Ransomware : Your Worst IT Disaster
Ransomware  Remediation ExpertsCrypto-Ransomware has become a too-frequent cyber pandemic that represents an enterprise-level danger for businesses of all sizes unprepared for an attack. Different iterations of crypto-ransomware such as CrySIS, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for many years and still inflict damage. Modern versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, plus daily as yet unnamed malware, not only encrypt online files but also infect most available system backups. Files synchronized to off-site disaster recovery sites can also be ransomed. In a poorly architected system, this can make automated recovery impossible and basically knocks the datacenter back to square one.

Recovering programs and data after a ransomware outage becomes a sprint against time as the targeted organization struggles to contain and cleanup the ransomware and to restore business-critical operations. Because ransomware requires time to spread, attacks are frequently launched on weekends and holidays, when successful penetrations are likely to take longer to recognize. This compounds the difficulty of rapidly mobilizing and orchestrating a knowledgeable response team.

Progent provides a variety of support services for securing businesses from ransomware attacks. Among these are team member education to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with installation of next-generation security appliances with artificial intelligence capabilities to intelligently identify and quarantine new cyber threats. Progent also offers the assistance of veteran ransomware recovery consultants with the talent and perseverance to reconstruct a breached network as rapidly as possible.

Progent's Crypto-Ransomware Restoration Support Services
Following a ransomware attack, sending the ransom in cryptocurrency does not ensure that criminal gangs will respond with the needed keys to unencrypt any of your information. Kaspersky Labs ascertained that seventeen percent of ransomware victims never restored their information after having sent off the ransom, resulting in additional losses. The risk is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is greatly higher than the typical ransomware demands, which ZDNET averages to be approximately $13,000. The other path is to piece back together the mission-critical components of your IT environment. Without the availability of essential information backups, this calls for a broad complement of skills, well-coordinated team management, and the ability to work 24x7 until the task is done.

For two decades, Progent has made available expert Information Technology services for companies in Riverside and throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have been awarded top industry certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have garnered internationally-recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has experience with financial systems and ERP application software. This breadth of experience affords Progent the skills to efficiently identify important systems and re-organize the remaining pieces of your Information Technology system after a ransomware event and assemble them into a functioning system.

Progent's ransomware team of experts utilizes state-of-the-art project management applications to orchestrate the complex recovery process. Progent appreciates the importance of working quickly and in unison with a client's management and IT team members to prioritize tasks and to put critical applications back online as fast as possible.

Customer Case Study: A Successful Ransomware Penetration Recovery
A client engaged Progent after their organization was brought down by the Ryuk ransomware. Ryuk is believed to have been created by North Korean government sponsored criminal gangs, possibly adopting techniques exposed from the U.S. NSA organization. Ryuk seeks specific businesses with little or no room for operational disruption and is among the most lucrative versions of ransomware malware. Headline victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business based in Chicago and has about 500 workers. The Ryuk attack had brought down all essential operations and manufacturing processes. Most of the client's data backups had been online at the start of the attack and were destroyed. The client was pursuing financing for paying the ransom demand (more than two hundred thousand dollars) and wishfully thinking for the best, but in the end called Progent.


"I canít speak enough in regards to the care Progent gave us throughout the most critical period of (our) companyís survival. We had little choice but to pay the Hackers if not for the confidence the Progent group afforded us. The fact that you could get our e-mail and critical applications back into operation sooner than one week was earth shattering. Every single expert I spoke to or e-mailed at Progent was urgently focused on getting us back online and was working 24/7 on our behalf."

Progent worked hand in hand the client to rapidly assess and assign priority to the critical systems that had to be addressed to make it possible to restart business operations:

  • Active Directory (AD)
  • Microsoft Exchange Server
  • Accounting/MRP
To start, Progent followed AV/Malware Processes penetration response industry best practices by stopping the spread and removing active viruses. Progent then initiated the task of restoring Microsoft Active Directory, the key technology of enterprise systems built upon Microsoft Windows technology. Microsoft Exchange messaging will not function without Active Directory, and the businessesí MRP software leveraged Microsoft SQL Server, which requires Active Directory for security authorization to the database.

Within 2 days, Progent was able to restore Windows Active Directory to its pre-penetration state. Progent then accomplished setup and storage recovery of key servers. All Microsoft Exchange Server ties and configuration information were usable, which facilitated the rebuild of Exchange. Progent was also able to locate intact OST data files (Microsoft Outlook Offline Data Files) on staff desktop computers and laptops to recover email information. A recent off-line backup of the client's financials/ERP systems made it possible to restore these vital applications back on-line. Although significant work still had to be done to recover totally from the Ryuk attack, essential systems were returned to operations rapidly:


"For the most part, the manufacturing operation showed little impact and we delivered all customer shipments."

Over the next couple of weeks critical milestones in the recovery process were accomplished in tight cooperation between Progent team members and the client:

  • Internal web sites were returned to operation with no loss of information.
  • The MailStore Microsoft Exchange Server containing more than 4 million historical emails was spun up and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory Control modules were fully recovered.
  • A new Palo Alto 850 firewall was deployed.
  • Nearly all of the user workstations were operational.

"Much of what went on that first week is mostly a blur for me, but we will not soon forget the dedication each and every one of your team accomplished to help get our business back. Iíve been working with Progent for the past 10 years, maybe more, and each time I needed help Progent has come through and delivered as promised. This event was a life saver."

Conclusion
A probable enterprise-killing catastrophe was dodged by hard-working professionals, a broad range of technical expertise, and close collaboration. Although in analyzing the event afterwards the ransomware penetration detailed here could have been prevented with advanced security technology and security best practices, team education, and appropriate incident response procedures for information backup and applying software patches, the reality remains that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware incident, remember that Progent's roster of professionals has extensive experience in ransomware virus defense, cleanup, and file restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thanks very much for allowing me to get rested after we got through the most critical parts. Everyone did an fabulous effort, and if anyone that helped is in the Chicago area, a great meal is my treat!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Riverside a portfolio of online monitoring and security evaluation services designed to help you to reduce the threat from ransomware. These services utilize next-generation artificial intelligence capability to uncover zero-day variants of crypto-ransomware that are able to evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes cutting edge behavior machine learning tools to defend physical and virtual endpoint devices against new malware assaults such as ransomware and email phishing, which routinely evade traditional signature-matching AV tools. ProSight ASM safeguards on-premises and cloud-based resources and provides a single platform to manage the entire malware attack lifecycle including blocking, identification, containment, cleanup, and post-attack forensics. Top capabilities include single-click rollback with Windows VSS and automatic network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer economical in-depth security for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and reacting to security threats from all attack vectors. ProSight ESP delivers firewall protection, penetration alerts, endpoint control, and web filtering via cutting-edge technologies packaged within a single agent managed from a unified control. Progent's security and virtualization experts can help your business to design and implement a ProSight ESP deployment that meets your organization's specific needs and that helps you achieve and demonstrate compliance with government and industry information protection regulations. Progent will assist you specify and implement policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that require urgent attention. Progent can also assist you to set up and verify a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has worked with advanced backup/restore technology providers to produce ProSight Data Protection Services, a family of management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your backup processes and allow transparent backup and rapid recovery of vital files, apps, system images, plus VMs. ProSight DPS lets you recover from data loss resulting from hardware breakdown, natural disasters, fire, malware like ransomware, human error, malicious insiders, or software bugs. Managed services in the ProSight DPS portfolio include ProSight Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you to identify which of these fully managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading information security companies to deliver centralized management and comprehensive protection for your email traffic. The hybrid architecture of Progent's Email Guard integrates cloud-based filtering with an on-premises security gateway appliance to offer advanced protection against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-borne malware. The cloud filter acts as a preliminary barricade and blocks the vast majority of threats from making it to your security perimeter. This reduces your exposure to inbound attacks and saves system bandwidth and storage space. Email Guard's on-premises gateway appliance provides a further level of analysis for inbound email. For outbound email, the local security gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The local gateway can also help Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends inside your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progentís ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller organizations to map, track, enhance and troubleshoot their networking appliances such as switches, firewalls, and access points plus servers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are always updated, copies and manages the configuration of virtually all devices connected to your network, tracks performance, and sends notices when problems are discovered. By automating tedious management processes, WAN Watch can cut hours off common chores such as network mapping, reconfiguring your network, finding appliances that require critical updates, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management technology to keep your network operating efficiently by checking the health of critical computers that power your information system. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your designated IT staff and your Progent engineering consultant so any potential issues can be addressed before they have a chance to impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure fault tolerant data center on a high-performance virtual host configured and managed by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the applications. Because the system is virtualized, it can be ported easily to a different hardware solution without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and protect data related to your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can eliminate up to 50% of time spent looking for vital information about your network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents required for managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether youíre planning enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you need when you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that incorporates next generation behavior analysis tools to defend endpoint devices as well as physical and virtual servers against modern malware attacks such as ransomware and file-less exploits, which routinely get by legacy signature-based anti-virus products. Progent Active Security Monitoring services protect on-premises and cloud resources and provides a single platform to automate the entire threat progression including blocking, identification, mitigation, cleanup, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Read more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Help Center: Call Center Managed Services
    Progent's Support Center managed services allow your information technology group to outsource Help Desk services to Progent or split activity for Service Desk support transparently between your in-house network support group and Progent's extensive pool of IT support engineers and subject matter experts. Progent's Shared Service Desk offers a transparent supplement to your core support staff. Client interaction with the Help Desk, provision of support, escalation, ticket generation and tracking, performance metrics, and maintenance of the support database are consistent regardless of whether issues are taken care of by your core IT support organization, by Progent's team, or both. Read more about Progent's outsourced/shared Service Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer businesses of all sizes a versatile and cost-effective alternative for evaluating, testing, scheduling, implementing, and documenting updates to your ever-evolving information network. Besides optimizing the security and functionality of your IT network, Progent's software/firmware update management services allow your IT staff to concentrate on more strategic initiatives and tasks that derive the highest business value from your network. Find out more about Progent's software/firmware update management support services.
For 24/7/365 Riverside Crypto-Ransomware Cleanup Services, reach out to Progent at 800-462-8800 or go to Contact Progent.