Ransomware : Your Feared Information Technology Nightmare
Crypto-ransomware has become a too-frequent cyberplague that presents an existential danger to businesses of all sizes that are unprepared for an attack. Different versions of crypto-ransomware such as CryptoLocker, Fusob, Locky, Syskey and MongoLock cryptoworms have been replicating for many years and still inflict destruction. Newer strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, plus additional as yet unnamed variants, not only encrypt on-line data but also defeat many configured system protections. Information synced to off-site disaster recovery sites can also be rendered useless. With a vulnerable data protection solution, this can make any restoration impossible and basically sets the datacenter back to square one.

Restoring applications and data following a ransomware intrusion becomes a race against the clock as the targeted business tries to contain the damage, eradicate the malware, and restore business-critical operations. Since ransomware takes time to move laterally, attacks are often triggered during weekends and nights, when successful attacks frequently take longer to discover. This compounds the difficulty of rapidly mobilizing and coordinating an experienced response team.

Progent provides a variety of solutions for securing businesses from ransomware events. Among these are staff education to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of the latest generation security gateways with artificial intelligence capabilities to quickly detect and quarantine new threats. Progent in addition can provide the assistance of seasoned crypto-ransomware recovery consultants with the track record and commitment to re-deploy a compromised environment as quickly as possible.

Progent's Ransomware Recovery Services
Following a ransomware event, paying the ransom demand in Bitcoin does not provide any assurance that the criminal gang will return the keys needed to decrypt your information. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their data even after paying the ransom, compounding their losses. The ransom itself is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000), well above the typical ransomware demand, which ZDNET determined to be approximately $13,000. The other path is to rebuild the mission-critical elements of your IT environment. Without usable system backups, this requires a wide range of IT skills, well-coordinated team management, and the willingness to work around the clock until the recovery project is complete.

For decades, Progent has made available expert IT services for businesses in Charlotte and throughout the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have been awarded top certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally-renowned certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has experience in financial systems and ERP software solutions. This breadth of expertise provides Progent the capability to quickly identify critical systems and consolidate the surviving parts of your Information Technology system following a ransomware attack and configure them into a functioning network.

Progent's recovery team deploys state-of-the-art project management tools to orchestrate the sophisticated recovery process. Progent appreciates the importance of acting quickly and in unison with a client's management and Information Technology team members to assign priority to tasks and to put the most important applications back online as fast as humanly possible.

Case Study: A Successful Crypto-Ransomware Virus Recovery
A small business sought out Progent after their network was attacked by Ryuk ransomware. Ryuk is thought to have been created by North Korean government-sponsored hackers, possibly adopting techniques leaked from America's National Security Agency. Ryuk targets specific organizations with little tolerance for disruption and is among the most profitable incarnations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business based in the Chicago metro area with about 500 workers. The Ryuk intrusion had shut down all essential operations and manufacturing capabilities. Most of the client's system backups had been online at the start of the attack and were eventually encrypted. The client was actively seeking loans to pay the ransom (in excess of $200K) and hoping for good luck, but in the end brought in Progent.


"I cannot thank you enough in regards to the support Progent gave us throughout the most critical time of (our) business's existence. We had little choice but to pay the cyber criminals if it wasn't for the confidence the Progent team provided us. The fact that you were able to get our e-mail and essential applications back online faster than a week was earth shattering. Every single person I got help from or e-mailed at Progent was laser focused on getting us back online and was working all day and night to bail us out."

Progent worked with the customer to quickly determine and prioritize the essential systems that needed to be recovered in order to restart company operations:

  • Active Directory (AD)
  • E-Mail
  • Accounting and Manufacturing Software

To start, Progent followed industry best practices for malware incident response by halting lateral movement and performing malware removal steps. Progent then began the work of rebuilding Microsoft Active Directory, the key technology of enterprise systems built on Microsoft Windows Server. Microsoft Exchange Server email will not function without Active Directory, and the business's accounting and MRP applications used Microsoft SQL Server, which relied on Windows AD for authentication to the databases.

In less than two days, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then performed reinstallations and hard drive recovery on the most important servers. All Exchange Server schema and configuration information were intact, which greatly simplified the restoration of Exchange. Progent was also able to collect intact OST files (Outlook Offline Data Files) from staff desktop computers to recover mail data. A relatively recent offline backup of the client's financials/MRP systems made it possible to bring these vital services back online. Although major work remained to recover completely from the Ryuk attack, critical services were returned to operation rapidly:


"For the most part, the production operation ran fairly normal throughout and we delivered all customer deliverables."

Over the following month important milestones in the restoration project were completed in close collaboration between Progent team members and the customer:

  • In-house web sites were returned to operation with no loss of information.
  • The MailStore Exchange Server containing more than four million historical emails was brought on-line and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory functions were fully functional.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Nearly all user PCs were back in use by staff.

"A lot of what was accomplished those first few days is mostly a fog for me, but my management will not forget the care all of you put in to give us our business back. I've entrusted Progent for the past ten years, possibly more, and each time Progent has come through and delivered. This time was the most impressive ever."

Conclusion
A potentially company-ending catastrophe was averted through the efforts of results-oriented professionals, a broad range of technical expertise, and tight collaboration. Although in hindsight the ransomware attack described here could have been identified and blocked with up-to-date cyber security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator education, and appropriate security procedures for data protection and software patching, the fact is that government-sponsored hackers from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a crypto-ransomware incident, remember that Progent's team of professionals has extensive experience in ransomware defense, mitigation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thank you for making it so I could get rested after we got through the most critical parts. All of you did an incredible effort, and if anyone that helped is visiting the Chicago area, dinner is my treat!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Charlotte a range of remote monitoring and security evaluation services to help you to minimize the threat from ransomware. These services utilize modern AI capability to uncover zero-day variants of crypto-ransomware that are able to escape detection by legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes cutting edge behavior-based analysis technology to guard physical and virtual endpoints against new malware assaults like ransomware and email phishing, which easily escape traditional signature-matching AV products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a single platform to address the entire malware attack lifecycle including blocking, infiltration detection, mitigation, cleanup, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable in-depth protection for physical and virtual servers, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and reacting to security threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device management, and web filtering via leading-edge technologies packaged within a single agent managed from a unified console. Progent's data protection and virtualization consultants can assist you to plan and configure a ProSight ESP deployment that meets your organization's specific requirements and that allows you to achieve and demonstrate compliance with legal and industry information security standards. Progent will help you define and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for urgent attention. Progent's consultants can also help you to set up and verify a backup and restore system such as ProSight Data Protection Services so you can recover quickly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and medium-sized organizations a low-cost end-to-end service for secure backup and disaster recovery. For a low monthly rate, ProSight Data Protection Services automates and monitors your backup processes and enables rapid restoration of vital files, apps and VMs that have been lost or damaged due to component failures, software bugs, disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to an on-premises storage device, or to both. Progent's backup and recovery specialists can deliver advanced expertise to set up ProSight Data Protection Services to comply with regulatory standards like HIPAA, FERPA, and PCI and, when needed, can assist you to restore your critical information. Read more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top information security companies to deliver centralized management and comprehensive security for your inbound and outbound email. The hybrid architecture of Email Guard managed service combines cloud-based filtering with a local security gateway appliance to provide complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps most threats from making it to your security perimeter. This decreases your vulnerability to external threats and saves network bandwidth and storage. Email Guard's on-premises gateway appliance adds a further level of analysis for inbound email. For outgoing email, the on-premises security gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Exchange Server to monitor and safeguard internal email that originates and ends inside your security perimeter. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to diagram, track, enhance and troubleshoot their connectivity appliances like switches, firewalls, and load balancers as well as servers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept current, captures and manages the configuration of almost all devices on your network, tracks performance, and generates notices when potential issues are detected. By automating complex network management activities, WAN Watch can knock hours off ordinary tasks such as network mapping, expanding your network, finding devices that require important updates, or isolating performance problems. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) techniques to help keep your IT system operating at peak levels by tracking the state of vital computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your specified IT management personnel and your assigned Progent engineering consultant so all potential issues can be addressed before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual host set up and maintained by Progent's network support professionals. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the applications. Since the environment is virtualized, it can be moved easily to a different hosting environment without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, find and safeguard information related to your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and organizing your IT infrastructure documentation, you can save up to half the time wasted trying to find vital information about your network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents related to managing your business network, such as standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether you're planning improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you need when you need it. Learn more about Progent's ProSight IT Asset Management service.

For 24/7 Charlotte CryptoLocker Remediation Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.