Ransomware : Your Crippling IT Catastrophe
Ransomware has become a modern cyber pandemic that represents an existential threat for organizations poorly prepared for an attack. Multiple generations of crypto-ransomware, including the Reveton, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms, have been replicating for years and continue to cause havoc. Newer strains such as Ryuk and Hermes, plus daily unnamed malware, not only encrypt online data files but also corrupt most configured system restore points and backups. Information synchronized to the cloud can also be rendered useless. In a poorly architected data protection solution, this can make automatic recovery impossible and effectively sets the datacenter back to square one.

Restoring services and information following a ransomware attack becomes a race against the clock as the targeted organization tries its best to contain and remove the ransomware and to resume business-critical operations. Because ransomware takes time to spread, attacks are usually launched at night or on weekends, when they are likely to take longer to detect. This multiplies the difficulty of promptly assembling and organizing a qualified mitigation team.

Progent provides a variety of services for protecting enterprises from crypto-ransomware attacks. Among these are staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of the latest generation of security gateways with artificial intelligence capabilities to quickly detect and quarantine zero-day cyber attacks. Progent also offers the services of veteran ransomware recovery professionals with the talent and perseverance to restore a breached environment as soon as possible.

Progent's Crypto-Ransomware Recovery Support Services
After a crypto-ransomware penetration, paying the ransom in cryptocurrency does not guarantee that the criminal gang will provide the keys to decrypt any of your data. Kaspersky determined that 17% of ransomware victims never recovered their information after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNET determined to be approximately $13,000. The alternative is to piece back together the key elements of your IT environment. Without access to complete system backups, this requires a wide range of IT skills, top-notch project management, and the capability to work continuously until the job is complete.

For twenty years, Progent has provided expert IT services for companies in Phoenix and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have attained high-level industry certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have earned internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial systems and ERP software solutions. This breadth of expertise gives Progent the skills to rapidly identify the essential systems, salvage the surviving components of your IT environment after a ransomware penetration, and reassemble them into a functioning system.

Progent's ransomware group utilizes best-of-breed project management applications to coordinate the complicated restoration process. Progent understands the urgency of working quickly and in concert with a client's management and Information Technology team members to prioritize tasks and to put key systems back online as soon as possible.

Case Study: A Successful Ransomware Incident Recovery
A business sought out Progent after their network was penetrated by the Ryuk ransomware virus. Ryuk is thought to have been launched by North Korean state-sponsored cybercriminals, possibly adopting approaches leaked from America's National Security Agency. Ryuk goes after specific organizations with limited tolerance for disruption and is one of the most profitable versions of crypto-ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in the Chicago metro area with about 500 employees. The Ryuk event had frozen all company operations and manufacturing processes. The majority of the client's data backups had been online and directly accessible when the attack began, and were damaged. The client was evaluating paying the ransom demand (more than $200K) and hoping for the best, but in the end made the decision to use Progent.


"I can't tell you enough in regards to the care Progent gave us throughout the most fearful time of (our) business's survival. We would have paid the hackers behind this attack except for the confidence the Progent group gave us. That you could get our e-mail system and essential servers back online in less than a week was incredible. Every single staff member I spoke to or texted at Progent was totally committed to getting our system up and was working at breakneck pace on our behalf."

Progent worked together with the customer to rapidly understand and prioritize the critical areas that needed to be restored in order to continue departmental functions:

  • Windows Active Directory
  • Microsoft Exchange Server
  • Financials/MRP

To start, Progent followed incident response industry best practices by halting the spread and cleaning up compromised systems. Progent then began the task of recovering Microsoft Active Directory, the foundation of enterprise systems built on Windows Server technology. Microsoft Exchange email will not function without Active Directory, and the customer's financials and MRP applications relied on Microsoft SQL Server, which depends on Active Directory for authenticated access to the databases.

In less than 48 hours, Progent was able to restore Active Directory services to their pre-intrusion state. Progent then charged ahead with rebuilding mission-critical servers and recovering their hard drives. All Exchange Server schema extensions and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to locate non-encrypted OST files (Outlook Offline Folder files) on user desktop computers and used them to recover email messages. A recent offline backup of the client's financials/MRP systems made it possible to bring these essential services back to serving users. Although a large amount of work remained to recover fully from the Ryuk damage, core systems were recovered quickly:


"For the most part, the production manufacturing operation showed little impact and we delivered all customer shipments."

Over the following couple of weeks, critical milestones in the recovery process were achieved through close collaboration between Progent consultants and the client:

  • Self-hosted web sites were brought back up with no loss of information.
  • The MailStore Exchange Server containing more than 4 million historical messages was brought on-line and available for users.
  • CRM/Customer Orders/Invoicing/AP/AR/Inventory Control modules were fully operational.
  • A new Palo Alto 850 firewall was set up and programmed.
  • 90% of the desktops and laptops were being used by staff.

"A lot of what transpired during the initial response is nearly entirely a fog for me, but my team will not soon forget the care each of you put in to help get our company back. I've been working together with Progent for the past ten years, possibly more, and each time I needed help Progent has shined and delivered as promised. This event was a Herculean accomplishment."

Conclusion
A likely business-killing catastrophe was avoided thanks to top-tier professionals, a wide spectrum of subject matter expertise, and tight collaboration. In retrospect, the ransomware penetration described here would have been identified and disabled with modern security technology and security best practices, user and IT administrator education, appropriate incident response procedures for information backup, and proper patching controls. The reality remains, however, that government-sponsored hackers from Russia, China and elsewhere are tireless and will continue. If you do fall victim to a crypto-ransomware incident, feel confident that Progent's team of experts has extensive experience in ransomware blocking, cleanup, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were contributing), thanks very much for letting me get rested after we got over the most critical parts. Everyone did an impressive job, and if anyone is visiting the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Phoenix a range of online monitoring and security evaluation services designed to help you reduce your vulnerability to ransomware. These services utilize modern machine learning capabilities to uncover zero-day variants of crypto-ransomware that are able to escape detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates next-generation behavior analysis tools to guard physical and virtual endpoints against modern malware assaults like ransomware and email phishing, which easily escape legacy signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud resources and offers a single platform to automate the entire malware attack lifecycle, including blocking, infiltration detection, containment, cleanup, and forensics. Top capabilities include single-click rollback using Windows VSS and real-time network-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver ultra-affordable multi-layer protection for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and responding to security assaults from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device management, and web filtering via cutting-edge technologies packaged within one agent managed from a unified console. Progent's security and virtualization consultants can help you plan and implement a ProSight ESP deployment that addresses your organization's unique requirements and that helps you achieve and demonstrate compliance with legal and industry information security regulations. Progent will assist you in defining and configuring the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent attention. Progent's consultants can also assist you to set up and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and medium-sized organizations a low-cost and fully managed solution for reliable backup and disaster recovery. Available at a fixed monthly cost, ProSight Data Protection Services automates your backup activities and allows fast restoration of vital files, apps and virtual machines that have become lost or damaged due to component failures, software glitches, disasters, human mistakes, or malware attacks like ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, plus Hyper-V and VMware images. Critical data can be backed up to the cloud, to a local device, or mirrored to both. Progent's backup and recovery specialists can deliver advanced support to set up ProSight Data Protection Services to comply with regulatory requirements such as HIPAA, FERPA, and PCI and, when needed, can help you to recover your business-critical information. Learn more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security companies to deliver centralized management and world-class security for your email traffic. The hybrid architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local gateway appliance to provide complete protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of threats from reaching your network firewall. This decreases your vulnerability to inbound attacks and conserves system bandwidth and storage. Email Guard's onsite security gateway device adds a further layer of analysis for incoming email. For outgoing email, the onsite gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to monitor and protect internal email that stays within your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to map, track, reconfigure and troubleshoot their networking appliances like routers, firewalls, and wireless controllers, plus servers, printers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network diagrams are always up to date, copies and manages the configuration of virtually all devices connected to your network, tracks performance, and generates notices when issues are discovered. By automating complex network management activities, ProSight WAN Watch can knock hours off common chores such as network mapping, reconfiguring your network, finding devices that need important software patches, or resolving performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management technology to help keep your network operating efficiently by tracking the state of the vital computers that power your business network. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your designated IT staff and your Progent consultant so that looming issues can be addressed before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host set up and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the applications. Since the system is virtualized, it can be moved immediately to an alternate hosting solution without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and protect data about your IT infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your IT documentation, you can save up to half of the time spent searching for vital information about your network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're planning enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you require when you need it. Find out more about Progent's ProSight IT Asset Management service.

For 24-7 Phoenix Crypto Cleanup Experts, reach out to Progent at 800-993-9400 or go to Contact Progent.