Ransomware: Your Worst IT Catastrophe
Ransomware Recovery Experts

Crypto-ransomware has become an escalating cyber pandemic that presents an enterprise-level danger for businesses unprepared for an assault. Different versions of ransomware like the CryptoLocker, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for a long time and continue to cause harm. More recent versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, plus more as yet unnamed malware, not only encrypt on-line critical data but also infiltrate most accessible system restores and backups. Files replicated to the cloud can also be ransomed. In a poorly designed system, this can make any recovery hopeless and effectively knock the datacenter back to square one.

Retrieving programs and information after a ransomware outage becomes a sprint against the clock as the victim struggles to stop lateral movement, remove the ransomware, and restore mission-critical activity. Since ransomware requires time to move laterally, penetrations are usually launched during nights and weekends, when attacks typically take longer to notice. This multiplies the difficulty of rapidly mobilizing and coordinating an experienced response team.

Progent provides a range of services for securing enterprises from ransomware attacks. These include staff education to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of next-generation security appliances with machine learning capabilities to rapidly discover and disable new cyber threats. Progent in addition provides the services of experienced crypto-ransomware recovery consultants with the track record and perseverance to re-deploy a compromised system as rapidly as possible.

Progent's Ransomware Recovery Help
Subsequent to a ransomware attack, paying the ransom demand in cryptocurrency does not guarantee that criminal gangs will provide the keys needed to decipher any or all of your files. Kaspersky determined that 17% of crypto-ransomware victims never restored their files even after having sent off the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the usual ransomware demand, which ZDNET estimates to be approximately $13,000. The alternative is to re-install the vital elements of your Information Technology environment. Absent the availability of essential data backups, this calls for a broad complement of skills, well-coordinated project management, and the ability to work 24x7 until the job is complete.

For two decades, Progent has made available professional IT services for businesses in Montgomery and across the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have attained high-level industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have garnered internationally-renowned certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience with accounting and ERP applications. This breadth of expertise gives Progent the capability to quickly understand critical systems, organize the surviving components of your IT environment following a crypto-ransomware attack, and assemble them into an operational network.

Progent's ransomware team of experts utilizes state-of-the-art project management applications to orchestrate the complex restoration process. Progent knows the urgency of working rapidly and together with a client's management and IT team members to prioritize tasks and to put the most important services back on line as fast as humanly possible.

Case Study: A Successful Ransomware Penetration Restoration
A small business escalated to Progent after their network system was brought down by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean government-sponsored hackers, suspected of using techniques exposed from the United States National Security Agency. Ryuk seeks specific organizations with little or no tolerance for operational disruption and is among the most profitable iterations of ransomware malware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturer based in the Chicago metro area with about 500 workers. The Ryuk penetration had frozen all essential operations and manufacturing capabilities. Most of the client's backups had been online at the start of the intrusion and were eventually encrypted. The client was actively seeking loans for paying the ransom (exceeding $200K) and praying for good luck, but in the end brought in Progent.


"I can't say enough about the expertise Progent provided us during the most fearful period of (our) business's existence. We would have paid the cybercriminals if not for the confidence the Progent team afforded us. The fact that you were able to get our e-mail system and important applications back on-line sooner than 1 week was amazing. Every single expert I got help from or messaged at Progent was absolutely committed to getting us back online and was working all day and night to bail us out."

Progent worked together with the customer to quickly determine and prioritize the critical applications that needed to be addressed in order to resume company functions:

  • Active Directory (AD)
  • E-Mail
  • Financials/MRP

To begin, Progent followed ransomware penetration response best practices by halting lateral movement and clearing infected systems. Progent then initiated the task of rebuilding Windows Active Directory, the foundation of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange Server email will not work without Active Directory, and the customer's financials and MRP system utilized SQL Server, which requires Active Directory services for authorizing access to the databases.

In less than 48 hours, Progent was able to re-build Windows Active Directory to its pre-intrusion state. Progent then charged ahead with setup and hard drive recovery of mission-critical applications. All Exchange data and configuration information were usable, which greatly helped the restoration of Exchange. Progent was able to find intact OST files (Outlook Offline Data Files) on staff desktop computers in order to recover email information. A recent offline backup of the client's financials/ERP systems made it possible to bring these vital programs back online for users. Although significant work was left to recover totally from the Ryuk event, critical services were returned to operation quickly:


"For the most part, the production operation was never shut down and we delivered all customer deliverables."

Throughout the following couple of weeks key milestones in the recovery process were accomplished in close cooperation between Progent team members and the customer:

  • Internal web applications were restored without losing any information.
  • The MailStore Server with over 4 million historical messages was spun up and available for users.
  • CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory Control capabilities were completely operational.
  • A new Palo Alto Networks 850 firewall was deployed.
  • Nearly all of the desktop computers were back into operation.

"A lot of what occurred in the early hours is mostly a haze for me, but our team will not forget the countless hours each and every one of the team accomplished to help get our company back. I have trusted Progent for the past ten years, maybe more, and each time I needed help Progent has shined and delivered as promised. This situation was a life saver."

Conclusion
A likely business-killing disaster was averted due to dedicated professionals, a broad array of knowledge, and close collaboration. Although in post mortem the crypto-ransomware penetration detailed here could have been identified and disabled with current cyber security systems and security best practices, user training, well thought out incident response procedures for data protection, and proper patching controls, the reality is that state-sponsored cyber criminals from China, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware penetration, remember that Progent's team of professionals has a proven track record in ransomware virus blocking, removal, and information systems restoration.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for allowing me to get some sleep after we made it over the initial fire. All of you did an incredible job, and if any of your guys is visiting the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer story, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Montgomery a variety of remote monitoring and security evaluation services designed to help you to minimize your vulnerability to ransomware. These services incorporate modern artificial intelligence capability to uncover zero-day variants of crypto-ransomware that can evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates next generation behavior analysis technology to guard physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely escape traditional signature-based AV products. ProSight ASM protects on-premises and cloud-based resources and provides a single platform to address the entire threat progression including filtering, detection, containment, cleanup, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection managed services deliver ultra-affordable in-depth security for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, device management, and web filtering through leading-edge technologies packaged within a single agent managed from a single console. Progent's security and virtualization consultants can assist your business to plan and implement a ProSight ESP environment that addresses your organization's unique requirements and that helps you prove compliance with legal and industry information protection regulations. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for urgent action. Progent's consultants can also assist your company to set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized businesses an affordable and fully managed service for secure backup/disaster recovery. For a low monthly cost, ProSight DPS automates and monitors your backup processes and allows fast restoration of critical files, applications and virtual machines that have become unavailable or damaged due to component failures, software glitches, disasters, human mistakes, or malware attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to a local storage device, or mirrored to both. Progent's cloud backup specialists can provide world-class support to configure ProSight Data Protection Services to be compliant with regulatory standards like HIPAA, FINRA, and PCI and, when needed, can help you to restore your business-critical data. Read more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top data security vendors to deliver web-based control and comprehensive security for your email traffic. The hybrid architecture of Progent's Email Guard managed service combines cloud-based filtering with a local security gateway appliance to offer advanced protection against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer serves as a preliminary barricade and blocks most unwanted email from making it to your security perimeter. This decreases your vulnerability to inbound threats and conserves network bandwidth and storage. Email Guard's on-premises gateway device provides a further layer of inspection for inbound email. For outgoing email, the onsite gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that stays within your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller organizations to map, track, enhance and debug their networking hardware like switches, firewalls, and load balancers plus servers, printers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology maps are kept current, copies and manages the configuration information of virtually all devices on your network, tracks performance, and sends alerts when problems are detected. By automating time-consuming network management activities, WAN Watch can cut hours off ordinary tasks like network mapping, expanding your network, locating appliances that need critical updates, or identifying the cause of performance issues. Find out more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management techniques to help keep your network operating at peak levels by checking the health of critical assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your specified IT personnel and your assigned Progent engineering consultant so that any potential issues can be addressed before they can disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host set up and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the apps. Because the environment is virtualized, it can be ported easily to a different hosting environment without requiring a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, retrieve and safeguard information about your network infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or domains. By updating and organizing your IT infrastructure documentation, you can save up to 50% of the time thrown away looking for vital information about your IT network. ProSight IT Asset Management includes a common repository for storing and sharing all documents related to managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're planning enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Find out more about ProSight IT Asset Management service.

For Montgomery 24/7 Ransomware Repair Experts, reach out to Progent at 800-993-9400 or go to Contact Progent.