Ransomware : Your Worst IT Nightmare
Crypto-Ransomware  Remediation ExpertsRansomware has become a too-frequent cyber pandemic that presents an existential threat for businesses poorly prepared for an attack. Different iterations of crypto-ransomware such as CrySIS, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been running rampant for many years and continue to cause destruction. Modern variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Nephilim, as well as additional as yet unnamed newcomers, not only encrypt on-line files but also infect all available system restores and backups. Files synchronized to the cloud can also be rendered useless. In a vulnerable data protection solution, it can make any recovery hopeless and effectively sets the network back to zero.

Getting back online services and data following a ransomware attack becomes a race against time as the victim struggles to stop lateral movement and eradicate the virus and to resume mission-critical activity. Because crypto-ransomware needs time to move laterally, assaults are often sprung at night, when successful penetrations are likely to take longer to identify. This compounds the difficulty of quickly assembling and orchestrating an experienced mitigation team.

Progent has an assortment of services for protecting organizations from ransomware attacks. These include staff training to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of the latest generation security gateways with artificial intelligence capabilities to intelligently discover and disable new cyber threats. Progent in addition provides the services of experienced ransomware recovery engineers with the track record and perseverance to reconstruct a breached environment as quickly as possible.

Progent's Ransomware Recovery Support Services
Soon after a ransomware event, sending the ransom in cryptocurrency does not guarantee that merciless criminals will provide the keys to decipher any of your information. Kaspersky Labs determined that 17% of ransomware victims never restored their data after having paid the ransom, resulting in increased losses. The risk is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is well above the average crypto-ransomware demands, which ZDNET estimates to be around $13,000. The alternative is to re-install the mission-critical elements of your IT environment. Without access to essential information backups, this requires a broad range of skill sets, well-coordinated team management, and the capability to work non-stop until the recovery project is finished.

For two decades, Progent has provided expert Information Technology services for companies in Columbus and across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have earned top certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have garnered internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has expertise with financial management and ERP software solutions. This breadth of expertise provides Progent the capability to quickly determine critical systems and re-organize the remaining pieces of your Information Technology system after a ransomware event and rebuild them into an operational network.

Progent's ransomware group has best of breed project management tools to coordinate the sophisticated restoration process. Progent appreciates the urgency of acting rapidly and in concert with a client's management and IT resources to prioritize tasks and to get the most important applications back on line as soon as humanly possible.

Case Study: A Successful Ransomware Attack Recovery
A client contacted Progent after their organization was taken over by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean state criminal gangs, suspected of adopting strategies exposed from the U.S. National Security Agency. Ryuk seeks specific organizations with little or no ability to sustain operational disruption and is among the most lucrative versions of ransomware. High publicized organizations include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing business based in the Chicago metro area and has about 500 employees. The Ryuk event had shut down all company operations and manufacturing capabilities. The majority of the client's data backups had been online at the start of the attack and were eventually encrypted. The client was pursuing financing for paying the ransom (exceeding two hundred thousand dollars) and praying for good luck, but in the end brought in Progent.


"I cannot tell you enough about the help Progent provided us throughout the most fearful period of (our) companyís survival. We would have paid the cyber criminals if not for the confidence the Progent experts afforded us. That you were able to get our e-mail system and important servers back online quicker than 1 week was earth shattering. Every single staff member I talked with or texted at Progent was laser focused on getting us operational and was working day and night to bail us out."

Progent worked hand in hand the client to rapidly identify and assign priority to the mission critical areas that needed to be addressed to make it possible to resume departmental functions:

  • Microsoft Active Directory
  • Electronic Messaging
  • Accounting/MRP
To begin, Progent adhered to AV/Malware Processes penetration response industry best practices by stopping the spread and clearing up compromised systems. Progent then began the steps of rebuilding Windows Active Directory, the heart of enterprise systems built upon Microsoft technology. Exchange email will not operate without Active Directory, and the businessesí MRP system used Microsoft SQL Server, which depends on Windows AD for authentication to the data.

In less than 48 hours, Progent was able to restore Active Directory to its pre-attack state. Progent then accomplished setup and hard drive recovery on needed systems. All Exchange Server schema and attributes were usable, which greatly helped the rebuild of Exchange. Progent was able to locate local OST data files (Outlook Email Off-Line Folder Files) on staff desktop computers to recover email messages. A recent off-line backup of the customerís accounting software made it possible to return these required programs back online. Although major work was left to recover fully from the Ryuk damage, the most important services were returned to operations quickly:


"For the most part, the production manufacturing operation ran fairly normal throughout and we delivered all customer sales."

During the next few weeks important milestones in the restoration project were made in tight collaboration between Progent engineers and the customer:

  • In-house web applications were returned to operation without losing any information.
  • The MailStore Server exceeding 4 million archived messages was brought online and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory functions were 100 percent restored.
  • A new Palo Alto 850 security appliance was brought on-line.
  • Ninety percent of the user workstations were operational.

"A lot of what went on those first few days is nearly entirely a haze for me, but my management will not soon forget the urgency all of your team put in to give us our business back. Iíve entrusted Progent for at least 10 years, maybe more, and each time Progent has shined and delivered as promised. This event was a stunning achievement."

Conclusion
A potential business-ending disaster was avoided through the efforts of dedicated professionals, a broad array of subject matter expertise, and tight teamwork. Although in analyzing the event afterwards the ransomware attack detailed here should have been identified and blocked with advanced security technology and NIST Cybersecurity Framework best practices, user education, and appropriate security procedures for information protection and applying software patches, the fact remains that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware virus, remember that Progent's team of professionals has a proven track record in ransomware virus blocking, remediation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were helping), thank you for letting me get some sleep after we made it through the initial push. Everyone did an incredible effort, and if any of your team is in the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Columbus a variety of online monitoring and security assessment services to help you to reduce your vulnerability to ransomware. These services include modern AI technology to detect new variants of ransomware that can escape detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates next generation behavior analysis technology to defend physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which easily evade traditional signature-based AV products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a single platform to manage the entire malware attack progression including protection, detection, mitigation, cleanup, and forensics. Key features include one-click rollback using Windows VSS and automatic network-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, device control, and web filtering through cutting-edge technologies packaged within one agent managed from a single console. Progent's data protection and virtualization consultants can help your business to design and configure a ProSight ESP environment that addresses your company's unique needs and that helps you achieve and demonstrate compliance with legal and industry information security regulations. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that require urgent attention. Progent's consultants can also assist you to set up and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and mid-sized businesses an affordable end-to-end solution for secure backup/disaster recovery. For a low monthly price, ProSight DPS automates your backup processes and enables rapid recovery of vital files, applications and VMs that have become lost or damaged due to component breakdowns, software glitches, natural disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to an on-promises storage device, or mirrored to both. Progent's cloud backup specialists can provide advanced expertise to configure ProSight DPS to be compliant with government and industry regulatory requirements like HIPAA, FIRPA, and PCI and, whenever necessary, can help you to restore your critical information. Find out more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of top information security vendors to provide centralized control and world-class security for all your email traffic. The powerful structure of Email Guard integrates cloud-based filtering with an on-premises security gateway device to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps most unwanted email from making it to your security perimeter. This decreases your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's onsite gateway device provides a deeper layer of inspection for inbound email. For outbound email, the local security gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to track and protect internal email traffic that originates and ends inside your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller businesses to map, track, enhance and debug their connectivity appliances such as routers and switches, firewalls, and access points as well as servers, client computers and other networked devices. Incorporating state-of-the-art RMM technology, WAN Watch makes sure that infrastructure topology maps are always updated, captures and displays the configuration information of virtually all devices connected to your network, monitors performance, and generates alerts when issues are discovered. By automating time-consuming management processes, WAN Watch can cut hours off common chores such as making network diagrams, reconfiguring your network, finding devices that require important updates, or isolating performance problems. Find out more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management technology to keep your IT system running at peak levels by tracking the health of critical assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your designated IT management staff and your assigned Progent engineering consultant so that all potential issues can be resolved before they can impact your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure fault tolerant data center on a high-performance virtual host configured and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the applications. Because the system is virtualized, it can be ported easily to a different hardware environment without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and protect data related to your network infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or warranties. By updating and organizing your network documentation, you can eliminate as much as half of time wasted searching for critical information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents required for managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether youíre making enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.
For 24x7 Columbus Crypto Removal Experts, contact Progent at 800-462-8800 or go to Contact Progent.