Ransomware: Your Feared IT Disaster
Crypto-ransomware has become an all-too-frequent plague that presents an extinction-level danger for businesses unprepared for an attack. Multiple generations of crypto-ransomware such as CryptoLocker, CryptoWall, Locky, SamSam and MongoLock have been circulating for years and still inflict damage. Newer variants such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch and Nefilim, along with as yet unnamed malware, not only encrypt online data files but also delete Volume Shadow Copies and encrypt any backups reachable from the compromised network. Data synchronized to off-site disaster recovery sites can be corrupted as well. Against a vulnerable data protection solution, this makes automatic restoration impossible and essentially sets the datacenter back to square one.
Bringing programs and data back online after a ransomware intrusion becomes a race against the clock as the targeted organization tries to stop the spread, remove the malware and resume mission-critical activity. Because lateral movement and encryption take time, attackers often trigger the payload at night or outside business hours, when the attack typically takes longer to discover. This compounds the difficulty of promptly assembling and coordinating a qualified response team.
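The backup-destruction step described above (deleting shadow copies and backup catalogs, disabling boot recovery) is usually the last noisy thing a ransomware operator does before encryption starts, which makes it a good detection point. The following is an added example, not code from Progent or the page: it scans process-creation events for those commands and escalates a host that runs two or more distinct techniques inside a short window, so that routine administrator housekeeping (a single `vssadmin` call) is reported but not escalated. The one-line key=value event layout and the sample events are constructed for the demo; the `EVENT_RE` parser would be adapted to an EDR export or Sysmon Event ID 1 fields (Image, CommandLine, ParentImage).

```python
"""Detect the recovery-destruction commands that typically precede encryption.

Added example (not Progent's code). Scans process-creation events for command
lines that delete shadow copies, backup catalogs or boot recovery, and escalates
any host that runs two or more distinct techniques inside a short window. The
event format is a constructed one-line key=value layout; adapt EVENT_RE to your
EDR export or Sysmon Event ID 1 fields (Image, CommandLine, ParentImage).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (label, pattern over the lower-cased, whitespace-normalized command line)
DESTRUCTIVE_PATTERNS = [
    ("vss_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete shadows\b")),
    ("vss_resize", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize shadowstorage\b")),
    ("wmic_shadow_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wbadmin_catalog", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete (catalog|systemstatebackup)\b")),
    ("bcdedit_recovery", re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled no|bootstatuspolicy ignoreallfailures)")),
    ("ps_shadow_delete", re.compile(r"\bpowershell\b.*win32_shadowcopy.*\bdelete\b")),
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$"
)

def parse_event(line):
    """Parse one constructed event line; returns None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev

def classify(cmd):
    """Return the labels of every destructive pattern the command line matches."""
    norm = re.sub(r"\s+", " ", cmd.strip().lower())
    return [label for label, rx in DESTRUCTIVE_PATTERNS if rx.search(norm)]

def scan(lines, window=timedelta(minutes=10), threshold=2):
    """Return (hits, escalations).

    hits: list of (host, label, command) for every matching event.
    escalations: host -> sorted labels, for hosts that used at least `threshold`
    distinct techniques within `window`. One vssadmin call can be admin
    housekeeping; a burst of different ones is the ransomware playbook."""
    hits = []
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for label in classify(ev["cmd"]):
            hits.append((ev["host"], label, ev["cmd"]))
            per_host[ev["host"]].append((ev["ts"], label))
    escalations = {}
    for host, events in per_host.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            labels = {lab for t, lab in events[i:] if t - t0 <= window}
            if len(labels) >= threshold:
                escalations[host] = sorted(labels)
                break
    return hits, escalations

# Constructed sample: an overnight burst on a file server, and a lone admin
# command on a second host during business hours.
SAMPLE_EVENTS = r"""
2024-03-02T02:14:07Z host=MFG-FS01 user=CORP\svc_backup parent=C:\Windows\System32\cmd.exe cmd=vssadmin.exe Delete Shadows /All /Quiet
2024-03-02T02:14:09Z host=MFG-FS01 user=CORP\svc_backup parent=C:\Windows\System32\cmd.exe cmd=wmic shadowcopy delete
2024-03-02T02:14:12Z host=MFG-FS01 user=CORP\svc_backup parent=C:\Windows\System32\cmd.exe cmd=bcdedit /set {default} recoveryenabled No
2024-03-02T02:14:13Z host=MFG-FS01 user=CORP\svc_backup parent=C:\Windows\System32\cmd.exe cmd=wbadmin delete catalog -quiet
2024-03-02T09:30:00Z host=MFG-FS02 user=CORP\adm_jane parent=C:\Windows\System32\cmd.exe cmd=vssadmin list shadows
2024-03-02T09:31:00Z host=MFG-FS02 user=CORP\adm_jane parent=C:\Windows\System32\cmd.exe cmd=vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
""".strip().splitlines()

if __name__ == "__main__":
    hits, escalations = scan(SAMPLE_EVENTS)
    for host, label, cmd in hits:
        print(f"hit  {host:9} {label:20} {cmd}")
    for host, labels in escalations.items():
        print(f"ESCALATE {host}: {', '.join(labels)}")
```

The threshold-within-a-window design is deliberate: each of these commands has a legitimate administrative use, but an operator rarely runs three or four of them in the same few seconds, let alone at two in the morning under a service account. Tune `window` and `threshold` against your own process logs before alerting on the result.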
Progent offers a variety of services for protecting businesses from ransomware penetrations. Among these are user education to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security solutions that use machine learning to rapidly detect and quarantine zero-day attacks. Progent also offers expert ransomware recovery consultants with the skills and perseverance to restore a breached network as quickly as possible.
Progent's Crypto-Ransomware Recovery Support Services
After a ransomware event, paying the ransom in cryptocurrency provides no assurance that the criminals will deliver working keys to decrypt any of your files. Kaspersky found that 17% of ransomware victims never recovered their data after paying, compounding their losses. The gamble is also very expensive: Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the typical ransomware demand, which ZDNet estimated at around $13,000. The alternative is to rebuild the vital components of your IT environment. Without complete, uncompromised backups, this requires a broad range of IT skills, well-coordinated team management, and the willingness to work around the clock until the recovery is finished.
For two decades, Progent has provided expert IT services to companies in El Paso and across the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants with advanced certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity consultants hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with accounting and ERP software. This breadth of expertise lets Progent quickly identify the necessary systems, consolidate the surviving parts of your network following a ransomware event, and configure them into an operational environment.
Progent's ransomware team uses project management tools to coordinate the complex recovery process. Progent understands the urgency of working rapidly and in unison with a customer's management and IT staff to prioritize tasks and get key services back online as fast as humanly possible.
Business Case Study: A Successful Ransomware Attack Response
A client escalated to Progent after its network was attacked by the Ryuk crypto-ransomware. Ryuk was initially linked to North Korean operators because of code overlap with the earlier Hermes ransomware; later industry analysis attributed it to a Russian-speaking criminal group. Ryuk targets specific companies with limited tolerance for operational disruption and is among the most profitable ransomware families. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in the Chicago metro area with around 500 workers. The Ryuk event had shut down all business operations and manufacturing. Most of the client's backups had been directly reachable from the network at the start of the intrusion and were encrypted. The client was considering paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately decided to engage Progent.
"I cannot thank you enough in regards to the support Progent gave us during the most critical time of (our) business's life. We may have had to pay the criminal gangs if it wasn't for the confidence the Progent experts provided us. The fact that you could get our messaging and essential applications back into operation faster than 1 week was something I thought impossible. Each expert I interacted with or e-mailed at Progent was totally committed to getting us working again and was working 24 by 7 to bail us out."
Progent worked with the customer to rapidly identify and prioritize the mission-critical services that had to be recovered before business functions could restart:
- Microsoft Active Directory
- Exchange Server
Progent first followed incident mitigation best practices by stopping lateral movement and removing the malware. Progent then began rebuilding Microsoft Active Directory, the foundation of enterprise networks built on Windows. Microsoft Exchange Server will not function without Active Directory, and the business's accounting and MRP software ran on Microsoft SQL Server, which relied on Active Directory for authentication and authorization to the databases.
Within 48 hours, Progent had recovered Active Directory to its pre-intrusion state. Progent then completed the rebuild and disk recovery of key applications. All Exchange Server relationships and configuration data were intact, which greatly simplified the Exchange restore. Progent also located local OST files (Microsoft Outlook Offline Data Files) on various desktops and laptops and used them to recover mailbox data. A reasonably recent offline backup of the client's accounting software made it possible to bring those essential services back online. Although much work remained to recover fully from the Ryuk event, critical services were returned to operation rapidly:
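Finding the intact OST files and the surviving backup that the recovery above relied on means separating usable files from encrypted ones across hundreds of machines, faster than opening each one. The following is an added example, not Progent's code or anything from the case study: it triages a file tree using two offline signals, the fixed signature many container formats start with (Outlook PST/OST files begin with the bytes `!BDN`) and the near-random byte distribution of ciphertext. The sample files it writes into a temporary directory are constructed for the demo, and `RANSOM_EXTS` is an assumed starter list to be extended with the extension observed in a given incident.

```python
"""Triage surviving files after an encryption event.

Added example (not Progent's code). Two offline signals tell intact files from
encrypted ones: many container formats open with a fixed signature (Outlook
PST/OST files begin with b'!BDN'), and ransomware output is close to uniformly
random, so a file whose header no longer matches its expected magic and whose
Shannon entropy approaches 8 bits per byte has almost certainly been encrypted
in place. Checking the magic before the entropy keeps compressed formats
(docx, zip) from being misreported. RANSOM_EXTS is an assumed starter list.
"""
import math
import os
import random
import tempfile
from collections import Counter

MAGIC = {
    ".ost": b"!BDN", ".pst": b"!BDN",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF",
}
RANSOM_EXTS = {".ryk", ".locked", ".encrypted"}  # assumption: per-incident list
HIGH_ENTROPY = 7.5  # bits/byte; plain text is ~4-5, ciphertext ~7.99

def shannon_entropy(data):
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_file(path, sample_size=1 << 20):
    """Classify one file from its name, leading bytes and entropy."""
    ext = os.path.splitext(os.path.basename(path).lower())[1]
    if ext in RANSOM_EXTS:
        return "renamed_by_ransomware"
    with open(path, "rb") as f:
        head = f.read(sample_size)
    entropy = shannon_entropy(head)
    expected = MAGIC.get(ext)
    if expected is not None:
        if head.startswith(expected):
            return "intact"
        return "encrypted_in_place" if entropy > HIGH_ENTROPY else "damaged"
    # No known signature: entropy is the only evidence, so report, don't decide.
    return "suspect_high_entropy" if entropy > HIGH_ENTROPY else "unknown_format"

def triage_tree(root):
    """Map every file under root (relative path, '/'-separated) to its verdict."""
    verdicts = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            verdicts[rel] = classify_file(full)
    return verdicts

def build_sample_tree(root):
    """Write constructed sample files: intact, renamed, encrypted in place, compressed."""
    rng = random.Random(20240302)  # fixed seed so the demo is reproducible

    def noise(n):  # seeded pseudo-random bytes stand in for ciphertext
        return bytes(rng.getrandbits(8) for _ in range(n))

    files = {
        "mail/jdoe.ost": b"!BDN" + b"\x00" * 4092 + b"Subject: Q3 forecast\r\n" * 2000,
        "mail/asmith.ost.RYK": noise(65536),                # renamed and encrypted
        "mail/bkim.ost": noise(65536),                      # encrypted, name preserved
        "docs/po-4471.docx": b"PK\x03\x04" + noise(32768),  # compressed, still intact
        "docs/invoice.pdf": b"%PDF-1.7\n" + b"1 0 obj\n" * 500,
        "db/erp.bak": noise(65536),                         # no signature on file
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)

def run_demo():
    """Build the sample tree in a temp dir, triage it and return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage_tree(tmp)

if __name__ == "__main__":
    for rel, verdict in sorted(run_demo().items()):
        print(f"{verdict:22} {rel}")
```

Point the `triage_tree` call at a mounted backup volume or a workstation's Outlook profile directory and sort by verdict: files reported `intact` are recovery candidates, `encrypted_in_place` and `renamed_by_ransomware` are not worth copying, and `suspect_high_entropy` needs a human look because compressed SQL backups legitimately score high without carrying a signature this script knows.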
"For the most part, the production line operation ran fairly normal throughout and we made all customer deliverables."
Over the following couple of weeks, important milestones in the restoration were reached in close cooperation between Progent's team and the client:
- Self-hosted web applications were brought back up with no loss of data.
- The MailStore archive for Exchange Server, containing more than four million archived messages, was restored and made accessible to users.
- CRM, customer orders, invoicing, accounts payable, accounts receivable and inventory functions were fully operational.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Most user PCs were back in operation.
"A huge amount of what happened in the early hours is nearly entirely a fog for me, but our team will not soon forget the commitment each and every one of you put in to give us our company back. I have been working together with Progent for at least 10 years, maybe more, and each time I needed help Progent has come through and delivered. This situation was a stunning achievement."
A probable business-extinction catastrophe was averted through dedicated professionals, a broad spectrum of subject matter expertise, and close teamwork. Although, in hindsight, the ransomware attack described here would have been identified and blocked by modern security solutions and recognized best practices, user and IT administrator education, proper patching controls, and appropriate incident response and data protection procedures, the fact is that state-sponsored and criminal cyber gangs from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to crypto-ransomware, you can be confident that Progent's roster of experts has extensive experience in ransomware blocking, remediation, and data restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), I'm grateful for allowing me to get rested after we got through the first week. Everyone did a fabulous job, and if anyone is visiting the Chicago area, dinner is on me!"
To review or download a PDF version of this ransomware incident report, see Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in El Paso a range of remote monitoring and security assessment services to help reduce your exposure to ransomware. These services use behavior-based and machine-learning detection to uncover zero-day ransomware variants that evade legacy signature-based antivirus.
For El Paso 24x7 crypto-ransomware cleanup support services, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses next-generation behavior analysis to defend physical and virtual endpoints against modern malware such as ransomware and fileless exploits, which evade legacy signature-based AV tools. ProSight Active Security Monitoring protects local and cloud resources and provides a unified platform that addresses the complete malware attack lifecycle: protection, detection, mitigation, cleanup, and forensics. Key features include one-click rollback using the Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Because the ransomware families described above delete shadow copies early in an attack, rollback depends on the agent blocking that deletion before encryption begins, so the protection and rollback features work together rather than as separate safety nets. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
ProSight Enhanced Security Protection services deliver affordable multi-layer security for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics to continuously monitor and react to security threats from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device control, and web filtering through leading-edge technologies packaged within a single agent accessible from a unified console. Progent's data protection and virtualization experts can help your business design and configure a ProSight ESP deployment that meets your company's requirements and that allows you to prove compliance with legal and industry information protection standards. Progent will assist you in specifying and implementing the security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for urgent attention. Progent's consultants can also help you set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent give small and mid-sized businesses an affordable end-to-end service for reliable backup and disaster recovery (BDR). For a low monthly rate, ProSight Data Protection Services automates and monitors your backup processes and enables rapid recovery of critical data, applications and virtual machines that have been lost or corrupted by component failures, software bugs, natural disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, and Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to a local device, or to both. Progent's BDR consultants can provide advanced expertise to configure ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FERPA, PCI and Safe Harbor and, whenever needed, can assist you in restoring your business-critical data. Learn more about ProSight DPS Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading data security vendors to deliver web-based control and comprehensive security for all your email traffic. The architecture of Progent's Email Guard managed service integrates cloud-based filtering with a local gateway appliance to offer layered defense against spam, viruses, denial-of-service (DoS) attacks, directory harvest attacks, and other email-borne threats. The cloud filter acts as a preliminary barrier and keeps the vast majority of unwanted email from reaching your network firewall, which reduces your exposure to external threats and saves bandwidth and storage. Email Guard's onsite security gateway provides a deeper layer of inspection for inbound email. For outbound email, the onsite gateway offers antivirus and anti-spam protection, DLP, and email encryption. The onsite gateway can also help Microsoft Exchange Server track and safeguard internal email that originates and ends inside your security perimeter. For more information, see Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller organizations to diagram, monitor, reconfigure and troubleshoot their connectivity devices such as routers, switches, firewalls, and wireless controllers, as well as servers, printers, endpoints and other networked devices. Built on Remote Monitoring and Management (RMM) technology, WAN Watch keeps infrastructure topology maps current, copies and displays the configuration of almost every device connected to your network, tracks performance, and sends alerts when issues are discovered. By automating time-consuming network management processes, WAN Watch can cut hours from ordinary chores like network mapping, expanding your network, finding devices that need critical updates, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses remote monitoring and management (RMM) technology to help keep your IT system operating efficiently by checking the health of the critical computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your designated IT management staff and your Progent engineering consultant so that looming problems can be addressed before they affect productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual host configured and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the apps. Because the environment is virtualized, it can be moved immediately to an alternate hosting solution without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and protect information about your IT infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or warranties. By keeping your network documentation current and organized, you can eliminate up to half the time wasted searching for vital information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're making enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.