Crypto-Ransomware : Your Worst IT Catastrophe
Ransomware  Remediation ExpertsRansomware has become an escalating cyberplague that represents an extinction-level danger for businesses unprepared for an assault. Different iterations of ransomware such as CrySIS, Fusob, Locky, Syskey and MongoLock cryptoworms have been around for years and continue to inflict destruction. More recent versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, as well as more as yet unnamed viruses, not only do encryption of on-line critical data but also infect most configured system protection. Data synchronized to off-site disaster recovery sites can also be encrypted. In a poorly designed data protection solution, it can make automated restoration hopeless and basically sets the datacenter back to zero.

Retrieving programs and data following a crypto-ransomware event becomes a race against the clock as the targeted organization tries its best to stop lateral movement and clear the ransomware and to resume enterprise-critical operations. Due to the fact that ransomware takes time to move laterally, attacks are usually sprung on weekends and holidays, when penetrations in many cases take longer to notice. This compounds the difficulty of quickly mobilizing and orchestrating a capable mitigation team.

Progent provides a variety of solutions for securing organizations from crypto-ransomware attacks. Among these are team training to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of modern security solutions with machine learning capabilities to automatically discover and quarantine day-zero threats. Progent in addition provides the services of expert ransomware recovery professionals with the track record and commitment to reconstruct a breached environment as soon as possible.

Progent's Ransomware Restoration Services
Subsequent to a ransomware attack, sending the ransom demands in Bitcoin cryptocurrency does not provide any assurance that distant criminals will return the codes to decrypt all your files. Kaspersky Labs determined that 17% of ransomware victims never recovered their data even after having sent off the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the usual ransomware demands, which ZDNET estimates to be approximately $13,000. The fallback is to piece back together the essential components of your Information Technology environment. Without access to complete system backups, this requires a wide range of skill sets, top notch project management, and the willingness to work continuously until the task is finished.

For twenty years, Progent has offered expert Information Technology services for businesses in Appleton and across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have been awarded advanced certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally-renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has experience in accounting and ERP applications. This breadth of experience provides Progent the capability to knowledgably determine critical systems and organize the surviving parts of your IT system following a ransomware penetration and assemble them into a functioning network.

Progent's recovery team has powerful project management applications to coordinate the complex recovery process. Progent appreciates the urgency of acting rapidly and in concert with a customerís management and IT team members to assign priority to tasks and to put essential systems back on line as soon as humanly possible.

Client Case Study: A Successful Ransomware Attack Restoration
A small business escalated to Progent after their network system was penetrated by Ryuk ransomware virus. Ryuk is believed to have been developed by North Korean government sponsored hackers, possibly adopting techniques leaked from the U.S. NSA organization. Ryuk goes after specific companies with little or no ability to sustain disruption and is among the most profitable incarnations of ransomware. Well Known organizations include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturer based in the Chicago metro area and has about 500 employees. The Ryuk event had frozen all essential operations and manufacturing capabilities. The majority of the client's backups had been directly accessible at the time of the intrusion and were destroyed. The client was taking steps for paying the ransom demand (exceeding $200K) and praying for good luck, but in the end made the decision to use Progent.


"I cannot speak enough in regards to the help Progent gave us during the most critical time of (our) companyís survival. We would have paid the criminal gangs if not for the confidence the Progent experts gave us. The fact that you were able to get our messaging and essential servers back on-line quicker than one week was beyond my wildest dreams. Each expert I got help from or communicated with at Progent was absolutely committed on getting us restored and was working 24/7 on our behalf."

Progent worked hand in hand the client to rapidly identify and prioritize the critical applications that needed to be restored to make it possible to continue departmental functions:

  • Active Directory (AD)
  • Email
  • MRP System
To start, Progent followed ransomware penetration mitigation best practices by isolating and clearing infected systems. Progent then initiated the work of rebuilding Microsoft Active Directory, the core of enterprise systems built on Microsoft technology. Microsoft Exchange email will not function without AD, and the customerís financials and MRP applications utilized SQL Server, which depends on Active Directory for security authorization to the data.

Within 2 days, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then initiated setup and hard drive recovery on mission critical servers. All Exchange ties and attributes were usable, which greatly helped the restore of Exchange. Progent was also able to collect intact OST files (Outlook Email Offline Folder Files) on staff desktop computers to recover mail information. A recent offline backup of the customerís accounting/MRP software made it possible to restore these required applications back online. Although major work still had to be done to recover completely from the Ryuk damage, essential systems were recovered quickly:


"For the most part, the manufacturing operation showed little impact and we made all customer shipments."

During the following few weeks important milestones in the restoration process were made in tight collaboration between Progent team members and the customer:

  • Internal web sites were returned to operation with no loss of information.
  • The MailStore Exchange Server containing more than four million historical emails was spun up and available for users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory functions were 100% recovered.
  • A new Palo Alto Networks 850 firewall was deployed.
  • Most of the user PCs were functioning as before the incident.

"A lot of what happened that first week is mostly a blur for me, but I will not soon forget the care each of you put in to help get our business back. Iíve been working together with Progent for the past 10 years, maybe more, and every time Progent has come through and delivered as promised. This event was a Herculean accomplishment."

Conclusion
A probable business extinction disaster was evaded with top-tier professionals, a wide spectrum of subject matter expertise, and close teamwork. Although in analyzing the event afterwards the crypto-ransomware virus incident described here should have been identified and prevented with current cyber security technology and recognized best practices, user and IT administrator education, and well designed security procedures for backup and keeping systems up to date with security patches, the reality is that government-sponsored cyber criminals from Russia, China and elsewhere are tireless and are not going away. If you do fall victim to a ransomware virus, remember that Progent's roster of experts has substantial experience in crypto-ransomware virus blocking, removal, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were helping), thank you for allowing me to get some sleep after we made it past the most critical parts. Everyone did an incredible job, and if anyone is around the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Appleton a range of online monitoring and security evaluation services to assist you to reduce your vulnerability to ransomware. These services incorporate next-generation AI technology to detect new variants of ransomware that can evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that utilizes cutting edge behavior-based machine learning tools to defend physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which routinely get by traditional signature-matching AV products. ProSight Active Security Monitoring safeguards local and cloud resources and offers a unified platform to address the entire malware attack progression including protection, detection, mitigation, cleanup, and forensics. Top capabilities include one-click rollback with Windows VSS and real-time network-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable in-depth security for physical servers and VMs, workstations, mobile devices, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and responding to cyber assaults from all vectors. ProSight ESP provides firewall protection, penetration alarms, device control, and web filtering via cutting-edge tools incorporated within one agent accessible from a unified console. Progent's security and virtualization experts can assist you to design and implement a ProSight ESP deployment that addresses your company's unique requirements and that allows you achieve and demonstrate compliance with government and industry information security regulations. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that require immediate action. Progent can also help your company to install and verify a backup and restore solution such as ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and mid-sized organizations an affordable and fully managed solution for reliable backup/disaster recovery. Available at a fixed monthly price, ProSight DPS automates your backup activities and allows fast restoration of vital files, apps and virtual machines that have become unavailable or damaged due to component breakdowns, software glitches, natural disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images/. Critical data can be backed up on the cloud, to an on-promises device, or to both. Progent's backup and recovery specialists can deliver world-class support to set up ProSight Data Protection Services to to comply with regulatory standards such as HIPAA, FIRPA, PCI and Safe Harbor and, when needed, can help you to restore your critical information. Read more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading data security companies to deliver centralized management and world-class protection for your email traffic. The powerful architecture of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises gateway appliance to offer advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's cloud filter acts as a preliminary barricade and blocks the vast majority of unwanted email from making it to your security perimeter. This decreases your vulnerability to inbound threats and saves system bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a further level of analysis for inbound email. For outgoing email, the on-premises gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also help Exchange Server to track and safeguard internal email traffic that stays inside your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized businesses to map out, track, optimize and debug their connectivity appliances such as routers and switches, firewalls, and wireless controllers as well as servers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology maps are kept current, captures and displays the configuration of almost all devices connected to your network, monitors performance, and generates alerts when problems are discovered. By automating complex management activities, WAN Watch can cut hours off common tasks such as making network diagrams, expanding your network, finding devices that need important software patches, or identifying the cause of performance issues. Find out more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management technology to help keep your network operating efficiently by tracking the health of vital computers that power your business network. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your designated IT management staff and your Progent consultant so any looming problems can be resolved before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual host configured and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the apps. Because the environment is virtualized, it can be moved easily to a different hosting solution without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and safeguard information related to your network infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be warned about upcoming expirations of SSLs or domains. By cleaning up and organizing your network documentation, you can eliminate as much as 50% of time spent searching for vital information about your network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents related to managing your network infrastructure like standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether youíre planning enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Find out more about ProSight IT Asset Management service.
For Appleton 24-Hour Crypto-Ransomware Remediation Support Services, call Progent at 800-993-9400 or go to Contact Progent.