Ransomware : Your Worst IT Disaster
Ransomware  Recovery ExpertsRansomware has become a too-frequent cyberplague that represents an extinction-level threat for businesses of all sizes poorly prepared for an attack. Multiple generations of ransomware such as CryptoLocker, Fusob, Locky, SamSam and MongoLock cryptoworms have been out in the wild for many years and continue to cause harm. Recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, as well as more unnamed newcomers, not only encrypt online data but also infiltrate all available system backups. Data synched to the cloud can also be corrupted. In a poorly architected system, this can render automated recovery impossible and basically sets the network back to square one.

Restoring applications and data after a ransomware intrusion becomes a sprint against the clock as the targeted business fights to contain and cleanup the ransomware and to restore enterprise-critical activity. Since ransomware needs time to replicate, attacks are often sprung during weekends and nights, when penetrations typically take longer to uncover. This multiplies the difficulty of promptly marshalling and organizing an experienced response team.

Progent makes available a range of solutions for securing organizations from ransomware attacks. These include team training to become familiar with and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of modern security appliances with AI technology to rapidly detect and extinguish new cyber threats. Progent in addition offers the services of experienced ransomware recovery engineers with the talent and commitment to reconstruct a compromised system as urgently as possible.

Progent's Ransomware Recovery Services
After a ransomware attack, even paying the ransom demands in Bitcoin cryptocurrency does not ensure that merciless criminals will respond with the codes to decrypt any or all of your information. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their files even after having sent off the ransom, resulting in additional losses. The risk is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is greatly higher than the average crypto-ransomware demands, which ZDNET averages to be approximately $13,000. The alternative is to setup from scratch the essential components of your Information Technology environment. Without the availability of essential system backups, this calls for a broad range of skills, well-coordinated project management, and the willingness to work continuously until the job is done.

For two decades, Progent has provided certified expert IT services for companies in Milwaukee and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have been awarded high-level certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally-renowned certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has experience in accounting and ERP software solutions. This breadth of expertise affords Progent the ability to efficiently ascertain necessary systems and consolidate the surviving pieces of your Information Technology environment after a ransomware penetration and assemble them into an operational network.

Progent's recovery team of experts utilizes powerful project management systems to coordinate the complex restoration process. Progent knows the importance of working swiftly and in concert with a customerís management and IT resources to prioritize tasks and to put essential applications back on line as soon as humanly possible.

Case Study: A Successful Ransomware Virus Response
A business contacted Progent after their organization was penetrated by the Ryuk crypto-ransomware. Ryuk is generally considered to have been launched by North Korean government sponsored hackers, possibly using strategies leaked from the United States National Security Agency. Ryuk attacks specific businesses with limited ability to sustain operational disruption and is one of the most profitable instances of ransomware. Headline organizations include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing company based in the Chicago metro area with around 500 staff members. The Ryuk event had brought down all company operations and manufacturing capabilities. The majority of the client's system backups had been online at the time of the intrusion and were destroyed. The client was taking steps for paying the ransom (more than two hundred thousand dollars) and praying for good luck, but in the end reached out to Progent.


"I canít tell you enough about the support Progent provided us during the most fearful time of (our) businesses life. We most likely would have paid the Hackers if it wasnít for the confidence the Progent team gave us. That you could get our e-mail and important servers back quicker than five days was beyond my wildest dreams. Every single staff member I got help from or texted at Progent was amazingly focused on getting our company operational and was working 24/7 on our behalf."

Progent worked hand in hand the customer to quickly understand and prioritize the critical applications that needed to be addressed to make it possible to continue business operations:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • MRP System
To begin, Progent followed Anti-virus penetration response industry best practices by stopping lateral movement and removing active viruses. Progent then started the steps of recovering Active Directory, the core of enterprise environments built upon Microsoft Windows Server technology. Exchange messaging will not operate without AD, and the client's financials and MRP applications leveraged SQL Server, which requires Active Directory for authentication to the database.

In less than 48 hours, Progent was able to re-build Active Directory to its pre-intrusion state. Progent then assisted with rebuilding and storage recovery of key systems. All Exchange data and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was able to find local OST files (Microsoft Outlook Offline Data Files) on staff PCs to recover mail data. A recent off-line backup of the customerís accounting/MRP systems made it possible to return these required services back available to users. Although significant work remained to recover completely from the Ryuk attack, the most important services were recovered rapidly:


"For the most part, the production line operation ran fairly normal throughout and we produced all customer orders."

During the following few weeks important milestones in the restoration project were accomplished in tight cooperation between Progent team members and the customer:

  • Self-hosted web sites were restored without losing any information.
  • The MailStore Exchange Server containing more than four million archived emails was spun up and accessible to users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory Control modules were completely functional.
  • A new Palo Alto Networks 850 firewall was set up and programmed.
  • Most of the user workstations were functioning as before the incident.

"A lot of what went on in the early hours is nearly entirely a blur for me, but we will not soon forget the care all of the team put in to give us our business back. Iíve been working together with Progent for the past 10 years, possibly more, and each time Progent has outperformed my expectations and delivered. This time was a stunning achievement."

Conclusion
A possible business extinction disaster was avoided due to dedicated experts, a wide array of IT skills, and tight collaboration. Although upon completion of forensics the crypto-ransomware attack described here would have been identified and blocked with current security systems and ISO/IEC 27001 best practices, user and IT administrator training, and appropriate incident response procedures for information backup and proper patching controls, the fact remains that government-sponsored hackers from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware incident, feel confident that Progent's roster of experts has proven experience in crypto-ransomware virus defense, mitigation, and data recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), Iím grateful for making it so I could get some sleep after we got through the initial push. Everyone did an incredible job, and if any of your guys is in the Chicago area, a great meal is my treat!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Milwaukee a portfolio of remote monitoring and security assessment services to help you to minimize the threat from ransomware. These services utilize modern artificial intelligence capability to detect zero-day variants of ransomware that are able to get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates next generation behavior machine learning tools to defend physical and virtual endpoints against new malware assaults such as ransomware and email phishing, which easily evade legacy signature-based anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a single platform to automate the entire threat lifecycle including filtering, infiltration detection, containment, cleanup, and forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver ultra-affordable multi-layer protection for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and responding to security threats from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device control, and web filtering via cutting-edge technologies incorporated within one agent managed from a unified console. Progent's data protection and virtualization experts can assist your business to plan and configure a ProSight ESP environment that addresses your company's specific requirements and that allows you demonstrate compliance with legal and industry data security standards. Progent will help you specify and implement security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for immediate action. Progent's consultants can also help your company to set up and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations an affordable end-to-end service for secure backup/disaster recovery (BDR). For a fixed monthly cost, ProSight Data Protection Services automates your backup activities and enables fast recovery of vital files, applications and VMs that have become unavailable or damaged due to component failures, software bugs, disasters, human error, or malware attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, plus Hyper-V and VMware images/. Critical data can be backed up on the cloud, to an on-promises device, or mirrored to both. Progent's backup and recovery specialists can deliver advanced expertise to configure ProSight DPS to to comply with regulatory requirements like HIPAA, FINRA, and PCI and, whenever needed, can assist you to restore your critical information. Learn more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading information security companies to deliver centralized control and world-class protection for all your email traffic. The powerful structure of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises security gateway device to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne malware. Email Guard's cloud filter acts as a first line of defense and blocks the vast majority of threats from making it to your network firewall. This decreases your vulnerability to inbound threats and saves system bandwidth and storage. Email Guard's on-premises gateway device provides a deeper level of analysis for incoming email. For outgoing email, the on-premises security gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Microsoft Exchange Server to monitor and protect internal email that originates and ends inside your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to diagram, track, enhance and troubleshoot their connectivity hardware such as routers and switches, firewalls, and load balancers as well as servers, client computers and other devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that network diagrams are kept current, copies and displays the configuration information of virtually all devices on your network, tracks performance, and sends notices when potential issues are discovered. By automating tedious network management activities, ProSight WAN Watch can cut hours off common tasks such as network mapping, expanding your network, locating devices that need important updates, or isolating performance issues. Find out more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) technology to help keep your IT system running efficiently by checking the health of vital computers that power your business network. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your specified IT management staff and your assigned Progent consultant so any looming issues can be resolved before they can impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the apps. Because the environment is virtualized, it can be ported easily to an alternate hosting environment without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and protect information related to your IT infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be warned automatically about impending expirations of SSLs or warranties. By cleaning up and managing your network documentation, you can eliminate up to half of time thrown away trying to find critical information about your IT network. ProSight IT Asset Management features a common location for holding and sharing all documents required for managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether youíre planning enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need as soon as you need it. Read more about ProSight IT Asset Management service.
For Milwaukee 24/7 Crypto-Ransomware Recovery Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.