Ransomware : Your Feared Information Technology Disaster
Ransomware  Recovery ProfessionalsCrypto-Ransomware has become a too-frequent cyberplague that poses an enterprise-level threat for businesses of all sizes unprepared for an assault. Versions of ransomware such as CrySIS, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been replicating for a long time and continue to cause harm. Newer variants of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, plus daily unnamed viruses, not only encrypt on-line files but also infiltrate most available system restores and backups. Information synchronized to cloud environments can also be rendered useless. In a poorly architected data protection solution, this can make any restoration hopeless and basically sets the network back to square one.

Getting back on-line applications and information following a ransomware attack becomes a sprint against time as the victim struggles to stop the spread and eradicate the ransomware and to resume enterprise-critical activity. Because ransomware needs time to move laterally, penetrations are usually launched during nights and weekends, when attacks in many cases take longer to notice. This compounds the difficulty of promptly marshalling and orchestrating a knowledgeable mitigation team.

Progent provides a range of solutions for protecting enterprises from ransomware penetrations. These include team training to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of the latest generation security gateways with machine learning technology to rapidly discover and suppress zero-day cyber threats. Progent in addition can provide the services of veteran crypto-ransomware recovery engineers with the talent and perseverance to restore a compromised network as urgently as possible.

Progent's Crypto-Ransomware Recovery Help
Subsequent to a crypto-ransomware penetration, sending the ransom demands in Bitcoin cryptocurrency does not guarantee that distant criminals will respond with the needed codes to decrypt all your files. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never recovered their files even after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is well higher than the usual crypto-ransomware demands, which ZDNET averages to be around $13,000. The alternative is to piece back together the vital parts of your Information Technology environment. Without the availability of essential data backups, this calls for a wide range of skills, professional team management, and the willingness to work continuously until the task is completed.

For twenty years, Progent has made available certified expert IT services for businesses in Garland and throughout the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have been awarded high-level industry certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally-recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise in financial management and ERP software solutions. This breadth of expertise provides Progent the capability to quickly determine important systems and re-organize the surviving pieces of your Information Technology system after a ransomware penetration and assemble them into a functioning system.

Progent's security group deploys state-of-the-art project management systems to coordinate the complicated recovery process. Progent understands the importance of working quickly and in concert with a customerís management and IT staff to assign priority to tasks and to put essential systems back on-line as fast as possible.

Case Study: A Successful Ransomware Incident Response
A small business contacted Progent after their organization was taken over by Ryuk ransomware. Ryuk is thought to have been launched by North Korean state sponsored criminal gangs, suspected of using technology leaked from Americaís NSA organization. Ryuk seeks specific businesses with little room for operational disruption and is among the most profitable versions of ransomware malware. Well Known targets include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business based in the Chicago metro area and has around 500 staff members. The Ryuk event had paralyzed all company operations and manufacturing processes. The majority of the client's information backups had been on-line at the time of the intrusion and were eventually encrypted. The client was evaluating paying the ransom (exceeding $200K) and hoping for the best, but in the end made the decision to use Progent.


"I canít thank you enough in regards to the care Progent provided us during the most critical period of (our) businesses survival. We may have had to pay the Hackers except for the confidence the Progent experts gave us. That you could get our messaging and key applications back on-line sooner than a week was earth shattering. Each person I talked with or e-mailed at Progent was hell bent on getting our company operational and was working 24/7 on our behalf."

Progent worked hand in hand the client to quickly determine and prioritize the mission critical elements that needed to be recovered in order to resume company functions:

  • Active Directory (AD)
  • Electronic Messaging
  • Accounting and Manufacturing Software
To start, Progent followed ransomware penetration mitigation industry best practices by stopping lateral movement and clearing infected systems. Progent then initiated the task of rebuilding Microsoft AD, the heart of enterprise systems built on Microsoft Windows technology. Microsoft Exchange email will not operate without Active Directory, and the customerís accounting and MRP software used SQL Server, which needs Active Directory services for access to the database.

In less than 48 hours, Progent was able to re-build Active Directory to its pre-attack state. Progent then helped perform reinstallations and storage recovery on the most important systems. All Exchange schema and configuration information were intact, which accelerated the restore of Exchange. Progent was also able to assemble non-encrypted OST files (Outlook Off-Line Data Files) on staff desktop computers and laptops in order to recover email information. A recent offline backup of the client's financials/ERP software made them able to recover these required programs back online for users. Although a lot of work still had to be done to recover completely from the Ryuk virus, core systems were restored quickly:


"For the most part, the manufacturing operation survived unscathed and we produced all customer shipments."

Over the next few weeks important milestones in the recovery process were accomplished in close collaboration between Progent consultants and the customer:

  • Self-hosted web applications were brought back up with no loss of information.
  • The MailStore Server containing more than 4 million historical emails was brought on-line and available for users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory modules were completely functional.
  • A new Palo Alto 850 security appliance was set up and programmed.
  • Most of the user desktops and notebooks were fully operational.

"So much of what went on during the initial response is mostly a blur for me, but my management will not soon forget the care all of the team put in to help get our company back. I have been working with Progent for at least 10 years, possibly more, and each time Progent has impressed me and delivered as promised. This situation was a testament to your capabilities."

Conclusion
A potential business-killing catastrophe was avoided with top-tier professionals, a broad array of technical expertise, and tight teamwork. Although in hindsight the crypto-ransomware virus attack described here should have been prevented with modern cyber security technology solutions and recognized best practices, staff training, and well thought out incident response procedures for information protection and keeping systems up to date with security patches, the reality is that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do fall victim to a crypto-ransomware attack, remember that Progent's team of experts has extensive experience in ransomware virus defense, removal, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thank you for allowing me to get rested after we got through the initial fire. Everyone did an amazing job, and if anyone that helped is visiting the Chicago area, a great meal is on me!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Garland a portfolio of online monitoring and security assessment services to assist you to minimize the threat from ransomware. These services include modern machine learning technology to uncover zero-day strains of ransomware that are able to get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes next generation behavior analysis tools to defend physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely get by traditional signature-based AV tools. ProSight Active Security Monitoring safeguards local and cloud resources and provides a unified platform to automate the complete malware attack progression including blocking, infiltration detection, containment, remediation, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection managed services offer affordable multi-layer protection for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and responding to cyber threats from all vectors. ProSight ESP delivers firewall protection, intrusion alarms, endpoint control, and web filtering via leading-edge tools packaged within a single agent accessible from a single console. Progent's data protection and virtualization experts can assist your business to plan and configure a ProSight ESP environment that addresses your company's unique needs and that allows you demonstrate compliance with government and industry information security standards. Progent will assist you define and implement policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that call for immediate action. Progent's consultants can also help your company to install and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and mid-sized businesses a low cost and fully managed solution for reliable backup/disaster recovery (BDR). Available at a low monthly price, ProSight DPS automates your backup processes and enables rapid recovery of vital data, apps and virtual machines that have become unavailable or damaged as a result of hardware breakdowns, software bugs, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to a local device, or mirrored to both. Progent's BDR specialists can provide world-class expertise to configure ProSight DPS to to comply with regulatory standards such as HIPAA, FIRPA, PCI and Safe Harbor and, whenever necessary, can assist you to restore your critical data. Read more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of leading data security companies to provide centralized management and comprehensive protection for your email traffic. The hybrid structure of Email Guard managed service integrates a Cloud Protection Layer with a local security gateway device to offer complete defense against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps the vast majority of threats from reaching your security perimeter. This reduces your exposure to inbound threats and saves network bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a deeper level of inspection for inbound email. For outbound email, the on-premises gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to track and protect internal email traffic that originates and ends within your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to map, track, reconfigure and troubleshoot their networking appliances such as switches, firewalls, and wireless controllers as well as servers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that network diagrams are kept updated, captures and displays the configuration of virtually all devices connected to your network, tracks performance, and sends alerts when problems are discovered. By automating complex management and troubleshooting activities, ProSight WAN Watch can cut hours off common chores such as making network diagrams, expanding your network, locating appliances that require critical software patches, or isolating performance issues. Find out more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management techniques to keep your network operating efficiently by checking the health of vital assets that drive your information system. When ProSight LAN Watch detects a problem, an alert is sent immediately to your designated IT staff and your assigned Progent engineering consultant so all potential issues can be resolved before they can impact your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual host set up and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the apps. Since the system is virtualized, it can be ported immediately to a different hardware environment without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and protect information about your network infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be warned automatically about upcoming expirations of SSLs ,domains or warranties. By updating and managing your IT infrastructure documentation, you can save as much as half of time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents related to managing your business network like recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether youíre planning enhancements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need the instant you need it. Learn more about ProSight IT Asset Management service.
For 24-7 Garland Ransomware Removal Support Services, call Progent at 800-993-9400 or go to Contact Progent.