Ransomware : Your Worst IT Disaster
Ransomware Remediation Professionals
Crypto-ransomware has become an escalating cyber pandemic that represents an existential danger for businesses poorly prepared for an attack. Versions of ransomware like the Reveton, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been out in the wild for many years and still inflict harm. Recent strains of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Nefilim, along with frequent as yet unnamed newcomers, not only encrypt on-line critical data but also infiltrate all configured system backups. Information replicated to the cloud can also be ransomed. In a vulnerable system, this can render automated recovery useless and effectively set the datacenter back to square one.

Recovering applications and data following a ransomware outage becomes a sprint against time as the targeted business tries its best to contain the damage, eradicate the ransomware, and resume mission-critical operations. Since ransomware needs time to move laterally, attacks are often sprung on weekends, when successful intrusions are likely to take longer to discover. This multiplies the difficulty of promptly assembling and orchestrating a qualified response team.

Progent has an assortment of support services for protecting organizations from ransomware attacks. Among these are training staff to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and installation of modern security appliances with machine learning technology to automatically discover and disable zero-day cyber threats. Progent can also provide the assistance of expert crypto-ransomware recovery consultants with the track record and commitment to rebuild a breached system as urgently as possible.

Progent's Ransomware Restoration Support Services
Subsequent to a ransomware event, sending the ransom in Bitcoin cryptocurrency does not provide any assurance that distant criminals will respond with the keys to decrypt all your information. Kaspersky Labs determined that 17% of ransomware victims never restored their information after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms commonly range from 15-40 BTC (between $120,000 and $400,000). This is greatly above the average ransomware demand, which ZDNET determined to be in the range of $13,000. The other path is to piece back together the critical elements of your IT environment. Absent complete information backups, this requires a wide complement of skills, top-notch project management, and the ability to work 24x7 until the job is done.

For twenty years, Progent has offered expert IT services for companies in Chicago and throughout the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have earned high-level certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have garnered internationally-recognized industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent in addition has experience with financial systems and ERP applications. This breadth of experience gives Progent the capability to rapidly identify critical systems, salvage the surviving pieces of your IT environment following a ransomware penetration, and assemble them into an operational network.

Progent's recovery team has best of breed project management tools to coordinate the complex recovery process. Progent knows the importance of working quickly and in concert with a client's management and Information Technology staff to prioritize tasks and to put essential systems back on line as fast as possible.

Customer Case Study: A Successful Ransomware Virus Recovery
A customer hired Progent after their network was taken over by the Ryuk crypto-ransomware. Ryuk is generally considered to have been developed by North Korean state criminal gangs, possibly adopting technology leaked from America's NSA. Ryuk targets specific companies with little tolerance for disruption and is among the most profitable instances of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in the Chicago metro area with about 500 staff members. The Ryuk intrusion had frozen all company operations and manufacturing capabilities. The majority of the client's system backups had been online at the beginning of the intrusion and were eventually encrypted. The client was pursuing financing to pay the ransom demand (more than $200,000) and hoping for the best, but ultimately engaged Progent.


"I cannot tell you enough in regards to the care Progent gave us throughout the most critical time of (our) company's existence. We would have had little choice but to pay the cybercriminals if it wasn't for the confidence the Progent team afforded us. The fact that you could get our messaging and critical servers back into operation sooner than a week was amazing. Every single expert I interacted with or e-mailed at Progent was hell bent on getting us back online and was working all day and night on our behalf."

Progent worked together with the client to quickly identify and prioritize the critical areas that had to be addressed to make it possible to continue business functions:

  • Active Directory
  • E-Mail
  • MRP System
To start, Progent followed ransomware incident response best practices by stopping lateral movement and performing malware removal steps. Progent then started the process of bringing Microsoft Active Directory back online, the heart of enterprise environments built upon Microsoft technology. Microsoft Exchange Server email will not operate without AD, and the customer's MRP system relied on SQL Server, which needs Active Directory for access to the data.

Within two days, Progent was able to recover Active Directory services to their pre-penetration state. Progent then charged ahead with rebuilding and storage recovery of mission-critical servers. All Exchange schema and attributes were intact, which accelerated the restore of Exchange. Progent was able to find non-encrypted OST files (Outlook Off-Line Folder Files) on staff workstations and laptops in order to recover mail data. A recent off-line backup of the customer's financials/MRP software made it possible to bring these required applications back into service for users. Although a large amount of work remained to recover fully from the Ryuk event, essential services were restored rapidly:


"For the most part, the production manufacturing operation ran fairly normal throughout and we made all customer deliverables."

During the following few weeks, critical milestones in the recovery project were reached through close cooperation between Progent engineers and the client:

  • Self-hosted web applications were restored with no loss of information.
  • The MailStore Server, holding more than four million historical messages, was spun up and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/AR/Inventory Control capabilities were completely functional.
  • A new Palo Alto 850 firewall was brought on-line.
  • 90% of the desktops and laptops were fully operational.

"Much of what was accomplished in the early hours is mostly a haze for me, but my management will not soon forget the commitment each of your team put in to give us our business back. I've been working together with Progent for the past 10 years, possibly more, and every time I needed help Progent has shined and delivered as promised. This time was a stunning achievement."

Conclusion
A possible business disaster was dodged with results-oriented experts, a wide spectrum of knowledge, and close collaboration. Analyzing the event afterwards shows that the ransomware attack detailed here would have been stopped by current security technology and best practices, team education, and well thought out incident response procedures for data backup and proper patching controls. Even so, the fact is that state-sponsored cyber criminals from China, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware incursion, remember that Progent's roster of experts has substantial experience in ransomware defense, mitigation, and data restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thank you for letting me get some sleep after we made it through the most critical parts. All of you did a fabulous effort, and if anyone is around the Chicago area, a great meal is on me!"

To review or download a PDF version of this case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Chicago a variety of online monitoring and security evaluation services designed to assist you to reduce your vulnerability to ransomware. These services include modern artificial intelligence technology to uncover new variants of ransomware that are able to evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes cutting-edge behavior-based machine learning to defend physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely get by legacy signature-based anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a single platform to manage the entire malware attack lifecycle including filtering, identification, containment, cleanup, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection managed services offer ultra-affordable multi-layer protection for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and responding to security assaults from all attack vectors. ProSight ESP provides firewall protection, intrusion alarms, device control, and web filtering via leading-edge technologies incorporated within a single agent managed from a single console. Progent's security and virtualization consultants can assist your business to plan and configure a ProSight ESP environment that meets your company's specific requirements and that helps you achieve and demonstrate compliance with government and industry information security regulations. Progent will help you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require immediate action. Progent can also assist your company to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized businesses an affordable and fully managed solution for secure backup/disaster recovery. Available at a low monthly cost, ProSight Data Protection Services automates and monitors your backup activities and allows rapid restoration of critical data, apps and virtual machines that have become lost or corrupted due to component breakdowns, software glitches, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware images. Critical data can be protected in the cloud, on a local device, or both. Progent's BDR consultants can provide world-class support to set up ProSight DPS to be compliant with regulatory standards such as HIPAA, FERPA, and PCI and, whenever necessary, can help you to recover your business-critical information. Find out more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top information security companies to deliver centralized management and comprehensive security for all your inbound and outbound email. The hybrid architecture of the Email Guard managed service integrates a Cloud Protection Layer with an on-premises security gateway appliance to provide complete protection against spam, viruses, DoS attacks, Directory Harvest Attacks, and other email-based threats. The cloud filter acts as a first line of defense and keeps the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to inbound threats and saves system bandwidth and storage space. Email Guard's onsite security gateway appliance provides a deeper level of analysis for inbound email. For outgoing email, the onsite security gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The local security gateway can also assist Exchange Server to monitor and safeguard internal email that stays within your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map out, track, reconfigure and debug their connectivity appliances such as routers, firewalls, and load balancers plus servers, printers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology diagrams are kept current, captures and manages the configuration of virtually all devices on your network, monitors performance, and sends notices when issues are discovered. By automating time-consuming management and troubleshooting processes, WAN Watch can cut hours off common tasks like network mapping, expanding your network, locating devices that need critical software patches, or isolating performance bottlenecks. Learn more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management techniques to help keep your network operating at peak levels by checking the state of vital computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your specified IT personnel and your Progent engineering consultant so any looming problems can be addressed before they can impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual machine host configured and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the apps. Since the system is virtualized, it can be moved immediately to an alternate hosting environment without a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied to one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and protect information related to your IT infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be alerted about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT infrastructure documentation, you can eliminate as much as half of the time spent looking for critical information about your network. ProSight IT Asset Management features a centralized location for storing and collaborating on all documents required for managing your network infrastructure such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're planning improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.
For Chicago 24-Hour CryptoLocker Removal Consultants, call Progent at 800-462-8800 or go to Contact Progent.