Ransomware : Your Worst IT Disaster
Ransomware  Remediation ConsultantsCrypto-Ransomware has become a too-frequent cyberplague that represents an enterprise-level danger for businesses of all sizes unprepared for an assault. Multiple generations of ransomware such as CrySIS, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been around for many years and still inflict havoc. The latest strains of crypto-ransomware such as Ryuk and Hermes, plus additional unnamed viruses, not only encrypt on-line critical data but also infect many available system backups. Information synchronized to the cloud can also be ransomed. In a poorly designed data protection solution, this can render automated restore operations impossible and basically knocks the entire system back to square one.

Getting back programs and data after a ransomware intrusion becomes a sprint against the clock as the targeted organization fights to stop lateral movement and eradicate the virus and to resume mission-critical activity. Since ransomware needs time to move laterally, penetrations are frequently sprung during weekends and nights, when successful penetrations in many cases take more time to uncover. This multiplies the difficulty of rapidly mobilizing and organizing an experienced mitigation team.

Progent offers an assortment of support services for protecting organizations from ransomware attacks. Among these are team education to become familiar with and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of next-generation security gateways with machine learning capabilities to automatically discover and suppress zero-day threats. Progent in addition offers the services of experienced ransomware recovery consultants with the track record and perseverance to re-deploy a breached system as rapidly as possible.

Progent's Ransomware Restoration Support Services
After a crypto-ransomware attack, even paying the ransom in Bitcoin cryptocurrency does not guarantee that criminal gangs will return the keys to unencrypt any or all of your information. Kaspersky Labs determined that seventeen percent of ransomware victims never restored their data even after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is significantly higher than the usual ransomware demands, which ZDNET averages to be approximately $13,000. The alternative is to re-install the essential components of your IT environment. Absent access to full data backups, this requires a broad range of IT skills, well-coordinated team management, and the willingness to work continuously until the task is completed.

For twenty years, Progent has provided professional IT services for businesses in Colorado Springs and throughout the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have attained top industry certifications in leading technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have earned internationally-renowned certifications including CISA, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with accounting and ERP software solutions. This breadth of experience provides Progent the ability to efficiently ascertain critical systems and integrate the surviving parts of your IT system after a crypto-ransomware penetration and configure them into a functioning system.

Progent's ransomware team uses top notch project management systems to coordinate the complex restoration process. Progent understands the importance of acting rapidly and together with a customerís management and IT team members to assign priority to tasks and to put essential services back on-line as fast as humanly possible.

Customer Story: A Successful Ransomware Intrusion Recovery
A customer hired Progent after their organization was attacked by the Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by North Korean government sponsored cybercriminals, possibly adopting strategies leaked from Americaís National Security Agency. Ryuk targets specific companies with little or no tolerance for disruption and is one of the most lucrative examples of ransomware. Major organizations include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company headquartered in Chicago and has about 500 workers. The Ryuk event had shut down all company operations and manufacturing capabilities. Most of the client's data protection had been on-line at the time of the intrusion and were destroyed. The client was actively seeking loans for paying the ransom demand (in excess of $200,000) and wishfully thinking for the best, but ultimately brought in Progent.


"I canít say enough in regards to the support Progent gave us during the most critical time of (our) businesses survival. We had little choice but to pay the cybercriminals if it wasnít for the confidence the Progent team gave us. The fact that you could get our messaging and important servers back quicker than five days was earth shattering. Each staff member I worked with or e-mailed at Progent was amazingly focused on getting our company operational and was working 24 by 7 to bail us out."

Progent worked with the customer to quickly determine and assign priority to the essential applications that needed to be recovered to make it possible to continue company operations:

  • Active Directory (AD)
  • Exchange Server
  • Accounting and Manufacturing Software
To get going, Progent adhered to ransomware penetration response industry best practices by stopping the spread and cleaning systems of viruses. Progent then initiated the task of recovering Microsoft Active Directory, the core of enterprise environments built on Microsoft technology. Exchange messaging will not operate without Windows AD, and the businessesí MRP software leveraged Microsoft SQL Server, which needs Active Directory for access to the information.

Within 2 days, Progent was able to re-build Active Directory services to its pre-intrusion state. Progent then performed rebuilding and storage recovery on key servers. All Exchange ties and attributes were usable, which greatly helped the restore of Exchange. Progent was able to collect intact OST files (Outlook Email Off-Line Data Files) on staff workstations and laptops to recover email data. A recent off-line backup of the client's accounting software made them able to restore these vital services back online. Although a large amount of work was left to recover completely from the Ryuk event, the most important services were returned to operations rapidly:


"For the most part, the production line operation did not miss a beat and we did not miss any customer sales."

Throughout the following few weeks key milestones in the restoration project were accomplished in close cooperation between Progent engineers and the client:

  • Internal web applications were brought back up with no loss of information.
  • The MailStore Exchange Server containing more than four million historical messages was restored to operations and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/AR/Inventory Control capabilities were fully operational.
  • A new Palo Alto Networks 850 security appliance was set up.
  • Ninety percent of the user desktops were being used by staff.

"Much of what went on in the initial days is nearly entirely a fog for me, but we will not forget the urgency all of you put in to give us our business back. Iíve been working together with Progent for at least 10 years, maybe more, and each time Progent has outperformed my expectations and delivered as promised. This time was the most impressive ever."

Conclusion
A potential company-ending disaster was evaded through the efforts of dedicated experts, a wide range of subject matter expertise, and tight collaboration. Although in retrospect the crypto-ransomware virus incident described here could have been identified and prevented with modern security solutions and recognized best practices, staff education, and properly executed incident response procedures for data protection and keeping systems up to date with security patches, the fact is that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a crypto-ransomware penetration, remember that Progent's team of experts has proven experience in crypto-ransomware virus blocking, removal, and data recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), Iím grateful for letting me get some sleep after we got past the initial push. Everyone did an impressive job, and if anyone is in the Chicago area, a great meal is my treat!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Colorado Springs a variety of remote monitoring and security assessment services to assist you to minimize your vulnerability to crypto-ransomware. These services include modern machine learning technology to detect new strains of ransomware that can evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes cutting edge behavior-based machine learning tools to defend physical and virtual endpoint devices against new malware assaults such as ransomware and file-less exploits, which routinely get by traditional signature-based anti-virus products. ProSight ASM protects on-premises and cloud resources and provides a single platform to address the complete threat progression including blocking, infiltration detection, containment, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver economical multi-layer protection for physical servers and virtual machines, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and reacting to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge tools incorporated within a single agent managed from a unified control. Progent's data protection and virtualization experts can assist your business to plan and configure a ProSight ESP environment that addresses your organization's unique needs and that helps you prove compliance with government and industry data protection regulations. Progent will assist you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for urgent attention. Progent can also assist you to install and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized organizations a low cost and fully managed service for secure backup/disaster recovery (BDR). For a fixed monthly cost, ProSight DPS automates your backup activities and enables rapid recovery of critical data, applications and VMs that have become lost or corrupted as a result of component breakdowns, software glitches, disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, as well as Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to an on-promises storage device, or mirrored to both. Progent's backup and recovery consultants can provide advanced support to configure ProSight Data Protection Services to to comply with government and industry regulatory requirements such as HIPAA, FINRA, and PCI and, when necessary, can help you to recover your critical information. Read more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading information security companies to deliver web-based management and comprehensive protection for all your email traffic. The powerful structure of Progent's Email Guard combines cloud-based filtering with a local security gateway device to provide advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and blocks most threats from reaching your network firewall. This decreases your vulnerability to external attacks and conserves system bandwidth and storage. Email Guard's onsite gateway device adds a deeper layer of analysis for incoming email. For outbound email, the local gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Microsoft Exchange Server to monitor and protect internal email that originates and ends within your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, monitor, reconfigure and debug their networking hardware such as routers, firewalls, and access points as well as servers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology maps are always current, captures and manages the configuration information of almost all devices connected to your network, tracks performance, and sends notices when issues are detected. By automating time-consuming management activities, ProSight WAN Watch can cut hours off common tasks such as network mapping, expanding your network, finding appliances that need important updates, or identifying the cause of performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management techniques to keep your network running at peak levels by checking the state of critical computers that power your business network. When ProSight LAN Watch detects an issue, an alert is sent automatically to your specified IT staff and your assigned Progent consultant so all looming problems can be resolved before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual host set up and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the OS platforms, and the apps. Since the system is virtualized, it can be moved immediately to a different hosting environment without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and protect data about your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be alerted about upcoming expirations of SSLs or domains. By updating and organizing your network documentation, you can eliminate up to half of time spent trying to find critical information about your network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents related to managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether youíre making improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
For Colorado Springs 24/7 Ransomware Repair Consultants, contact Progent at 800-993-9400 or go to Contact Progent.