Ransomware : Your Feared Information Technology Nightmare
Crypto-Ransomware Remediation Consultants

Crypto-Ransomware has become an all-too-frequent cyber pandemic that represents an enterprise-level danger for any business vulnerable to an attack. Different strains of ransomware such as the Reveton, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been in the wild for years and continue to cause destruction. More recent strains such as Ryuk and Hermes, along with others not yet named, not only encrypt online data but also infiltrate many of the configured system protection mechanisms. Files synchronized to the cloud can also be corrupted. In a poorly designed environment, this can render restore operations hopeless and set the network back to square one.

Restoring applications and information following a crypto-ransomware event becomes a race against the clock as the targeted organization tries its best to contain and clear the virus and to resume business-critical activity. Since ransomware requires time to spread, assaults are often sprung during weekends and nights, when successful attacks tend to take longer to uncover. This compounds the difficulty of rapidly marshalling and organizing an experienced mitigation team.

Progent offers a range of services for securing enterprises against ransomware attacks. Among these are staff training to help employees recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security appliances with artificial intelligence capabilities to quickly identify and disable new cyber attacks. Progent can also provide seasoned ransomware recovery engineers with the talent and commitment to reconstruct a breached environment as quickly as possible.

Progent's Ransomware Recovery Support Services
After a ransomware event, even paying the ransom demanded in Bitcoin does not ensure that the criminal gang will provide the keys to decrypt any or all of your files. Kaspersky found that 17% of crypto-ransomware victims never recovered their data after sending off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000), well above the usual ransomware demand, which ZDNET puts at an average of about $13,000. The alternative is to piece back together the critical elements of your Information Technology environment. Without access to complete system backups, this calls for a wide range of skill sets, top-notch project management, and the capability to work 24x7 until the job is completed.

For two decades, Progent has provided expert Information Technology services for businesses in Dayton and throughout the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have earned high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience in financial systems and ERP applications. This breadth of experience allows Progent to rapidly identify the necessary systems, integrate the surviving parts of your network after a ransomware event, and configure them into a functioning system.

Progent's recovery team of experts deploys powerful project management applications to orchestrate the complicated restoration process. Progent understands the urgency of acting quickly and in unison with a customer's management and IT resources to prioritize tasks and to put critical systems back online as soon as possible.

Client Story: A Successful Ransomware Intrusion Restoration
A customer sought out Progent after their company was brought down by Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean government-sponsored hackers, possibly using techniques leaked from America's National Security Agency. Ryuk targets specific companies with little tolerance for operational disruption and is among the most profitable strains of crypto-ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing business located in the Chicago metro area with about 500 workers. The Ryuk attack had disabled all company operations and manufacturing capabilities. The majority of the client's data backups had been directly accessible from the network at the start of the attack and were damaged. The client was actively seeking loans to pay the ransom (more than $200K) and hoping for good luck, but in the end turned to Progent.


"I cannot thank you enough about the support Progent gave us during the most stressful time of (our) company's life. We would have paid the Hackers if it wasn't for the confidence the Progent team afforded us. The fact that you could get our e-mail and important servers back online faster than seven days was beyond my wildest dreams. Every single staff member I spoke to or texted at Progent was totally committed on getting us back on-line and was working non-stop on our behalf."

Progent worked with the customer to quickly identify and prioritize the key systems that needed to be recovered to make it possible to resume departmental functions:

  • Windows Active Directory
  • Email
  • Accounting/MRP

To get going, Progent followed incident mitigation best practices for anti-virus and malware response by stopping the spread and cleaning up infected systems. Progent then began rebuilding Microsoft Active Directory, the core technology of enterprise networks built on Microsoft Windows Server. Microsoft Exchange Server messaging will not operate without Active Directory, and the business's accounting and MRP system ran on SQL Server, which depends on Active Directory for authorization of access to the data.

In less than 48 hours, Progent was able to rebuild Windows Active Directory to its pre-breach state. Progent then charged ahead with reinstallations and storage recovery on mission-critical servers. All Exchange data and attributes were intact, which accelerated the restoration of Exchange. Progent was also able to locate local OST files (Outlook Offline Data Files) on user PCs and laptops in order to recover mail messages. A recent offline backup of the business's financial/MRP systems allowed these vital applications to be brought back online. Although much work remained to recover completely from the Ryuk attack, essential services were restored rapidly:


"For the most part, the production operation showed little impact and we produced all customer orders."

During the following couple of weeks, critical milestones in the restoration process were reached in close collaboration between Progent engineers and the client:

  • Self-hosted web sites were brought back up without losing any information.
  • The MailStore server holding over four million archived Exchange emails was restored to operation and made accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable/AR/Inventory modules were 100% restored.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Most of the desktop computers were back in operation.

"So much of what went on those first few days is nearly entirely a blur for me, but we will not forget the countless hours all of the team put in to help get our business back. I have been working with Progent for the past 10 years, maybe more, and every time I needed help Progent has shined and delivered. This event was a life saver."

Conclusion
A potential business-ending catastrophe was avoided through dedicated professionals, a broad array of subject matter expertise, and close teamwork. In hindsight, the crypto-ransomware attack detailed here should have been stopped by current security technology, ISO/IEC 27001 best practices, staff education, and properly executed procedures for backup, incident response, and keeping systems up to date with security patches. The reality remains, however, that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware incursion, you can be confident that Progent's team of professionals has substantial experience in ransomware blocking, cleanup, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were contributing), thanks very much for allowing me to get some sleep after we got past the initial fire. All of you did an amazing effort, and if anyone that helped is around the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer story, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Dayton a range of online monitoring and security assessment services designed to help you to reduce your vulnerability to crypto-ransomware. These services utilize modern AI technology to uncover zero-day variants of ransomware that are able to escape detection by legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates next-generation behavioral machine learning to defend physical and virtual endpoints against new malware attacks like ransomware and fileless exploits, which easily escape legacy signature-matching anti-virus products. ProSight ASM safeguards local and cloud resources and offers a single platform to automate the complete threat lifecycle including filtering, intrusion detection, containment, remediation, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer economical in-depth security for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring of and response to security attacks from all attack vectors. ProSight ESP delivers firewall protection, intrusion alarms, endpoint management, and web filtering through leading-edge tools packaged within a single agent managed from a single console. Progent's data protection and virtualization consultants can help your business plan and configure a ProSight ESP environment that addresses your organization's specific requirements and allows you to achieve and demonstrate compliance with legal and industry data security standards. Progent will help you define and configure the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require immediate action. Progent can also help your company install and verify a backup and restore system such as ProSight Data Protection Services so you can recover quickly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations a low-cost end-to-end solution for secure backup/disaster recovery (BDR). Available at a low monthly cost, ProSight DPS automates your backup processes and enables fast recovery of vital files, applications and VMs that have become unavailable or damaged due to hardware breakdowns, software glitches, disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, plus Hyper-V and VMware images. Critical data can be backed up to the cloud, to an on-premises storage device, or to both. Progent's BDR specialists can provide advanced support to set up ProSight DPS to be compliant with government and industry regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, when needed, can help you recover your critical data. Find out more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top data security companies to deliver web-based management and world-class protection for your email traffic. The hybrid architecture of Progent's Email Guard integrates a Cloud Protection Layer with a local security gateway appliance to offer advanced defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based threats. The cloud filter serves as a first line of defense and blocks most threats before they reach your security perimeter. This reduces your exposure to external attacks and saves network bandwidth and storage. Email Guard's on-premises gateway device provides a further layer of inspection for inbound email. For outgoing email, the on-premises security gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Microsoft Exchange Server monitor and safeguard internal email traffic that stays inside your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to map, track, optimize and debug their networking hardware like routers, firewalls, and access points plus servers, printers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept current, captures and manages the configuration of virtually all devices connected to your network, monitors performance, and generates notices when potential issues are detected. By automating time-consuming management processes, ProSight WAN Watch can cut hours off ordinary chores like network mapping, reconfiguring your network, finding devices that require important software patches, or identifying the cause of performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) techniques to help keep your IT system running at peak levels by checking the health of critical computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your specified IT staff and your assigned Progent consultant so that all potential problems can be addressed before they can impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual host configured and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be moved easily to an alternate hardware solution without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and protect data related to your IT infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or domains. By updating and organizing your IT documentation, you can save as much as 50% of the time wasted searching for critical information about your network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents required for managing your network infrastructure, such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're making enhancements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

For Dayton 24x7 Crypto-Ransomware Cleanup Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.