Ransomware : Your Feared Information Technology Disaster
Ransomware  Recovery ConsultantsRansomware has become a modern cyber pandemic that presents an extinction-level danger for businesses unprepared for an attack. Different versions of crypto-ransomware such as CrySIS, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for years and still cause damage. More recent variants of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit or Egregor, plus daily unnamed viruses, not only encrypt on-line information but also infect any configured system protection. Files synchronized to cloud environments can also be corrupted. In a vulnerable system, it can render any recovery impossible and effectively knocks the datacenter back to square one.

Retrieving services and information after a ransomware attack becomes a race against time as the targeted organization tries its best to stop the spread and clear the virus and to restore enterprise-critical operations. Since ransomware needs time to replicate, assaults are usually sprung during weekends and nights, when successful penetrations typically take longer to detect. This compounds the difficulty of quickly marshalling and coordinating a knowledgeable response team.

Progent has an assortment of support services for securing enterprises from ransomware penetrations. These include team education to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of the latest generation security solutions with machine learning technology to quickly detect and suppress day-zero cyber attacks. Progent in addition provides the assistance of veteran ransomware recovery professionals with the talent and perseverance to restore a breached system as rapidly as possible.

Progent's Crypto-Ransomware Recovery Support Services
Soon after a crypto-ransomware event, paying the ransom demands in Bitcoin cryptocurrency does not guarantee that distant criminals will provide the codes to decrypt all your data. Kaspersky determined that 17% of ransomware victims never restored their files even after having paid the ransom, resulting in increased losses. The risk is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is greatly higher than the usual ransomware demands, which ZDNET averages to be in the range of $13,000. The fallback is to re-install the mission-critical parts of your Information Technology environment. Without the availability of full system backups, this requires a broad complement of IT skills, top notch project management, and the willingness to work continuously until the recovery project is done.

For two decades, Progent has made available expert Information Technology services for businesses in Cleveland and throughout the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have attained advanced industry certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have garnered internationally-renowned industry certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has expertise with financial systems and ERP applications. This breadth of experience provides Progent the ability to rapidly ascertain necessary systems and organize the remaining components of your Information Technology environment following a ransomware event and configure them into a functioning system.

Progent's recovery team of experts uses powerful project management systems to orchestrate the complicated recovery process. Progent understands the importance of acting rapidly and together with a customerís management and IT team members to assign priority to tasks and to put key systems back on line as fast as possible.

Client Case Study: A Successful Ransomware Intrusion Recovery
A business contacted Progent after their company was attacked by Ryuk ransomware virus. Ryuk is thought to have been created by North Korean government sponsored criminal gangs, suspected of adopting algorithms leaked from the U.S. NSA organization. Ryuk goes after specific businesses with little room for disruption and is among the most profitable examples of ransomware. Headline targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in the Chicago metro area and has around 500 staff members. The Ryuk attack had shut down all company operations and manufacturing capabilities. The majority of the client's information backups had been directly accessible at the time of the intrusion and were destroyed. The client was taking steps for paying the ransom demand (exceeding $200K) and praying for the best, but ultimately brought in Progent.


"I canít tell you enough in regards to the expertise Progent provided us throughout the most critical time of (our) businesses survival. We had little choice but to pay the cybercriminals if not for the confidence the Progent experts gave us. The fact that you were able to get our e-mail and essential servers back sooner than one week was beyond my wildest dreams. Each consultant I talked with or e-mailed at Progent was absolutely committed on getting my company operational and was working 24 by 7 to bail us out."

Progent worked together with the client to rapidly understand and assign priority to the essential systems that needed to be restored in order to continue departmental functions:

  • Windows Active Directory
  • E-Mail
  • Financials/MRP
To get going, Progent adhered to ransomware penetration response industry best practices by halting lateral movement and cleaning up infected systems. Progent then began the steps of restoring Microsoft Active Directory, the key technology of enterprise networks built upon Microsoft technology. Microsoft Exchange Server email will not function without Active Directory, and the businessesí MRP software used Microsoft SQL, which needs Active Directory for access to the data.

In less than 48 hours, Progent was able to recover Active Directory to its pre-intrusion state. Progent then performed reinstallations and hard drive recovery on mission critical systems. All Exchange schema and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was also able to assemble non-encrypted OST data files (Outlook Off-Line Folder Files) on user desktop computers and laptops in order to recover mail data. A not too old off-line backup of the businesses accounting/MRP systems made them able to return these required applications back online. Although a large amount of work needed to be completed to recover totally from the Ryuk virus, essential systems were recovered rapidly:


"For the most part, the production operation ran fairly normal throughout and we produced all customer deliverables."

During the next few weeks important milestones in the restoration project were accomplished through tight collaboration between Progent consultants and the client:

  • In-house web sites were returned to operation with no loss of information.
  • The MailStore Server exceeding four million historical messages was spun up and available for users.
  • CRM/Product Ordering/Invoicing/AP/Accounts Receivables/Inventory Control functions were 100% recovered.
  • A new Palo Alto Networks 850 firewall was deployed.
  • 90% of the user desktops were operational.

"A lot of what went on during the initial response is mostly a blur for me, but we will not forget the urgency all of the team put in to give us our company back. I have been working together with Progent for at least 10 years, possibly more, and each time I needed help Progent has impressed me and delivered. This event was a testament to your capabilities."

Conclusion
A likely business catastrophe was evaded due to hard-working experts, a broad spectrum of IT skills, and tight teamwork. Although in retrospect the ransomware virus attack detailed here would have been prevented with current security technology and ISO/IEC 27001 best practices, user education, and well designed incident response procedures for information backup and keeping systems up to date with security patches, the reality is that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware attack, remember that Progent's team of professionals has a proven track record in ransomware virus blocking, cleanup, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were contributing), thank you for letting me get rested after we got past the most critical parts. Everyone did an incredible job, and if anyone is visiting the Chicago area, a great meal is on me!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Cleveland a variety of online monitoring and security assessment services designed to assist you to reduce your vulnerability to crypto-ransomware. These services incorporate next-generation AI technology to uncover zero-day variants of crypto-ransomware that can escape detection by legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates next generation behavior analysis tools to defend physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which routinely get by traditional signature-matching AV tools. ProSight Active Security Monitoring protects local and cloud-based resources and provides a single platform to automate the complete malware attack lifecycle including blocking, identification, mitigation, cleanup, and post-attack forensics. Top capabilities include one-click rollback using Windows VSS and automatic network-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable multi-layer security for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP offers two-way firewall protection, penetration alarms, device management, and web filtering via cutting-edge tools packaged within a single agent accessible from a single console. Progent's data protection and virtualization experts can assist you to plan and configure a ProSight ESP deployment that addresses your company's unique requirements and that helps you achieve and demonstrate compliance with government and industry data security regulations. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require immediate attention. Progent's consultants can also help you to set up and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized businesses an affordable end-to-end service for reliable backup/disaster recovery. Available at a fixed monthly cost, ProSight DPS automates and monitors your backup activities and allows rapid restoration of vital files, apps and virtual machines that have become lost or corrupted due to component failures, software bugs, natural disasters, human error, or malware attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, as well as Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to an on-promises storage device, or mirrored to both. Progent's cloud backup consultants can provide world-class expertise to set up ProSight Data Protection Services to be compliant with government and industry regulatory requirements such as HIPAA, FIRPA, and PCI and, when needed, can assist you to restore your business-critical data. Learn more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading data security companies to deliver web-based control and comprehensive protection for all your email traffic. The powerful structure of Email Guard managed service combines cloud-based filtering with an on-premises security gateway device to provide complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's cloud filter acts as a preliminary barricade and keeps the vast majority of unwanted email from making it to your security perimeter. This reduces your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's onsite gateway device adds a deeper level of analysis for incoming email. For outbound email, the on-premises security gateway provides AV and anti-spam protection, DLP, and email encryption. The local security gateway can also assist Microsoft Exchange Server to monitor and protect internal email that stays within your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized businesses to map, track, optimize and debug their networking appliances such as switches, firewalls, and load balancers as well as servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are kept current, captures and displays the configuration information of almost all devices connected to your network, tracks performance, and generates alerts when issues are detected. By automating complex management and troubleshooting activities, ProSight WAN Watch can cut hours off ordinary chores such as making network diagrams, reconfiguring your network, finding appliances that require important software patches, or resolving performance issues. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates advanced remote monitoring and management techniques to help keep your IT system operating at peak levels by tracking the state of critical assets that drive your business network. When ProSight LAN Watch detects a problem, an alarm is sent immediately to your designated IT management staff and your assigned Progent engineering consultant so any looming issues can be resolved before they can impact productivity. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual host set up and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be ported easily to a different hardware solution without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and safeguard information about your IT infrastructure, procedures, applications, and services. You can instantly find passwords or IP addresses and be warned about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your IT infrastructure documentation, you can save up to 50% of time wasted searching for vital information about your IT network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents related to managing your business network such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether youíre making enhancements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you need when you need it. Find out more about ProSight IT Asset Management service.
For 24-Hour Cleveland Crypto Cleanup Help, contact Progent at 800-462-8800 or go to Contact Progent.