Ransomware : Your Feared Information Technology Disaster
Crypto-Ransomware Remediation Experts

Ransomware has become an escalating cyber pandemic that presents an existential threat to businesses of all sizes that are poorly prepared for an attack. Multiple generations of ransomware such as the Dharma, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been circulating for many years and continue to cause destruction. More recent variants such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, plus unnamed newcomers, not only encrypt online files but also encrypt any system backups they can reach. Information synced to the cloud can be corrupted as well. In a poorly designed environment this can make recovery impossible and effectively sets the entire system back to square one.

Restoring applications and information after a ransomware attack becomes a race against the clock as the victim struggles to contain the damage, clear the malware, and restore business-critical activity. Because crypto-ransomware needs time to spread, attacks are often launched during nights and weekends, when a successful intrusion typically takes longer to notice. This compounds the difficulty of quickly marshalling and organizing a capable response team.

Progent provides an assortment of services for protecting organizations from crypto-ransomware events. These include staff training to help employees recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security solutions that use artificial intelligence to rapidly discover and disable new cyber threats. Progent can also provide experienced ransomware recovery engineers with the track record and perseverance to rebuild a compromised network as quickly as possible.

Progent's Ransomware Recovery Support Services
Following a ransomware attack, even paying the ransom in cryptocurrency provides no assurance that the criminals will return the keys needed to decrypt any or all of your files. Kaspersky Labs estimated that 17% of ransomware victims never recovered their files even after paying the ransom, compounding their losses. The exposure is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is well above the usual crypto-ransomware demand, which ZDNET determined to be around $13,000. The fallback is to rebuild the mission-critical components of your IT environment. Without essential data backups, this requires a wide complement of IT skills, well-coordinated project management, and the willingness to work 24x7 until the task is complete.

For twenty years, Progent has provided professional IT services for companies in Dayton and throughout the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold top industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts hold internationally recognized certifications including CISA, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial management and ERP application software. This breadth of experience gives Progent the ability to rapidly identify important systems, integrate the remaining pieces of your IT environment after a ransomware attack, and configure them into an operational system.

Progent's security group uses powerful project management tools to coordinate the complicated restoration process. Progent appreciates the urgency of acting rapidly and works together with a customer's management and IT staff to prioritize tasks and get key applications back online as fast as possible.

Client Story: A Successful Crypto-Ransomware Intrusion Recovery
A client hired Progent after their organization was brought down by Ryuk crypto-ransomware. Ryuk is thought to have been created by North Korean state-sponsored hackers, suspected of using algorithms leaked from the U.S. National Security Agency. Ryuk targets specific businesses with limited tolerance for operational disruption and is one of the most profitable versions of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer based in Chicago with about 500 employees. The Ryuk intrusion had disabled all business operations and manufacturing processes. The majority of the client's backups had been online at the start of the attack and were encrypted. The client was actively seeking loans to pay the ransom demand (more than $200K) and praying for good luck, but in the end turned to Progent.


"I can't say enough about the support Progent provided us during the most stressful period of (our) company's life. We would have paid the criminal gangs if not for the confidence the Progent group gave us. That you were able to get our e-mail system and production applications back on-line sooner than five days was incredible. Every single staff member I got help from or communicated with at Progent was urgently focused on getting us restored and was working 24 by 7 on our behalf."

Progent worked with the client to rapidly assess and prioritize the critical applications that needed to be restored to make it possible to restart business operations:

  • Windows Active Directory
  • Exchange Server
  • MRP System

To start, Progent followed industry best practices for malware incident response by containing the spread and removing active malware. Progent then began restoring Microsoft Active Directory, the core of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange messaging will not function without Active Directory, and the customer's accounting and MRP system used Microsoft SQL Server, which relies on Active Directory for authentication and authorization to the data.

In less than 2 days, Progent rebuilt Active Directory services to their pre-attack state. Progent then carried out setup and storage recovery of mission-critical applications. All Microsoft Exchange Server schema extensions and attributes were intact, which greatly helped the rebuild of Exchange. Progent was also able to find unencrypted OST files (Microsoft Outlook Offline Folder Files) on staff workstations and laptops and used them to recover mail messages. A reasonably recent offline backup of the customer's financials/MRP system allowed these essential applications to be returned to service. Although significant work remained to recover fully from the Ryuk damage, core systems were returned to operation rapidly:


"For the most part, the manufacturing operation was never shut down and we produced all customer sales."

Over the next month, important milestones in the restoration process were achieved in close cooperation between Progent engineers and the customer:

  • In-house web applications were returned to operation without losing any information.
  • The MailStore archive for Microsoft Exchange Server, containing more than four million historical emails, was brought online and made accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable/AR/Inventory functions were fully functional.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • 90% of the user PCs were operational.

"So much of what went on during the initial response is mostly a haze for me, but our team will not forget the countless hours each of your team put in to help get our business back. I have entrusted Progent for the past 10 years, maybe more, and every time I needed help Progent has come through and delivered as promised. This event was the most impressive ever."

Conclusion
A likely business-ending catastrophe was averted through dedicated professionals, a broad array of IT skills, and tight teamwork. Post-incident forensics showed that the crypto-ransomware incident described here could have been identified and stopped with advanced cybersecurity technology and ISO/IEC 27001 best practices, user and IT administrator education, well thought out incident response procedures for information protection, and proper patching controls. Even so, state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and remain an ongoing threat. If you do fall victim to a ransomware intrusion, remember that Progent's roster of professionals has extensive experience in ransomware defense, mitigation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were contributing), I'm grateful for letting me get rested after we got over the first week. Everyone did an incredible effort, and if any of your guys is in the Chicago area, dinner is my treat!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Dayton a portfolio of online monitoring and security evaluation services designed to help you reduce the threat from ransomware. These services use next-generation AI technology to uncover new variants of ransomware that can get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that utilizes next generation behavior analysis tools to guard physical and virtual endpoints against new malware attacks like ransomware and email phishing, which easily get by legacy signature-matching AV products. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a single platform to address the complete malware attack lifecycle including protection, detection, mitigation, remediation, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection services offer ultra-affordable in-depth security for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and responding to cyber assaults from all attack vectors. ProSight ESP delivers firewall protection, penetration alerts, endpoint control, and web filtering via leading-edge tools incorporated within a single agent managed from a single console. Progent's data protection and virtualization consultants can help you to plan and configure a ProSight ESP environment that meets your company's specific requirements and that helps you demonstrate compliance with government and industry information security standards. Progent will help you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for immediate action. Progent can also assist your company to install and verify a backup and restore solution such as ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and medium-sized organizations an affordable and fully managed service for secure backup and disaster recovery (BDR). For a low monthly price, ProSight Data Protection Services automates your backup activities and enables fast recovery of critical data, apps and VMs that have become unavailable or corrupted as a result of hardware breakdowns, software glitches, natural disasters, human error, or malicious attacks like ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, apps, system images, and Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to an on-premises storage device, or mirrored to both. Progent's BDR consultants can deliver advanced expertise to configure ProSight Data Protection Services to be compliant with government and industry regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, whenever needed, can assist you to recover your critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top data security companies to provide web-based control and world-class protection for your inbound and outbound email. The powerful architecture of Progent's Email Guard integrates cloud-based filtering with an on-premises security gateway appliance to provide complete defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps the vast majority of unwanted email from reaching your network firewall. This decreases your exposure to external threats and conserves network bandwidth and storage space. Email Guard's on-premises security gateway device provides a further level of inspection for inbound email. For outgoing email, the onsite security gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises gateway can also help Microsoft Exchange Server monitor and protect internal email traffic that stays within your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to map out, monitor, reconfigure and debug their networking hardware like routers, firewalls, and access points plus servers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always current, captures and displays the configuration of virtually all devices on your network, monitors performance, and generates notices when problems are discovered. By automating time-consuming management processes, WAN Watch can knock hours off ordinary chores like making network diagrams, expanding your network, finding devices that need important updates, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management techniques to keep your IT system operating efficiently by checking the state of vital assets that drive your business network. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your designated IT management personnel and your Progent consultant so that all looming problems can be addressed before they have a chance to impact your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and managed by Progent's IT support experts. Under the ProSight Virtual Hosting model, the client owns the data, the OS software, and the applications. Since the system is virtualized, it can be moved easily to an alternate hardware solution without requiring a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and safeguard information related to your IT infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates or warranties. By cleaning up and organizing your network documentation, you can save up to 50% of time thrown away searching for vital information about your IT network. ProSight IT Asset Management features a common location for storing and collaborating on all documents required for managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're planning improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.

For Dayton 24-Hour Ransomware Recovery Services, contact Progent at 800-462-8800 or go to Contact Progent.