Ransomware: Your Worst IT Catastrophe
Ransomware has become an escalating cyber pandemic that presents an existential threat to businesses of every size. Crypto-ransomware families such as CrySIS, CryptoWall, Bad Rabbit, SamSam and the MongoLock cryptoworm have been circulating for years and continue to cause destruction. More recent strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nefilim, as well as frequent unnamed malware, not only encrypt online data but also seek out and destroy every backup and recovery mechanism they can reach, such as shadow copies and backup targets that are mounted or reachable from the network. Files synced to the cloud can be rendered useless as well, because the encrypted copies are synced over the good ones. In a poorly architected environment this defeats automatic recovery and effectively sets the network back to square one.

Restoring services and data after a crypto-ransomware attack becomes a race against the clock: the targeted business must stop lateral movement, eradicate the ransomware, and resume mission-critical activity as quickly as possible. Because ransomware takes time to spread laterally, attacks are usually launched at night or on weekends, when a successful intrusion takes longer to notice. This makes it much harder to assemble and coordinate a knowledgeable response team promptly.

Progent provides a range of services for protecting businesses from crypto-ransomware attacks. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security gateways that use machine-learning detection to identify and block zero-day threats quickly. Progent also offers seasoned crypto-ransomware recovery engineers with the track record and commitment to rebuild a breached environment as urgently as possible.

Progent's Crypto-Ransomware Recovery Support Services
After a ransomware event, paying the ransom in Bitcoin offers no assurance that the criminals will hand over working decryption keys for any of your data. Kaspersky Labs estimated that 17% of ransomware victims who paid never recovered their data, compounding their losses. Paying is also expensive: Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the typical ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the critical parts of your IT environment. Without full, uncompromised backups this requires a wide range of IT skills, professional project management, and the willingness to work around the clock until the job is done.

For decades, Progent has provided professional IT services to companies in Toledo and across the US and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals holding top certifications in key technologies including Microsoft, Cisco, VMware, and the popular Linux distributions. Progent's cyber security experts hold internationally recognized industry certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of expertise lets Progent quickly identify the systems that must come back first, reassemble the surviving parts of your IT environment after a ransomware attack, and configure them into a functioning network.

Progent's ransomware group uses best-of-breed project management tools to orchestrate the complex recovery process. Progent understands the urgency of acting quickly and in concert with a customer's management and IT team members to prioritize tasks and to put essential services back online as fast as humanly possible.

Client Case Study: A Successful Ransomware Incident Recovery
A customer engaged Progent after their network was brought down by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later analysis attributes it to a Russian-speaking criminal group. Ryuk targets specific businesses with little ability to sustain operational disruption and is among the most profitable strains of crypto-ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business in Chicago with about 500 employees. The Ryuk event had shut down all company operations and manufacturing processes. Most of the client's backups were online, reachable from the compromised network, when the intrusion began, and were destroyed along with the production data. The client was arranging financing to pay the ransom demand (more than $200K) and hoping for the best, but in the end called Progent.


"I can't tell you enough about the expertise Progent gave us during the most stressful period of (our) company's life. We most likely would have paid the cyber criminals behind the attack if not for the confidence the Progent group afforded us. That you were able to get our e-mail and key servers back sooner than a week was amazing. Every single person I spoke to or messaged at Progent was urgently focused on getting us operational and was working 24 by 7 to bail us out."

Progent worked with the customer to quickly assess and prioritize the critical elements that had to be recovered to make it possible to resume departmental functions:

  • Active Directory (AD)
  • E-Mail
  • MRP System
Progent first followed incident-response best practice by isolating affected systems to stop lateral movement and cleaning up compromised hosts. Progent then began rebuilding Active Directory, the core technology of any enterprise environment built on Microsoft Windows. Exchange will not operate without AD, and the client's accounting and MRP system ran on Microsoft SQL Server, which relied on AD for Windows authentication and authorization to the data.

Within two days, Progent rebuilt Active Directory to its pre-intrusion state. Progent then began rebuilding the required applications and restoring their storage. All Exchange connectors and configuration data were intact, which simplified the Exchange rebuild. Progent collected local OST files (Outlook offline data files) from staff PCs to recover mail messages. A reasonably recent offline backup of the client's accounting/ERP software, which had survived precisely because it was not reachable from the network, made it possible to bring those essential applications back online. Although much work remained to recover fully from Ryuk, essential systems were back in operation quickly:


"For the most part, the production line operation never missed a beat and we delivered all customer sales."

During the next couple of weeks critical milestones in the restoration process were accomplished through close cooperation between Progent engineers and the customer:

  • Self-hosted web applications were restored without losing any information.
  • The MailStore archive server for Microsoft Exchange, containing more than four million archived messages, was restored to operation and made available to users.
  • CRM/Orders/Invoicing/AP/Accounts Receivables/Inventory capabilities were 100% functional.
  • A new Palo Alto Networks PA-850 firewall was set up.
  • Nearly all of the user desktops were operational.

"A lot of what went on that first week is nearly entirely a fog for me, but our team will not soon forget the dedication each of the team put in to give us our company back. I've trusted Progent for at least 10 years, possibly more, and every time Progent has impressed me and delivered. This situation was a life saver."

Conclusion
A probable enterprise-killing catastrophe was averted by hard-working experts, a wide spectrum of subject-matter expertise, and tight collaboration. Post-incident forensics showed that the intrusion described here could have been prevented with current security tooling, NIST Cybersecurity Framework best practices, user training, and sound procedures for isolated backups and timely patching. Nevertheless, criminal and state-sponsored attackers from Russia, China, North Korea and elsewhere are relentless and will keep trying. If you do fall victim to crypto-ransomware, you can be confident that Progent's roster of professionals has proven experience in ransomware blocking, cleanup, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), I'm grateful for allowing me to get rested after we got through the initial push. Everyone did an impressive job, and if anyone is visiting the Chicago area, a great meal is on me!"

To review or download a PDF version of this case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Toledo a range of remote monitoring and security evaluation services to help you minimize the threat from ransomware. These services use behavior-based and machine-learning detection to catch new ransomware variants that slip past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that uses behavior-based analysis to defend physical and virtual endpoints against new malware attacks such as ransomware and fileless exploits, which routinely get past traditional signature-based AV tools. ProSight ASM safeguards local and cloud resources and provides a single platform to automate the complete threat lifecycle: blocking, detection, containment, cleanup, and post-attack forensics. Top capabilities include single-click rollback based on Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Note that shadow-copy rollback only helps if the shadow copies survive: Ryuk and most current ransomware families deliberately delete them before encrypting, so the endpoint agent must detect and block that deletion for rollback to remain possible. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver economical multi-layer security for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring of, and response to, cyber attacks from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, device management, and web filtering through tools incorporated within a single agent managed from one console. Progent's security and virtualization experts can help your business plan and configure a ProSight ESP deployment that addresses your organization's unique requirements and helps you achieve and demonstrate compliance with government and industry information security standards. Progent will help you specify and implement the security policies that ProSight ESP enforces, and Progent will monitor your network and respond to alerts that require urgent attention. Progent can also help your company install and verify a backup and restore solution such as ProSight Data Protection Services so you can get back in business rapidly after a destructive attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized organizations a low-cost, end-to-end solution for reliable backup and disaster recovery (BDR). For a fixed monthly price, ProSight Data Protection Services automates your backup processes and enables fast restoration of critical data, applications and VMs that have become unavailable or corrupted due to component failures, software glitches, disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware images. Important data can be backed up to the cloud, to an on-premises storage device, or mirrored to both. Because ransomware such as Ryuk deliberately seeks out and destroys any backup it can reach, at least one copy should be kept offline or otherwise unreachable with production credentials, as the surviving offline ERP backup in the case study above demonstrates. Progent's cloud backup specialists can provide world-class support to set up ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FINRA, and PCI and, when necessary, can help you restore your critical data. Read more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top data security vendors to provide centralized control and comprehensive protection for all your inbound and outbound email. The powerful architecture of Email Guard managed service integrates a Cloud Protection Layer with an on-premises security gateway appliance to provide complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer serves as a first line of defense and keeps most threats from reaching your security perimeter. This decreases your vulnerability to inbound attacks and conserves system bandwidth and storage space. Email Guard's on-premises security gateway device adds a deeper layer of analysis for inbound email. For outbound email, the local security gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also assist Exchange Server to monitor and safeguard internal email traffic that originates and ends within your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller organizations to diagram, track, optimize and troubleshoot their connectivity hardware such as switches, firewalls, and load balancers as well as servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network diagrams are always current, copies and manages the configuration information of almost all devices connected to your network, tracks performance, and sends notices when issues are discovered. By automating complex network management activities, ProSight WAN Watch can cut hours off common tasks such as network mapping, reconfiguring your network, finding devices that need critical software patches, or resolving performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system operating at peak levels by tracking the health of the vital computers that drive your information system. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your designated IT management personnel and your Progent consultant so that potential issues can be resolved before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual machine host configured and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting model, the client owns the data, the OS software, and the applications. Since the system is virtualized, it can be moved immediately to a different hosting environment without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and protect data related to your network infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can save up to 50% of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management features a common repository for storing and sharing all documents required for managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether you're planning improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.
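The ProSight Active Security Monitoring entry above relies on Volume Shadow Copy rollback, and the case study shows why that is fragile: Ryuk and similar families delete shadow copies, shrink shadow storage, delete the Windows Backup catalog and disable automatic recovery before they encrypt. The script below is an added example written for this page, not Progent's code or part of any ProSight product. It runs a small set of behavioral rules over constructed process-creation events (the kind an EDR agent or Sysmon Event ID 1 produces) and flags hosts where recovery is being disabled, escalating when several techniques fire in quick succession. The event field names (ts, host, user, cmdline), the sample events, and the ten-minute correlation window are assumptions for the illustration.

```python
"""Flag process-creation events that look like ransomware disabling recovery.

Ryuk-style ransomware deletes Volume Shadow Copies, shrinks shadow storage,
deletes the Windows Backup catalog and turns off automatic recovery before it
encrypts, so that VSS rollback and local backups are useless afterwards.
Each rule is a regex over a lower-cased, whitespace-collapsed command line.
(Added example; field names and sample data are assumptions, not real telemetry.)
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RULES = [
    ("vss_delete",         r"\bvssadmin(\.exe)? delete shadows"),
    ("vss_resize",         r"\bvssadmin(\.exe)? resize shadowstorage"),
    ("wmic_shadow_delete", r"\bwmic(\.exe)? shadowcopy delete"),
    ("wbadmin_catalog",    r"\bwbadmin(\.exe)? delete (catalog|systemstatebackup)"),
    ("bcdedit_recovery",   r"\bbcdedit(\.exe)? .*(recoveryenabled no|bootstatuspolicy ignoreallfailures)"),
    ("ps_shadow_remove",   r"win32_shadowcopy.*(remove-wmiobject|\.delete\(\))"),
]
COMPILED = [(name, re.compile(pattern)) for name, pattern in RULES]


def normalise(cmdline: str) -> str:
    """Lower-case and collapse whitespace so padding or odd casing cannot dodge a rule."""
    return re.sub(r"\s+", " ", cmdline.strip().lower())


def match_rules(cmdline: str) -> list:
    """Return the names of every rule that fires on one command line."""
    text = normalise(cmdline)
    return [name for name, rx in COMPILED if rx.search(text)]


def detect_backup_tampering(events, window=timedelta(minutes=10)) -> list:
    """Correlate rule hits per host.

    events: iterable of dicts with 'ts' (ISO 8601), 'host', 'user', 'cmdline'.
    Severity is 'high' when two or more distinct techniques fire on one host
    within `window` of the first hit: one technique alone could be an admin
    freeing disk space, several in quick succession almost never are.
    """
    hits = defaultdict(list)
    for ev in events:
        for rule in match_rules(ev["cmdline"]):
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), rule, ev["user"], ev["cmdline"]))

    findings = []
    for host, host_hits in hits.items():
        host_hits.sort(key=lambda h: h[0])
        first = host_hits[0][0]
        in_window = [h for h in host_hits if h[0] - first <= window]
        rules = sorted({h[1] for h in in_window})
        findings.append({
            "host": host,
            "severity": "high" if len(rules) >= 2 else "medium",
            "rules": rules,
            "first_seen": first.isoformat(),
            "users": sorted({h[2] for h in in_window}),
            "commands": [h[3] for h in in_window],
        })
    return sorted(findings, key=lambda f: f["host"])


# Constructed sample events (not real telemetry). The FILESRV01 sequence mirrors
# the clean-up batch script Ryuk runs before encryption; WKS-ACCT07 is benign.
SAMPLE_EVENTS = [
    {"ts": "2020-03-14T02:11:05", "host": "FILESRV01", "user": "CORP\\svc_backup",
     "cmdline": "vssadmin.exe  Delete Shadows /all /quiet"},
    {"ts": "2020-03-14T02:11:06", "host": "FILESRV01", "user": "CORP\\svc_backup",
     "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"ts": "2020-03-14T02:11:09", "host": "FILESRV01", "user": "CORP\\svc_backup",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"ts": "2020-03-14T02:12:30", "host": "FILESRV01", "user": "CORP\\svc_backup",
     "cmdline": "wbadmin DELETE CATALOG -quiet"},
    {"ts": "2020-03-13T22:00:00", "host": "SQL02", "user": "CORP\\dba",
     "cmdline": "powershell -nop -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}\""},
    {"ts": "2020-03-14T09:00:00", "host": "WKS-ACCT07", "user": "CORP\\jdoe",
     "cmdline": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\""},
    {"ts": "2020-03-14T09:30:00", "host": "WKS-ACCT07", "user": "CORP\\helpdesk",
     "cmdline": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for f in detect_backup_tampering(SAMPLE_EVENTS):
        print(f"{f['severity'].upper():6} {f['host']} {f['first_seen']} rules={','.join(f['rules'])}")
```

Run stand-alone, the script reports FILESRV01 as high severity (four techniques within two minutes, starting at 02:11 on a Saturday morning, which matches the after-hours timing discussed earlier) and SQL02 as medium, while the benign `vssadmin list shadows` on the workstation produces nothing. In a real deployment the events would come from the EDR or SIEM feed rather than an inline list, and a high-severity finding should isolate the host rather than merely alert, since the encryption phase typically follows within minutes.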
For 24/7/365 Toledo CryptoLocker Remediation Consulting, contact Progent at 800-993-9400 or go to Contact Progent.