Ransomware : Your Crippling Information Technology Disaster
Ransomware  Recovery ProfessionalsRansomware has become a too-frequent cyber pandemic that poses an existential threat for organizations poorly prepared for an attack. Different iterations of ransomware like the Reveton, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for many years and still inflict destruction. Modern versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, plus additional as yet unnamed malware, not only do encryption of on-line critical data but also infiltrate most available system protection. Information synchronized to cloud environments can also be rendered useless. In a poorly designed environment, it can make automated recovery impossible and effectively knocks the network back to square one.

Retrieving services and data following a crypto-ransomware event becomes a sprint against time as the targeted organization fights to contain and clear the ransomware and to restore mission-critical activity. Due to the fact that ransomware requires time to spread, attacks are frequently launched on weekends and holidays, when successful penetrations may take more time to notice. This multiplies the difficulty of rapidly marshalling and organizing an experienced mitigation team.

Progent offers a range of support services for protecting businesses from ransomware events. Among these are staff education to help identify and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of next-generation security solutions with machine learning technology to rapidly discover and quarantine zero-day cyber threats. Progent in addition offers the services of veteran crypto-ransomware recovery professionals with the talent and commitment to rebuild a compromised system as quickly as possible.

Progent's Ransomware Recovery Help
Following a ransomware event, paying the ransom in Bitcoin cryptocurrency does not provide any assurance that cyber criminals will return the needed codes to decrypt any or all of your information. Kaspersky Labs estimated that 17% of ransomware victims never restored their information even after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the typical ransomware demands, which ZDNET estimates to be in the range of $13,000. The other path is to re-install the vital elements of your IT environment. Absent the availability of complete system backups, this calls for a wide range of skill sets, professional project management, and the ability to work 24x7 until the recovery project is complete.

For twenty years, Progent has made available professional Information Technology services for businesses in St. Paul and across the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have attained top certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have earned internationally-recognized certifications including CISA, CISSP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise with financial systems and ERP application software. This breadth of experience gives Progent the capability to rapidly identify important systems and consolidate the remaining parts of your computer network system after a ransomware penetration and assemble them into an operational network.

Progent's ransomware group uses best of breed project management systems to orchestrate the sophisticated recovery process. Progent appreciates the urgency of acting swiftly and in unison with a client's management and Information Technology resources to assign priority to tasks and to put essential systems back on-line as fast as humanly possible.

Case Study: A Successful Crypto-Ransomware Virus Response
A small business engaged Progent after their organization was taken over by Ryuk ransomware. Ryuk is believed to have been developed by Northern Korean state sponsored hackers, possibly using techniques leaked from Americaís NSA organization. Ryuk goes after specific companies with little or no room for disruption and is among the most lucrative iterations of ransomware. Major targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in the Chicago metro area with around 500 employees. The Ryuk intrusion had brought down all business operations and manufacturing processes. Most of the client's backups had been directly accessible at the beginning of the attack and were damaged. The client was taking steps for paying the ransom demand (exceeding two hundred thousand dollars) and praying for the best, but in the end reached out to Progent.


"I cannot say enough in regards to the care Progent provided us during the most fearful period of (our) businesses existence. We may have had to pay the cybercriminals if not for the confidence the Progent team provided us. That you were able to get our messaging and critical servers back online quicker than seven days was amazing. Every single expert I talked with or messaged at Progent was amazingly focused on getting our system up and was working at all hours on our behalf."

Progent worked hand in hand the customer to quickly understand and assign priority to the key services that had to be restored to make it possible to continue business operations:

  • Active Directory
  • Email
  • Financials/MRP
To get going, Progent followed ransomware penetration mitigation best practices by isolating and disinfecting systems. Progent then started the steps of restoring Microsoft Active Directory, the foundation of enterprise systems built on Microsoft Windows technology. Exchange email will not work without AD, and the businessesí financials and MRP software used Microsoft SQL Server, which needs Active Directory services for access to the database.

Within two days, Progent was able to restore Active Directory to its pre-attack state. Progent then charged ahead with setup and storage recovery on key servers. All Exchange Server data and configuration information were usable, which accelerated the rebuild of Exchange. Progent was also able to collect non-encrypted OST files (Outlook Off-Line Data Files) on various workstations in order to recover mail data. A recent offline backup of the client's manufacturing systems made it possible to return these essential applications back online for users. Although a lot of work needed to be completed to recover completely from the Ryuk virus, essential services were returned to operations rapidly:


"For the most part, the assembly line operation was never shut down and we produced all customer deliverables."

Over the following month critical milestones in the restoration process were accomplished through close cooperation between Progent team members and the client:

  • Internal web sites were brought back up without losing any data.
  • The MailStore Microsoft Exchange Server with over 4 million archived emails was restored to operations and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory Control modules were 100 percent functional.
  • A new Palo Alto 850 firewall was set up and programmed.
  • Ninety percent of the user desktops and notebooks were fully operational.

"A huge amount of what transpired that first week is mostly a haze for me, but we will not forget the countless hours all of you put in to give us our business back. Iíve entrusted Progent for the past ten years, maybe more, and every time I needed help Progent has shined and delivered. This event was the most impressive ever."

Conclusion
A potential company-ending catastrophe was averted by dedicated experts, a broad array of knowledge, and tight teamwork. Although upon completion of forensics the crypto-ransomware virus attack detailed here should have been blocked with advanced cyber security systems and NIST Cybersecurity Framework best practices, user education, and properly executed security procedures for data backup and keeping systems up to date with security patches, the fact is that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's team of experts has extensive experience in ransomware virus blocking, remediation, and file restoration.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thanks very much for letting me get some sleep after we got through the initial push. All of you did an amazing job, and if anyone is in the Chicago area, a great meal is my treat!"

To review or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in St. Paul a portfolio of remote monitoring and security evaluation services designed to assist you to reduce your vulnerability to ransomware. These services incorporate modern machine learning technology to detect zero-day variants of ransomware that can get past traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes next generation behavior machine learning technology to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and file-less exploits, which easily escape traditional signature-matching AV tools. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a single platform to automate the entire malware attack lifecycle including filtering, identification, containment, cleanup, and post-attack forensics. Key features include single-click rollback with Windows VSS and automatic network-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection services offer economical in-depth security for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and responding to cyber assaults from all vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint control, and web filtering via leading-edge technologies incorporated within one agent accessible from a single control. Progent's data protection and virtualization consultants can assist you to design and implement a ProSight ESP deployment that meets your company's unique requirements and that allows you prove compliance with legal and industry data protection standards. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that call for immediate attention. Progent can also help your company to set up and verify a backup and restore system like ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized businesses an affordable and fully managed solution for secure backup/disaster recovery. For a low monthly rate, ProSight DPS automates your backup activities and allows rapid recovery of critical files, apps and VMs that have become lost or corrupted due to component failures, software glitches, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to a local device, or to both. Progent's BDR specialists can provide world-class support to set up ProSight DPS to be compliant with regulatory standards such as HIPAA, FIRPA, PCI and Safe Harbor and, when necessary, can help you to recover your business-critical information. Find out more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top data security vendors to deliver centralized management and comprehensive protection for your inbound and outbound email. The powerful architecture of Email Guard managed service integrates cloud-based filtering with an on-premises security gateway appliance to offer advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The Cloud Protection Layer acts as a preliminary barricade and keeps most threats from making it to your network firewall. This decreases your exposure to inbound threats and conserves system bandwidth and storage space. Email Guard's on-premises gateway appliance adds a further level of inspection for incoming email. For outgoing email, the onsite security gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also assist Exchange Server to monitor and safeguard internal email traffic that stays within your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized organizations to map out, track, reconfigure and troubleshoot their connectivity appliances like routers, firewalls, and wireless controllers as well as servers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network diagrams are kept updated, copies and displays the configuration of almost all devices connected to your network, monitors performance, and sends notices when issues are discovered. By automating complex network management activities, WAN Watch can knock hours off ordinary tasks such as making network diagrams, reconfiguring your network, locating devices that require critical updates, or resolving performance issues. Find out more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to help keep your network running at peak levels by tracking the state of critical assets that power your business network. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your designated IT personnel and your assigned Progent consultant so that any looming problems can be resolved before they can impact your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure Tier III data center on a fast virtual host set up and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the applications. Since the system is virtualized, it can be moved easily to a different hardware environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and protect information about your IT infrastructure, processes, applications, and services. You can quickly locate passwords or IP addresses and be alerted about impending expirations of SSL certificates or domains. By updating and managing your IT infrastructure documentation, you can save up to 50% of time spent searching for critical information about your IT network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents required for managing your network infrastructure like standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether youíre planning enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you need as soon as you need it. Find out more about ProSight IT Asset Management service.
For St. Paul 24-7 Crypto-Ransomware Remediation Consultants, call Progent at 800-993-9400 or go to Contact Progent.