Ransomware: Your Worst IT Disaster
Ransomware has become a too-frequent cyberplague that poses an extinction-level threat for businesses vulnerable to an attack. Multiple generations of ransomware such as Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for many years and continue to cause harm. Recent variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Lockbit or Nephilim, plus frequent unnamed viruses, not only encrypt online information but also infiltrate any available system restores and backups. Information synced to cloud environments can also be rendered useless. In a poorly designed data protection solution, this can make automatic recovery useless and basically knock the network back to zero.

Retrieving services and data following a ransomware outage becomes a sprint against the clock as the targeted organization fights to contain and eradicate the crypto-ransomware and to resume mission-critical activity. Since ransomware requires time to replicate, attacks are frequently sprung on weekends and holidays, when penetrations tend to take longer to notice. This compounds the difficulty of rapidly mobilizing and orchestrating a capable response team.

Progent offers a range of support services for securing organizations from ransomware events. Among these are user education to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to installation of next-generation security gateways with AI capabilities to intelligently identify and suppress zero-day threats. Progent also offers the services of experienced ransomware recovery professionals with the talent and commitment to rebuild a compromised system as quickly as possible.

Progent's Ransomware Restoration Services
After a ransomware event, sending the ransom in cryptocurrency does not ensure that merciless criminals will return the codes needed to decrypt any or all of your information. Kaspersky determined that seventeen percent of crypto-ransomware victims never recovered their files even after having paid the ransom, resulting in additional losses. The risk is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC ($120,000 to $400,000). This is far higher than the typical crypto-ransomware demand, which ZDNET puts at around $13,000 on average. The alternative is to piece back together the vital parts of your IT environment. Absent the availability of complete data backups, this calls for a broad complement of IT skills, professional project management, and the willingness to work 24x7 until the job is over.

For twenty years, Progent has made available expert Information Technology services for companies in Houston and across the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have attained high-level certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have earned internationally-recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications). Progent also has expertise in accounting and ERP software solutions. This breadth of experience gives Progent the capability to efficiently understand important systems and organize the remaining parts of your Information Technology environment after a crypto-ransomware attack and configure them into an operational network.

Progent's recovery group has powerful project management systems to orchestrate the sophisticated restoration process. Progent appreciates the importance of acting quickly and together with a client's management and Information Technology staff to prioritize tasks and to get key services back on-line as fast as humanly possible.

Client Case Study: A Successful Ransomware Penetration Response
A customer contacted Progent after their company was penetrated by the Ryuk crypto-ransomware. Ryuk is generally considered to have been launched by North Korean state-sponsored hackers, suspected of adopting approaches exposed from the United States NSA. Ryuk attacks specific companies with little tolerance for disruption and is one of the most profitable instances of ransomware. Well-known victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturer based in the Chicago metro area and has about 500 staff members. The Ryuk attack had disabled all business operations and manufacturing capabilities. Most of the client's backups had been online at the time of the intrusion and were encrypted. The client considered paying the ransom (in excess of $200K) and hoping for good luck, but ultimately brought in Progent.


"I can't thank you enough about the support Progent provided us during the most fearful time of (our) company's existence. We may have had to pay the hackers behind this attack except for the confidence the Progent experts afforded us. That you could get our e-mail and production applications back online quicker than five days was incredible. Each expert I spoke to or communicated with at Progent was absolutely committed to getting our system up and was working at all hours to bail us out."

Progent worked hand in hand with the client to rapidly assess and prioritize the most important elements that needed to be recovered in order to restart company operations:

  • Windows Active Directory
  • Electronic Mail
  • Accounting/MRP

To start, Progent adhered to ransomware event response best practices by halting the spread and cleaning up infected systems. Progent then began the process of restoring Windows Active Directory, the core of enterprise systems built upon Microsoft Windows Server technology. Microsoft Exchange email will not operate without Active Directory, and the customer's financials and MRP software utilized SQL Server, which needs Active Directory for security authorization to the data.

In less than 2 days, Progent was able to rebuild Active Directory services to their pre-penetration state. Progent then assisted with reinstallations and hard drive recovery of critical applications. All Exchange data and attributes were usable, which facilitated the rebuild of Exchange. Progent was able to assemble intact OST data files (Outlook Email Off-Line Data Files) on user workstations and laptops to recover email information. A recent offline backup of the business's accounting/ERP systems made it possible to bring these essential services back online. Although significant work still had to be done to recover totally from the Ryuk attack, core services were recovered quickly:


"For the most part, the production line operation never missed a beat and we made all customer deliverables."

Over the next month, critical milestones in the recovery process were reached in tight cooperation between Progent engineers and the client:

  • Internal web sites were restored without losing any data.
  • The MailStore Microsoft Exchange Server with over four million archived emails was spun up and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory Control modules were fully operational.
  • A new Palo Alto Networks 850 firewall was installed and configured.
  • Most of the desktop computers were being used by staff.

"Much of what happened in the early hours is nearly entirely a fog for me, but my management will not soon forget the dedication each of the team accomplished to help get our business back. I have been working together with Progent for the past ten years, possibly more, and each time Progent has shined and delivered as promised. This event was a life saver."

Conclusion
A potential company-ending disaster was averted by dedicated professionals, a broad spectrum of technical expertise, and tight collaboration. Although, upon completion of forensics, the ransomware incident detailed here could have been prevented with current security solutions and security best practices, staff training, and well-designed incident response procedures for information backup and proper patching controls, the fact remains that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a crypto-ransomware virus, remember that Progent's team of experts has a proven track record in crypto-ransomware virus defense, remediation, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for allowing me to get some sleep after we got over the initial push. Everyone did an incredible job, and if any of you guys are around the Chicago area, a great meal is on me!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Houston a portfolio of remote monitoring and security evaluation services designed to help you to minimize your vulnerability to ransomware. These services include modern machine learning technology to detect zero-day variants of ransomware that can escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes cutting edge behavior-based analysis tools to defend physical and virtual endpoints against modern malware assaults like ransomware and email phishing, which easily get by traditional signature-matching AV products. ProSight ASM protects local and cloud-based resources and offers a unified platform to address the entire threat lifecycle including filtering, infiltration detection, containment, cleanup, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection managed services offer ultra-affordable in-depth protection for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP provides two-way firewall protection, penetration alerts, endpoint management, and web filtering through cutting-edge tools incorporated within a single agent managed from a single console. Progent's security and virtualization consultants can assist you to design and implement a ProSight ESP deployment that addresses your organization's specific requirements and that allows you to achieve and demonstrate compliance with legal and industry information protection standards. Progent will assist you to specify and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require urgent attention. Progent can also assist you to set up and verify a backup and restore system like ProSight Data Protection Services so you can recover quickly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and mid-sized organizations an affordable and fully managed service for reliable backup/disaster recovery. For a fixed monthly rate, ProSight DPS automates your backup activities and allows rapid restoration of critical files, applications and virtual machines that have become lost or damaged due to component failures, software bugs, natural disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images. Important data can be protected on the cloud, to an on-premises storage device, or to both. Progent's backup and recovery specialists can provide advanced support to set up ProSight Data Protection Services to be compliant with government and industry regulatory standards like HIPAA, FINRA, and PCI and, whenever needed, can help you to recover your critical information. Find out more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading data security companies to deliver centralized control and comprehensive security for all your inbound and outbound email. The hybrid structure of Email Guard combines a Cloud Protection Layer with a local gateway device to offer advanced protection against spam, viruses, DoS attacks, DHAs, and other email-based malware. The Cloud Protection Layer acts as a first line of defense and blocks the vast majority of unwanted email from reaching your network firewall. This reduces your vulnerability to external attacks and conserves network bandwidth and storage. Email Guard's on-premises gateway device adds a further level of analysis for inbound email. For outgoing email, the on-premises gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to monitor and protect internal email that stays inside your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized organizations to map out, monitor, enhance and troubleshoot their connectivity appliances like routers, firewalls, and access points as well as servers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that network maps are kept updated, copies and manages the configuration information of virtually all devices connected to your network, tracks performance, and generates alerts when potential issues are detected. By automating time-consuming management and troubleshooting processes, WAN Watch can knock hours off ordinary tasks such as network mapping, expanding your network, locating devices that require critical software patches, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your network running efficiently by tracking the health of vital assets that power your business network. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your specified IT management staff and your assigned Progent engineering consultant so that any looming problems can be addressed before they can impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure fault tolerant data center on a high-performance virtual host configured and managed by Progent's IT support experts. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the applications. Since the system is virtualized, it can be moved immediately to an alternate hardware environment without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and safeguard data related to your IT infrastructure, procedures, applications, and services. You can instantly locate passwords or IP addresses and be alerted about impending expirations of SSL certificates or domains. By updating and organizing your network documentation, you can eliminate up to 50% of time thrown away searching for vital information about your network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents required for managing your business network like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether you're making improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.
For 24-Hour Houston Crypto-Ransomware Cleanup Experts, contact Progent at 800-993-9400 or go to Contact Progent.