Ransomware: Your Crippling IT Catastrophe
Crypto-Ransomware Recovery Professionals
Ransomware has become an escalating cyberplague and an extinction-level threat for businesses that are unprepared for an attack. Multiple generations of ransomware families such as CryptoLocker, CryptoWall, Bad Rabbit, SamSam and MongoLock have been circulating for years and continue to inflict damage. The latest crypto-ransomware families such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, plus new unnamed variants appearing daily, not only encrypt critical on-line data but also seek out and destroy any backups reachable from the network. Data replicated to cloud environments can be rendered useless as well. On a poorly protected network this can make automated recovery impossible and effectively resets the entire environment to zero.

Bringing applications and data back on-line after a crypto-ransomware intrusion becomes a race against the clock as the targeted business works to stop lateral movement, remove the ransomware, and restore business-critical activity. Because ransomware takes time to spread, attacks are often launched on weekends and holidays, when they may take longer to notice. This compounds the difficulty of quickly mobilizing and coordinating a capable response team.

Progent offers a range of services for protecting businesses from crypto-ransomware attacks. These include staff training to recognize and avoid phishing attacks, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security appliances that use AI to detect and block new threats automatically. Progent also provides expert ransomware recovery consultants with the track record and commitment to restore a compromised system as quickly as possible.

Progent's Ransomware Restoration Help
After a ransomware penetration, paying the ransom in Bitcoin provides no assurance that the criminals will respond with the keys needed to decrypt any of your data. Kaspersky found that 17 percent of crypto-ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is far above the average ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the vital components of your IT environment from scratch. Without usable backups, this demands a wide range of skills, top-notch team management, and the willingness to work around the clock until the job is done.

For twenty years, Progent has provided certified expert IT services to businesses in Phoenix and throughout the US and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who hold advanced certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security consultants hold internationally recognized certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP software. This breadth of experience allows Progent to rapidly understand critical systems, salvage the surviving pieces of your network after a ransomware event, and reassemble them into a working environment.

Progent's security team uses best-of-breed project management tools to coordinate the complex restoration process. Progent understands the urgency of acting quickly and works with the customer's management and IT staff to prioritize tasks and bring key services back online as soon as humanly possible.

Client Story: A Successful Ransomware Penetration Restoration
A small business contacted Progent after their network was taken down by Ryuk crypto-ransomware. Ryuk is thought to have been launched by North Korean government-sponsored hackers, possibly using techniques leaked from America's National Security Agency. Ryuk targets specific businesses with little tolerance for disruption and is one of the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company headquartered in the Chicago metro area with about 500 employees. The Ryuk penetration had halted all company operations and manufacturing processes. The majority of the client's backups had been online when the intrusion began and were damaged. The client was preparing to pay the ransom (more than $200,000) and hoping for the best, but ultimately turned to Progent.

"I cannot thank you enough in regards to the help Progent gave us throughout the most critical time of (our) company's survival. We may have had to pay the hackers behind this attack if it wasn't for the confidence the Progent team gave us. The fact that you could get our messaging and critical applications back into operation quicker than seven days was earth shattering. Each expert I got help from or texted at Progent was amazingly focused on getting us back on-line and was working all day and night on our behalf."

Progent worked hand in hand with the client to quickly assess and prioritize the mission-critical applications that had to be recovered before business operations could resume:

  • Active Directory (AD)
  • E-Mail
  • Accounting and Manufacturing Software

To begin, Progent followed industry best practices for malware incident mitigation by halting lateral movement and disinfecting systems. Progent then began restoring Windows Active Directory, the heart of any enterprise environment built on Microsoft Windows technology. Microsoft Exchange messaging cannot operate without Active Directory, and the client's accounting and MRP software ran on Microsoft SQL Server, which relies on Windows AD for authentication and authorization to the database.

In less than 48 hours, Progent rebuilt Active Directory to its pre-attack state. Progent then began rebuilding and recovering storage for the most important systems. All Microsoft Exchange Server links and configuration information were intact, which accelerated the Exchange restore. Progent was also able to locate local OST files (Outlook offline data files) on staff desktops and laptops and recover email from them. A recent off-line backup of the customer's accounting/MRP software made it possible to bring these essential applications back to users. Although a great deal of work remained to recover fully from Ryuk, critical services were restored rapidly:

"For the most part, the production manufacturing operation ran fairly normal throughout and we delivered all customer shipments."

Over the following month, important milestones in the recovery project were reached through close cooperation between Progent consultants and the client:

  • Self-hosted web applications were returned to operation without losing any data.
  • The MailStore Server, holding more than four million archived emails, was brought on-line and made available to users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivable/Inventory capabilities were 100% functional.
  • A new Palo Alto Networks 850 firewall was set up.
  • Most of the user desktops and notebooks were back in operation.

"Much of what transpired that first week is mostly a fog for me, but my team will not forget the dedication each of you accomplished to help get our business back. I have utilized Progent for at least 10 years, maybe more, and every time Progent has come through and delivered. This situation was the most impressive ever."

Conclusion
A probable company-ending catastrophe was averted by top-tier professionals, a wide spectrum of IT skills, and tight teamwork. Although post-incident analysis showed that the crypto-ransomware attack described here could have been detected and prevented with advanced security systems and best practices, user and IT administrator training, and well thought out procedures for backup and patch management, the reality is that state-sponsored cybercriminals from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you are hit by a ransomware attack, be confident that Progent's roster of experts has substantial experience in crypto-ransomware blocking, mitigation, and information systems restoration.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were helping), I'm grateful for allowing me to get rested after we made it over the initial push. Everyone did an amazing job, and if anyone that helped is visiting the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this ransomware incident report, see Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Phoenix a portfolio of online monitoring and security assessment services to help you minimize the threat from ransomware. These services incorporate next-generation machine learning to uncover new strains of crypto-ransomware that evade detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that uses next-generation behavior-based machine learning tools to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which routinely evade traditional signature-matching AV products. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a unified platform to address the complete malware attack progression, including blocking, identification, containment, cleanup, and forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection services offer affordable multi-layer security for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning to continuously monitor and respond to attacks from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device management, and web filtering through leading-edge tools incorporated within one agent managed from a unified console. Progent's security and virtualization experts can help you plan and configure a ProSight ESP environment that meets your organization's specific requirements and allows you to demonstrate compliance with legal and industry data protection standards. Progent will help you specify and implement the policies that ProSight ESP enforces, and Progent will monitor your network and react to alerts that call for urgent attention. Progent can also help you install and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized businesses a low-cost, fully managed service for secure backup and disaster recovery. Available at a fixed monthly cost, ProSight DPS automates and monitors your backup activity and enables rapid restoration of critical data, apps and virtual machines that have become unavailable or corrupted as a result of hardware failure, software glitches, disasters, human error, or malware attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, and Hyper-V and VMware images. Important data can be protected in the cloud, on a local storage device, or mirrored to both. Progent's cloud backup specialists can deliver advanced expertise to set up ProSight Data Protection Services to comply with regulatory standards like HIPAA, FINRA, and PCI and, when needed, can help you recover your business-critical data. Read more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top data security vendors to provide web-based control and comprehensive security for all your email traffic. The hybrid architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway device to provide complete defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based threats. Email Guard's cloud filter acts as a first line of defense and keeps the vast majority of unwanted email from ever reaching your network firewall. This decreases your exposure to inbound threats and saves bandwidth and storage space. Email Guard's onsite security gateway appliance adds a deeper level of inspection for incoming email. For outbound email, the onsite gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Exchange Server track and protect internal email traffic that originates and terminates within your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller organizations to diagram, track, optimize and troubleshoot their connectivity appliances such as switches, firewalls, and load balancers plus servers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network diagrams are kept updated, copies and displays the configuration information of virtually all devices connected to your network, monitors performance, and sends alerts when problems are discovered. By automating time-consuming management processes, ProSight WAN Watch can cut hours off ordinary tasks like making network diagrams, reconfiguring your network, finding appliances that need critical updates, or resolving performance problems. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management technology to keep your IT system operating at peak levels by checking the health of the vital computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your designated IT management personnel and your assigned Progent consultant so that looming issues can be resolved before they disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected fault tolerant data center on a fast virtual host set up and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the apps. Since the environment is virtualized, it can be ported immediately to an alternate hardware environment without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that makes it easy to create, maintain, retrieve and safeguard information about your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or domains. By keeping your network documentation current and organized, you can eliminate up to 50% of the time wasted hunting for critical information about your network. ProSight IT Asset Management provides a centralized location for storing and sharing all documents required for managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT data. Whether you're making enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.

For 24/7 Phoenix Crypto-Ransomware Removal Services, reach out to Progent at 800-462-8800 or go to Contact Progent.