Ransomware : Your Worst Information Technology Disaster
Crypto-Ransomware  Remediation ExpertsRansomware has become a too-frequent cyber pandemic that presents an existential threat for organizations vulnerable to an attack. Multiple generations of crypto-ransomware like the Reveton, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been replicating for years and still inflict harm. Newer strains of ransomware like Ryuk and Hermes, as well as frequent as yet unnamed viruses, not only encrypt online data files but also infect many available system protection mechanisms. Information synched to off-site disaster recovery sites can also be encrypted. In a poorly designed data protection solution, this can render any restoration impossible and effectively sets the network back to zero.

Getting back services and data following a crypto-ransomware intrusion becomes a race against the clock as the targeted organization struggles to contain the damage and clear the ransomware and to resume mission-critical activity. Since crypto-ransomware requires time to replicate, assaults are frequently sprung during weekends and nights, when attacks typically take more time to discover. This compounds the difficulty of quickly mobilizing and organizing a qualified mitigation team.

Progent provides an assortment of support services for protecting businesses from ransomware attacks. These include team education to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of modern security gateways with AI technology to intelligently discover and disable zero-day threats. Progent also can provide the assistance of seasoned ransomware recovery engineers with the talent and perseverance to re-deploy a compromised network as quickly as possible.

Progent's Crypto-Ransomware Recovery Help
After a ransomware attack, even paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that cyber hackers will respond with the needed codes to unencrypt any or all of your information. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their information even after having sent off the ransom, resulting in additional losses. The risk is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is significantly above the usual ransomware demands, which ZDNET estimates to be around $13,000. The fallback is to setup from scratch the vital components of your IT environment. Absent the availability of essential system backups, this calls for a broad range of skills, professional project management, and the willingness to work non-stop until the task is completed.

For decades, Progent has provided professional IT services for companies in St. Paul and across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have earned internationally-renowned industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent in addition has expertise in accounting and ERP application software. This breadth of experience provides Progent the ability to efficiently ascertain important systems and re-organize the remaining pieces of your network environment following a ransomware event and configure them into a functioning system.

Progent's ransomware group has top notch project management systems to orchestrate the complicated recovery process. Progent understands the importance of acting swiftly and in unison with a client's management and IT staff to prioritize tasks and to put key systems back online as soon as humanly possible.

Client Case Study: A Successful Crypto-Ransomware Intrusion Response
A small business contacted Progent after their company was brought down by Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean government sponsored cybercriminals, suspected of adopting technology exposed from the United States National Security Agency. Ryuk attacks specific organizations with little room for operational disruption and is among the most profitable examples of ransomware. Major organizations include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in the Chicago metro area and has around 500 employees. The Ryuk penetration had shut down all business operations and manufacturing processes. Most of the client's data backups had been online at the time of the intrusion and were damaged. The client was pursuing financing for paying the ransom (exceeding $200K) and hoping for the best, but ultimately engaged Progent.


"I canít tell you enough in regards to the expertise Progent provided us throughout the most stressful period of (our) companyís life. We would have paid the cyber criminals if not for the confidence the Progent team afforded us. That you were able to get our e-mail and production applications back online faster than seven days was beyond my wildest dreams. Each consultant I talked with or e-mailed at Progent was absolutely committed on getting us back online and was working non-stop on our behalf."

Progent worked with the client to quickly understand and assign priority to the critical elements that had to be restored to make it possible to continue company operations:

  • Windows Active Directory
  • Microsoft Exchange Email
  • MRP System
To start, Progent followed AV/Malware Processes incident mitigation industry best practices by stopping lateral movement and cleaning up infected systems. Progent then began the task of restoring Active Directory, the core of enterprise networks built upon Microsoft Windows Server technology. Exchange messaging will not function without Active Directory, and the client's accounting and MRP software leveraged Microsoft SQL Server, which needs Windows AD for access to the databases.

In less than 48 hours, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then initiated setup and hard drive recovery on key applications. All Exchange Server schema and configuration information were usable, which accelerated the rebuild of Exchange. Progent was able to find local OST files (Microsoft Outlook Off-Line Data Files) on team desktop computers and laptops in order to recover email messages. A not too old offline backup of the businesses financials/ERP systems made them able to return these required applications back online. Although a lot of work still had to be done to recover completely from the Ryuk virus, essential services were recovered quickly:


"For the most part, the production operation was never shut down and we produced all customer shipments."

Over the following few weeks important milestones in the restoration process were achieved in close collaboration between Progent engineers and the customer:

  • Self-hosted web applications were brought back up without losing any information.
  • The MailStore Microsoft Exchange Server with over 4 million historical emails was spun up and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables/Inventory modules were fully operational.
  • A new Palo Alto 850 firewall was set up and programmed.
  • Most of the user workstations were being used by staff.

"A huge amount of what happened those first few days is nearly entirely a fog for me, but my team will not forget the dedication each and every one of the team accomplished to give us our company back. I have been working with Progent for the past ten years, possibly more, and each time Progent has come through and delivered as promised. This time was no exception but maybe more Herculean."

Conclusion
A possible business extinction disaster was avoided by hard-working professionals, a wide range of knowledge, and close collaboration. Although in post mortem the ransomware virus incident detailed here could have been shut down with up-to-date cyber security systems and NIST Cybersecurity Framework best practices, team training, and appropriate security procedures for information backup and applying software patches, the fact is that state-sponsored hackers from China, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a crypto-ransomware attack, feel confident that Progent's roster of professionals has a proven track record in ransomware virus blocking, remediation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), Iím grateful for making it so I could get some sleep after we made it through the initial fire. All of you did an fabulous job, and if anyone is visiting the Chicago area, dinner is my treat!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in St. Paul a range of online monitoring and security evaluation services to assist you to minimize your vulnerability to crypto-ransomware. These services incorporate modern artificial intelligence capability to uncover zero-day variants of ransomware that can get past legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that incorporates next generation behavior analysis tools to guard physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which easily get by legacy signature-matching AV products. ProSight ASM protects on-premises and cloud resources and provides a unified platform to manage the entire threat progression including blocking, identification, mitigation, remediation, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services offer affordable in-depth protection for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and reacting to security assaults from all attack vectors. ProSight ESP delivers firewall protection, penetration alarms, endpoint management, and web filtering through leading-edge technologies packaged within one agent managed from a unified control. Progent's security and virtualization consultants can assist you to design and configure a ProSight ESP deployment that meets your organization's specific needs and that allows you prove compliance with government and industry data security standards. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for immediate action. Progent's consultants can also assist you to install and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized businesses an affordable end-to-end service for reliable backup/disaster recovery (BDR). Available at a low monthly cost, ProSight Data Protection Services automates and monitors your backup processes and enables fast restoration of vital files, applications and virtual machines that have become lost or damaged as a result of component failures, software bugs, natural disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, plus Hyper-V and VMware images/. Critical data can be backed up on the cloud, to an on-promises device, or mirrored to both. Progent's backup and recovery specialists can deliver world-class expertise to set up ProSight DPS to be compliant with government and industry regulatory requirements such as HIPAA, FIRPA, PCI and Safe Harbor and, when necessary, can help you to restore your business-critical data. Find out more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of leading data security vendors to deliver centralized control and comprehensive protection for all your email traffic. The hybrid architecture of Email Guard managed service combines cloud-based filtering with an on-premises security gateway device to provide advanced defense against spam, viruses, Denial of Service Attacks, DHAs, and other email-borne malware. Email Guard's Cloud Protection Layer acts as a preliminary barricade and blocks most unwanted email from reaching your security perimeter. This reduces your exposure to external attacks and conserves system bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a further layer of inspection for inbound email. For outgoing email, the onsite gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that originates and ends within your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller organizations to diagram, monitor, optimize and debug their networking hardware like routers, firewalls, and access points plus servers, client computers and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network maps are kept current, captures and manages the configuration of virtually all devices connected to your network, monitors performance, and sends notices when potential issues are detected. By automating tedious management activities, ProSight WAN Watch can knock hours off common chores like making network diagrams, expanding your network, locating devices that need important updates, or resolving performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management techniques to help keep your network operating at peak levels by checking the health of critical assets that power your business network. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your designated IT management staff and your assigned Progent engineering consultant so all looming issues can be addressed before they can impact productivity. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual host configured and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the apps. Since the environment is virtualized, it can be moved easily to a different hardware environment without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not tied one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and protect data related to your network infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates ,domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate up to half of time thrown away searching for vital information about your IT network. ProSight IT Asset Management features a common location for storing and collaborating on all documents related to managing your business network such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether youíre making enhancements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you need the instant you need it. Find out more about ProSight IT Asset Management service.
For St. Paul 24/7/365 Ransomware Cleanup Help, reach out to Progent at 800-993-9400 or go to Contact Progent.