Ransomware : Your Worst IT Nightmare
Ransomware Remediation Consultants
Crypto-ransomware has become a modern cyber pandemic that presents an existential threat to businesses of all sizes vulnerable to an assault. Multiple generations of crypto-ransomware like the Reveton, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for a long time and continue to cause havoc. Newer versions of ransomware such as Ryuk and Hermes, along with daily as-yet-unnamed newcomers, not only encrypt on-line data but also infiltrate many configured system protection mechanisms. Information synchronized to the cloud can also be rendered useless. In a poorly architected environment, this can make automatic recovery impossible and effectively knocks the network back to square one.

Recovering programs and data following a crypto-ransomware intrusion becomes a sprint against the clock as the targeted organization fights to stop lateral movement, clean up the ransomware, and restore enterprise-critical activity. Since crypto-ransomware takes time to move laterally, attacks are frequently sprung on weekends, when a successful penetration typically takes longer to discover. This compounds the difficulty of quickly mobilizing and coordinating a qualified mitigation team.

Progent provides an assortment of help services for securing enterprises from crypto-ransomware attacks. These include staff education to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of the latest generation security gateways with artificial intelligence technology to intelligently discover and disable day-zero threats. Progent in addition can provide the services of experienced ransomware recovery engineers with the skills and commitment to re-deploy a breached environment as soon as possible.

Progent's Crypto-Ransomware Restoration Support Services
Subsequent to a crypto-ransomware penetration, paying the ransom demand in Bitcoin cryptocurrency does not provide any assurance that the criminal gang will return the keys to decipher any of your information. Kaspersky estimated that 17% of ransomware victims never restored their information after having paid the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET determined to be in the range of $13,000. The alternative is to set up from scratch the mission-critical elements of your Information Technology environment. Absent the availability of essential information backups, this calls for a broad range of skill sets, professional project management, and the ability to work 24x7 until the task is done.

For two decades, Progent has offered certified expert Information Technology services for companies in Raleigh and across the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have earned top industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally-renowned industry certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent in addition has experience with financial management and ERP application software. This breadth of experience gives Progent the skills to efficiently determine critical systems and consolidate the remaining components of your network environment following a crypto-ransomware penetration and assemble them into a functioning system.

Progent's security team of experts utilizes powerful project management tools to coordinate the complex recovery process. Progent appreciates the urgency of acting quickly and in concert with a customer's management and Information Technology resources to assign priority to tasks and to put the most important applications back online as fast as possible.

Customer Story: A Successful Ransomware Attack Response
A customer escalated to Progent after their network system was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean government sponsored hackers, possibly adopting techniques exposed from America's NSA organization. Ryuk goes after specific organizations with limited tolerance for disruption and is among the most lucrative iterations of crypto-ransomware. Headline organizations include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in Chicago and has around 500 employees. The Ryuk attack had shut down all essential operations and manufacturing capabilities. The majority of the client's backups had been directly accessible at the time of the attack and were encrypted. The client considered paying the ransom (in excess of $200K) and praying for the best, but ultimately reached out to Progent.


"I cannot tell you enough in regards to the care Progent gave us throughout the most critical period of (our) company's survival. We had little choice but to pay the Hackers if not for the confidence the Progent experts provided us. That you were able to get our e-mail system and production servers back faster than five days was earth shattering. Each staff member I spoke to or e-mailed at Progent was hell bent on getting us operational and was working at all hours on our behalf."

Progent worked hand in hand with the customer to rapidly identify and assign priority to the key elements that needed to be recovered in order to resume company operations:

  • Microsoft Active Directory
  • E-Mail
  • Accounting and Manufacturing Software
To begin, Progent followed anti-virus incident response best practices by stopping lateral movement and cleaning up compromised systems. Progent then began the process of recovering Microsoft Active Directory, the heart of enterprise environments built upon Microsoft technology. Exchange messaging will not function without Windows AD, and the customer's financials and MRP software leveraged Microsoft SQL Server, which depends on Active Directory services for security authorization to the databases.

In less than 2 days, Progent was able to rebuild Active Directory to its pre-infection state. Progent then initiated setup and storage recovery on mission-critical servers. All Exchange ties and attributes were intact, which facilitated the restore of Exchange. Progent was also able to locate local OST files (Microsoft Outlook Offline Folder Files) on various workstations and laptops to recover mail messages. A recent offline backup of the customer's financials/ERP software made it possible to bring these required applications back on-line. Although a large amount of work remained to recover fully from the Ryuk event, the most important systems were restored quickly:


"For the most part, the production manufacturing operation showed little impact and we produced all customer deliverables."

During the next few weeks critical milestones in the recovery process were accomplished through tight collaboration between Progent team members and the customer:

  • Self-hosted web applications were restored with no loss of data.
  • The MailStore Server with over four million historical emails was spun up and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory capabilities were fully operational.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Nearly all of the desktops and laptops were fully operational.

"A huge amount of what transpired during the initial response is nearly entirely a fog for me, but my team will not soon forget the urgency each and every one of your team accomplished to help get our business back. I've utilized Progent for at least 10 years, maybe more, and each time I needed help Progent has shined and delivered as promised. This situation was no exception but maybe more Herculean."

Conclusion
A possible business extinction catastrophe was dodged by results-oriented professionals, a wide range of IT skills, and close collaboration. Although in retrospect the crypto-ransomware penetration described here could have been blocked with up-to-date cyber security solutions and ISO/IEC 27001 best practices, team training, and well designed incident response procedures for information protection and applying software patches, the reality is that government-sponsored cyber criminals from Russia, China and elsewhere are relentless and will continue their attacks. If you do fall victim to a ransomware penetration, feel confident that Progent's team of experts has a proven track record in ransomware virus defense, removal, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were involved), thank you for allowing me to get rested after we got over the first week. Everyone did an impressive effort, and if any of your guys is around the Chicago area, dinner is on me!"

To read or download a PDF version of this case study, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Raleigh a variety of remote monitoring and security evaluation services to assist you to reduce the threat from ransomware. These services utilize modern AI technology to detect new strains of ransomware that are able to escape detection by traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that incorporates cutting edge behavior-based machine learning technology to guard physical and virtual endpoints against new malware attacks like ransomware and email phishing, which routinely get by legacy signature-matching AV tools. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a single platform to automate the complete threat progression including blocking, identification, mitigation, cleanup, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer economical in-depth protection for physical servers and virtual machines, workstations, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and responding to security threats from all attack vectors. ProSight ESP provides firewall protection, penetration alarms, endpoint management, and web filtering through leading-edge technologies incorporated within a single agent accessible from a unified console. Progent's security and virtualization experts can assist you to design and configure a ProSight ESP deployment that addresses your company's specific requirements and that allows you achieve and demonstrate compliance with government and industry information protection regulations. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for urgent action. Progent can also help you to install and test a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business rapidly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized organizations a low cost and fully managed service for reliable backup/disaster recovery. Available at a fixed monthly price, ProSight DPS automates and monitors your backup processes and allows rapid restoration of vital files, applications and VMs that have become lost or damaged due to component breakdowns, software bugs, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware images. Important data can be backed up to the cloud, to a local storage device, or to both. Progent's BDR consultants can provide world-class expertise to configure ProSight DPS to be compliant with regulatory requirements such as HIPAA, FINRA, and PCI and, when needed, can assist you to recover your critical information. Learn more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of top information security vendors to deliver centralized control and world-class protection for all your inbound and outbound email. The powerful architecture of Progent's Email Guard combines cloud-based filtering with a local security gateway appliance to offer advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's cloud filter serves as a preliminary barricade and keeps most unwanted email from making it to your network firewall. This reduces your vulnerability to inbound threats and conserves system bandwidth and storage space. Email Guard's onsite security gateway device provides a deeper layer of analysis for inbound email. For outbound email, the onsite security gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also assist Exchange Server to track and protect internal email traffic that originates and ends inside your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller organizations to map out, monitor, enhance and debug their networking appliances like routers, firewalls, and access points plus servers, printers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that network maps are always updated, captures and displays the configuration information of virtually all devices on your network, tracks performance, and generates alerts when issues are detected. By automating tedious management and troubleshooting activities, ProSight WAN Watch can knock hours off ordinary tasks like making network diagrams, reconfiguring your network, finding appliances that require critical software patches, or isolating performance problems. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management techniques to help keep your IT system operating at peak levels by checking the health of vital computers that power your information system. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your specified IT personnel and your Progent consultant so that all looming problems can be resolved before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual host configured and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting model, the client owns the data, the OS software, and the applications. Since the system is virtualized, it can be ported immediately to a different hardware solution without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and protect data about your IT infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates, domains or warranties. By updating and managing your IT documentation, you can eliminate as much as half of the time spent searching for critical information about your network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents related to managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether you're making enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.
For Raleigh 24x7x365 Crypto Cleanup Experts, reach out to Progent at 800-993-9400 or go to Contact Progent.