Ransomware : Your Feared IT Catastrophe
Crypto-Ransomware Recovery Consultants

Ransomware has become a too-frequent cyber pandemic that represents an enterprise-level threat for organizations unprepared for an assault. Different versions of ransomware such as CryptoLocker, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for years and still inflict damage. Modern variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, along with more unnamed viruses, not only encrypt on-line data but also infect any available system backups. Data replicated to the cloud can also be ransomed. In a poorly designed data protection solution, this can render automatic restoration useless and basically knocks the datacenter back to zero.

Recovering services and information following a crypto-ransomware intrusion becomes a sprint against time as the targeted organization fights to contain the damage and eradicate the ransomware and to resume business-critical operations. Because ransomware requires time to replicate, penetrations are often launched during weekends and nights, when attacks tend to take longer to identify. This compounds the difficulty of rapidly marshalling and coordinating an experienced mitigation team.

Progent makes available an assortment of help services for securing businesses from ransomware events. These include team education to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of the latest generation security gateways with machine learning capabilities to intelligently identify and quarantine zero-day threats. Progent also provides the assistance of expert ransomware recovery consultants with the skills and commitment to reconstruct a breached network as rapidly as possible.

Progent's Ransomware Restoration Services
Soon after a ransomware attack, sending the ransom in cryptocurrency does not ensure that criminal gangs will respond with the keys to decrypt any of your data. Kaspersky determined that 17% of ransomware victims never restored their files after having paid the ransom, resulting in more losses. The gamble is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is greatly above the usual ransomware demands, which ZDNET estimates to be in the range of $13,000. The alternative is to set up from scratch the essential elements of your Information Technology environment. Absent access to essential information backups, this requires a broad range of skill sets, top-notch team management, and the willingness to work 24x7 until the recovery project is completed.

For two decades, Progent has offered certified expert Information Technology services for companies in Detroit and throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have earned top industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have garnered internationally-recognized industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent in addition has expertise in accounting and ERP application software. This breadth of expertise gives Progent the skills to quickly identify critical systems, integrate the surviving parts of your IT system following a crypto-ransomware event, and rebuild them into an operational network.

Progent's recovery group uses state-of-the-art project management applications to coordinate the complicated recovery process. Progent appreciates the importance of acting quickly and together with a client's management and IT team members to assign priority to tasks and to get key applications back online as soon as possible.

Client Story: A Successful Crypto-Ransomware Attack Restoration
A small business contacted Progent after their network system was crashed by the Ryuk ransomware virus. Ryuk is believed to have been deployed by North Korean government-sponsored hackers, suspected of adopting approaches leaked from the U.S. NSA organization. Ryuk goes after specific organizations with little or no tolerance for disruption and is among the most profitable iterations of ransomware. Headline targets include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing company based in Chicago and has around 500 staff members. The Ryuk attack had paralyzed all business operations and manufacturing processes. The majority of the client's information backups had been on-line at the beginning of the attack and were eventually encrypted. The client was evaluating paying the ransom demand (more than $200K) and hoping for the best, but in the end called Progent.

"I can't tell you enough in regards to the expertise Progent provided us during the most stressful period of (our) businesses life. We had little choice but to pay the cybercriminals if it wasn't for the confidence the Progent experts gave us. The fact that you were able to get our messaging and production servers back faster than a week was amazing. Every single expert I talked with or e-mailed at Progent was urgently focused on getting us back online and was working breakneck pace to bail us out."

Progent worked with the client to quickly determine and assign priority to the most important services that had to be addressed in order to resume departmental operations:

  • Windows Active Directory
  • Email
  • Accounting and Manufacturing Software

To start, Progent followed industry best practices for malware intrusion mitigation by halting lateral movement and cleaning systems of viruses. Progent then began the process of rebuilding Windows Active Directory, the core of enterprise environments built upon Microsoft Windows Server technology. Microsoft Exchange messaging will not function without Windows AD, and the client's accounting and MRP applications used Microsoft SQL Server, which depends on Active Directory services for access to the data.

In less than 2 days, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then charged ahead with reinstallations and hard drive recovery of the most important servers. All Exchange Server data and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was able to find intact OST data files (Outlook Email Off-Line Folder Files) on staff desktop computers and laptops to recover mail messages. A recent off-line backup of the client's accounting/ERP software made it possible to bring these essential applications back to users. Although significant work remained to recover completely from the Ryuk virus, core services were returned to operation quickly:


"For the most part, the production line operation never missed a beat and we made all customer orders."

During the following couple of weeks important milestones in the recovery project were completed in tight cooperation between Progent engineers and the customer:

  • Internal web sites were restored without losing any data.
  • The MailStore Exchange Server containing more than four million archived messages was restored to operations and accessible to users.
  • CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory modules were fully functional.
  • A new Palo Alto 850 security appliance was set up and programmed.
  • Ninety percent of the user desktops and notebooks were functioning as before the incident.

"Much of what was accomplished that first week is mostly a haze for me, but I will not forget the care each and every one of you put in to give us our company back. I've been working with Progent for the past ten years, maybe more, and every time Progent has outperformed my expectations and delivered. This event was no exception but maybe more Herculean."

Conclusion
A possible business-ending disaster was evaded due to hard-working professionals, a broad array of technical expertise, and tight collaboration. In post-mortem analysis, the ransomware intrusion detailed here should have been identified and stopped by advanced cyber security technology, recognized best practices, user and IT administrator training, and appropriate procedures for data backup and software patching. The fact remains, however, that state-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a crypto-ransomware attack, remember that Progent's team of professionals has extensive experience in ransomware virus blocking, cleanup, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were helping), thank you for allowing me to get rested after we made it past the initial fire. Everyone did a fabulous job, and if anyone that helped is visiting the Chicago area, dinner is my treat!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Detroit a variety of online monitoring and security evaluation services to help you to minimize the threat from ransomware. These services include modern machine learning capability to uncover zero-day strains of crypto-ransomware that are able to get past legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates next generation behavior-based machine learning tools to guard physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which routinely evade legacy signature-based anti-virus products. ProSight ASM safeguards local and cloud resources and provides a single platform to automate the entire malware attack lifecycle, including protection, identification, mitigation, cleanup, and post-attack forensics. Key capabilities include one-click rollback using Windows VSS and real-time system-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services deliver ultra-affordable multi-layer protection for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and response to cyber threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint management, and web filtering through cutting-edge tools incorporated within one agent managed from a unified console. Progent's data protection and virtualization consultants can assist your business to design and configure a ProSight ESP environment that addresses your company's specific needs and that helps you demonstrate compliance with legal and industry data security regulations. Progent will assist you in specifying and implementing the security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that call for immediate action. Progent's consultants can also help you to install and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations a low-cost end-to-end service for reliable backup/disaster recovery (BDR). Available at a low monthly price, ProSight Data Protection Services automates your backup activities and enables fast restoration of vital data, apps and virtual machines that have become lost or damaged due to component failures, software glitches, natural disasters, human error, or malicious attacks like ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, apps, system images, plus Hyper-V and VMware images. Important data can be protected in the cloud, on a local storage device, or both. Progent's BDR consultants can deliver world-class support to set up ProSight DPS to be compliant with government and industry regulatory standards such as HIPAA, FERPA, PCI and Safe Harbor and, when needed, can help you to recover your critical information. Read more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading data security companies to provide centralized control and world-class protection for all your email traffic. The hybrid architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises security gateway device to provide advanced defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-based malware. Email Guard's Cloud Protection Layer acts as a preliminary barricade and blocks the vast majority of threats from reaching your security perimeter. This reduces your exposure to inbound attacks and conserves system bandwidth and storage. Email Guard's on-premises security gateway device provides a deeper layer of inspection for incoming email. For outbound email, the on-premises gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also help Exchange Server to track and protect internal email that stays inside your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to diagram, monitor, enhance and troubleshoot their networking appliances like routers and switches, firewalls, and wireless controllers as well as servers, client computers and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch ensures that infrastructure topology maps are always updated, captures and displays the configuration of virtually all devices on your network, tracks performance, and sends alerts when issues are detected. By automating tedious network management activities, ProSight WAN Watch can cut hours off common tasks like making network diagrams, reconfiguring your network, locating appliances that require important software patches, or isolating performance problems. Find out more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management techniques to keep your IT system running at peak levels by checking the state of vital computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your designated IT staff and your Progent engineering consultant so any looming issues can be resolved before they can impact your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual host configured and managed by Progent's IT support professionals. With the ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the applications. Because the system is virtualized, it can be ported immediately to an alternate hardware solution without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and protect data about your IT infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or domains. By updating and organizing your network documentation, you can save as much as 50% of the time wasted looking for vital information about your IT network. ProSight IT Asset Management features a centralized location for storing and collaborating on all documents related to managing your business network such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're making improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you need the instant you need it. Learn more about ProSight IT Asset Management service.

For Detroit 24x7 Crypto-Ransomware Cleanup Experts, reach out to Progent at 800-993-9400 or go to Contact Progent.