Ransomware: Your Crippling Information Technology Nightmare
Ransomware has become an all-too-frequent cyber pandemic that poses an existential danger to any business that is vulnerable to an attack. Older crypto-ransomware families such as CrySIS, Fusob, Bad Rabbit, SamSam and MongoLock have circulated for years and still cause damage. Newer strains such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch and Egregor, along with a steady stream of unnamed newcomers, not only encrypt online data but also sabotage whatever protection mechanisms they can reach: they delete Volume Shadow Copies, wipe backup catalogs, disable boot recovery, and encrypt any backup repository that is mounted or reachable over the network. Backups replicated to an off-site disaster recovery location can be rendered useless in the same way if the replication channel carries the encrypted files. In a poorly architected environment this can make restoration impossible and effectively sets the datacenter back to square one.
Restoring applications and data after a ransomware event becomes a race against time as the targeted business tries to stop the spread, eradicate the malware, and bring business-critical activity back. Because encrypting a whole estate takes time, attackers typically trigger the encryption phase at night or over a weekend, when detection and response are slowest. This multiplies the difficulty of quickly mobilizing and orchestrating an experienced response team.
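The sabotage described above leaves a reliable trace in process-creation telemetry: the commands that delete shadow copies, wipe the backup catalog and disable boot recovery are run shortly before encryption begins. The following detector is an added example (not Progent's tooling or any product described on this page). It scans constructed Sysmon Event ID 1 records, assumed here to be forwarded as one JSON object per line with the field names Sysmon uses, flags the backup-tampering commands, and raises the score for events outside business hours, since that is when operators prefer to launch the encryption phase. The log lines, hostnames and user names are constructed for this example.

```python
"""Flag ransomware pre-encryption tampering with Windows recovery mechanisms.

Added example, not code from the page or from Progent. Input is assumed to be
Sysmon Event ID 1 (process creation) records, one JSON object per line, with
Sysmon's own field names (EventID, UtcTime, Computer, User, CommandLine).
"""
import json
import re
from datetime import datetime
from typing import List, Optional

# (rule name, regex over the full command line, base severity)
TAMPER_RULES = [
    ("vss_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), 10),
    ("vss_resize", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I), 7),
    ("wmic_shadow", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), 10),
    ("wbadmin_catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I), 8),
    ("bcdedit_recovery", re.compile(r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I), 8),
]
OFF_HOURS_BONUS = 3            # added when the event is at night or on a weekend
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59, Monday to Friday (assumed local time)

# Constructed sample log: four process-creation events and one network event.
SAMPLE_LOG = r"""
{"EventID": 1, "UtcTime": "2020-03-14T02:17:05", "Computer": "FILESRV01", "User": "CORP\\svc_backup", "CommandLine": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"}
{"EventID": 1, "UtcTime": "2020-03-16T10:02:11", "Computer": "WS-0142", "User": "CORP\\jdoe", "CommandLine": "notepad.exe C:\\Users\\jdoe\\notes.txt"}
{"EventID": 3, "UtcTime": "2020-03-16T10:02:12", "Computer": "WS-0142", "User": "CORP\\jdoe", "CommandLine": ""}
{"EventID": 1, "UtcTime": "2020-03-16T10:31:40", "Computer": "FILESRV01", "User": "CORP\\svc_backup", "CommandLine": "wbadmin delete catalog -quiet"}
{"EventID": 1, "UtcTime": "2020-03-14T02:17:09", "Computer": "DC01", "User": "CORP\\svc_backup", "CommandLine": "bcdedit /set {default} recoveryenabled No"}
"""


def is_off_hours(ts: datetime) -> bool:
    """Weekend, or weekday outside BUSINESS_HOURS."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def score_event(event: dict) -> Optional[dict]:
    """Return an alert dict for a tampering command, or None for benign events."""
    cmd = event.get("CommandLine", "")
    hits = [name for name, rx, _ in TAMPER_RULES if rx.search(cmd)]
    if not hits:
        return None
    ts = datetime.fromisoformat(event["UtcTime"])
    score = max(sev for name, _, sev in TAMPER_RULES if name in hits)
    if is_off_hours(ts):
        score += OFF_HOURS_BONUS
    return {"host": event["Computer"], "user": event["User"], "time": ts,
            "rules": hits, "score": score, "cmd": cmd}


def scan(lines) -> List[dict]:
    """Parse JSON lines, keep process-creation events, return alerts in input order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 1:
            continue
        alert = score_event(ev)
        if alert:
            alerts.append(alert)
    return alerts


def summarize(alerts: List[dict]) -> dict:
    """Highest score seen per host: one host running several of these commands in
    a short window is the strongest signal that encryption is about to start."""
    worst = {}
    for a in alerts:
        worst[a["host"]] = max(worst.get(a["host"], 0), a["score"])
    return worst


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a['time']:%a %H:%M} {a['host']:<10} score={a['score']:>2} {a['rules']} :: {a['cmd']}")
    print("worst per host:", summarize(found))
```

The rules are deliberately narrow so the detector can be tuned with exclusions for the handful of legitimate backup jobs that run `vssadmin` on a known schedule; an alert on a domain controller or file server at two in the morning on a Saturday, as in the constructed sample, is the case that should page someone immediately.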
Progent provides a range of services for protecting organizations against ransomware intrusions. Among these are staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of current-generation security appliances with AI capabilities to identify and block new attacks. Progent also provides expert ransomware recovery engineers with the track record and perseverance to rebuild a compromised network as quickly as possible.
Progent's Ransomware Recovery Services
After a crypto-ransomware intrusion, paying the ransom, usually in Bitcoin, provides no assurance that the criminals will hand over working keys for any or all of your data, and decryptors supplied by the attackers are themselves often slow or buggy, so even a paid recovery has to be verified file by file. Kaspersky Lab found that 17 percent of ransomware victims never recovered their data even after paying, compounding their losses. The ransoms themselves are large: Ryuk demands frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the average ransomware demand, which ZDNet put at around $13,000. The alternative is to piece the essential parts of your IT environment back together. Without access to complete, uncompromised backups, this requires a wide range of skills, professional project management, and the willingness to work around the clock until the recovery is complete.
For decades, Progent has provided professional IT services to companies in Greensboro and throughout the US, and has earned Microsoft Partner status with the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who hold advanced industry certifications in key technologies from Microsoft, Cisco and VMware and in the popular Linux distributions. Progent's security engineers hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of expertise lets Progent identify the important systems, salvage the intact components of your network after a ransomware attack, and rebuild them into an operational environment.
Progent's security team uses best-of-breed project management systems to coordinate the complex restoration process. Progent understands the importance of working rapidly and in unison with a client's management and IT staff to prioritize tasks and to get the most important systems back online as soon as humanly possible.
Client Story: A Successful Crypto-Ransomware Intrusion Recovery
A business escalated to Progent after its network was taken over by the Ryuk ransomware. Ryuk was at first attributed to North Korean state hackers because it reuses code from the Hermes ransomware associated with the Lazarus Group; later analysis tied Ryuk operations to a Russian-speaking criminal group, and it is typically deployed as the final stage of an intrusion that begins with Emotet or TrickBot, toolkits whose lateral-movement modules have used the leaked EternalBlue exploit. Ryuk targets organizations with limited ability to tolerate operational disruption and is one of the most profitable ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company headquartered in the Chicago metro area with around 500 staff members. The Ryuk intrusion had halted all company operations and manufacturing processes. Most of the client's backups had been online at the time of the attack and were encrypted along with everything else. The client was considering paying the ransom (over $200,000) and hoping for the best, but in the end decided to engage Progent.
"I cannot say enough about the support Progent provided us during the most fearful time of (our) business's survival. We had little choice but to pay the criminal gangs if it wasn't for the confidence the Progent group provided us. The fact that you could get our e-mail and production applications back sooner than a week was earth shattering. Every single person I spoke to or texted at Progent was urgently focused on getting my company operational and was working day and night to bail us out."
Progent worked with the client to rapidly identify and prioritize the most important systems that had to be restored in order to resume company operations:
- Active Directory
- Exchange Server
To begin, Progent followed standard malware incident response practice by isolating affected systems and cleaning them of malware. Progent then began recovering Windows Active Directory, the core of any network built on Microsoft technology. Microsoft Exchange Server will not operate without Active Directory, and the customer's accounting and MRP applications ran on Microsoft SQL Server, which relies on Active Directory for Windows authentication to the data.
Within 2 days, Progent restored Active Directory to its pre-attack state. Progent then began rebuilding the most important applications and recovering their storage. All of the Exchange Server configuration and Active Directory links were intact, which simplified the Exchange rebuild. Progent also recovered email messages from the local OST files (Outlook's offline cache files) on staff PCs and laptops; an OST has to be exported before Outlook resynchronizes with a rebuilt mailbox, or the cached mail is lost. A recent offline backup of the client's manufacturing software made it possible to return those essential applications to service. Although major work remained to recover fully from the Ryuk damage, essential systems were back in operation quickly:
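The recovery above followed dependencies rather than importance alone: Exchange and the SQL-backed MRP and accounting systems were blocked until Active Directory was back, and each system was restored from whatever clean source survived (an offline backup, intact configuration, or cached copies on workstations). The planner below is an added example, not Progent's tooling, that makes that reasoning explicit. It takes a constructed inventory in which each system lists its prerequisites and backup state, computes restoration waves with a topological sort (systems in the same wave can be worked in parallel), and names the recovery source for each, flagging any system that has neither a clean backup nor an alternative. The inventory, system names and recovery sources are assumptions for this example and are not the client's actual configuration.

```python
"""Dependency-ordered recovery planning after a ransomware incident.

Added example, not code from the page or from Progent. Inventory below is
constructed; the dependency edges follow the case study's reasoning
(Exchange and SQL Server need Active Directory; the applications need SQL).
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class System:
    name: str
    depends_on: List[str] = field(default_factory=list)
    offline_backup: bool = False   # an offline/immutable copy survived the encryption
    alternative: str = ""          # recovery source when no clean backup exists


# Constructed inventory (assumed, not the client's real environment).
INVENTORY = [
    System("ActiveDirectory", alternative="rebuild from surviving domain controller state"),
    System("ExchangeServer", ["ActiveDirectory"],
           alternative="rebuild from intact configuration; import mail exported from OST files"),
    System("SQLServer", ["ActiveDirectory"], offline_backup=True),
    System("MRP", ["SQLServer"], offline_backup=True),
    System("Accounting", ["SQLServer"]),           # no clean source at all
    System("WebSites", offline_backup=True),
    System("Desktops", ["ActiveDirectory"], alternative="reimage and rejoin domain"),
]


def recovery_waves(systems: List[System]) -> List[List[str]]:
    """Kahn's algorithm. Returns waves of systems that can be restored in
    parallel; raises if the inventory has a cycle or an unknown dependency."""
    by_name = {s.name: s for s in systems}
    indegree = {s.name: 0 for s in systems}
    dependents = defaultdict(list)
    for s in systems:
        for prereq in s.depends_on:
            if prereq not in by_name:
                raise ValueError(f"{s.name} depends on unknown system {prereq}")
            indegree[s.name] += 1
            dependents[prereq].append(s.name)
    wave = sorted(n for n, k in indegree.items() if k == 0)
    waves = []
    while wave:
        waves.append(wave)
        ready = []
        for done in wave:
            for dep in dependents[done]:
                indegree[dep] -= 1
                if indegree[dep] == 0:
                    ready.append(dep)
        wave = sorted(ready)
    if sum(len(w) for w in waves) != len(systems):
        raise ValueError("dependency cycle in inventory")
    return waves


def plan(systems: List[System]) -> List[Tuple[int, str, str]]:
    """(wave number, system, recovery source) for every system, in restore order."""
    by_name = {s.name: s for s in systems}
    steps = []
    for i, wave in enumerate(recovery_waves(systems), start=1):
        for name in wave:
            s = by_name[name]
            if s.offline_backup:
                source = "restore from offline backup"
            elif s.alternative:
                source = s.alternative
            else:
                source = "NO CLEAN SOURCE: rebuild from scratch / re-enter data"
            steps.append((i, name, source))
    return steps


def unrecoverable(systems: List[System]) -> List[str]:
    """Systems with no surviving backup and no alternative: these decide whether
    paying the ransom is even on the table, so surface them first."""
    return [s.name for s in systems if not s.offline_backup and not s.alternative]


if __name__ == "__main__":
    print("no clean source:", unrecoverable(INVENTORY))
    for wave, name, source in plan(INVENTORY):
        print(f"wave {wave}: {name:<16} {source}")
```

Running the block prints Active Directory and the web sites in the first wave, Exchange, SQL Server and the desktops in the second, and the two SQL-backed applications in the third, with Accounting flagged as having no clean source. The same inventory file is worth keeping current before an incident: the `unrecoverable` list is the set of systems whose only protection is an online backup that ransomware will reach.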
"For the most part, the assembly line operation showed little impact and we did not miss any customer shipments."
Over the next couple of weeks the key milestones in the recovery were reached through close cooperation between Progent's team and the client:
- Self-hosted web sites were returned to operation with no loss of information.
- The MailStore email archive server, holding more than 4 million archived Exchange messages, was brought back online and made available to users.
- CRM/Product Ordering/Invoicing/AP/AR/Inventory Control functions were fully operational.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Most of the user desktops were operational.
"Much of what was accomplished that first week is mostly a haze for me, but I will not soon forget the dedication all of you accomplished to help get our business back. I've utilized Progent for at least 10 years, maybe more, and every time Progent has shined and delivered. This situation was no exception but maybe more Herculean."
A probable business catastrophe was averted through dedicated professionals, a wide array of technical expertise, and tight collaboration. The post-incident review showed that the intrusion described here would have been detected and stopped by current security tooling combined with recognized best practices: staff training, incident response procedures, offline and tested backups, and disciplined patch management. The reality remains that state-sponsored actors and criminal cyber gangs in Russia, China and elsewhere are tireless and will keep coming. If you are hit by a ransomware attack, Progent's roster of experts has proven experience in ransomware defense, remediation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), I'm grateful for making it so I could get some sleep after we made it past the initial push. Everyone did an amazing effort, and if anyone is visiting the Chicago area, a great meal is on me!"
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Greensboro a variety of remote monitoring and security evaluation services to help minimize the threat from ransomware. These services include behavior-based machine learning to catch new ransomware strains that slip past legacy signature-based security products.
For 24/7/365 Greensboro Ransomware Remediation Consultants, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that uses behavior-based machine learning to guard physical and virtual endpoints against modern malware such as ransomware and phishing payloads, which readily evade traditional signature-matching anti-virus products. ProSight Active Security Monitoring protects local and cloud resources and provides a single platform for managing the complete attack lifecycle: protection, detection, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and automatic network-wide immunization against newly discovered threats. Because deleting shadow copies is one of the first things most ransomware does, rollback is only as good as the agent's ability to protect those snapshots from tampering. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Filtering
ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer protection for physical servers and virtual machines, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and behavior analysis to continuously monitor and respond to threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint management, and web filtering through leading tools packaged in a single agent managed from a unified console. Progent's security and virtualization consultants can help your business plan and implement a ProSight ESP deployment that meets your organization's specific needs and lets you demonstrate compliance with legal and industry data security standards. Progent will help you define and implement the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require urgent action. Progent's consultants can also help you install and test a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business rapidly after a potentially disastrous attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services offer small and medium-sized businesses an affordable, fully managed solution for reliable backup and disaster recovery. Available at a low monthly cost, ProSight DPS automates your backup activities and enables rapid recovery of critical data, applications and VMs that have become unavailable or damaged as a result of component failures, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to an on-premises device, or to both; keeping at least one copy that is offline or otherwise unreachable from the production network is what makes a backup survive a ransomware attack. Progent's backup and recovery specialists can set up ProSight DPS to comply with regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, when needed, can help you recover your business-critical data. Find out more about ProSight DPS Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading data security vendors to provide centralized control and world-class protection for your inbound and outbound email. The hybrid architecture of Progent's Email Guard combines a Cloud Protection Layer with an on-premises security gateway appliance to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's cloud filter serves as a first line of defense and blocks the vast majority of unwanted email from making it to your security perimeter. This decreases your exposure to external threats and conserves system bandwidth and storage. Email Guard's on-premises security gateway device adds a deeper level of analysis for incoming email. For outbound email, the local security gateway offers AV and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also help Exchange Server to monitor and safeguard internal email that originates and ends inside your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to map out, track, optimize and troubleshoot their connectivity appliances such as routers and switches, firewalls, and wireless controllers plus servers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology maps are kept current, copies and displays the configuration of almost all devices connected to your network, tracks performance, and generates notices when issues are discovered. By automating tedious network management processes, ProSight WAN Watch can knock hours off common tasks like making network diagrams, expanding your network, finding appliances that need critical updates, or resolving performance problems. Find out more about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management techniques to help keep your IT system operating at peak levels by checking the health of critical computers that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your specified IT management staff and your Progent consultant so that any looming problems can be addressed before they can impact your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host set up and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the applications. Since the environment is virtualized, it can be ported immediately to a different hosting environment without a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and protect data about your network infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or warranties. By updating and organizing your IT infrastructure documentation, you can eliminate as much as half of the time wasted searching for critical information about your IT network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents related to managing your network infrastructure like recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether you're making improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require when you need it. Find out more about Progent's ProSight IT Asset Management service.