Ransomware : Your Worst IT Disaster
Ransomware Remediation Professionals
Crypto-ransomware has become a modern cyberplague that represents an existential threat for businesses of all sizes that are poorly prepared for an attack. Versions of crypto-ransomware like the Reveton, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for years and continue to inflict harm. Modern versions of crypto-ransomware like Ryuk and Hermes, as well as the as yet unnamed variants that appear daily, not only encrypt online information but also reach any configured system backups that are accessible from the compromised network. Information synchronized to cloud environments can also be corrupted. In a poorly architected system, this can render any restoration useless and effectively knocks the network back to square one.

Restoring services and data after a ransomware attack becomes a sprint against the clock as the targeted organization tries its best to stop lateral movement, clean up the ransomware, and resume mission-critical operations. Since ransomware takes time to replicate, penetrations are usually launched during nights and weekends, when successful attacks tend to take longer to detect. This compounds the difficulty of quickly marshalling and organizing an experienced mitigation team.

Progent makes available a variety of services for protecting enterprises from crypto-ransomware attacks. Among these are staff training to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of modern security gateways with machine learning technology to intelligently discover and quarantine new cyber threats. Progent also can provide the assistance of veteran ransomware recovery professionals with the skills and commitment to restore a compromised network as urgently as possible.

Progent's Ransomware Recovery Support Services
Following a ransomware penetration, sending the ransom in cryptocurrency does not ensure that criminal gangs will return the keys to decrypt any or all of your data. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never recovered their information after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET estimates to be around $13,000. The fallback is to set up from scratch the mission-critical components of your Information Technology environment. Absent the availability of full information backups, this requires a wide complement of skill sets, professional project management, and the capability to work 24x7 until the job is finished.

For two decades, Progent has provided expert IT services for companies in Salt Lake City and across the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have attained top industry certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally renowned certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent in addition has experience in financial management and ERP software solutions. This breadth of expertise gives Progent the capability to efficiently identify important systems, consolidate the surviving components of your Information Technology system after a crypto-ransomware event, and assemble them into an operational system.

Progent's recovery team uses powerful project management applications to coordinate the sophisticated restoration process. Progent understands the importance of working rapidly and in unison with a customer's management and IT resources to prioritize tasks and to get the most important systems back on line as soon as possible.

Customer Case Study: A Successful Ransomware Virus Restoration
A client sought out Progent after their company was brought down by Ryuk crypto-ransomware. Ryuk is thought to have been created by North Korean government sponsored hackers, suspected of adopting techniques leaked from the U.S. National Security Agency. Ryuk attacks specific companies with little tolerance for operational disruption and is among the most profitable examples of crypto-ransomware. Headline victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing company headquartered in Chicago with about 500 staff members. The Ryuk attack had paralyzed all essential operations and manufacturing capabilities. Most of the client's system backups had been directly accessible from the network at the start of the attack and were encrypted along with the production data. The client considered paying the ransom (exceeding $200K) and hoping for the best, but in the end brought in Progent.

"I cannot tell you enough in regards to the expertise Progent provided us throughout the most critical time of (our) company's existence. We most likely would have paid the Hackers if not for the confidence the Progent team gave us. The fact that you could get our e-mail system and essential servers back into operation sooner than a week was earth shattering. Each expert I spoke to or texted at Progent was laser focused on getting our system up and was working day and night on our behalf."

Progent worked together with the client to quickly identify and prioritize the key services that needed to be restored to make it possible to restart departmental functions:

  • Windows Active Directory
  • Microsoft Exchange
  • Accounting and Manufacturing Software

To begin, Progent adhered to anti-virus incident response best practices by halting the spread and clearing infected systems. Progent then initiated the steps of recovering Windows Active Directory, the core of enterprise environments built upon Microsoft technology. Microsoft Exchange Server messaging will not function without AD, and the customer's accounting and MRP applications used SQL Server, which relies on Windows AD for authenticated access to the database.

Within 48 hours, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then helped perform reinstallations and storage recovery on the most important systems. All Exchange Server ties and configuration information were intact, which facilitated the restore of Exchange. Progent was able to assemble intact OST files (Outlook Off-Line Data Files) on team PCs to recover email information. A relatively recent offline backup of the client's manufacturing software, which the ransomware had not been able to reach, made it possible to bring these required programs back on-line. Although major work was left to recover fully from the Ryuk virus, the most important services were recovered rapidly:


"For the most part, the production line operation was never shut down and we made all customer deliverables."

Over the next month critical milestones in the restoration project were completed through close collaboration between Progent engineers and the customer:

  • Internal web sites were brought back up with no loss of data.
  • The MailStore archive for Microsoft Exchange Server, holding more than four million archived messages, was brought back on-line and made available to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory Control modules were completely operational.
  • A new Palo Alto 850 firewall was brought online.
  • Ninety percent of the user desktops and notebooks were operational.

"So much of what was accomplished in the initial days is mostly a haze for me, but our team will not forget the urgency each and every one of you accomplished to give us our business back. I've been working together with Progent for at least 10 years, possibly more, and each time I needed help Progent has impressed me and delivered as promised. This event was a stunning achievement."

Conclusion
A possible business-ending disaster was dodged by top-tier experts, a broad range of knowledge, and tight teamwork. In retrospect, the crypto-ransomware penetration described here could have been identified and stopped with modern security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, and properly executed procedures for data backup and software patching. The reality, however, is that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a crypto-ransomware penetration, remember that Progent's roster of professionals has substantial experience in ransomware defense, remediation, and information systems disaster recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thanks very much for letting me get some sleep after we made it over the most critical parts. Everyone did an impressive effort, and if anyone that helped is in the Chicago area, a great meal is my treat!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Salt Lake City a variety of remote monitoring and security assessment services to help you reduce the threat from ransomware. These services include modern artificial intelligence capability to uncover new variants of crypto-ransomware that can evade traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates next generation behavior-based machine learning technology to guard physical and virtual endpoints against new malware assaults such as ransomware and email phishing, which routinely evade legacy signature-based anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a single platform to automate the entire malware attack lifecycle including protection, infiltration detection, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services offer affordable multi-layer protection for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and response to cyber threats from all vectors. ProSight ESP provides firewall protection, penetration alarms, endpoint control, and web filtering through cutting-edge technologies packaged within a single agent accessible from a unified console. Progent's data protection and virtualization consultants can help you plan and configure a ProSight ESP environment that addresses your organization's unique requirements and that helps you demonstrate compliance with legal and industry information security standards. Progent will help you define and implement the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent attention. Progent can also help you set up and verify a backup and restore solution like ProSight Data Protection Services so you can get back in business rapidly after a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized businesses an affordable and fully managed solution for secure backup and disaster recovery. Available at a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup processes and enables fast recovery of critical files, applications and virtual machines that have become lost or corrupted due to component breakdowns, software glitches, natural disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to an on-premises device, or mirrored to both. Progent's cloud backup specialists can deliver world-class expertise to configure ProSight Data Protection Services to comply with government and industry regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can help you restore your business-critical information. Learn more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of top data security companies to deliver web-based control and comprehensive security for your inbound and outbound email. The powerful structure of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway appliance to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps the vast majority of threats from making it to your security perimeter. This decreases your exposure to external threats and conserves system bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a deeper layer of analysis for inbound email. For outgoing email, the on-premises gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to monitor and safeguard internal email traffic that originates and ends within your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized organizations to map, monitor, enhance and debug their connectivity hardware such as routers and switches, firewalls, and access points as well as servers, endpoints and other networked devices. Incorporating state-of-the-art RMM technology, WAN Watch makes sure that infrastructure topology diagrams are kept current, captures and manages the configuration information of almost all devices connected to your network, monitors performance, and generates notices when problems are discovered. By automating time-consuming management activities, ProSight WAN Watch can cut hours off ordinary tasks such as making network diagrams, expanding your network, finding devices that need critical software patches, or resolving performance issues. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management technology to keep your network operating at peak levels by tracking the state of critical computers that power your information system. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your designated IT personnel and your Progent consultant so all potential issues can be resolved before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure Tier III data center on a fast virtual machine host configured and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the applications. Since the environment is virtualized, it can be ported easily to a different hardware solution without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, find and safeguard data related to your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your network documentation, you can eliminate as much as 50% of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents related to managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're making improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.

For Salt Lake City 24x7 Crypto-Ransomware Removal Consultants, contact Progent at 800-993-9400 or go to Contact Progent.