Ransomware : Your Feared Information Technology Catastrophe
Ransomware Remediation Consultants
Crypto-ransomware has become an escalating cyber pandemic that poses an existential threat to organizations vulnerable to an attack. Versions of crypto-ransomware such as Reveton, WannaCry, Bad Rabbit, NotPetya and the MongoLock cryptoworms have been circulating for a long time and continue to inflict harm. Modern strains of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit or Egregor, plus additional as yet unnamed newcomers, not only encrypt online data but also infiltrate many configured system backups. Information synced to off-site disaster recovery sites can also be rendered useless. In a poorly architected environment, this can make automatic restore operations hopeless and effectively knocks the datacenter back to zero.

Retrieving programs and information following a ransomware attack becomes a race against the clock as the victim fights to stop lateral movement and clear the ransomware and to resume business-critical operations. Because ransomware requires time to move laterally, attacks are often sprung on weekends, when successful penetrations tend to take longer to identify. This compounds the difficulty of quickly assembling and orchestrating a knowledgeable response team.

Progent makes available an assortment of solutions for securing businesses from ransomware penetrations. These include team member education to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with installation of next-generation security gateways with artificial intelligence technology to automatically identify and extinguish zero-day cyber threats. Progent in addition offers the services of seasoned ransomware recovery professionals with the skills and perseverance to rebuild a compromised system as rapidly as possible.

Progent's Ransomware Recovery Help
Following a crypto-ransomware penetration, paying the ransom in Bitcoin does not ensure that the remote criminals will hand over the keys needed to decrypt any of your files. Kaspersky found that 17% of ransomware victims never restored their information after having paid the ransom, resulting in further losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNET determined to be in the range of $13,000. The other path is to re-install the key components of your IT environment. Absent full data backups, this calls for a wide complement of IT skills, top-notch project management, and the capability to work 24x7 until the job is complete.

For twenty years, Progent has made available expert IT services for businesses in Raleigh and across the U.S. and has earned Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have earned top industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have earned internationally renowned certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications). Progent also has experience in financial management and ERP applications. This breadth of expertise gives Progent the ability to knowledgeably identify critical systems, re-organize the remaining pieces of your IT environment following a crypto-ransomware event, and assemble them into an operational network.

Progent's recovery group has powerful project management systems to coordinate the complicated recovery process. Progent knows the importance of acting rapidly and in unison with a client's management and Information Technology resources to assign priority to tasks and to get essential applications back online as fast as possible.

Client Story: A Successful Ransomware Penetration Restoration
A customer contacted Progent after their organization was brought down by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state hackers, suspected of using techniques leaked from America's NSA. Ryuk targets specific organizations with limited room for operational disruption and is among the most profitable ransomware families. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing company in Chicago with around 500 staff members. The Ryuk event had disabled all company operations and manufacturing capabilities. Most of the client's backups had been online and directly accessible at the time of the attack and were damaged. The client was actively seeking loans to pay the ransom demand (more than $200K) and hoping for the best, but ultimately turned to Progent.


"I can't thank you enough in regards to the help Progent gave us during the most stressful time of (our) company's survival. We had little choice but to pay the hackers behind this attack except for the confidence the Progent experts afforded us. The fact that you could get our e-mail system and important servers back sooner than seven days was something I thought impossible. Every single expert I talked with or messaged at Progent was absolutely committed on getting us restored and was working day and night to bail us out."

Progent worked hand in hand with the client to quickly determine and prioritize the critical applications that needed to be recovered in order to resume company functions:

  • Microsoft Active Directory
  • Microsoft Exchange Email
  • Accounting and Manufacturing Software

To begin, Progent followed anti-virus/malware incident mitigation best practices by isolating systems and cleaning them of malware. Progent then began rebuilding Windows Active Directory, the core technology of enterprise environments built on Microsoft products. Microsoft Exchange Server email will not operate without AD, and the client's accounting and MRP system ran on Microsoft SQL Server, which relied on Active Directory for authenticating access to the data.

In less than two days, Progent rebuilt Active Directory to its pre-intrusion state. Progent then helped rebuild the most important applications and recover their storage. All Microsoft Exchange Server schema and configuration information was intact, which simplified the restore of Exchange. Progent was able to collect unencrypted OST files (Outlook Offline Folder Files) from staff PCs and laptops to recover mail messages. A reasonably recent offline backup of the business's manufacturing software made it possible to bring these required programs back online. Although a great deal of work remained to recover fully from the Ryuk attack, critical systems were returned to operation rapidly:
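As an added illustration (not Progent's tooling and not the exact steps taken on this engagement), the script below shows how a recovery team might triage the cached OST/PST files on workstations, keeping only those whose Outlook file header is still intact; the directory layout and file names are constructed for the demo.

```python
"""Triage Outlook OST/PST cache files on workstations after a ransomware
event: keep only files whose header is intact so they can be used to
recover mailbox contents while Exchange is rebuilt (added example)."""
import shutil
import tempfile
from pathlib import Path
from typing import Optional

# Every Outlook PST/OST file begins with the magic bytes "!BDN"
# (dwMagic in Microsoft's MS-PST file format specification).
OUTLOOK_MAGIC = b"!BDN"


def classify_outlook_file(path: Path) -> str:
    """Return 'intact', 'damaged' (header gone, e.g. encrypted) or 'empty'."""
    try:
        with path.open("rb") as fh:
            header = fh.read(4)
    except OSError:
        return "damaged"
    if not header:
        return "empty"
    return "intact" if header == OUTLOOK_MAGIC else "damaged"


def triage_ost_files(root: Path, collect_dir: Optional[Path] = None) -> dict:
    """Find *.ost/*.pst files under root (ransomware often appends its own
    extension, so match on the name rather than the suffix), classify each,
    and copy intact ones into collect_dir for the mailbox recovery team."""
    result = {"intact": [], "damaged": [], "empty": [], "collected": []}
    # sorted() materialises the walk before we start writing into collect_dir
    for path in sorted(root.rglob("*")):
        name = path.name.lower()
        if not path.is_file() or not (".ost" in name or ".pst" in name):
            continue
        state = classify_outlook_file(path)
        result[state].append(str(path))
        if state == "intact" and collect_dir is not None:
            collect_dir.mkdir(parents=True, exist_ok=True)
            # Prefix with the parent folder so files from different user
            # profiles do not overwrite each other in the collection share.
            dest = collect_dir / f"{path.parent.name}_{path.name}"
            shutil.copy2(path, dest)
            result["collected"].append(str(dest))
    return result


def demo() -> dict:
    """Constructed sample tree (not real client data): one intact OST, one
    OST overwritten with junk and renamed by ransomware, one empty PST."""
    root = Path(tempfile.mkdtemp())
    (root / "userA").mkdir()
    (root / "userB").mkdir()
    (root / "userA" / "outlook.ost").write_bytes(OUTLOOK_MAGIC + b"\x00" * 508)
    (root / "userB" / "outlook.ost.RYK").write_bytes(bytes(range(256)) * 2)
    (root / "userB" / "archive.pst").write_bytes(b"")
    return triage_ost_files(root, root / "collected")
```

Run `demo()` to see the three buckets; in practice the collection directory would be a share the recovery team reads with Outlook or a PST export tool.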


"For the most part, the production manufacturing operation never missed a beat and we did not miss any customer deliverables."

Throughout the following few weeks, important milestones in the restoration project were reached through tight cooperation between Progent engineers and the client:

  • Self-hosted web sites were brought back up without losing any data.
  • The MailStore archive for Microsoft Exchange Server, holding more than four million archived emails, was spun up and made available to users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory Control modules were 100 percent recovered.
  • A new Palo Alto 850 security appliance was set up and programmed.
  • 90% of the user PCs were fully operational.

"So much of what went on those first few days is mostly a haze for me, but my management will not forget the care all of you accomplished to give us our business back. I've been working with Progent for the past ten years, possibly more, and every time I needed help Progent has shined and delivered as promised. This time was no exception but maybe more Herculean."

Conclusion
A probable company-ending disaster was averted through the efforts of hard-working experts, a wide range of IT skills, and tight teamwork. Although in retrospect the crypto-ransomware incident described here should have been prevented by advanced security technology and best practices, user education, and well-designed procedures for data protection and software patching, the fact is that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and are not going away. If you do fall victim to a ransomware attack, feel confident that Progent's roster of experts has extensive experience in crypto-ransomware blocking, cleanup, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were helping), thank you for making it so I could get some sleep after we made it past the most critical parts. All of you did an amazing effort, and if any of your guys is around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Raleigh a range of online monitoring and security evaluation services to help you to reduce your vulnerability to ransomware. These services utilize next-generation machine learning technology to detect zero-day strains of ransomware that are able to evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that utilizes next generation behavior-based machine learning technology to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which easily evade traditional signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud resources and offers a unified platform to address the entire threat progression including protection, infiltration detection, mitigation, cleanup, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable in-depth security for physical servers and virtual machines, workstations, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and response to security assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alerts, device control, and web filtering through cutting-edge tools incorporated within a single agent managed from a single console. Progent's data protection and virtualization experts can assist you to plan and configure a ProSight ESP environment that addresses your organization's specific requirements and that allows you to prove compliance with government and industry data protection standards. Progent will assist you to specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for urgent action. Progent can also assist your company to install and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and medium-sized businesses a low-cost and fully managed solution for reliable backup/disaster recovery (BDR). For a fixed monthly price, ProSight DPS automates and monitors your backup processes and enables rapid restoration of vital files, apps and VMs that have become lost or corrupted as a result of component breakdowns, software glitches, natural disasters, human error, or malware attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images. Important data can be backed up to the cloud, to an on-premises device, or to both. Progent's cloud backup specialists can deliver world-class support to configure ProSight Data Protection Services to be compliant with regulatory standards like HIPAA, FERPA, and PCI and, whenever needed, can assist you to recover your critical data. Find out more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading data security vendors to deliver web-based control and world-class protection for your inbound and outbound email. The powerful structure of the Email Guard managed service combines a Cloud Protection Layer with a local gateway appliance to offer complete protection against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter serves as a preliminary barricade and blocks most threats from reaching your network firewall. This decreases your vulnerability to external attacks and conserves network bandwidth and storage. Email Guard's on-premises gateway appliance provides a further layer of inspection for incoming email. For outgoing email, the on-premises gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to track and safeguard internal email that stays within your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized businesses to diagram, track, reconfigure and debug their connectivity appliances such as routers, firewalls, and load balancers as well as servers, printers, client computers and other devices. Using cutting-edge RMM technology, WAN Watch ensures that network diagrams are kept current, captures and manages the configuration of virtually all devices connected to your network, monitors performance, and generates alerts when potential issues are detected. By automating time-consuming management and troubleshooting processes, WAN Watch can knock hours off common tasks like making network diagrams, expanding your network, locating devices that require important software patches, or identifying the cause of performance issues. Find out more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) technology to keep your IT system running efficiently by tracking the health of vital assets that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted automatically to your designated IT management personnel and your Progent consultant so that any looming issues can be addressed before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure fault tolerant data center on a high-performance virtual machine host configured and managed by Progent's network support professionals. Under the ProSight Virtual Hosting model, the client owns the data, the OS software, and the apps. Because the system is virtualized, it can be moved easily to an alternate hardware solution without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, find and protect information related to your network infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be alerted about impending expirations of SSL certificates, domains or warranties. By updating and organizing your IT documentation, you can eliminate as much as 50% of the time wasted searching for critical information about your IT network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents related to managing your network infrastructure such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're making improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Find out more about ProSight IT Asset Management service.

For Raleigh 24/7/365 Crypto Remediation Consulting, call Progent at 800-993-9400 or go to Contact Progent.