Ransomware: Your Worst Information Technology Disaster
Ransomware has become a too-frequent cyber pandemic and represents an extinction-level threat for organizations unprepared for an attack. Crypto-ransomware families such as Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock have been around for years and continue to inflict damage. Newer families like Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch and Nefilim, plus a steady stream of as yet unnamed newcomers, not only encrypt online data but also seek out and destroy every reachable system restore point and backup. Data synchronized to the cloud can be ransomed as well, since a sync client faithfully uploads the encrypted copies over the good ones. In a poorly designed data protection solution this renders automated recovery useless and effectively sets the datacenter back to zero.
Getting programs and data back after a ransomware outage is a sprint against the clock as the targeted organization fights to stop the spread, remove the malware, and restore business-critical operations. Because ransomware operators need time to move laterally and stage the encryption, attacks are often launched on weekends and at night, when a successful attack is likely to go unnoticed for longer. This compounds the difficulty of quickly mobilizing and coordinating an experienced response team.
Progent provides a range of services for protecting organizations from ransomware. These include employee training to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation endpoint protection with machine learning from SentinelOne to identify and quarantine zero-day threats. Progent also provides seasoned ransomware recovery engineers with the skills and perseverance to restore a compromised environment as rapidly as possible.
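A detection-side illustration of the timing point above, added here as an example rather than code from Progent or from the case study: ransomware operators typically wipe local restore points (vssadmin delete shadows, wmic shadowcopy delete, wbadmin delete catalog, bcdedit disabling recovery) moments before encrypting, and when that happens at 2 a.m. on a Saturday it deserves an immediate page. The script scans process-creation records that have been flattened to 'timestamp|host|user|command_line' lines (a format assumed for the example; the sample log lines are constructed), flags those commands, and rates each hit by whether it ran off-hours. The staffed-hours window is an assumption to adjust per site.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Command lines that destroy local restore points. Many ransomware families run
# these right before encrypting; seeing one outside a maintenance window is one
# of the earliest reliable warnings that an encryption run is about to start.
SHADOW_DESTRUCTION = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(?:\.exe)?\s+delete\s+catalog"
    r"|bcdedit(?:\.exe)?\s+.*recoveryenabled\s+no",
    re.IGNORECASE,
)

STAFFED_HOURS = range(7, 19)   # assumption: 07:00-18:59 local time is staffed
WEEKEND = (5, 6)               # datetime.weekday(): Saturday=5, Sunday=6


def is_off_hours(ts: datetime) -> bool:
    """True on weekends or outside staffed hours, when attackers prefer to act."""
    return ts.weekday() in WEEKEND or ts.hour not in STAFFED_HOURS


def parse_record(line: str) -> Tuple[datetime, str, str, str]:
    """Split an assumed 'timestamp|host|user|command_line' record into fields."""
    ts, host, user, cmd = line.split("|", 3)
    return datetime.fromisoformat(ts), host, user, cmd


def analyze(log_text: str) -> List[Dict]:
    """Return one alert per record whose command line destroys restore points.

    Severity is 'high' when the command also ran off-hours, 'medium' otherwise,
    because an administrator may legitimately prune shadow copies during the day.
    """
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, host, user, cmd = parse_record(raw)
        match = SHADOW_DESTRUCTION.search(cmd)
        if not match:
            continue
        off_hours = is_off_hours(ts)
        alerts.append({
            "time": ts.isoformat(),
            "host": host,
            "user": user,
            "indicator": match.group(0),
            "off_hours": off_hours,
            "severity": "high" if off_hours else "medium",
        })
    return alerts


def spread_summary(alerts: List[Dict]) -> Dict:
    """Hosts and accounts involved. The same account hitting several hosts in a
    short window points to lateral movement with a compromised privileged credential."""
    return {
        "hosts": sorted({a["host"] for a in alerts}),
        "users": sorted({a["user"] for a in alerts}),
        "high": sum(a["severity"] == "high" for a in alerts),
    }


# Constructed sample records (not from a real incident). 2019-03-09 is a Saturday.
SAMPLE_LOG = r"""
2019-03-09T02:14:07|FILESRV01|CORP\svc_backup|C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
2019-03-09T02:14:09|FILESRV01|CORP\svc_backup|C:\Windows\System32\wbadmin.exe delete catalog -quiet
2019-03-09T02:15:30|DC01|CORP\svc_backup|cmd.exe /c wmic shadowcopy delete
2019-03-11T10:02:11|WS-ACCT07|CORP\jdoe|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
2019-03-11T14:30:00|FILESRV01|CORP\admin|vssadmin delete shadows /for=D: /oldest
"""

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(spread_summary(found))
```

Run against the sample, the three Saturday-night hits (one service account on two hosts) come out as high severity and the Monday-afternoon prune as medium. In production the same logic belongs in the SIEM or EDR rule set, keyed on Sysmon Event ID 1 or Security Event ID 4688 command lines, with the paging threshold set so that a high alert on a domain controller or file server wakes someone up.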
Progent's Crypto-Ransomware Restoration Help
After a ransomware event, paying the ransom in cryptocurrency does not guarantee that the attackers will respond with keys that decrypt any or all of your data. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their data after paying, compounding their losses. The gamble is also costly. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far higher than the typical ransomware demand, which ZDNet estimated at around $13,000. The alternative is to piece back together the essential components of your IT environment. Without access to complete backups, this requires a wide range of skills, first-rate project management, and the willingness to work around the clock until the job is done.
For decades, Progent has provided expert Information Technology services for businesses in Florianópolis and throughout the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who hold advanced certifications in foundation technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security consultants have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of expertise lets Progent quickly identify critical systems after a ransomware attack, salvage the remaining parts of your network environment, and rebuild them into an operational network.
Progent's ransomware team uses powerful project management tools to coordinate the complex restoration process. Progent knows the importance of acting swiftly and working together with a customer's management and IT resources to prioritize tasks and to put essential systems back online as soon as humanly possible.
Customer Case Study: A Successful Ransomware Intrusion Response
A business escalated to Progent after their organization was taken over by Ryuk ransomware. Ryuk was initially attributed to North Korea because it shares code with the earlier Hermes ransomware, but later research tied it to a Russian-speaking criminal group. Ryuk targets specific companies with limited tolerance for disruption and is one of the most profitable ransomware operations. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing company in the Chicago metro area with around 500 employees. The Ryuk event had brought down all essential business and manufacturing processes. Most of the client's backups had been online and reachable from the network when the attack began, and were encrypted along with everything else. The client was actively seeking loans to pay the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately reached out to Progent.
"I can't thank you enough for the support Progent gave us throughout the most stressful period of (our) company's life. We would have paid the cyber criminals behind the attack except for the confidence the Progent team afforded us. The fact that you were able to get our e-mail system and essential servers back in less than one week was earth shattering. Each staff member I talked with or messaged at Progent was absolutely committed to getting our company operational and was working at breakneck pace to bail us out."
Progent worked hand in hand with the client to quickly identify and prioritize the essential services that had to be addressed in order to resume company operations:
- Windows Active Directory
- Accounting and Manufacturing Software
To get going, Progent followed incident response best practices by containing the spread and removing the malware. Progent then began recovering Active Directory, the core of enterprise systems built on Microsoft technology. Exchange email will not work without AD, and the business's accounting and MRP software used Microsoft SQL Server, which relied on Active Directory for authenticating access to the data.
In less than 48 hours, Progent rebuilt Active Directory to its pre-intrusion state. Progent then helped rebuild and recover the disks of the most important servers. All Exchange schema extensions and attributes in AD were intact, which greatly simplified the Exchange restore. Progent was also able to find unencrypted OST files (Outlook Offline Data Files) on staff workstations and laptops and used them to recover email. A recent offline backup of the business's accounting/MRP software allowed these essential applications to be brought back online. Although major work remained to recover completely from the Ryuk attack, essential systems were returned to operation quickly:
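As an added example of the OST triage described above (not Progent's tooling), this script walks a directory tree, picks out files whose name carries an .ost or .pst suffix, including ones with an extra extension appended by the ransomware, and checks whether the first four bytes are still the "!BDN" magic that every Outlook data file begins with (the dwMagic field of the PST/OST header). A file that has lost that header was overwritten in place and is not worth copying off the workstation. The sample tree it builds is constructed, with a made-up ".locked" suffix standing in for whatever extension the real intrusion appended.

```python
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List

PST_MAGIC = b"!BDN"                 # dwMagic at offset 0 of every PST/OST file
MAILBOX_SUFFIXES = {".ost", ".pst"}


def looks_like_outlook_data(head: bytes) -> bool:
    """True when a file still starts with the PST/OST header magic."""
    return head[:4] == PST_MAGIC


def find_mailbox_files(root: Path) -> Iterator[Path]:
    """Yield files whose name contains .ost/.pst anywhere in its suffix chain,
    so 'user.ost.locked' (renamed by ransomware) is found as well as 'user.ost'."""
    for path in root.rglob("*"):
        if path.is_file() and any(s.lower() in MAILBOX_SUFFIXES for s in path.suffixes):
            yield path


def triage(root: Path) -> Dict[str, List[str]]:
    """Sort candidate mailbox files into 'intact' (header present, worth
    collecting) and 'damaged' (header gone, encrypted or truncated)."""
    report: Dict[str, List[str]] = {"intact": [], "damaged": []}
    for path in find_mailbox_files(root):
        with path.open("rb") as fh:
            head = fh.read(4)
        bucket = "intact" if looks_like_outlook_data(head) else "damaged"
        report[bucket].append(path.relative_to(root).as_posix())
    for names in report.values():
        names.sort()
    return report


def build_sample_tree() -> Path:
    """Constructed sample workstation profiles; not real mailbox data."""
    root = Path(tempfile.mkdtemp(prefix="ost-triage-"))
    jdoe = root / "Users" / "jdoe" / "AppData" / "Local" / "Microsoft" / "Outlook"
    asmith = root / "Users" / "asmith" / "AppData" / "Local" / "Microsoft" / "Outlook"
    jdoe.mkdir(parents=True)
    asmith.mkdir(parents=True)
    # Intact OST and PST. Real files carry a 564-byte header; the magic is all we check.
    (jdoe / "jdoe@corp.example.ost").write_bytes(PST_MAGIC + bytes(60))
    (jdoe / "archive2017.pst").write_bytes(PST_MAGIC + bytes(60))
    # Encrypted in place and renamed: the header is now ciphertext-like bytes.
    (asmith / "asmith.ost.locked").write_bytes(bytes(range(64)))
    # Unrelated file that must be ignored.
    (jdoe / "notes.txt").write_bytes(b"not a mailbox")
    return root


if __name__ == "__main__":
    for bucket, names in triage(build_sample_tree()).items():
        print(bucket, names)
```

Point it at a mounted workstation image or at each machine's Users folder before reimaging. Treat a passing header check as a triage filter, not proof: some ransomware variants encrypt files in chunks and can leave the first bytes untouched, so open each collected OST with your recovery tool before counting its mail as saved.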
"For the most part, the assembly line operation survived unscathed and we did not miss any customer shipments."
Over the next few weeks important milestones in the restoration project were made through close cooperation between Progent engineers and the client:
- Self-hosted web applications were returned to operation without losing any data.
- The MailStore email archive server for Microsoft Exchange, holding more than four million historical emails, was restored to operation and made accessible to users.
- CRM, product ordering, invoicing, Accounts Payable (AP), Accounts Receivable (AR) and inventory control were fully operational.
- A new Palo Alto Networks PA-850 firewall was brought online.
- Most of the user PCs were functioning as before the incident.
"A huge amount of what transpired that first week is mostly a blur for me, but we will not forget the urgency with which each member of the team worked to help get our company back. I've trusted Progent for at least 10 years, maybe more, and every time I needed help Progent has impressed me and delivered. This event was a stunning achievement."
A probable business-killing disaster was averted through the efforts of results-oriented professionals, a wide range of knowledge, and close teamwork. In retrospect, the ransomware intrusion described here should have been prevented by modern security technology and recognized best practices, user and administrator education, and properly executed procedures for data protection and software patching. The fact remains that well-resourced criminal groups and state-sponsored actors are relentless and represent an ongoing threat. If you do fall victim to a ransomware incident, remember that Progent's team of experts has proven experience in ransomware defense, cleanup, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were involved), I'm grateful for letting me get some sleep after we made it through the most critical parts. All of you made an impressive effort, and if anyone that helped is in the Chicago area, dinner is my treat!"
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Florianópolis a range of remote monitoring and security assessment services designed to help you reduce the threat from ransomware. These services incorporate modern machine learning to detect zero-day strains of ransomware that get past traditional signature-based security solutions.
For 24/7/365 Florianópolis Ransomware Cleanup Experts, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that uses SentinelOne's behavior analysis technology to guard physical and virtual endpoints against new malware attacks such as ransomware and fileless exploits, which routinely get by legacy signature-matching AV products. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a unified platform to address the entire attack progression including filtering, detection, containment, remediation, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Because ransomware routinely deletes shadow copies before it encrypts, rollback only works if the agent blocks that deletion; confirm that this protection is enabled and that each volume has enough shadow storage allocated. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer protection for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis to continuously monitor and respond to attacks from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge tools incorporated within one agent and accessible from a unified console. Progent's security and virtualization consultants can help you design and implement a ProSight ESP deployment that addresses your organization's unique needs and that allows you to prove compliance with government and industry information security regulations. Progent will help you define and configure the security policies that ProSight ESP enforces, and Progent will monitor your network and respond to alarms that call for urgent action. Progent's consultants can also help you set up and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can recover quickly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has worked with advanced backup/restore software providers to produce ProSight Data Protection Services (DPS), a portfolio of subscription-based management offerings that deliver backup-as-a-service. ProSight DPS products automate and track your data backup operations and allow non-disruptive backup and rapid restoration of important files/folders, apps, system images, plus VMs. ProSight DPS helps your business recover from data loss resulting from hardware failures, natural calamities, fire, malware such as ransomware, user error, malicious insiders, or application glitches. Managed services in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can help you to determine which of these managed services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top information security vendors to deliver centralized management and world-class security for your email traffic. The powerful architecture of Progent's Email Guard combines cloud-based filtering with a local security gateway appliance to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The Cloud Protection Layer acts as a preliminary barricade and keeps most threats from reaching your network firewall. This reduces your exposure to external threats and conserves network bandwidth and storage. Email Guard's onsite gateway device provides a deeper level of inspection for incoming email. For outbound email, the on-premises gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Exchange Server to monitor and protect internal email traffic that originates and ends within your security perimeter. For more details, see Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller organizations to map, monitor, enhance and troubleshoot their networking hardware such as switches, firewalls, and wireless controllers plus servers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology maps are kept current, captures and manages the configuration of almost all devices connected to your network, monitors performance, and generates notices when issues are discovered. By automating complex management processes, WAN Watch can knock hours off common chores such as making network diagrams, expanding your network, locating appliances that need critical updates, or isolating performance bottlenecks. Find out more about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system operating at peak levels by checking the state of vital computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your specified IT management personnel and your Progent consultant so that any potential problems can be addressed before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With the ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual machine host configured and managed by Progent's IT support experts. Under the ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the apps. Since the system is virtualized, it can be ported easily to a different hosting solution without a time-consuming and technically risky reinstallation. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and protect information about your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be alerted about impending expirations of SSL certificates, domains or warranties. By cleaning up and organizing your network documentation, you can eliminate as much as 50% of the time wasted trying to find critical information about your IT network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents required for managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether you're making enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Learn more about ProSight IT Asset Management service.
- Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that uses next-generation behavior-based analysis to guard endpoints, servers and VMs against modern malware attacks such as ransomware and fileless exploits, which easily get by legacy signature-based anti-virus tools. The service safeguards local and cloud-based resources and provides a unified platform to manage the entire attack lifecycle including filtering, intrusion detection, containment, cleanup, and forensics. Top features include single-click rollback with Windows VSS and automatic system-wide immunization against newly discovered attacks. Find out more about Progent's ransomware defense and recovery services.
- Outsourced/Co-managed Service Center: Help Desk Managed Services
Progent's Service Desk managed services enable your IT group to outsource Service Desk operations to Progent or to split support work seamlessly between your in-house network support resources and Progent's extensive roster of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a transparent extension of your internal support organization. User interaction with the Help Desk, provision of support, escalation, trouble ticket creation and updates, efficiency metrics, and maintenance of the support database are consistent whether incidents are handled by your in-house network support resources, by Progent's team, or both. Read more about Progent's outsourced/co-managed Service Desk services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management offer businesses of any size a flexible and affordable alternative for assessing, validating, scheduling, implementing, and tracking updates to your dynamic IT system. In addition to optimizing the security and reliability of your computer environment, Progent's patch management services free up time for your in-house IT staff to focus on more strategic projects and tasks that derive maximum business value from your network. Read more about Progent's patch management services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on
Progent's Duo authentication managed services use Cisco's Duo cloud technology to defend against stolen passwords through two-factor authentication. Duo enables single-tap identity verification with iOS, Google Android, and other out-of-band devices. With Duo 2FA, when you log into a protected account and enter your password, you are asked to verify your identity via a device that only you possess and that uses a separate network channel. A broad selection of out-of-band devices can be used for this second means of identity validation, such as an iPhone, Android phone or wearable, a hardware token, or a landline phone. You can register several validation devices. To learn more about ProSight Duo two-factor identity validation services, visit Duo MFA two-factor authentication (2FA) services for access security.