Ransomware: Your Worst IT Catastrophe
Ransomware has become a modern cyber plague and an enterprise-level threat for businesses of any size that are unprepared for an attack. Earlier generations such as CrySIS, WannaCry, Locky, NotPetya and MongoLock have been circulating for years and still inflict harm. The latest strains, such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Nefilim, plus others not yet named, not only encrypt online data but also seek out and encrypt any backup they can reach. Data synced to cloud storage can be encrypted as well. Against a data protection design that leaves backups reachable from the compromised network, this can make restoration impossible and effectively resets the datacenter to zero. Backups that are offline or immutable, held on media or in storage that the stolen credentials cannot modify, are the practical defense against this.
Getting applications and data back on-line after a ransomware outage becomes a race against time as the targeted organization fights to stop the spread, clear the ransomware, and resume mission-critical activity. Because the attackers need time to move laterally and stage the encryption, attacks are often launched at night or on weekends, when a successful attack takes longer to notice. This adds to the difficulty of quickly assembling and organizing a qualified response team.
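The off-hours timing noted above is itself detectable: a burst of file rewrites from one account on a file server at 02:00 on a Saturday looks nothing like normal use. The following is an added example, not Progent's code or any product described on this page. It runs a sliding-window burst detector over constructed file-write audit records; the record format (timestamp, host, user, path), the business-hours definition and the thresholds are assumptions, and a real deployment would feed it Windows object-access audit events (event ID 4663) or file-server audit logs in the same shape.

```python
"""Ransomware burst detector over file-audit records.

Added example (not Progent's code or any product on the page). It reads
constructed file-write audit lines, flags a host/user pair that rewrites many
files in a short window, and notes whether the burst began outside business
hours. The record format 'timestamp,host,user,path' and the thresholds are
assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample records (not real data): normal daytime edits on Friday,
# then a service account rewriting files with a new extension at 02:14 on
# Saturday, the off-hours pattern described in the text.
SAMPLE_LOG = r"""
2021-03-19T14:02:11,FS01,jdoe,\\FS01\finance\q1.xlsx
2021-03-19T14:05:40,FS01,jdoe,\\FS01\finance\q1-notes.docx
2021-03-19T16:20:05,FS01,asmith,\\FS01\eng\drawing.dwg
2021-03-20T02:14:01,FS01,svc_backup,\\FS01\finance\q1.xlsx.RYK
2021-03-20T02:14:02,FS01,svc_backup,\\FS01\finance\q1-notes.docx.RYK
2021-03-20T02:14:02,FS01,svc_backup,\\FS01\finance\budget.xlsx.RYK
2021-03-20T02:14:03,FS01,svc_backup,\\FS01\eng\drawing.dwg.RYK
2021-03-20T02:14:04,FS01,svc_backup,\\FS01\eng\spec.pdf.RYK
2021-03-20T02:14:05,FS01,svc_backup,\\FS01\eng\RyukReadMe.html
"""

BUSINESS_HOURS = range(8, 18)   # 08:00-17:59, Monday to Friday (assumption)
WINDOW = timedelta(seconds=60)  # sliding window per host/user pair (assumption)
THRESHOLD = 5                   # writes within WINDOW that trigger an alert (assumption)


def parse_line(line):
    """Parse one 'timestamp,host,user,path' record; None for blank or malformed lines."""
    parts = line.strip().split(",", 3)
    if len(parts) != 4:
        return None
    ts, host, user, path = parts
    try:
        return datetime.fromisoformat(ts), host, user, path
    except ValueError:
        return None


def is_off_hours(ts):
    """True on weekends or outside BUSINESS_HOURS (naive local time)."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def detect_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (host, user) whose write rate reaches threshold per window.

    Events are processed in time order with a sliding window per pair. The
    alert records when the burst started and which file extensions it wrote,
    which is what a responder needs to decide what to isolate first.
    """
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent = defaultdict(deque)   # (host, user) -> (timestamp, extension) in window
    fired = set()
    alerts = []
    for ts, host, user, path in events:
        key = (host, user)
        q = recent[key]
        q.append((ts, PureWindowsPath(path).suffix.lower()))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({
                "host": host,
                "user": user,
                "first_seen": q[0][0].isoformat(),
                "count": len(q),
                "extensions": sorted({ext for _, ext in q}),
                "off_hours": is_off_hours(q[0][0]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample data only the svc_backup account trips the detector, and the alert carries the start time, the count and the single new extension seen, so an on-call responder can isolate that host and disable that account before the weekend is over. The thresholds should be tuned against a baseline of normal write rates; a nightly batch job that legitimately rewrites thousands of files needs an allowlist entry rather than a higher global threshold.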
Progent provides a variety of services for protecting businesses from ransomware attacks. Among these are staff training to recognize and avoid phishing, ProSight Active Security Monitoring for behavior-based endpoint protection, and deployment of modern security appliances with AI technology to rapidly detect and block zero-day threats. Progent can also provide veteran ransomware recovery engineers with the skills and perseverance to rebuild a compromised environment as quickly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware penetration, even paying the ransom in cryptocurrency gives no assurance that the attackers will hand over the keys needed to decrypt all your files. Kaspersky Labs found that 17 percent of ransomware victims never recovered their files even after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the average ransomware demand, which ZDNet estimated at around $13,000. The alternative is to rebuild the key elements of your IT environment. Without complete system backups, this requires a broad set of skills, professional project management, and the ability to work non-stop until the job is done.
For two decades, Progent has provided certified expert IT services for companies in Milwaukee and throughout the United States and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who hold high-level certifications in key technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's security experts hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC (refer to Progent's certifications). Progent also has experience with financial management and ERP software. This breadth of experience lets Progent rapidly identify the systems that matter, organize the surviving parts of your IT environment after a ransomware penetration, and configure them into a working network.
Progent's recovery team uses top-notch project management tools to coordinate the complex restoration process. Progent understands the urgency of acting swiftly and in concert with a client's management and IT staff to prioritize tasks and put critical services back on-line as soon as possible.
Client Story: A Successful Ransomware Attack Recovery
A customer hired Progent after their organization was brought down by the Ryuk ransomware. Ryuk was initially linked to North Korea because it shares code with the Hermes ransomware, but later analysis attributed it to Russian-speaking criminal operators. Ryuk targets organizations that can tolerate little or no downtime and is one of the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a manufacturing company headquartered in the Chicago metro area with around 500 staff members. The Ryuk intrusion had brought down all company operations and manufacturing processes. Most of the client's backups had been on-line at the start of the attack and were eventually encrypted. The client was pursuing financing to pay the ransom (in excess of two hundred thousand dollars) and hoping for good luck, but in the end brought in Progent.
"I can't thank you enough for the care Progent provided us during the most critical time of (our) business's survival. We would have had little choice but to pay the hackers if not for the confidence the Progent experts afforded us. The fact that you could get our e-mail system and essential servers back in less than one week was amazing. Each staff member I talked with or messaged at Progent was amazingly focused on getting my company operational and was working 24/7 to bail us out."
Progent worked with the client to rapidly identify and prioritize the essential services that had to be recovered to resume departmental functions:
To start, Progent followed industry best practices for malware incident response by containing the spread and disinfecting affected systems. Progent then began rebuilding Active Directory, the heart of enterprise environments built on Microsoft technology: Microsoft Exchange will not run without AD, and the customer's accounting and MRP system ran on Microsoft SQL Server, which relied on AD for authentication and authorization to the data.
- Active Directory (AD)
Within two days, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then helped rebuild and recover the disks of mission-critical servers. All Exchange ties and configuration data were intact, which simplified the Exchange restore. Progent was also able to harvest unencrypted OST files (Microsoft Outlook Offline Data Files) from staff desktops to recover mailbox data. A reasonably recent off-line backup of the customer's manufacturing systems made it possible to bring those vital applications back on-line. Although significant work remained to recover completely from Ryuk, essential systems were back in operation quickly:
"For the most part, the assembly line operation ran fairly normally throughout and we made all customer deliverables."
Over the next couple of weeks, critical milestones in the restoration were reached in close collaboration between Progent consultants and the client:
- In-house web applications were returned to operation with no loss of data.
- The MailStore Server email archive containing more than four million historical emails was brought back up and made accessible to users.
- CRM, orders, invoicing, accounts payable, accounts receivable (AR) and inventory control functions were 100 percent operational.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Ninety percent of the user desktops were functioning as before the incident.
"A lot of what happened those first few days is mostly a fog for me, but my team will not soon forget the countless hours each and every one of your team put in to help get our company back. I've entrusted Progent for the past ten years, maybe more, and each time I needed help Progent has shined and delivered as promised. This event was a Herculean accomplishment."
A probable company-ending disaster was averted by hard-working professionals, a wide spectrum of technical expertise, and tight collaboration. Post-incident analysis showed that the ransomware incident described here could have been detected and stopped with modern security tooling and recognized best practices, user and IT administrator education, and well-thought-out procedures for data protection and patch management; the reality remains that criminal and state-sponsored attackers are tireless and will keep trying. If you do fall victim to a ransomware attack, you can be confident that Progent's team has proven experience in ransomware defense, mitigation, and file restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), I'm grateful for letting me get some sleep after we made it over the initial fire. All of you made an amazing effort, and if any of you are visiting the Chicago area, a great meal is the least I can do!"
To review or download a PDF version of this case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Milwaukee a range of online monitoring and security assessment services to help you to reduce your vulnerability to crypto-ransomware. These services include modern machine learning capability to detect new strains of ransomware that are able to get past legacy signature-based anti-virus products.
For 24-Hour Milwaukee Crypto-Ransomware Remediation Experts, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection solution that uses behavior-based machine learning to guard physical and virtual endpoints against new malware such as ransomware and file-less exploits, which routinely evade traditional signature-based anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a single platform to automate the entire threat lifecycle: filtering, identification, containment, remediation, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and automatic system-wide immunization against newly discovered threats. Note that many ransomware families delete shadow copies before they begin encrypting, so VSS-based rollback is only as good as the agent's ability to protect those snapshots from tampering. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable in-depth security for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint management, and web filtering via leading-edge technologies packaged within a single agent accessible from a single console. Progent's data protection and virtualization experts can assist you to design and configure a ProSight ESP deployment that addresses your organization's specific needs and that helps you demonstrate compliance with legal and industry data security regulations. Progent will help you define and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for immediate attention. Progent can also assist your company to install and verify a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services provide small and medium-sized businesses an affordable end-to-end service for secure backup and disaster recovery (BDR). For a fixed monthly rate, ProSight DPS automates your backup processes and allows fast restoration of vital files, apps and VMs that have become unavailable or damaged as a result of component failures, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images. Critical data can be protected in the cloud, to an on-premises storage device, or to both. Progent's cloud backup consultants can provide advanced expertise to configure ProSight DPS to comply with regulatory standards such as HIPAA, FERPA, PCI and Safe Harbor and, when necessary, can assist you to restore your business-critical information. Find out more about ProSight DPS Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading data security vendors to provide centralized control and world-class protection for your email traffic. The hybrid structure of Progent's Email Guard managed service combines a Cloud Protection Layer with a local gateway device to provide advanced defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a preliminary barricade and keeps most unwanted email from reaching your network firewall. This reduces your exposure to inbound threats and saves bandwidth and storage space. Email Guard's on-premises gateway device adds a further layer of inspection for incoming email. For outbound email, the local gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Exchange Server track and safeguard internal email traffic that originates and ends inside your security perimeter. For more information, see Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to map out, monitor, optimize and debug their networking appliances such as switches, firewalls, and wireless controllers plus servers, printers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are kept updated, captures and manages the configuration of virtually all devices on your network, tracks performance, and generates alerts when potential issues are discovered. By automating time-consuming management activities, ProSight WAN Watch can knock hours off ordinary tasks like making network diagrams, reconfiguring your network, finding devices that need critical updates, or isolating performance issues. Learn more details about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to keep your network running efficiently by tracking the state of vital assets that drive your information system. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your specified IT personnel and your assigned Progent consultant so any potential problems can be resolved before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual host set up and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the apps. Since the system is virtualized, it can be ported easily to a different hosting environment without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and safeguard information about your IT infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT documentation, you can save as much as 50% of the time spent looking for critical information about your IT network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents related to managing your business network, such as recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether you're planning improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you need as soon as you need it. Read more about ProSight IT Asset Management service.