Ransomware: Your Worst IT Disaster

Ransomware Remediation Professionals
Ransomware has become a modern cyber plague that poses an enterprise-level danger to organizations unprepared for an attack. Crypto-ransomware families such as Dharma, CryptoWall, Bad Rabbit, Syskey and MongoLock have been in the wild for years and continue to cause damage. Newer variants such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, plus unnamed samples appearing daily, not only encrypt critical online data but also compromise the system's configured protection mechanisms. Data synchronized to off-site disaster recovery sites can be corrupted as well. In a poorly architected data protection solution, this can make automated recovery hopeless and effectively sets the network back to square one.

Getting programs and data back after a ransomware outage becomes a race against the clock as the victim tries to stop the spread, clear the ransomware and restore business-critical activity. Because ransomware needs time to move laterally, attacks are usually launched during nights and weekends, when successful penetrations typically take longer to recognize. This multiplies the difficulty of rapidly mobilizing and orchestrating a capable response team.

Progent offers a range of support services for securing organizations against ransomware attacks. These include training so that team members recognize and do not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security appliances with AI capabilities to quickly detect and disable new cyber attacks. Progent also offers the services of veteran crypto-ransomware recovery professionals with the skills and perseverance to restore a breached system as soon as possible.

Progent's Ransomware Restoration Services
After a crypto-ransomware attack, even paying the ransom demand in Bitcoin does not guarantee that the criminal gang will respond with the keys to decrypt all your information. Kaspersky found that seventeen percent of ransomware victims never recovered their data after sending off the ransom, compounding their losses. The gamble is also very costly: Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000), far above the typical ransomware demand, which ZDNET estimated at approximately $13,000. The other path is to rebuild the critical parts of your IT environment. Without access to complete data backups, this requires a broad complement of skills, top-notch project management, and the willingness to work 24x7 until the recovery project is over.

For twenty years, Progent has provided expert Information Technology services for businesses in Joinville and throughout the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who hold top certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise in financial management and ERP software solutions. This breadth of expertise gives Progent the capability to rapidly understand the necessary systems, organize the surviving parts of your network environment following a crypto-ransomware attack, and assemble them into a functioning system.

Progent's recovery team uses best of breed project management systems to coordinate the sophisticated recovery process. Progent understands the urgency of acting swiftly and in concert with a client's management and IT staff to prioritize tasks and to get essential services back online as fast as humanly possible.

Customer Case Study: A Successful Crypto-Ransomware Virus Response
A business contacted Progent after their network was attacked by the Ryuk ransomware. Ryuk is believed to have been launched by North Korean state-sponsored cybercriminals, possibly adopting strategies leaked from America's NSA. Ryuk targets specific businesses with little or no tolerance for operational disruption and is among the most lucrative instances of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer in Chicago with about 500 workers. The Ryuk penetration had brought down all company operations and manufacturing processes. Most of the client's backups had been directly accessible at the time of the intrusion and were encrypted. The client was pursuing financing to pay the ransom (in excess of $200,000) and hoping for the best, but in the end reached out to Progent.


"I can't speak enough about the support Progent gave us during the most critical time of (our) company's survival. We may have had to pay the cybercriminals except for the confidence the Progent team provided us. That you were able to get our e-mail system and important servers back faster than one week was incredible. Each expert I interacted with or communicated with at Progent was hell bent on getting us back online and was working all day and night to bail us out."

Progent worked together with the customer to rapidly assess and assign priority to the most important systems that needed to be restored in order to restart business functions:

  • Microsoft Active Directory
  • Microsoft Exchange Email
  • Accounting and Manufacturing Software

To begin, Progent followed anti-virus and malware incident response best practices by stopping lateral movement and cleaning infected systems. Progent then started the task of restoring Microsoft Active Directory, the foundation of enterprise environments built on Microsoft technology. Microsoft Exchange Server messaging will not operate without Active Directory, and the business's financial and MRP software relied on Microsoft SQL Server, which needs Active Directory to authenticate users to the databases.

In less than 2 days, Progent was able to rebuild Windows Active Directory to its pre-virus state. Progent then completed setup and disk recovery of the needed applications. All Exchange links and attributes in Active Directory were usable, which greatly helped the rebuild of Exchange. Progent was able to gather unencrypted OST files (Outlook Offline Folder Files) from team desktop computers to recover email data. A relatively recent offline backup of the business's accounting/MRP software made it possible to bring these essential applications back to users. Although major work still had to be done to recover completely from the Ryuk virus, critical services were recovered rapidly:


"For the most part, the production line operation survived unscathed and we produced all customer shipments."

Over the following month important milestones in the recovery process were accomplished through tight collaboration between Progent engineers and the client:

  • Self-hosted web applications were restored with no loss of data.
  • The MailStore Microsoft Exchange Server with over 4 million historical emails was brought on-line and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory Control functions were completely functional.
  • A new Palo Alto Networks 850 security appliance was set up.
  • Nearly all of the desktop computers were back into operation.

"A huge amount of what occurred during the initial response is mostly a haze for me, but we will not soon forget the commitment each of the team put in to give us our business back. I've trusted Progent for at least 10 years, possibly more, and each time Progent has outperformed my expectations and delivered as promised. This event was the most impressive ever."

Conclusion
A likely company-ending disaster was averted thanks to top-tier professionals, a broad range of subject matter expertise, and close collaboration. In hindsight, the ransomware incident described here should have been prevented by up-to-date cyber security solutions and best practices, user training, and properly executed procedures for backup and for keeping systems current with security patches. The reality, however, is that state-sponsored cyber criminals from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware incident, be confident that Progent's roster of professionals has a proven track record in crypto-ransomware virus defense, mitigation, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were contributing), I'm grateful for making it so I could get some sleep after we got over the initial fire. Everyone did an impressive effort, and if any of your team is visiting the Chicago area, a great meal is my treat!"

To review or download a PDF version of this ransomware incident report, see Progent's Ryuk Incident Recovery Case Study Datasheet (PDF - 282 KB).

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Joinville a range of remote monitoring and security evaluation services to help you to minimize the threat from crypto-ransomware. These services include modern machine learning capability to uncover new variants of ransomware that can evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes cutting edge behavior analysis tools to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which routinely escape legacy signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud resources and provides a single platform to address the entire malware attack progression including protection, detection, containment, cleanup, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer security for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, endpoint management, and web filtering through leading-edge technologies incorporated within one agent accessible from a single control. Progent's security and virtualization consultants can help your business to plan and implement a ProSight ESP environment that addresses your company's specific needs and that helps you prove compliance with government and industry information protection standards. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require immediate attention. Progent's consultants can also assist you to set up and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and medium-sized businesses an affordable and fully managed solution for secure backup/disaster recovery (BDR). For a low monthly cost, ProSight DPS automates your backup activities and enables rapid restoration of vital data, apps and VMs that have become unavailable or damaged due to component breakdowns, software glitches, disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images. Critical data can be protected in the cloud, on an on-premises storage device, or both. Progent's backup and recovery consultants can provide world-class expertise to configure ProSight Data Protection Services to be compliant with government and industry regulatory requirements like HIPAA, FERPA, PCI and Safe Harbor and, when needed, can assist you to recover your critical data. Find out more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top data security companies to deliver web-based management and comprehensive security for your email traffic. The powerful architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with a local security gateway device to provide advanced protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's cloud filter acts as a first line of defense and keeps the vast majority of threats from reaching your security perimeter. This reduces your exposure to inbound threats and saves system bandwidth and storage. Email Guard's on-premises gateway device provides a deeper layer of analysis for inbound email. For outgoing email, the local gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Exchange Server to monitor and protect internal email traffic that stays inside your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to map out, track, reconfigure and debug their networking hardware such as switches, firewalls, and access points plus servers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology maps are always current, captures and manages the configuration of virtually all devices connected to your network, tracks performance, and sends alerts when issues are discovered. By automating time-consuming management and troubleshooting activities, WAN Watch can knock hours off common tasks like making network diagrams, reconfiguring your network, locating appliances that need important updates, or isolating performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system running efficiently by checking the state of the vital computers that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your designated IT management personnel and your assigned Progent consultant so any potential problems can be addressed before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host configured and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the OS software, and the apps. Because the system is virtualized, it can be moved easily to an alternate hosting environment without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and safeguard information about your IT infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can save up to half of the time wasted looking for vital information about your network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents required for managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether you're planning enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you require the instant you need it. Find out more about ProSight IT Asset Management service.

For 24/7 Joinville crypto-ransomware repair support services, contact Progent at 800-993-9400 or go to Contact Progent.