Ransomware : Your Crippling IT Disaster
Ransomware  Recovery ExpertsRansomware has become an escalating cyberplague that presents an enterprise-level danger for organizations vulnerable to an assault. Multiple generations of ransomware like the Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for many years and continue to inflict harm. More recent versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, as well as more as yet unnamed viruses, not only encrypt on-line information but also infect all accessible system restores and backups. Information synched to cloud environments can also be corrupted. In a poorly designed system, this can make automatic restore operations hopeless and effectively sets the datacenter back to square one.

Getting back on-line services and information following a ransomware attack becomes a sprint against the clock as the victim fights to contain and clear the ransomware and to restore enterprise-critical operations. Since ransomware requires time to replicate, assaults are frequently sprung on weekends, when successful attacks in many cases take more time to identify. This compounds the difficulty of rapidly assembling and orchestrating a qualified response team.

Progent provides a range of support services for securing businesses from ransomware penetrations. Among these are user education to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of modern security solutions with machine learning capabilities to quickly detect and extinguish new threats. Progent in addition offers the services of expert ransomware recovery professionals with the skills and commitment to restore a breached environment as soon as possible.

Progent's Ransomware Recovery Help
After a ransomware penetration, paying the ransom in Bitcoin cryptocurrency does not guarantee that merciless criminals will return the needed codes to decipher all your data. Kaspersky Labs determined that 17% of ransomware victims never recovered their files after having paid the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the average ransomware demands, which ZDNET estimates to be in the range of $13,000. The alternative is to setup from scratch the key parts of your IT environment. Without access to complete information backups, this requires a wide range of skill sets, well-coordinated team management, and the willingness to work non-stop until the recovery project is completed.

For two decades, Progent has made available certified expert Information Technology services for companies in Lower Manhattan and throughout the U.S. and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have attained top certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have earned internationally-recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has expertise in financial systems and ERP applications. This breadth of expertise provides Progent the ability to quickly determine necessary systems and consolidate the surviving parts of your network environment following a ransomware penetration and assemble them into an operational network.

Progent's security team has best of breed project management applications to orchestrate the complicated restoration process. Progent knows the importance of acting rapidly and together with a customerís management and IT team members to assign priority to tasks and to get the most important systems back on line as fast as humanly possible.

Case Study: A Successful Crypto-Ransomware Intrusion Response
A small business hired Progent after their organization was attacked by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state sponsored hackers, suspected of using techniques exposed from the United States National Security Agency. Ryuk seeks specific businesses with little or no ability to sustain disruption and is one of the most lucrative incarnations of crypto-ransomware. Major organizations include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in Chicago with about 500 staff members. The Ryuk penetration had disabled all business operations and manufacturing processes. Most of the client's backups had been directly accessible at the beginning of the attack and were encrypted. The client was taking steps for paying the ransom demand (exceeding $200,000) and hoping for the best, but in the end utilized Progent.


"I cannot speak enough in regards to the care Progent provided us throughout the most stressful period of (our) companyís life. We would have paid the Hackers if not for the confidence the Progent group afforded us. That you could get our e-mail and production applications back online in less than 1 week was beyond my wildest dreams. Every single person I interacted with or messaged at Progent was amazingly focused on getting us back online and was working day and night to bail us out."

Progent worked with the customer to rapidly determine and prioritize the mission critical services that needed to be restored to make it possible to restart departmental operations:

  • Active Directory (AD)
  • Microsoft Exchange Email
  • Accounting and Manufacturing Software
To begin, Progent followed ransomware penetration mitigation industry best practices by isolating and removing active viruses. Progent then started the task of recovering Windows Active Directory, the key technology of enterprise systems built on Microsoft technology. Microsoft Exchange Server messaging will not work without Active Directory, and the businessesí MRP applications leveraged SQL Server, which requires Windows AD for authentication to the data.

Within 2 days, Progent was able to rebuild Active Directory services to its pre-attack state. Progent then charged ahead with reinstallations and hard drive recovery of key servers. All Microsoft Exchange Server ties and configuration information were intact, which greatly helped the restore of Exchange. Progent was able to collect intact OST files (Outlook Email Off-Line Folder Files) on various workstations and laptops to recover email data. A recent off-line backup of the customerís manufacturing systems made them able to recover these essential programs back servicing users. Although a large amount of work needed to be completed to recover completely from the Ryuk event, critical systems were returned to operations quickly:


"For the most part, the production line operation showed little impact and we delivered all customer sales."

Throughout the next month important milestones in the recovery project were completed through tight collaboration between Progent consultants and the client:

  • Self-hosted web applications were restored without losing any data.
  • The MailStore Exchange Server with over 4 million archived emails was spun up and available for users.
  • CRM/Product Ordering/Invoices/AP/AR/Inventory Control modules were 100 percent restored.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Most of the desktop computers were operational.

"So much of what occurred in the early hours is nearly entirely a fog for me, but our team will not forget the commitment each of your team put in to help get our company back. I have been working with Progent for the past 10 years, maybe more, and every time I needed help Progent has impressed me and delivered. This situation was a Herculean accomplishment."

Conclusion
A potential enterprise-killing catastrophe was dodged with top-tier professionals, a wide spectrum of subject matter expertise, and close teamwork. Although in post mortem the crypto-ransomware virus incident described here could have been identified and prevented with current cyber security solutions and security best practices, staff training, and properly executed security procedures for information protection and applying software patches, the fact is that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incursion, remember that Progent's team of experts has a proven track record in crypto-ransomware virus defense, removal, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thanks very much for letting me get some sleep after we got past the first week. Everyone did an fabulous job, and if anyone that helped is visiting the Chicago area, dinner is my treat!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Lower Manhattan a range of online monitoring and security assessment services to help you to reduce the threat from crypto-ransomware. These services include next-generation AI technology to uncover new variants of ransomware that are able to evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes cutting edge behavior machine learning tools to defend physical and virtual endpoints against new malware assaults such as ransomware and email phishing, which easily evade traditional signature-matching anti-virus tools. ProSight ASM protects on-premises and cloud resources and offers a unified platform to automate the complete malware attack progression including protection, infiltration detection, mitigation, remediation, and forensics. Key features include single-click rollback using Windows VSS and real-time system-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services deliver ultra-affordable in-depth protection for physical and virtual servers, workstations, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and responding to cyber threats from all vectors. ProSight ESP delivers firewall protection, intrusion alarms, endpoint management, and web filtering via leading-edge technologies incorporated within one agent managed from a unified console. Progent's data protection and virtualization consultants can help your business to design and configure a ProSight ESP deployment that meets your company's unique needs and that helps you prove compliance with government and industry information protection regulations. Progent will assist you define and implement security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for urgent action. Progent can also help you to set up and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized businesses a low cost and fully managed solution for reliable backup/disaster recovery. For a low monthly rate, ProSight Data Protection Services automates and monitors your backup activities and allows rapid restoration of vital data, apps and VMs that have become lost or corrupted as a result of hardware breakdowns, software bugs, natural disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to a local device, or mirrored to both. Progent's cloud backup specialists can deliver world-class expertise to configure ProSight DPS to to comply with government and industry regulatory standards like HIPAA, FIRPA, PCI and Safe Harbor and, when needed, can help you to recover your critical information. Read more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top data security vendors to deliver web-based management and world-class protection for your email traffic. The hybrid architecture of Email Guard managed service integrates a Cloud Protection Layer with a local gateway appliance to provide advanced defense against spam, viruses, Denial of Service Attacks, DHAs, and other email-based malware. The cloud filter acts as a preliminary barricade and blocks the vast majority of unwanted email from making it to your security perimeter. This reduces your exposure to inbound threats and saves network bandwidth and storage. Email Guard's onsite security gateway device adds a deeper level of analysis for incoming email. For outbound email, the on-premises gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also help Exchange Server to track and safeguard internal email traffic that originates and ends inside your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progentís ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, track, enhance and troubleshoot their networking appliances like routers, firewalls, and load balancers plus servers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept current, copies and manages the configuration information of almost all devices on your network, monitors performance, and sends alerts when problems are detected. By automating complex management and troubleshooting activities, WAN Watch can knock hours off ordinary tasks like network mapping, expanding your network, locating appliances that need important updates, or resolving performance issues. Find out more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) technology to help keep your IT system operating efficiently by tracking the health of critical computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your specified IT staff and your Progent engineering consultant so that any looming issues can be resolved before they can impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected Tier III data center on a fast virtual host configured and managed by Progent's network support professionals. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be ported easily to an alternate hosting environment without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not tied one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and safeguard data related to your network infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSLs ,domains or warranties. By cleaning up and organizing your IT documentation, you can save up to half of time wasted trying to find critical information about your IT network. ProSight IT Asset Management features a centralized location for holding and sharing all documents required for managing your business network like recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether youíre planning enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
For Lower Manhattan 24-Hour Ransomware Recovery Consultants, contact Progent at 800-462-8800 or go to Contact Progent.