sophisticated recovery process. Progent understands the urgency of acting swiftly and together with a client's management and IT team members to prioritize tasks and to put critical applications back on line as soon as humanly possible.

Customer Case Study: A Successful Ransomware Intrusion Response
A small business engaged Progent after their company was taken over by Ryuk ransomware virus. Ryuk is thought to have been launched by Northern Korean government sponsored criminal gangs, possibly using technology exposed from the U.S. NSA organization. Ryuk targets specific companies with little room for disruption and is among the most profitable versions of crypto-ransomware. Headline targets include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing business located in the Chicago metro area and has about 500 workers. The Ryuk event had brought down all business operations and manufacturing processes. Most of the client's backups had been on-line at the beginning of the attack and were eventually encrypted. The client was taking steps for paying the ransom demand (more than $200K) and praying for the best, but ultimately brought in Progent.


"I canít speak enough about the help Progent provided us throughout the most critical time of (our) businesses existence. We would have paid the Hackers if it wasnít for the confidence the Progent experts gave us. That you could get our messaging and production applications back online sooner than seven days was beyond my wildest dreams. Each person I worked with or messaged at Progent was laser focused on getting my company operational and was working at all hours to bail us out."

Progent worked with the client to rapidly understand and assign priority to the essential systems that had to be addressed in order to resume company functions:

  • Windows Active Directory
  • Electronic Mail
  • Accounting/MRP
To get going, Progent adhered to Anti-virus penetration response best practices by stopping the spread and cleaning up infected systems. Progent then began the task of rebuilding Microsoft Active Directory, the core of enterprise systems built on Microsoft Windows technology. Exchange messaging will not operate without Windows AD, and the customerís financials and MRP applications utilized SQL Server, which depends on Active Directory services for security authorization to the information.

In less than 2 days, Progent was able to rebuild Active Directory services to its pre-intrusion state. Progent then performed setup and storage recovery of mission critical applications. All Microsoft Exchange Server ties and attributes were usable, which facilitated the rebuild of Exchange. Progent was able to collect non-encrypted OST data files (Outlook Offline Data Files) on team PCs in order to recover mail data. A recent offline backup of the client's accounting software made them able to return these vital applications back servicing users. Although a large amount of work was left to recover totally from the Ryuk damage, critical systems were restored rapidly:


"For the most part, the assembly line operation survived unscathed and we delivered all customer deliverables."

Throughout the next month critical milestones in the restoration process were accomplished in tight cooperation between Progent engineers and the client:

  • Internal web sites were brought back up with no loss of data.
  • The MailStore Server exceeding four million historical emails was brought online and accessible to users.
  • CRM/Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory Control capabilities were completely restored.
  • A new Palo Alto 850 firewall was set up and programmed.
  • Ninety percent of the user PCs were back into operation.

"A lot of what occurred in the early hours is nearly entirely a blur for me, but I will not forget the dedication each of the team accomplished to give us our business back. Iíve utilized Progent for the past ten years, possibly more, and each time I needed help Progent has shined and delivered as promised. This event was a stunning achievement."

Conclusion
A potential enterprise-killing disaster was dodged by top-tier experts, a broad range of knowledge, and close collaboration. Although in hindsight the ransomware attack detailed here would have been prevented with up-to-date security technology solutions and recognized best practices, staff training, and well designed incident response procedures for data backup and proper patching controls, the reality is that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware attack, feel confident that Progent's roster of professionals has proven experience in ransomware virus defense, remediation, and file disaster recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), Iím grateful for allowing me to get some sleep after we got past the initial push. All of you did an fabulous job, and if any of your team is around the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Charleston a variety of online monitoring and security evaluation services to help you to reduce your vulnerability to ransomware. These services incorporate modern machine learning technology to detect zero-day variants of ransomware that are able to get past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes next generation behavior machine learning tools to defend physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which routinely evade legacy signature-based AV products. ProSight ASM safeguards on-premises and cloud resources and offers a single platform to address the complete threat lifecycle including blocking, detection, mitigation, remediation, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer security for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP delivers firewall protection, penetration alarms, device management, and web filtering via leading-edge tools incorporated within a single agent accessible from a single console. Progent's security and virtualization consultants can help your business to plan and implement a ProSight ESP environment that addresses your company's specific needs and that helps you achieve and demonstrate compliance with government and industry information security regulations. Progent will assist you define and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require urgent attention. Progent can also help you to install and test a backup and disaster recovery solution like ProSight Data Protection Services so you can recover quickly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and mid-sized businesses a low cost end-to-end service for reliable backup/disaster recovery. Available at a fixed monthly cost, ProSight DPS automates your backup processes and enables fast recovery of critical data, apps and VMs that have become lost or damaged as a result of hardware breakdowns, software bugs, disasters, human error, or malware attacks like ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images/. Important data can be protected on the cloud, to an on-promises device, or mirrored to both. Progent's backup and recovery consultants can deliver world-class support to configure ProSight DPS to to comply with government and industry regulatory standards such as HIPAA, FIRPA, PCI and Safe Harbor and, when necessary, can assist you to restore your business-critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading information security vendors to provide web-based management and world-class protection for all your email traffic. The hybrid architecture of Progent's Email Guard managed service integrates cloud-based filtering with a local gateway appliance to provide advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps most threats from reaching your network firewall. This reduces your vulnerability to inbound threats and conserves network bandwidth and storage space. Email Guard's onsite security gateway device adds a deeper layer of inspection for inbound email. For outbound email, the onsite security gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to monitor and safeguard internal email that stays within your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to map out, track, reconfigure and debug their connectivity hardware like switches, firewalls, and access points as well as servers, printers, endpoints and other devices. Incorporating cutting-edge RMM technology, WAN Watch makes sure that network maps are kept updated, captures and displays the configuration of virtually all devices on your network, tracks performance, and generates alerts when potential issues are detected. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can cut hours off ordinary tasks such as network mapping, expanding your network, locating appliances that require important updates, or isolating performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management technology to help keep your IT system operating efficiently by tracking the state of critical computers that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your designated IT staff and your Progent engineering consultant so that any looming problems can be addressed before they can impact productivity. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure Tier III data center on a fast virtual machine host set up and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the apps. Because the system is virtualized, it can be moved immediately to an alternate hardware solution without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and safeguard information related to your network infrastructure, procedures, applications, and services. You can instantly find passwords or IP addresses and be warned about impending expirations of SSL certificates or domains. By cleaning up and organizing your network documentation, you can save up to 50% of time wasted looking for vital information about your IT network. ProSight IT Asset Management features a centralized location for holding and sharing all documents related to managing your business network such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether youíre making improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.
For 24-Hour Charleston CryptoLocker Removal Consulting, reach out to Progent at 800-993-9400 or go to Contact Progent.