Ransomware : Your Crippling IT Disaster
Ransomware  Recovery ExpertsRansomware has become a too-frequent cyber pandemic that poses an extinction-level threat for businesses unprepared for an assault. Different versions of ransomware like the CryptoLocker, Fusob, Locky, SamSam and MongoLock cryptoworms have been circulating for many years and still inflict havoc. Modern variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, along with frequent unnamed viruses, not only do encryption of on-line data files but also infect any available system backups. Files replicated to the cloud can also be encrypted. In a vulnerable environment, it can make automatic restore operations useless and effectively sets the entire system back to square one.

Restoring services and data following a crypto-ransomware event becomes a race against the clock as the targeted organization tries its best to stop the spread and eradicate the crypto-ransomware and to resume enterprise-critical operations. Because crypto-ransomware requires time to replicate, assaults are often sprung during nights and weekends, when attacks tend to take more time to notice. This compounds the difficulty of quickly assembling and organizing a capable mitigation team.

Progent provides a variety of solutions for securing enterprises from ransomware events. Among these are team training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of the latest generation security solutions with artificial intelligence capabilities to automatically identify and suppress new cyber attacks. Progent in addition offers the services of seasoned ransomware recovery consultants with the talent and commitment to re-deploy a compromised system as quickly as possible.

Progent's Crypto-Ransomware Restoration Help
Soon after a crypto-ransomware event, even paying the ransom in cryptocurrency does not guarantee that cyber hackers will return the needed codes to decrypt any or all of your data. Kaspersky estimated that seventeen percent of ransomware victims never recovered their files after having sent off the ransom, resulting in increased losses. The risk is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is well above the typical ransomware demands, which ZDNET estimates to be approximately $13,000. The other path is to setup from scratch the essential components of your IT environment. Without the availability of essential system backups, this requires a wide complement of IT skills, top notch project management, and the willingness to work 24x7 until the job is done.

For twenty years, Progent has provided expert IT services for businesses in Minnetonka and throughout the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have attained high-level certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have earned internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience in financial management and ERP applications. This breadth of experience provides Progent the ability to knowledgably understand necessary systems and integrate the surviving pieces of your IT environment following a ransomware event and rebuild them into an operational system.

Progent's recovery team of experts has state-of-the-art project management tools to orchestrate the sophisticated recovery process. Progent understands the urgency of acting rapidly and in concert with a client's management and IT team members to prioritize tasks and to put critical applications back on-line as soon as possible.

Client Case Study: A Successful Ransomware Penetration Recovery
A customer contacted Progent after their network system was crashed by Ryuk ransomware. Ryuk is thought to have been deployed by North Korean government sponsored criminal gangs, possibly using approaches leaked from the U.S. National Security Agency. Ryuk targets specific businesses with little or no tolerance for disruption and is among the most profitable examples of ransomware. Headline organizations include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in Chicago with about 500 employees. The Ryuk event had frozen all essential operations and manufacturing processes. The majority of the client's system backups had been directly accessible at the beginning of the attack and were damaged. The client was pursuing financing for paying the ransom demand (in excess of two hundred thousand dollars) and hoping for good luck, but in the end engaged Progent.


"I canít thank you enough in regards to the help Progent gave us throughout the most critical period of (our) companyís existence. We would have paid the cybercriminals if not for the confidence the Progent group afforded us. That you could get our messaging and production applications back into operation in less than one week was earth shattering. Every single staff member I talked with or texted at Progent was amazingly focused on getting us back online and was working non-stop on our behalf."

Progent worked together with the client to quickly understand and prioritize the key areas that had to be addressed to make it possible to resume company functions:

  • Active Directory
  • Email
  • MRP System
To begin, Progent followed AV/Malware Processes penetration mitigation industry best practices by isolating and disinfecting systems. Progent then began the steps of rebuilding Microsoft AD, the heart of enterprise networks built upon Microsoft technology. Microsoft Exchange Server messaging will not work without AD, and the businessesí MRP system leveraged SQL Server, which needs Windows AD for authentication to the database.

Within two days, Progent was able to re-build Active Directory services to its pre-attack state. Progent then accomplished setup and storage recovery of essential applications. All Exchange data and configuration information were usable, which accelerated the rebuild of Exchange. Progent was able to assemble local OST data files (Microsoft Outlook Offline Data Files) on team workstations and laptops in order to recover email information. A not too old offline backup of the customerís accounting/MRP software made it possible to recover these required programs back online for users. Although a lot of work still had to be done to recover fully from the Ryuk damage, critical systems were recovered quickly:


"For the most part, the manufacturing operation was never shut down and we did not miss any customer orders."

Over the next month critical milestones in the restoration process were accomplished in tight collaboration between Progent engineers and the client:

  • Internal web applications were brought back up without losing any data.
  • The MailStore Exchange Server with over four million archived messages was brought online and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable/AR/Inventory modules were 100% recovered.
  • A new Palo Alto 850 firewall was brought online.
  • Nearly all of the user desktops were being used by staff.

"A lot of what transpired those first few days is mostly a blur for me, but my management will not soon forget the commitment each of your team accomplished to give us our company back. I have been working together with Progent for the past ten years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This time was no exception but maybe more Herculean."

Conclusion
A possible business-killing catastrophe was dodged through the efforts of dedicated experts, a broad array of subject matter expertise, and tight teamwork. Although in analyzing the event afterwards the ransomware attack detailed here would have been identified and disabled with modern cyber security systems and NIST Cybersecurity Framework best practices, team training, and properly executed security procedures for information backup and keeping systems up to date with security patches, the fact remains that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware incident, feel confident that Progent's team of professionals has substantial experience in ransomware virus blocking, mitigation, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for letting me get some sleep after we made it through the most critical parts. All of you did an amazing job, and if any of your guys is visiting the Chicago area, dinner is on me!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Minnetonka a range of remote monitoring and security evaluation services to help you to minimize the threat from crypto-ransomware. These services utilize modern AI capability to detect new strains of ransomware that are able to get past legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes next generation behavior machine learning technology to defend physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which routinely escape traditional signature-matching anti-virus tools. ProSight ASM protects local and cloud resources and offers a single platform to manage the entire threat progression including protection, detection, mitigation, remediation, and forensics. Key capabilities include single-click rollback using Windows VSS and automatic system-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection managed services offer ultra-affordable in-depth protection for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and responding to security assaults from all vectors. ProSight ESP offers firewall protection, penetration alerts, endpoint control, and web filtering via cutting-edge tools incorporated within one agent accessible from a single control. Progent's data protection and virtualization experts can help you to plan and implement a ProSight ESP deployment that meets your organization's specific requirements and that helps you achieve and demonstrate compliance with legal and industry information security standards. Progent will assist you define and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require immediate attention. Progent's consultants can also help you to install and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized businesses an affordable end-to-end service for secure backup/disaster recovery. For a low monthly rate, ProSight Data Protection Services automates your backup processes and allows rapid restoration of critical files, apps and virtual machines that have become lost or damaged due to component breakdowns, software glitches, natural disasters, human error, or malware attacks like ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to an on-promises storage device, or mirrored to both. Progent's backup and recovery consultants can deliver world-class expertise to configure ProSight DPS to be compliant with regulatory standards such as HIPAA, FINRA, and PCI and, when needed, can help you to restore your critical data. Learn more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top information security vendors to provide centralized control and world-class security for your email traffic. The powerful architecture of Email Guard integrates cloud-based filtering with an on-premises gateway device to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks the vast majority of threats from reaching your security perimeter. This reduces your vulnerability to external threats and saves system bandwidth and storage. Email Guard's onsite gateway appliance provides a further layer of analysis for inbound email. For outbound email, the onsite gateway provides AV and anti-spam protection, DLP, and email encryption. The local gateway can also help Exchange Server to monitor and safeguard internal email traffic that stays within your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for smaller organizations to map out, track, optimize and troubleshoot their connectivity hardware such as routers, firewalls, and access points as well as servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that network diagrams are always current, captures and displays the configuration of virtually all devices connected to your network, monitors performance, and sends notices when potential issues are discovered. By automating time-consuming management and troubleshooting activities, WAN Watch can cut hours off common chores such as network mapping, expanding your network, locating appliances that require important updates, or identifying the cause of performance issues. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates advanced remote monitoring and management technology to help keep your IT system running efficiently by checking the health of critical assets that power your business network. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your designated IT personnel and your assigned Progent consultant so that any looming problems can be addressed before they can disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected fault tolerant data center on a fast virtual machine host set up and managed by Progent's IT support professionals. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the apps. Because the system is virtualized, it can be moved immediately to a different hardware environment without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, retrieve and safeguard information about your network infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be alerted about impending expirations of SSLs or domains. By cleaning up and organizing your IT documentation, you can save up to 50% of time wasted searching for critical information about your IT network. ProSight IT Asset Management features a centralized location for holding and sharing all documents required for managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether youíre making improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.
For 24-7 Minnetonka CryptoLocker Remediation Consultants, call Progent at 800-993-9400 or go to Contact Progent.