Ransomware : Your Feared Information Technology Nightmare
Ransomware  Recovery ProfessionalsRansomware has become an escalating cyberplague that poses an enterprise-level threat for businesses unprepared for an attack. Different iterations of ransomware such as Reveton, Fusob, Locky, Syskey and MongoLock cryptoworms have been circulating for a long time and still cause havoc. Modern strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, plus additional as yet unnamed viruses, not only do encryption of on-line information but also infect any accessible system restores and backups. Files synched to the cloud can also be ransomed. In a poorly designed environment, this can make any restoration impossible and basically knocks the datacenter back to square one.

Getting back online applications and information after a crypto-ransomware event becomes a race against the clock as the targeted organization fights to stop lateral movement and clear the virus and to restore business-critical activity. Due to the fact that ransomware requires time to move laterally, attacks are often launched at night, when penetrations may take more time to discover. This multiplies the difficulty of promptly marshalling and organizing an experienced response team.

Progent offers an assortment of services for protecting organizations from crypto-ransomware attacks. These include team member education to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of next-generation security gateways with artificial intelligence technology to automatically discover and extinguish day-zero cyber threats. Progent in addition offers the services of expert ransomware recovery consultants with the skills and commitment to re-deploy a compromised network as quickly as possible.

Progent's Ransomware Recovery Support Services
After a ransomware penetration, paying the ransom demands in cryptocurrency does not guarantee that cyber criminals will return the keys to unencrypt any of your information. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their data even after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the average ransomware demands, which ZDNET estimates to be around $13,000. The fallback is to setup from scratch the critical parts of your Information Technology environment. Absent access to essential system backups, this requires a broad range of IT skills, well-coordinated team management, and the ability to work non-stop until the task is completed.

For decades, Progent has made available professional Information Technology services for companies in St. Louis and across the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have earned high-level certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have garnered internationally-recognized industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has expertise with financial systems and ERP application software. This breadth of expertise affords Progent the ability to efficiently understand important systems and organize the surviving parts of your IT environment after a ransomware penetration and configure them into an operational system.

Progent's recovery group uses state-of-the-art project management tools to orchestrate the complex recovery process. Progent understands the importance of acting quickly and together with a client's management and Information Technology team members to prioritize tasks and to get essential systems back online as fast as humanly possible.

Client Case Study: A Successful Ransomware Penetration Recovery
A business sought out Progent after their organization was attacked by Ryuk ransomware virus. Ryuk is generally considered to have been developed by Northern Korean state criminal gangs, suspected of using approaches leaked from the United States National Security Agency. Ryuk goes after specific organizations with little room for operational disruption and is one of the most lucrative versions of crypto-ransomware. Well Known targets include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturer headquartered in the Chicago metro area with about 500 workers. The Ryuk event had disabled all business operations and manufacturing capabilities. The majority of the client's information backups had been directly accessible at the beginning of the attack and were eventually encrypted. The client was pursuing financing for paying the ransom demand (in excess of $200K) and wishfully thinking for the best, but ultimately called Progent.


"I canít tell you enough in regards to the help Progent gave us throughout the most fearful time of (our) companyís existence. We most likely would have paid the hackers behind this attack if it wasnít for the confidence the Progent group afforded us. That you could get our e-mail system and critical applications back online in less than 1 week was incredible. Every single expert I talked with or texted at Progent was laser focused on getting us restored and was working 24/7 to bail us out."

Progent worked with the customer to quickly get our arms around and prioritize the critical elements that needed to be recovered to make it possible to restart company operations:

  • Windows Active Directory
  • Email
  • Financials/MRP
To begin, Progent adhered to AV/Malware Processes incident mitigation best practices by stopping the spread and clearing up compromised systems. Progent then began the work of bringing back online Microsoft Active Directory, the foundation of enterprise environments built on Microsoft technology. Exchange email will not function without Active Directory, and the client's accounting and MRP applications used SQL Server, which depends on Windows AD for access to the data.

In less than 48 hours, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then charged ahead with setup and storage recovery of the most important applications. All Exchange Server data and attributes were intact, which accelerated the rebuild of Exchange. Progent was able to find local OST files (Outlook Email Off-Line Data Files) on various PCs to recover mail messages. A not too old off-line backup of the client's accounting software made them able to return these required applications back servicing users. Although significant work needed to be completed to recover totally from the Ryuk attack, the most important systems were recovered rapidly:


"For the most part, the manufacturing operation survived unscathed and we delivered all customer deliverables."

During the following month important milestones in the restoration project were achieved through close collaboration between Progent team members and the client:

  • In-house web applications were brought back up without losing any data.
  • The MailStore Server containing more than four million historical emails was brought on-line and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory functions were 100% operational.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • Nearly all of the user PCs were functioning as before the incident.

"A huge amount of what went on in the initial days is nearly entirely a blur for me, but my team will not forget the countless hours all of you accomplished to give us our company back. Iíve been working together with Progent for the past 10 years, maybe more, and each time I needed help Progent has come through and delivered as promised. This situation was a stunning achievement."

Conclusion
A probable company-ending disaster was avoided with results-oriented professionals, a wide range of IT skills, and tight collaboration. Although in retrospect the crypto-ransomware virus penetration described here could have been prevented with modern security technology solutions and recognized best practices, user education, and properly executed incident response procedures for data backup and applying software patches, the fact is that government-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware incident, remember that Progent's team of experts has proven experience in ransomware virus defense, cleanup, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thanks very much for making it so I could get some sleep after we got over the initial fire. Everyone did an amazing job, and if anyone that helped is visiting the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this case study, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in St. Louis a variety of online monitoring and security assessment services designed to help you to reduce the threat from ransomware. These services include next-generation machine learning technology to uncover zero-day variants of crypto-ransomware that are able to evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes cutting edge behavior analysis technology to defend physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which easily evade traditional signature-matching anti-virus products. ProSight ASM protects local and cloud resources and provides a single platform to automate the entire threat progression including protection, identification, mitigation, cleanup, and post-attack forensics. Key features include one-click rollback with Windows VSS and real-time system-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection services offer ultra-affordable multi-layer protection for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and responding to cyber assaults from all attack vectors. ProSight ESP offers firewall protection, penetration alerts, endpoint control, and web filtering through cutting-edge technologies incorporated within a single agent accessible from a unified control. Progent's data protection and virtualization consultants can assist your business to design and implement a ProSight ESP environment that addresses your organization's specific requirements and that helps you prove compliance with government and industry information security standards. Progent will help you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for urgent attention. Progent can also assist you to install and test a backup and restore solution like ProSight Data Protection Services so you can recover quickly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized businesses an affordable and fully managed solution for reliable backup/disaster recovery (BDR). Available at a fixed monthly rate, ProSight Data Protection Services automates and monitors your backup processes and allows fast restoration of critical data, apps and VMs that have become lost or damaged as a result of hardware failures, software bugs, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to an on-promises device, or to both. Progent's cloud backup consultants can provide advanced expertise to configure ProSight DPS to to comply with government and industry regulatory standards like HIPAA, FIRPA, PCI and Safe Harbor and, when needed, can help you to restore your business-critical data. Learn more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top data security companies to deliver web-based control and comprehensive security for all your email traffic. The powerful architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway device to offer advanced protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-based threats. Email Guard's cloud filter serves as a first line of defense and blocks the vast majority of threats from making it to your network firewall. This reduces your vulnerability to external attacks and saves network bandwidth and storage space. Email Guard's onsite gateway appliance provides a further level of inspection for inbound email. For outgoing email, the onsite security gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email traffic that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progentís ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for smaller businesses to diagram, track, enhance and debug their networking appliances such as routers and switches, firewalls, and wireless controllers as well as servers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network maps are always current, copies and displays the configuration information of virtually all devices on your network, tracks performance, and generates notices when issues are detected. By automating time-consuming network management processes, ProSight WAN Watch can knock hours off common chores like network mapping, expanding your network, locating devices that require important updates, or isolating performance problems. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your IT system running at peak levels by checking the health of vital computers that drive your information system. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your specified IT management personnel and your assigned Progent consultant so that any potential problems can be resolved before they can impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host set up and maintained by Progent's network support experts. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the applications. Because the system is virtualized, it can be ported immediately to an alternate hosting environment without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and protect information related to your IT infrastructure, procedures, business apps, and services. You can quickly find passwords or IP addresses and be warned automatically about upcoming expirations of SSLs or domains. By updating and managing your IT documentation, you can eliminate as much as half of time thrown away looking for critical information about your IT network. ProSight IT Asset Management features a common location for holding and collaborating on all documents related to managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether youíre making improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.
For St. Louis 24-Hour CryptoLocker Remediation Consulting, call Progent at 800-993-9400 or go to Contact Progent.