Ransomware : Your Worst IT Catastrophe
Ransomware Remediation Consultants
Crypto-Ransomware has become a too-frequent cyberplague that poses an existential threat to organizations unprepared for an attack. Different versions of ransomware such as Dharma, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for many years and still cause destruction. Modern strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Egregor, along with frequent as yet unnamed variants, not only encrypt critical on-line data but also infect many of the system protection mechanisms that have been configured. Data synched to cloud environments can also be ransomed. In a poorly designed system, this can render automated restoration useless and effectively knock the network back to zero.

Getting services and data back on-line following a crypto-ransomware attack becomes a sprint against the clock as the victim struggles to contain the damage, clean up the virus, and restore business-critical operations. Because ransomware takes time to spread, attacks are often launched at night, when penetrations in many cases take longer to uncover. This compounds the difficulty of rapidly marshalling and coordinating a knowledgeable response team.

Progent offers an assortment of support services for protecting enterprises from crypto-ransomware attacks. These include user training to help identify and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security solutions with AI capabilities to quickly detect and extinguish zero-day threats. Progent also provides the services of seasoned crypto-ransomware recovery engineers with the track record and perseverance to re-deploy a breached network as soon as possible.

Progent's Crypto-Ransomware Restoration Support Services
Following a crypto-ransomware attack, paying the ransom in Bitcoin cryptocurrency does not provide any assurance that criminal gangs will provide the keys to decrypt all your files. Kaspersky estimated that 17% of ransomware victims never restored their data even after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical crypto-ransomware demand, which ZDNET estimates to be around $13,000. The alternative is to piece back together the mission-critical components of your IT environment. Without the availability of full data backups, this requires a broad complement of skill sets, top-notch project management, and the willingness to work continuously until the task is finished.

For decades, Progent has offered expert IT services for businesses in Chattanooga and across the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have attained advanced certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have garnered internationally-renowned certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise with financial systems and ERP applications. This breadth of experience gives Progent the ability to quickly understand important systems and re-organize the remaining components of your Information Technology system following a ransomware penetration and configure them into an operational network.

Progent's ransomware team uses best of breed project management applications to coordinate the sophisticated recovery process. Progent understands the urgency of working rapidly and in concert with a client's management and Information Technology team members to assign priority to tasks and to get essential systems back on-line as soon as possible.

Case Study: A Successful Crypto-Ransomware Intrusion Response
A small business escalated to Progent after their network was attacked by the Ryuk ransomware virus. Ryuk is believed to have been deployed by North Korean government-sponsored cybercriminals, suspected of adopting approaches leaked from the United States NSA. Ryuk targets specific businesses with little ability to sustain disruption and is one of the most lucrative examples of ransomware viruses. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing company headquartered in the Chicago metro area with around 500 staff members. The Ryuk attack had paralyzed all business operations and manufacturing processes. The majority of the client's data backups had been on-line at the beginning of the attack and were damaged. The client considered paying the ransom demand (exceeding two hundred thousand dollars) and hoping for good luck, but ultimately reached out to Progent.


"I can't say enough in regards to the support Progent provided us throughout the most stressful period of (our) business's existence. We would have paid the cybercriminals except for the confidence the Progent team gave us. That you were able to get our e-mail and essential applications back into operation in less than 1 week was something I thought impossible. Each expert I interacted with or messaged at Progent was amazingly focused on getting us restored and was working at all hours on our behalf."

Progent worked together with the client to rapidly determine and prioritize the key systems that needed to be addressed to make it possible to resume business operations:

  • Active Directory (AD)
  • E-Mail
  • Accounting and Manufacturing Software

To get going, Progent adhered to industry best practices for anti-virus incident mitigation by halting the spread and clearing infected systems. Progent then started the process of recovering Microsoft Active Directory, the core of enterprise systems built on Microsoft technology. Microsoft Exchange messaging will not work without Windows AD, and the customer's financial and MRP applications relied on SQL Server, which requires Windows AD for access to the databases.

In less than two days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then assisted with reinstallation and storage recovery of critical servers. All Exchange data and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was able to gather local OST files (Outlook Off-Line Folder Files) from user workstations and laptops in order to recover email messages. A relatively recent offline backup of the customer's accounting/ERP systems made it possible to return these essential applications to users. Although a lot of work remained to recover completely from the Ryuk attack, core services were restored rapidly:


"For the most part, the production manufacturing operation never missed a beat and we produced all customer orders."

Over the next couple of weeks important milestones in the restoration project were achieved through close cooperation between Progent engineers and the client:

  • Self-hosted web applications were returned to operation without losing any information.
  • The MailStore archive for Microsoft Exchange Server, holding more than four million archived emails, was brought on-line and made accessible to users.
  • CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory capabilities were 100 percent functional.
  • A new Palo Alto Networks 850 security appliance was installed.
  • Ninety percent of the user desktops and notebooks were being used by staff.

"So much of what was accomplished that first week is nearly entirely a haze for me, but my team will not forget the urgency each and every one of you accomplished to give us our business back. I have entrusted Progent for the past ten years, maybe more, and each time I needed help Progent has shined and delivered. This situation was the most impressive ever."

Conclusion
A potential business-ending disaster was averted due to top-tier experts, a broad range of IT skills, and tight collaboration. In hindsight, the ransomware penetration described here would have been prevented by advanced security technology, adherence to NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, and well-designed procedures for data backup and patch management. The reality remains, however, that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware incursion, remember that Progent's roster of professionals has extensive experience in crypto-ransomware defense, mitigation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), I'm grateful for making it so I could get some sleep after we got past the most critical parts. Everyone did an incredible effort, and if anyone that helped is in the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer story, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Chattanooga a portfolio of remote monitoring and security evaluation services designed to help you reduce the threat from ransomware. These services incorporate modern AI technology to detect zero-day variants of ransomware that can evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes cutting-edge behavior-based analysis tools to guard physical and virtual endpoints against new malware assaults like ransomware and email phishing, which easily slip past legacy signature-based AV products. ProSight ASM protects on-premises and cloud resources and offers a unified platform to manage the entire threat lifecycle including protection, infiltration detection, mitigation, cleanup, and post-attack forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable in-depth protection for physical and virtual servers, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis to continuously monitor and react to cyber assaults from all vectors. ProSight ESP provides firewall protection, penetration alerts, endpoint control, and web filtering through leading-edge tools incorporated within a single agent managed from a single console. Progent's data protection and virtualization experts can help your business design and configure a ProSight ESP deployment that meets your organization's specific needs and allows you to achieve and demonstrate compliance with legal and industry data protection regulations. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require immediate attention. Progent can also assist your company to set up and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and medium-sized organizations a low-cost end-to-end solution for reliable backup/disaster recovery (BDR). For a fixed monthly rate, ProSight Data Protection Services automates and monitors your backup processes and allows rapid restoration of critical files, apps and virtual machines that have become lost or corrupted as a result of component breakdowns, software bugs, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, apps, system images, as well as Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on a local storage device, or mirrored to both. Progent's backup and recovery specialists can provide world-class expertise to configure ProSight DPS to comply with regulatory standards like HIPAA, FIRPA, and PCI and, when necessary, can assist you to restore your business-critical data. Read more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading data security companies to deliver web-based control and comprehensive protection for all your email traffic. The hybrid structure of Progent's Email Guard integrates a Cloud Protection Layer with a local security gateway appliance to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based malware. The Cloud Protection Layer serves as a preliminary barricade and keeps most threats from reaching your network firewall. This reduces your exposure to external threats and saves system bandwidth and storage. Email Guard's onsite gateway device adds a deeper level of analysis for incoming email. For outgoing email, the local security gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The onsite gateway can also help Exchange Server to monitor and safeguard internal email that originates and ends inside your corporate firewall. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to map out, track, enhance and debug their networking appliances like switches, firewalls, and load balancers plus servers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network maps are always current, captures and manages the configuration of virtually all devices connected to your network, tracks performance, and generates alerts when potential issues are detected. By automating complex management activities, ProSight WAN Watch can cut hours off common tasks like network mapping, reconfiguring your network, finding appliances that require critical software patches, or identifying the cause of performance problems. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management technology to keep your network operating at peak levels by checking the health of the critical computers that power your information system. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your designated IT management personnel and your assigned Progent engineering consultant so that any potential issues can be addressed before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure Tier III data center on a high-performance virtual host configured and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be ported easily to an alternate hosting solution without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and safeguard data about your network infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be warned about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate as much as 50% of the time spent trying to find vital information about your network. ProSight IT Asset Management includes a common location for holding and sharing all documents related to managing your business network, such as recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're planning enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you need the instant you need it. Read more about the ProSight IT Asset Management service.

For 24-Hour Chattanooga CryptoLocker Remediation Help, reach out to Progent at 800-462-8800 or go to Contact Progent.