Ransomware : Your Worst IT Catastrophe
Crypto-Ransomware Remediation Consultants
Ransomware has become a too-frequent cyber pandemic that presents an existential threat to businesses of any size that are unprepared for an attack. Long-established families such as CrySIS, CryptoWall, Bad Rabbit, SamSam and MongoLock have been in the wild for years and still inflict damage. More recent crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with a steady stream of unnamed variants, not only encrypts online files but also seeks out and disables or destroys whatever backups, shadow copies and other protections are reachable from the compromised network. Encrypted files are synchronized to the cloud like any other change, so cloud copies can be corrupted as well. In a poorly designed environment with no offline or otherwise isolated backup copy, this can make recovery impossible and effectively knocks the entire system back to zero.

Restoring applications and data after a ransomware outage becomes a race against time: the targeted business must stop lateral movement, clean up the malware and restore enterprise-critical activity all at once. Because crypto-ransomware needs time to spread, attacks are frequently launched at night, when a successful intrusion typically takes longer to notice. This compounds the difficulty of rapidly assembling and coordinating an experienced response team.

Progent offers an assortment of services for protecting organizations from ransomware events. These include user education to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of next-generation security gateways with AI capabilities to identify and stop new cyber attacks. Progent also provides experienced crypto-ransomware recovery engineers with the skills and commitment to rebuild a compromised environment as urgently as possible.

Progent's Ransomware Restoration Help
After a ransomware event, even paying the Bitcoin ransom does not ensure that the distant criminals will hand over the keys needed to decrypt any of your data. Kaspersky Labs estimated that 17% of ransomware victims never recovered their files even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical crypto-ransomware demand, which ZDNet put at around $13,000. The alternative is to piece the vital elements of your IT environment back together. Without complete, uncompromised backups, this requires a wide complement of skills, well-coordinated project management, and the ability to work non-stop until the task is done.

For two decades, Progent has provided expert IT services for businesses in Phoenix and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications.) Progent also has experience with financial management and ERP application software. This breadth of experience lets Progent quickly identify critical systems, salvage the surviving parts of your network after a ransomware attack, and rebuild them into an operational system.

Progent's security team of experts has state-of-the-art project management tools to coordinate the complicated recovery process. Progent understands the urgency of working quickly and in unison with a customer's management and IT staff to assign priority to tasks and to get essential services back on line as soon as possible.

Client Story: A Successful Crypto-Ransomware Intrusion Restoration
A business contacted Progent after its operations were brought down by the Ryuk ransomware. Early reports attributed Ryuk to North Korean state-sponsored hackers because of code it shares with the older Hermes ransomware; later analysis by security researchers linked it to a Russian-speaking criminal group instead. Ryuk is used in targeted attacks against specific organizations with little tolerance for disruption and is among the most lucrative ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing company in Chicago with about 500 employees. The Ryuk attack had frozen all essential business and manufacturing operations. Most of the client's system backups had been online and reachable from the network when the attack began, and were destroyed along with the production data. The client was arranging financing to pay the ransom demand (more than $200K) and hoping for the best, but ultimately turned to Progent.


"I cannot speak enough in regards to the expertise Progent provided us during the most stressful period of (our) business's life. We may have had to pay the cyber criminals behind the attack if it wasn't for the confidence the Progent group provided us. The fact that you could get our e-mail system and essential servers back into operation sooner than one week was earth shattering. Every single consultant I worked with or e-mailed at Progent was absolutely committed to getting our system up and was working non-stop on our behalf."

Progent worked together with the customer to quickly assess and prioritize the key applications that needed to be restored to make it possible to continue company operations:

  • Windows Active Directory
  • Microsoft Exchange Email
  • MRP System
To begin, Progent followed ransomware incident response best practices by stopping the spread and removing active malware. Progent then began restoring Active Directory, the foundation of enterprise environments built on Microsoft Windows Server. Microsoft Exchange Server messaging will not function without Active Directory, and the customer's MRP software ran on Microsoft SQL Server, which depended on Active Directory to authenticate users to the database. That dependency chain dictated the restoration order: directory first, then the mail and database services that authenticate against it.

Within two days, Progent was able to recover Active Directory to its pre-intrusion state. Progent then carried out reinstallations and storage recovery for the critical applications. All Exchange Server schema extensions and attributes were intact, which accelerated the rebuild of Exchange. Progent was able to locate local OST files (Microsoft Outlook Offline Data Files) on staff PCs and laptops and used them to recover mailbox data. A recent offline backup of the business's accounting software made it possible to bring those essential services back online. Although a great deal of work remained to recover fully from the Ryuk attack, the most important services were returned to operation rapidly:


"For the most part, the production line operation ran fairly normal throughout and we delivered all customer orders."

Over the following few weeks key milestones in the restoration project were achieved in tight cooperation between Progent team members and the client:

  • Self-hosted web sites were returned to operation with no loss of data.
  • The MailStore Server containing more than 4 million historical messages was brought on-line and available for users.
  • CRM/Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory functions were 100% operational.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • Ninety percent of the user desktops were back into operation.

"So much of what transpired that first week is nearly entirely a blur for me, but my management will not soon forget the countless hours each of your team put in to help get our business back. I've been working together with Progent for the past ten years, possibly more, and each time Progent has impressed me and delivered as promised. This event was a stunning achievement."

Conclusion
A potential business-extinction catastrophe was avoided through top-tier professionals, a broad spectrum of IT skills, and close collaboration. In hindsight, the intrusion described here should have been stopped by up-to-date security systems and practices: staff education, backup procedures that keep at least one copy offline or otherwise unreachable from the network, and timely security patching. The reality, however, is that ransomware operators, whether state-sponsored groups or organized criminal gangs, are tireless and represent an ongoing threat. If you do get hit by a ransomware incursion, you can be confident that Progent's team has extensive experience in blocking, cleaning up and recovering from crypto-ransomware attacks.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for allowing me to get some sleep after we got past the first week. All of you did an impressive job, and if any of you guys are around the Chicago area, dinner is my treat!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Phoenix a range of remote monitoring and security evaluation services to help you to minimize the threat from ransomware. These services utilize next-generation AI technology to detect zero-day variants of ransomware that are able to escape detection by legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates cutting edge behavior-based machine learning technology to defend physical and virtual endpoint devices against new malware assaults such as ransomware and file-less exploits, which routinely evade traditional signature-based anti-virus tools. ProSight ASM protects local and cloud resources and provides a single platform to address the entire threat progression including protection, detection, mitigation, remediation, and forensics. Top capabilities include one-click rollback using Windows VSS and real-time network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection services offer affordable multi-layer security for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring and reacting to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint control, and web filtering through cutting-edge tools packaged within one agent managed from a unified console. Progent's security and virtualization experts can assist you to design and implement a ProSight ESP environment that meets your organization's unique requirements and that helps you achieve and demonstrate compliance with legal and industry data protection standards. Progent will assist you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for urgent attention. Progent can also assist your company to install and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and medium-sized businesses a low-cost, fully managed service for reliable backup and disaster recovery. For a low monthly fee, ProSight DPS automates your backup activities and allows fast restoration of vital data, applications and virtual machines that have been lost or damaged as a result of component failures, software bugs, disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can back up, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware images. Critical data can be backed up to the cloud, to an on-premises storage device, or to both, so that a copy survives even when the attacker controls the local network. Progent's BDR specialists can deliver world-class expertise to set up ProSight Data Protection Services to comply with regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, when needed, can assist you to recover your business-critical information. Read more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top data security vendors to provide centralized control and comprehensive protection for all your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service integrates cloud-based filtering with a local security gateway device to provide complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The Cloud Protection Layer acts as a preliminary barricade and blocks most unwanted email before it reaches your network firewall. This decreases your exposure to external threats and conserves bandwidth and storage. Email Guard's on-premises security gateway device adds a further level of inspection for incoming email. For outgoing email, the local gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite security gateway can also help Exchange Server track and safeguard internal email traffic that originates and ends within your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized organizations to diagram, monitor, enhance and debug their networking appliances such as routers and switches, firewalls, and access points plus servers, printers, client computers and other networked devices. Using state-of-the-art RMM technology, WAN Watch makes sure that infrastructure topology diagrams are always updated, captures and manages the configuration information of virtually all devices on your network, tracks performance, and sends notices when problems are discovered. By automating tedious management activities, WAN Watch can cut hours off common chores like making network diagrams, reconfiguring your network, locating devices that require important updates, or resolving performance bottlenecks. Find out more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management technology to keep your IT system running efficiently by checking the health of critical assets that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your designated IT staff and your Progent consultant so any looming issues can be addressed before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host configured and managed by Progent's network support experts. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the applications. Because the environment is virtualized, it can be moved easily to different hardware without a lengthy and difficult reconfiguration. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, find and safeguard data about your IT infrastructure, processes, business applications, and services. You can instantly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or domains. By keeping your network documentation current, you can save up to half the time spent searching for vital information about your network. ProSight IT Asset Management features a centralized repository for holding and collaborating on all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're making enhancements, performing maintenance, or reacting to a crisis such as a ransomware attack, ProSight IT Asset Management delivers the information you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.
For Phoenix 24-7 Crypto-Ransomware Removal Help, call Progent at 800-993-9400 or go to Contact Progent.