Ransomware: Your Feared IT Nightmare
Ransomware has become a modern cyberplague that presents an enterprise-level danger for businesses poorly prepared for an attack. Different versions of crypto-ransomware like the CryptoLocker, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been circulating for a long time and continue to inflict harm. The latest strains of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, as well as daily unnamed newcomers, not only encrypt online information but also attack any backups and system-protection resources they can reach. Files replicated to cloud environments can also be corrupted. In a vulnerable system, this can render automated restore operations impossible and effectively knocks the entire system back to square one.
Restoring applications and data after a crypto-ransomware event becomes a sprint against time as the targeted business tries its best to stop the spread, clear the ransomware, and resume business-critical operations. Because crypto-ransomware takes time to spread, penetrations are usually launched on weekends and holidays, when a successful penetration is likely to take longer to discover. This multiplies the difficulty of quickly mobilizing and orchestrating a knowledgeable mitigation team.
Progent offers a variety of solutions for protecting organizations from ransomware penetrations. Among these are user education to become familiar with and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of next-generation security gateways with machine learning technology to rapidly identify and disable new cyber attacks. Progent in addition provides the assistance of veteran crypto-ransomware recovery professionals with the track record and commitment to reconstruct a compromised environment as rapidly as possible.
Progent's Ransomware Restoration Support Services
Following a ransomware penetration, even paying the ransom in Bitcoin cryptocurrency does not ensure that the attackers will respond with the keys needed to decrypt all your information. Kaspersky estimated that 17% of ransomware victims never recovered their information after having sent off the ransom, resulting in increased losses. The ransom itself is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000). This is significantly higher than the typical ransomware demand, which ZDNET estimates to be in the range of $13,000. The alternative is to piece back together the key components of your Information Technology environment. Without the availability of essential information backups, this calls for a broad range of IT skills, well-coordinated team management, and the willingness to work 24x7 until the task is over.
For two decades, Progent has provided certified expert Information Technology services for businesses in Baton Rouge and throughout the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have earned advanced certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have garnered internationally-recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has experience with accounting and ERP application software. This breadth of expertise provides Progent the capability to efficiently identify important systems and organize the remaining parts of your network environment following a crypto-ransomware event and rebuild them into a functioning system.
Progent's recovery group deploys state-of-the-art project management applications to orchestrate the complex restoration process. Progent appreciates the urgency of acting quickly and in unison with a customer's management and Information Technology team members to prioritize tasks and to put key services back online as soon as possible.
Customer Case Study: A Successful Ransomware Virus Response
A client escalated to Progent after their network system was taken over by the Ryuk ransomware virus. Ryuk is generally considered to have been deployed by North Korean state hackers, suspected of using approaches leaked from the U.S. National Security Agency. Ryuk targets specific companies with limited tolerance for disruption and is among the most lucrative iterations of crypto-ransomware. High-profile victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business based in the Chicago metro area with about 500 workers. The Ryuk attack had disabled all business operations and manufacturing capabilities. Most of the client's data backups had been online at the start of the intrusion and were eventually encrypted. The client considered paying the ransom demand (more than $200,000) and hoping for the best, but in the end engaged Progent.
"I can't speak enough in regards to the help Progent provided us during the most critical time of (our) business's survival. We may have had to pay the hackers behind this attack except for the confidence the Progent group afforded us. That you could get our e-mail system and production applications back on-line quicker than seven days was amazing. Every single staff member I spoke to or messaged at Progent was absolutely committed to getting our company operational and was working all day and night on our behalf."
Progent worked with the customer to rapidly understand and assign priority to the mission critical services that had to be recovered in order to continue business functions:
- Active Directory
- Microsoft Exchange Email
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for malware incident response by isolating and disinfecting systems. Progent then began the steps of bringing back online Microsoft Active Directory, the core of enterprise systems built upon Microsoft technology. Microsoft Exchange Server email will not work without Active Directory, and the business's financials and MRP software used Microsoft SQL Server, which requires Active Directory services for authentication to the data.
Within 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then assisted with setup and hard drive recovery on mission critical applications. All Exchange schema and attributes were intact, which greatly helped the rebuild of Exchange. Progent was able to locate intact OST files (Outlook Email Off-Line Folder Files) on various PCs in order to recover mail information. A reasonably recent off-line backup of the customer's manufacturing software made it possible to bring these required applications back online. Although major work still had to be done to recover fully from the Ryuk attack, critical services were returned to operations rapidly:
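The mail recovery step above depended on finding OST files that the ransomware had not yet overwritten. The following PowerShell script is an added triage example, not Progent's tooling or part of the original case study: it inventories Outlook data files under a search root and reports whether each still begins with the "!BDN" signature that the MS-PST header (shared by OST and PST files) places in its first four bytes. A file whose contents have been encrypted no longer carries that header, so the report separates candidates for mailbox recovery from files that are no longer usable. The search root `C:\Users` and the CSV output path are assumptions; run it per workstation or through `Invoke-Command` with read access to the user profiles.

```powershell
# Added example (not Progent's code): triage OST/PST files on a workstation after a
# crypto-ransomware event. Flags files that still carry the Outlook data-file header
# ("!BDN", the dwMagic field of the MS-PST format) versus files that have been overwritten.
# Assumptions: local run with read access to user profiles; -SearchRoot defaults to C:\Users.
param(
    [string]$SearchRoot = 'C:\Users',
    [string]$ReportPath = "$env:TEMP\ost-triage.csv"
)

function Test-OutlookDataFileHeader {
    param([Parameter(Mandatory)][string]$Path)
    # First four bytes of a valid OST/PST file: 0x21 0x42 0x44 0x4E ("!BDN").
    $expected = [byte[]](0x21, 0x42, 0x44, 0x4E)
    try {
        # FileShare.ReadWrite lets us peek at a file Outlook may still hold open.
        $stream = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try {
            $buffer = New-Object byte[] 4
            $read = $stream.Read($buffer, 0, 4)
        } finally {
            $stream.Dispose()
        }
    } catch {
        # Access denied or hard lock: report as not verified rather than intact.
        return $false
    }
    if ($read -lt 4) { return $false }
    for ($i = 0; $i -lt 4; $i++) {
        if ($buffer[$i] -ne $expected[$i]) { return $false }
    }
    return $true
}

# Enumerate Outlook data files; -Force includes hidden profile folders, and
# errors (e.g. inaccessible profiles) are skipped instead of aborting the sweep.
$results = Get-ChildItem -Path $SearchRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in @('.ost', '.pst') } |
    ForEach-Object {
        [PSCustomObject]@{
            Computer      = $env:COMPUTERNAME
            Path          = $_.FullName
            SizeMB        = [math]::Round($_.Length / 1MB, 1)
            LastWriteTime = $_.LastWriteTime
            HeaderIntact  = Test-OutlookDataFileHeader -Path $_.FullName
        }
    }

# Intact, larger files first: those are the best recovery candidates.
$results | Sort-Object HeaderIntact, SizeMB -Descending |
    Export-Csv -Path $ReportPath -NoTypeInformation
$results | Format-Table -AutoSize
Write-Host "Report written to $ReportPath"
```

Two caveats a recovery team should keep in mind: many ransomware families rename the files they encrypt, so a file that has lost its `.ost` extension will not be picked up by the extension filter and may need a broader `-like '*.ost*'` match, and an intact header only proves the file was not overwritten, not that every page inside it is readable, so each candidate should still be opened or scanned with Outlook's repair tooling before it is relied on.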
"For the most part, the manufacturing operation did not miss a beat and we produced all customer orders."
Over the following few weeks important milestones in the restoration project were achieved through close collaboration between Progent engineers and the client:
- Self-hosted web sites were restored with no loss of information.
- The MailStore Exchange Server with over four million historical messages was brought online and available for users.
- CRM/Orders/Invoicing/Accounts Payable (AP)/AR/Inventory Control modules were 100% functional.
- A new Palo Alto 850 firewall was set up.
- Ninety percent of the desktop computers were back into operation.
"A lot of what happened that first week is nearly entirely a blur for me, but I will not forget the care all of the team accomplished to give us our business back. I've been working with Progent for the past ten years, possibly more, and each time I needed help Progent has come through and delivered. This time was a life saver."
A potential business-killing catastrophe was averted with results-oriented professionals, a wide spectrum of knowledge, and tight collaboration. In hindsight, the crypto-ransomware penetration described here should have been identified and disabled by advanced cyber security solutions and best practices, user and IT administrator training, and appropriate incident response procedures for backup and proper patching controls. The fact remains, however, that government-sponsored cyber criminals from China, North Korea and elsewhere are relentless and will continue. If you do get hit by a ransomware penetration, remember that Progent's roster of experts has extensive experience in crypto-ransomware virus defense, remediation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thank you for letting me get rested after we made it past the initial push. All of you did a fabulous job, and if anyone that helped is around the Chicago area, a great meal is my treat!"
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Baton Rouge a range of remote monitoring and security assessment services to assist you to minimize the threat from ransomware. These services include next-generation machine learning technology to detect new strains of ransomware that are able to escape detection by legacy signature-based security products.
For 24/7/365 Baton Rouge Crypto-Ransomware Cleanup Services, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates cutting edge behavior analysis technology to defend physical and virtual endpoint devices against new malware assaults like ransomware and email phishing, which easily escape legacy signature-based AV tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a single platform to automate the entire malware attack lifecycle including filtering, identification, mitigation, cleanup, and post-attack forensics. Top features include single-click rollback with Windows VSS and automatic system-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services offer affordable in-depth protection for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and responding to security assaults from all attack vectors. ProSight ESP offers two-way firewall protection, penetration alerts, endpoint management, and web filtering through cutting-edge technologies incorporated within a single agent managed from a single console. Progent's security and virtualization consultants can assist you to design and implement a ProSight ESP deployment that meets your organization's unique needs and that allows you to achieve and demonstrate compliance with government and industry data protection standards. Progent will assist you in specifying and configuring the security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that require immediate attention. Progent can also help you to set up and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services provide small and medium-sized businesses a low cost end-to-end service for reliable backup/disaster recovery (BDR). Available at a fixed monthly price, ProSight Data Protection Services automates your backup processes and allows fast restoration of vital data, applications and VMs that have become lost or damaged due to component failures, software bugs, natural disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to an on-premises storage device, or mirrored to both. Progent's cloud backup consultants can deliver advanced expertise to set up ProSight Data Protection Services to be compliant with regulatory requirements like HIPAA, FERPA, PCI and Safe Harbor and, when necessary, can assist you to recover your business-critical data. Learn more about ProSight DPS Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top information security companies to provide centralized control and comprehensive protection for all your email traffic. The hybrid structure of Progent's Email Guard managed service combines cloud-based filtering with a local gateway device to offer complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based malware. The Cloud Protection Layer serves as a preliminary barricade and keeps the vast majority of threats from making it to your security perimeter. This decreases your exposure to inbound threats and saves network bandwidth and storage space. Email Guard's onsite gateway device adds a further level of inspection for incoming email. For outbound email, the onsite gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Exchange Server to monitor and protect internal email that stays inside your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to map out, monitor, reconfigure and troubleshoot their connectivity appliances like switches, firewalls, and access points plus servers, printers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network maps are always current, captures and displays the configuration information of almost all devices connected to your network, monitors performance, and sends notices when potential issues are discovered. By automating tedious network management processes, ProSight WAN Watch can knock hours off common tasks like network mapping, reconfiguring your network, locating devices that require critical updates, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system running at peak levels by checking the health of critical computers that drive your information system. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your designated IT personnel and your assigned Progent consultant so all looming issues can be resolved before they have a chance to disrupt productivity. Find out more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure fault tolerant data center on a high-performance virtual machine host set up and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting model, the customer owns the data, the OS software, and the applications. Because the environment is virtualized, it can be moved easily to an alternate hardware solution without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and safeguard information about your network infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your IT documentation, you can eliminate as much as half of the time spent searching for critical information about your network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents related to managing your network infrastructure such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're planning enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.