Ransomware : Your Worst Information Technology Nightmare
Ransomware Recovery Professionals

Ransomware has become an escalating cyber pandemic that presents an enterprise-level threat to any business vulnerable to an attack. Multiple generations of ransomware, including the Reveton, WannaCry, Locky, Syskey and MongoLock cryptoworms, have been running rampant for a long time and still cause harm. More recent ransomware such as Ryuk and Hermes, plus a daily stream of as yet unnamed newcomers, not only encrypts online data files but also infects any reachable system protection. Information synchronized to the cloud can also be corrupted. With a vulnerable data protection solution, this can render any recovery useless and effectively knocks the entire system back to zero.

Getting programs and information back online following a ransomware intrusion becomes a race against the clock as the victim fights to contain the damage, eradicate the ransomware, and resume enterprise-critical activity. Because crypto-ransomware requires time to replicate, attacks are usually sprung on weekends and holidays, when they may take longer to discover. This multiplies the difficulty of rapidly assembling and organizing an experienced response team.

Progent makes available a range of solutions for securing businesses against ransomware events. These include staff education to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of security solutions with machine learning technology to intelligently identify and extinguish new threats. Progent also offers the assistance of expert crypto-ransomware recovery consultants with the talent and commitment to restore a breached network as quickly as possible.

Progent's Ransomware Recovery Help
Subsequent to a ransomware penetration, paying the ransom demand in cryptocurrency does not guarantee that the attackers will respond with the keys needed to decrypt any of your information. Kaspersky Labs ascertained that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the usual ransomware demand, which ZDNet puts at around $13,000 on average. The other path is to piece back together the critical parts of your Information Technology environment. Absent complete data backups, this requires a wide complement of IT skills, well-coordinated team management, and the ability to work non-stop until the task is complete.

For two decades, Progent has made available expert IT services for companies in Corpus Christi and throughout the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have attained high-level certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have earned internationally renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise in financial systems and ERP application software. This breadth of expertise gives Progent the ability to knowledgeably assess critical systems, organize the remaining components of your Information Technology environment following a ransomware attack, and configure them into an operational system.

Progent's ransomware group uses state-of-the-art project management tools to orchestrate the complex restoration process. Progent understands the importance of working quickly and together with a customer's management and IT resources to assign priority to tasks and to put essential services back online as fast as humanly possible.

Business Case Study: A Successful Crypto-Ransomware Attack Recovery
A customer escalated to Progent after their company was brought down by Ryuk crypto-ransomware. Ryuk is thought to have been deployed by North Korean state criminal gangs, suspected of using techniques leaked from America's NSA. Ryuk goes after specific companies with little or no ability to sustain disruption and is one of the most lucrative examples of ransomware. Major targets have included Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in the Chicago metro area with about 500 workers. The Ryuk attack had disabled all business operations and manufacturing capabilities. Most of the client's information backups had been online at the start of the attack and were destroyed. The client was actively seeking loans to pay the ransom demand (exceeding $200K) and hoping for the best, but ultimately called Progent.


"I can't say enough in regards to the expertise Progent gave us during the most fearful period of (our) business's existence. We most likely would have paid the cybercriminals except for the confidence the Progent group provided us. The fact that you could get our e-mail system and critical servers back on-line in less than one week was earth shattering. Each consultant I talked with or e-mailed at Progent was amazingly focused on getting us restored and was working at all hours on our behalf."

Progent worked together with the customer to quickly identify and assign priority to the critical elements that had to be addressed in order to restart business operations:

  • Windows Active Directory
  • Email
  • Accounting and Manufacturing Software

To start, Progent followed antivirus incident mitigation best practices by halting the spread and cleaning up compromised systems. Progent then started the task of rebuilding Windows Active Directory, the heart of enterprise environments built upon Microsoft Windows Server technology. Exchange email will not work without Active Directory, and the business's accounting and MRP applications leveraged Microsoft SQL Server, which relies on Active Directory for authorization of access to the data.

In less than 48 hours, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then completed rebuilding and hard drive recovery of the most important systems. All Microsoft Exchange Server data and configuration information were usable, which facilitated the rebuild of Exchange. Progent was also able to collect local OST files (Outlook Offline Folder Files) from staff PCs in order to recover email data. A reasonably recent offline backup of the business's accounting software made it possible to bring these required programs back online. Although a large amount of work still had to be done to recover fully from the Ryuk event, core services were restored quickly:


"For the most part, the production line operation survived unscathed and we delivered all customer orders."

Over the next month, key milestones in the restoration project were reached through tight collaboration between Progent engineers and the client:

  • Self-hosted web applications were returned to operation with no loss of information.
  • The MailStore Exchange Server containing more than 4 million historical emails was restored to operations and available for users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/AR/Inventory functions were 100 percent recovered.
  • A new Palo Alto Networks 850 firewall was installed and configured.
  • 90% of the user PCs were back into operation.

"A lot of what was accomplished those first few days is mostly a haze for me, but our team will not soon forget the commitment all of your team put in to give us our business back. I've been working with Progent for the past 10 years, possibly more, and every time Progent has come through and delivered as promised. This event was a stunning achievement."

Conclusion
A potential business-extinction disaster was dodged through the efforts of hard-working experts, a broad spectrum of IT skills, and close teamwork. Although in retrospect the ransomware penetration described here would have been identified and disabled with advanced cybersecurity technology and best practices, user training, and well-designed incident response procedures for information backup and applying software patches, the fact remains that government-sponsored cyber criminals from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by crypto-ransomware, remember that Progent's team of experts has extensive experience in ransomware blocking, removal, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for allowing me to get rested after we made it through the most critical parts. All of you did an impressive effort, and if any of your team is visiting the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Corpus Christi a variety of remote monitoring and security evaluation services to help you minimize the threat from ransomware. These services utilize modern AI capability to uncover new strains of ransomware that are able to evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes cutting-edge behavior analysis technology to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and fileless exploits, which easily evade legacy signature-based anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a unified platform to manage the entire malware attack progression, including filtering, infiltration detection, mitigation, remediation, and post-attack forensics. Top capabilities include one-click rollback using the Windows Volume Shadow Copy Service and real-time network-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver economical in-depth protection for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring of and response to cyber threats from all vectors. ProSight ESP provides firewall protection, penetration alerts, device control, and web filtering through leading-edge technologies incorporated within one agent accessible from a single control panel. Progent's data protection and virtualization consultants can assist your business to plan and configure a ProSight ESP deployment that meets your organization's unique requirements and that helps you achieve and demonstrate compliance with government and industry data security regulations. Progent will help you specify and implement the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for urgent action. Progent's consultants can also help your company to install and test a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly after a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and mid-sized organizations an affordable end-to-end solution for reliable backup/disaster recovery (BDR). Available at a low monthly price, ProSight DPS automates and monitors your backup processes and enables fast recovery of critical files, apps and virtual machines that have become lost or corrupted as a result of hardware breakdowns, software bugs, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, plus Hyper-V and VMware images. Important data can be protected in the cloud, on an on-premises device, or both. Progent's BDR specialists can deliver advanced expertise to configure ProSight DPS to comply with government and industry regulatory requirements such as HIPAA, FIRPA, and PCI and, whenever needed, can assist you to recover your critical information. Find out more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of top information security companies to provide web-based control and comprehensive security for all your email traffic. The hybrid structure of Progent's Email Guard managed service combines cloud-based filtering with an on-premises security gateway device to provide complete defense against spam, viruses, DoS attacks, DHAs, and other email-borne threats. The cloud filter acts as a first line of defense and blocks most unwanted email from reaching your network firewall. This decreases your exposure to external threats and saves system bandwidth and storage space. Email Guard's onsite gateway appliance adds a further layer of inspection for inbound email. For outbound email, the on-premises security gateway provides AV and anti-spam protection, DLP, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to track and protect internal email that stays within your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller organizations to diagram, track, reconfigure and debug their networking hardware such as routers, firewalls, and load balancers plus servers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network diagrams are always updated, captures and displays the configuration information of almost all devices connected to your network, monitors performance, and sends alerts when issues are discovered. By automating tedious management and troubleshooting activities, WAN Watch can cut hours off common tasks like making network diagrams, reconfiguring your network, locating devices that require critical software patches, or isolating performance problems. Learn more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management technology to keep your IT system operating efficiently by checking the health of the vital assets that power your information system. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your designated IT management staff and your Progent consultant so that all potential issues can be resolved before they have a chance to disrupt your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure Tier III data center on a high-performance virtual host set up and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the apps. Since the system is virtualized, it can be moved immediately to a different hardware environment without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and protect data about your network infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or warranties. By updating and organizing your network documentation, you can eliminate up to 50% of the time wasted searching for critical information about your IT network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents required for managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether you're making enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need the instant you need it. Read more about ProSight IT Asset Management service.

For 24x7x365 Corpus Christi Ransomware Remediation Services, call Progent at 800-993-9400 or go to Contact Progent.