Ransomware : Your Worst Information Technology Disaster
Ransomware  Remediation ProfessionalsCrypto-Ransomware has become a too-frequent cyber pandemic that poses an existential threat for businesses of all sizes vulnerable to an assault. Different versions of ransomware such as CrySIS, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been around for many years and continue to cause destruction. Recent strains of crypto-ransomware such as Ryuk and Hermes, as well as additional unnamed viruses, not only do encryption of online files but also infect any accessible system protection mechanisms. Data synchronized to the cloud can also be rendered useless. In a poorly architected data protection solution, it can make any recovery useless and basically sets the datacenter back to zero.

Restoring programs and data following a ransomware attack becomes a race against the clock as the victim tries its best to stop lateral movement and remove the ransomware and to resume mission-critical activity. Since ransomware needs time to move laterally, assaults are often launched during weekends and nights, when successful attacks in many cases take longer to detect. This compounds the difficulty of quickly assembling and coordinating an experienced response team.

Progent provides a variety of solutions for securing businesses from crypto-ransomware events. Among these are team education to help identify and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of next-generation security gateways with machine learning capabilities to rapidly identify and suppress zero-day cyber attacks. Progent in addition offers the services of expert crypto-ransomware recovery engineers with the track record and perseverance to restore a breached environment as soon as possible.

Progent's Crypto-Ransomware Recovery Support Services
Following a ransomware penetration, paying the ransom in Bitcoin cryptocurrency does not provide any assurance that criminal gangs will respond with the codes to decrypt any or all of your data. Kaspersky determined that seventeen percent of ransomware victims never recovered their files after having paid the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the average crypto-ransomware demands, which ZDNET determined to be around $13,000. The fallback is to setup from scratch the mission-critical components of your IT environment. Without access to complete system backups, this requires a wide complement of IT skills, well-coordinated team management, and the willingness to work non-stop until the recovery project is complete.

For decades, Progent has offered expert Information Technology services for businesses in Raleigh and throughout the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have attained high-level industry certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have earned internationally-recognized industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise with accounting and ERP application software. This breadth of experience gives Progent the capability to knowledgably identify necessary systems and integrate the surviving parts of your computer network environment after a crypto-ransomware attack and rebuild them into an operational network.

Progent's ransomware team of experts uses best of breed project management applications to coordinate the complex recovery process. Progent appreciates the urgency of acting quickly and in unison with a client's management and IT team members to assign priority to tasks and to put key services back on line as soon as humanly possible.

Client Case Study: A Successful Ransomware Intrusion Recovery
A business engaged Progent after their network was taken over by the Ryuk ransomware virus. Ryuk is generally considered to have been launched by North Korean state sponsored criminal gangs, suspected of using techniques leaked from Americaís National Security Agency. Ryuk targets specific companies with little tolerance for disruption and is among the most lucrative examples of ransomware. Headline victims include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer based in the Chicago metro area with about 500 staff members. The Ryuk event had shut down all business operations and manufacturing processes. Most of the client's information backups had been online at the time of the intrusion and were destroyed. The client was pursuing financing for paying the ransom (more than $200,000) and hoping for the best, but in the end engaged Progent.


"I cannot speak enough in regards to the support Progent gave us during the most fearful time of (our) businesses survival. We may have had to pay the cyber criminals except for the confidence the Progent team gave us. That you were able to get our e-mail and key applications back into operation quicker than one week was something I thought impossible. Every single staff member I worked with or e-mailed at Progent was absolutely committed on getting us operational and was working all day and night to bail us out."

Progent worked together with the customer to quickly understand and assign priority to the critical areas that needed to be addressed to make it possible to continue company operations:

  • Active Directory
  • Electronic Mail
  • Accounting and Manufacturing Software
To begin, Progent followed Anti-virus incident mitigation best practices by halting lateral movement and clearing up compromised systems. Progent then initiated the work of rebuilding Windows Active Directory, the core of enterprise systems built upon Microsoft technology. Exchange messaging will not operate without AD, and the businessesí financials and MRP applications used Microsoft SQL Server, which depends on Windows AD for access to the data.

Within two days, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then completed reinstallations and storage recovery on the most important systems. All Microsoft Exchange Server ties and attributes were usable, which accelerated the restore of Exchange. Progent was also able to assemble local OST files (Microsoft Outlook Off-Line Data Files) on team PCs and laptops to recover email messages. A not too old offline backup of the businesses accounting/ERP software made them able to recover these vital applications back on-line. Although a large amount of work was left to recover fully from the Ryuk attack, critical services were restored quickly:


"For the most part, the assembly line operation did not miss a beat and we made all customer orders."

Over the next month key milestones in the recovery project were completed in close cooperation between Progent consultants and the client:

  • Self-hosted web sites were returned to operation with no loss of information.
  • The MailStore Exchange Server exceeding four million historical emails was restored to operations and accessible to users.
  • CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory capabilities were completely restored.
  • A new Palo Alto 850 security appliance was installed and configured.
  • Nearly all of the user desktops were operational.

"A lot of what occurred that first week is nearly entirely a fog for me, but we will not forget the dedication each of the team put in to give us our business back. Iíve been working together with Progent for the past ten years, maybe more, and each time Progent has come through and delivered. This situation was no exception but maybe more Herculean."

Conclusion
A probable business-ending catastrophe was averted by dedicated professionals, a broad array of technical expertise, and close teamwork. Although in retrospect the crypto-ransomware penetration detailed here should have been identified and disabled with modern security solutions and security best practices, staff education, and appropriate security procedures for information protection and applying software patches, the reality remains that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware penetration, feel confident that Progent's team of professionals has a proven track record in crypto-ransomware virus defense, remediation, and data disaster recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), Iím grateful for allowing me to get rested after we got through the most critical parts. Everyone did an amazing effort, and if any of your guys is in the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Raleigh a portfolio of online monitoring and security assessment services to help you to reduce the threat from crypto-ransomware. These services include next-generation machine learning technology to detect new variants of crypto-ransomware that can escape detection by legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates next generation behavior machine learning technology to defend physical and virtual endpoint devices against new malware assaults like ransomware and email phishing, which routinely escape traditional signature-matching AV products. ProSight ASM protects on-premises and cloud-based resources and offers a single platform to automate the complete threat progression including blocking, identification, containment, remediation, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver affordable in-depth protection for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and reacting to cyber assaults from all vectors. ProSight ESP offers two-way firewall protection, penetration alerts, endpoint management, and web filtering via leading-edge technologies incorporated within a single agent accessible from a single console. Progent's security and virtualization consultants can help your business to plan and configure a ProSight ESP environment that addresses your organization's specific requirements and that helps you achieve and demonstrate compliance with legal and industry information security regulations. Progent will help you define and configure policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that call for urgent attention. Progent's consultants can also assist you to set up and test a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business rapidly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and medium-sized organizations a low cost end-to-end solution for reliable backup/disaster recovery (BDR). For a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup processes and enables fast recovery of critical files, applications and VMs that have become unavailable or damaged as a result of component breakdowns, software glitches, natural disasters, human mistakes, or malicious attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to an on-promises device, or mirrored to both. Progent's backup and recovery specialists can provide advanced expertise to set up ProSight Data Protection Services to to comply with government and industry regulatory requirements such as HIPAA, FINRA, and PCI and, whenever needed, can assist you to restore your business-critical data. Learn more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading data security vendors to deliver centralized control and world-class security for your email traffic. The hybrid structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway device to offer complete defense against spam, viruses, Dos Attacks, DHAs, and other email-based malware. Email Guard's cloud filter serves as a first line of defense and blocks most unwanted email from making it to your network firewall. This reduces your exposure to inbound attacks and conserves system bandwidth and storage. Email Guard's on-premises security gateway appliance provides a further level of analysis for incoming email. For outgoing email, the onsite gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that originates and ends within your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progentís ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to map, monitor, enhance and debug their networking appliances such as switches, firewalls, and access points plus servers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network diagrams are kept updated, copies and displays the configuration information of virtually all devices connected to your network, monitors performance, and sends notices when potential issues are discovered. By automating time-consuming management and troubleshooting processes, WAN Watch can knock hours off common chores such as making network diagrams, reconfiguring your network, locating appliances that need important updates, or isolating performance problems. Learn more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management techniques to keep your network operating efficiently by checking the state of vital computers that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your designated IT management personnel and your assigned Progent engineering consultant so all looming issues can be addressed before they have a chance to impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure fault tolerant data center on a high-performance virtual host set up and maintained by Progent's network support professionals. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the apps. Because the system is virtualized, it can be ported easily to a different hosting environment without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and safeguard data related to your IT infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be warned about upcoming expirations of SSL certificates ,domains or warranties. By updating and managing your IT infrastructure documentation, you can eliminate up to 50% of time wasted trying to find critical information about your network. ProSight IT Asset Management features a common location for holding and collaborating on all documents required for managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether youíre planning enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you require as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.
For 24-7 Raleigh Ransomware Recovery Experts, contact Progent at 800-993-9400 or go to Contact Progent.