Ransomware: Your Feared Information Technology Disaster
Crypto-ransomware has become an escalating cyber pandemic that represents an enterprise-level danger for any business vulnerable to an attack. Multiple generations of ransomware such as the CryptoLocker, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for a long time and continue to inflict damage. More recent variants such as Ryuk and Hermes, plus unnamed newcomers, not only encrypt on-line data but also infect any reachable system backup. Data replicated to cloud environments can also be ransomed. With a vulnerable data protection solution, this can make any restoration impossible and effectively sets the datacenter back to zero.
Recovering applications and data after a ransomware event becomes a sprint against the clock as the victim struggles to stop the spread, remove the crypto-ransomware, and resume mission-critical activity. Since ransomware requires time to replicate, intrusions are frequently launched on weekends and holidays, when attacks tend to take longer to identify. This compounds the difficulty of quickly mobilizing and organizing a qualified mitigation team.
Progent provides an assortment of support services for protecting businesses from ransomware attacks. These include user training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of modern security solutions that use AI technology to intelligently discover and disable zero-day cyber threats. Progent also offers the services of seasoned ransomware recovery consultants with the skills and perseverance to restore a breached system as quickly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware attack, paying the ransom demand in Bitcoin cryptocurrency does not guarantee that the attackers will return the keys needed to decrypt any or all of your files. Kaspersky found that 17% of crypto-ransomware victims never recovered their data even after paying the ransom, resulting in additional losses. The ransom itself is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the typical crypto-ransomware demand, which ZDNET determined to be in the range of $13,000. The alternative is to piece back together the critical parts of your Information Technology environment. Without access to essential system backups, this requires a wide range of skills, top-notch project management, and the willingness to work 24x7 until the recovery project is finished.
For decades, Progent has provided professional IT services for businesses in Salt Lake City and across the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who hold advanced certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have earned internationally recognized industry certifications including CISM, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise with financial systems and ERP software solutions. This breadth of expertise gives Progent the skills to quickly understand important systems, re-organize the surviving components of your Information Technology environment following a ransomware intrusion, and rebuild them into an operational network.
Progent's ransomware team of experts uses top-notch project management systems to coordinate the complicated recovery process. Progent understands the urgency of working quickly and together with a customer's management and Information Technology staff to prioritize tasks and to get critical services back online as fast as possible.
Case Study: A Successful Crypto-Ransomware Attack Recovery
A business engaged Progent after their network was taken over by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean government-sponsored cybercriminals, possibly using technology leaked from the U.S. NSA. Ryuk attacks specific organizations with little ability to sustain disruption and is one of the most lucrative ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer headquartered in the Chicago metro area with around 500 staff members. The Ryuk intrusion had frozen all company operations and manufacturing processes. The majority of the client's backups had been online at the start of the intrusion and were destroyed. The client considered paying the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but in the end made the decision to use Progent.
"I cannot say enough about the support Progent provided us during the most stressful time of (our) company's survival. We would have paid the hackers behind this attack if not for the confidence the Progent experts provided us. That you were able to get our messaging and essential applications back on-line faster than a week was amazing. Each person I spoke to or e-mailed at Progent was laser focused on getting us operational and was working at breakneck pace on our behalf."
Progent worked together with the customer to quickly understand and prioritize the key areas that had to be restored to make it possible to resume departmental operations:
- Windows Active Directory
To start, Progent followed industry best practices for malware incident mitigation by containing the spread and removing the malware. Progent then initiated the process of recovering Microsoft Active Directory, the foundation of enterprise systems built on Microsoft Windows technology. Microsoft Exchange messaging will not function without Active Directory, and the client's financials and MRP system used Microsoft SQL Server, which depends on Active Directory services for access to the databases.
In less than 48 hours, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then initiated setup and storage recovery of critical applications. All Exchange Server data and attributes were usable, which greatly helped the restore of Exchange. Progent was also able to locate local OST files (Outlook Offline Data Files) on team workstations in order to recover email data. A reasonably recent off-line backup of the client's accounting/MRP software made it possible to return these essential services to users. Although significant work remained to recover fully from Ryuk, the most important systems were recovered quickly:
"For the most part, the manufacturing operation showed little impact and we made all customer orders."
Throughout the next couple of weeks, important milestones in the restoration project were reached through tight collaboration between Progent team members and the client:
- Self-hosted web applications were returned to operation with no loss of data.
- The MailStore archive server for Microsoft Exchange, containing more than four million archived messages, was brought on-line and made accessible to users.
- CRM/Orders/Invoices/Accounts Payable (AP)/AR/Inventory Control capabilities were completely recovered.
- A new Palo Alto Networks 850 firewall was set up and programmed.
- Most of the desktops and laptops were back in use by staff.
"Much of what went on during the initial response is nearly entirely a haze for me, but we will not soon forget the countless hours all of you put in to give us our company back. I have trusted Progent for the past 10 years, maybe more, and every time Progent has come through and delivered. This event was a Herculean accomplishment."
A probable business-ending disaster was averted through results-oriented experts, a wide range of subject matter expertise, and close collaboration. In retrospect, the ransomware incident described here would have been identified and prevented with current cyber security solutions and ISO/IEC 27001 best practices, staff education, and properly executed incident response procedures for data backup and keeping systems up to date with security patches. The fact remains, however, that state-sponsored hackers from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware incursion, remember that Progent's team of professionals has substantial experience in crypto-ransomware blocking, mitigation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thanks very much for making it so I could get rested after we made it through the initial push. All of you did an incredible effort, and if anyone that helped is visiting the Chicago area, a great meal is the least I can do!"
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Salt Lake City a range of remote monitoring and security assessment services to help you minimize the threat from crypto-ransomware. These services incorporate modern artificial intelligence capability to detect zero-day strains of crypto-ransomware that are able to get past legacy signature-based anti-virus products.
For 24-Hour Salt Lake City Crypto Remediation Consulting, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes cutting-edge behavior-based analysis tools to defend physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely evade traditional signature-matching anti-virus products. ProSight ASM protects local and cloud-based resources and provides a unified platform to automate the complete threat lifecycle including blocking, identification, mitigation, remediation, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
ProSight Enhanced Security Protection (ESP) services deliver economical in-depth protection for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and responding to cyber assaults from all vectors. ProSight ESP provides firewall protection, intrusion alerts, device control, and web filtering through cutting-edge technologies incorporated within one agent managed from a single control point. Progent's data protection and virtualization consultants can help you plan and configure a ProSight ESP deployment that addresses your company's unique needs and that allows you to demonstrate compliance with government and industry data security regulations. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for immediate attention. Progent can also help your company set up and verify a backup and restore system like ProSight Data Protection Services so you can get back in business quickly after a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services offer small and mid-sized organizations an affordable and fully managed service for secure backup and disaster recovery. Available at a fixed monthly price, ProSight Data Protection Services automates and monitors your backup activities and enables fast recovery of critical files, apps and virtual machines that have become unavailable or damaged as a result of component breakdowns, software bugs, disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to an on-premises device, or mirrored to both. Progent's BDR specialists can provide world-class expertise to set up ProSight Data Protection Services to comply with regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can help you recover your critical data. Read more about ProSight Data Protection Services Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top information security companies to deliver centralized control and comprehensive protection for your email traffic. The powerful structure of Email Guard combines cloud-based filtering with a local gateway appliance to provide advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's cloud filter serves as a preliminary barricade and blocks most threats from making it to your network firewall. This decreases your exposure to inbound attacks and saves network bandwidth and storage space. Email Guard's onsite security gateway appliance adds a further level of analysis for inbound email. For outgoing email, the on-premises gateway offers AV and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends within your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to map out, monitor, enhance and debug their connectivity hardware like switches, firewalls, and wireless controllers plus servers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept updated, copies and manages the configuration of almost all devices connected to your network, monitors performance, and generates alerts when potential issues are discovered. By automating time-consuming network management processes, ProSight WAN Watch can knock hours off ordinary tasks like making network diagrams, reconfiguring your network, finding appliances that require important software patches, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) technology to keep your network running at peak levels by checking the state of vital assets that drive your business network. When ProSight LAN Watch detects an issue, an alert is sent automatically to your designated IT management personnel and your assigned Progent consultant so that any looming problems can be addressed before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual machine host configured and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting model, the client owns the data, the OS software, and the applications. Because the environment is virtualized, it can be moved easily to an alternate hosting environment without a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and protect information about your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By updating and managing your IT infrastructure documentation, you can eliminate up to half of the time wasted trying to find vital information about your network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents related to managing your business network, such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're making enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you need when you need it. Read more about ProSight IT Asset Management service.