Ransomware : Your Worst IT Nightmare
Crypto-Ransomware  Remediation ExpertsRansomware has become a modern cyber pandemic that represents an extinction-level danger for organizations poorly prepared for an attack. Multiple generations of crypto-ransomware such as Reveton, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been circulating for a long time and still cause havoc. Recent variants of crypto-ransomware such as Ryuk and Hermes, along with daily as yet unnamed newcomers, not only encrypt online data but also infiltrate most accessible system protection. Information synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly designed system, this can render automatic restore operations useless and basically knocks the datacenter back to square one.

Getting back services and data after a ransomware attack becomes a sprint against the clock as the victim struggles to contain the damage and eradicate the ransomware and to restore business-critical operations. Due to the fact that ransomware requires time to spread, penetrations are frequently sprung at night, when penetrations may take longer to discover. This multiplies the difficulty of rapidly mobilizing and coordinating a qualified mitigation team.

Progent has a variety of support services for securing organizations from crypto-ransomware events. These include staff training to become familiar with and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of the latest generation security gateways with artificial intelligence capabilities to automatically detect and quarantine day-zero cyber threats. Progent also provides the services of experienced crypto-ransomware recovery engineers with the track record and commitment to rebuild a compromised environment as soon as possible.

Progent's Ransomware Restoration Support Services
After a ransomware penetration, sending the ransom demands in Bitcoin cryptocurrency does not ensure that cyber criminals will provide the needed codes to decipher any of your data. Kaspersky Labs ascertained that seventeen percent of crypto-ransomware victims never recovered their files even after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is well above the typical ransomware demands, which ZDNET estimates to be in the range of $13,000. The fallback is to piece back together the key parts of your Information Technology environment. Without access to full data backups, this requires a broad complement of skill sets, well-coordinated project management, and the willingness to work continuously until the recovery project is over.

For twenty years, Progent has offered professional IT services for companies in Toledo and across the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have attained high-level industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have garnered internationally-renowned industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of expertise gives Progent the skills to knowledgably understand critical systems and organize the remaining components of your computer network system following a ransomware event and configure them into a functioning system.

Progent's security team of experts utilizes top notch project management systems to coordinate the complicated restoration process. Progent knows the urgency of acting rapidly and in unison with a customerís management and IT staff to prioritize tasks and to put essential systems back on line as fast as possible.

Customer Case Study: A Successful Ransomware Incident Recovery
A client contacted Progent after their network system was crashed by the Ryuk crypto-ransomware. Ryuk is thought to have been created by North Korean state sponsored criminal gangs, possibly using approaches leaked from Americaís National Security Agency. Ryuk goes after specific companies with limited ability to sustain operational disruption and is one of the most profitable iterations of crypto-ransomware. Major organizations include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in Chicago and has about 500 workers. The Ryuk attack had frozen all essential operations and manufacturing processes. The majority of the client's system backups had been directly accessible at the beginning of the intrusion and were encrypted. The client considered paying the ransom demand (more than $200,000) and hoping for the best, but in the end brought in Progent.


"I canít speak enough in regards to the support Progent gave us throughout the most fearful time of (our) companyís survival. We most likely would have paid the cybercriminals if not for the confidence the Progent experts afforded us. The fact that you could get our e-mail and production applications back in less than a week was earth shattering. Every single expert I interacted with or messaged at Progent was totally committed on getting our system up and was working at all hours on our behalf."

Progent worked together with the client to rapidly assess and assign priority to the mission critical systems that had to be addressed to make it possible to resume business functions:

  • Active Directory
  • Electronic Messaging
  • Accounting and Manufacturing Software
To get going, Progent followed Anti-virus event response best practices by stopping the spread and disinfecting systems. Progent then initiated the work of recovering Active Directory, the key technology of enterprise systems built upon Microsoft Windows Server technology. Exchange messaging will not work without Windows AD, and the client's MRP system used Microsoft SQL, which needs Active Directory services for security authorization to the database.

Within 48 hours, Progent was able to recover Active Directory services to its pre-virus state. Progent then completed rebuilding and hard drive recovery on the most important applications. All Exchange Server ties and configuration information were usable, which facilitated the rebuild of Exchange. Progent was also able to collect non-encrypted OST data files (Microsoft Outlook Offline Folder Files) on team workstations and laptops to recover mail messages. A recent offline backup of the customerís accounting software made it possible to restore these essential programs back on-line. Although a lot of work still had to be done to recover completely from the Ryuk event, core services were recovered quickly:


"For the most part, the production line operation ran fairly normal throughout and we did not miss any customer shipments."

During the following few weeks key milestones in the restoration project were made through tight collaboration between Progent team members and the client:

  • Internal web applications were restored with no loss of information.
  • The MailStore Server exceeding four million archived messages was brought on-line and available for users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/AR/Inventory modules were fully restored.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • 90% of the desktop computers were being used by staff.

"Much of what transpired those first few days is nearly entirely a haze for me, but we will not soon forget the commitment each of your team put in to help get our business back. I have been working together with Progent for at least 10 years, possibly more, and each time I needed help Progent has shined and delivered as promised. This time was no exception but maybe more Herculean."

Conclusion
A probable enterprise-killing disaster was averted with hard-working professionals, a broad spectrum of technical expertise, and tight collaboration. Although in retrospect the ransomware virus incident detailed here would have been identified and blocked with advanced cyber security systems and security best practices, staff education, and well designed security procedures for information backup and keeping systems up to date with security patches, the reality remains that government-sponsored hackers from Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a ransomware penetration, remember that Progent's team of experts has a proven track record in crypto-ransomware virus blocking, cleanup, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were helping), thank you for letting me get some sleep after we made it past the most critical parts. Everyone did an incredible effort, and if any of your team is in the Chicago area, a great meal is my treat!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Toledo a portfolio of remote monitoring and security assessment services to help you to reduce your vulnerability to ransomware. These services utilize next-generation AI technology to detect zero-day variants of crypto-ransomware that can escape detection by traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates cutting edge behavior analysis technology to guard physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which routinely evade legacy signature-based AV tools. ProSight ASM protects on-premises and cloud resources and provides a unified platform to address the complete malware attack progression including blocking, detection, containment, remediation, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection services deliver affordable multi-layer security for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and reacting to cyber assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge technologies incorporated within a single agent managed from a single console. Progent's security and virtualization experts can help your business to plan and configure a ProSight ESP deployment that addresses your company's unique needs and that allows you prove compliance with government and industry data security standards. Progent will help you specify and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that require immediate action. Progent's consultants can also help your company to set up and verify a backup and restore system such as ProSight Data Protection Services so you can recover rapidly from a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and medium-sized businesses an affordable end-to-end solution for secure backup/disaster recovery. Available at a fixed monthly cost, ProSight DPS automates your backup activities and enables rapid restoration of critical files, apps and virtual machines that have become unavailable or corrupted due to hardware failures, software bugs, natural disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, plus Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to an on-promises device, or mirrored to both. Progent's BDR specialists can provide advanced expertise to set up ProSight Data Protection Services to be compliant with regulatory requirements like HIPPA, FINRA, and PCI and, whenever necessary, can assist you to restore your business-critical data. Learn more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top data security companies to deliver web-based control and comprehensive protection for all your inbound and outbound email. The powerful architecture of Progent's Email Guard integrates cloud-based filtering with an on-premises security gateway appliance to provide complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks most threats from reaching your security perimeter. This reduces your exposure to external threats and conserves system bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a further level of inspection for incoming email. For outbound email, the onsite gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email that stays inside your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to map out, track, optimize and troubleshoot their networking hardware such as switches, firewalls, and access points as well as servers, printers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network diagrams are kept current, captures and displays the configuration of almost all devices on your network, monitors performance, and sends notices when problems are discovered. By automating tedious network management processes, WAN Watch can knock hours off ordinary chores like network mapping, expanding your network, finding devices that need important updates, or isolating performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that uses advanced remote monitoring and management technology to help keep your network running efficiently by checking the health of vital assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your specified IT management personnel and your assigned Progent consultant so any potential issues can be addressed before they can impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected fault tolerant data center on a fast virtual machine host configured and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the applications. Since the environment is virtualized, it can be moved easily to an alternate hardware solution without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, retrieve and protect data about your network infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be alerted about impending expirations of SSLs or warranties. By updating and organizing your IT infrastructure documentation, you can eliminate as much as half of time spent looking for critical information about your IT network. ProSight IT Asset Management features a centralized location for holding and sharing all documents related to managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether youíre making improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you require when you need it. Read more about Progent's ProSight IT Asset Management service.
For 24/7 Toledo Ransomware Recovery Consulting, contact Progent at 800-993-9400 or go to Contact Progent.