Ransomware: Your Worst Information Technology Disaster
Ransomware has become a too-frequent cyberplague that poses an existential threat for businesses vulnerable to an attack. Different iterations of ransomware such as Reveton, Fusob, Locky, SamSam and MongoLock cryptoworms have been out in the wild for years and continue to inflict damage. More recent strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, plus additional unnamed viruses, not only encrypt on-line data but also infect all accessible system restores and backups. Information replicated to cloud environments can also be encrypted. In a poorly designed system, this can make any restoration impossible and basically sets the datacenter back to square one.

Retrieving applications and information after a ransomware event becomes a sprint against time as the victim struggles to contain and eradicate the virus and to restore enterprise-critical operations. Since ransomware needs time to replicate, assaults are frequently launched on weekends and holidays, when successful penetrations may take longer to notice. This compounds the difficulty of quickly marshalling and orchestrating a capable mitigation team.

Progent provides a variety of help services for securing organizations from crypto-ransomware penetrations. Among these are team education to help recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of modern security gateways with AI capabilities to automatically detect and disable new cyber threats. Progent also offers the assistance of experienced ransomware recovery engineers with the talent and commitment to restore a compromised system as soon as possible.

Progent's Crypto-Ransomware Restoration Help
After a ransomware attack, even paying the ransom in cryptocurrency does not ensure that the attackers will return the codes needed to decipher all your files. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their data even after having paid the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the average ransomware demand, which ZDNET estimates to be approximately $13,000. The alternative is to re-install the mission-critical components of your Information Technology environment. Without the availability of complete information backups, this requires a wide complement of skills, top-notch project management, and the capability to work continuously until the recovery project is done.

For decades, Progent has offered expert IT services for companies in Fort Worth and throughout the U.S. and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have earned high-level industry certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have earned internationally-recognized industry certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent also has expertise in accounting and ERP applications. This breadth of expertise provides Progent the ability to quickly determine critical systems and consolidate the remaining parts of your IT environment following a ransomware penetration and assemble them into a functioning system.

Progent's security team has powerful project management tools to coordinate the complex recovery process. Progent knows the importance of working rapidly and in unison with a customer's management and Information Technology team members to assign priority to tasks and to get essential systems back online as soon as possible.

Business Case Study: A Successful Crypto-Ransomware Intrusion Response
A customer engaged Progent after their network was penetrated by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state-sponsored hackers, suspected of adopting technology leaked from the United States National Security Agency. Ryuk goes after specific businesses with limited tolerance for disruption and is among the most lucrative versions of ransomware. Well-known victim organizations include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business located in Chicago with around 500 staff members. The Ryuk penetration had shut down all business operations and manufacturing processes. The majority of the client's system backups had been directly accessible at the beginning of the attack and were eventually encrypted. The client considered paying the ransom (exceeding $200K) and hoping for good luck, but in the end reached out to Progent.


"I cannot say enough in regards to the expertise Progent provided us throughout the most fearful period of (our) business's life. We would have paid the criminal gangs if not for the confidence the Progent experts provided us. The fact that you could get our messaging and critical applications back online sooner than one week was amazing. Every single consultant I interacted with or e-mailed at Progent was hell bent on getting us working again and was working at all hours to bail us out."

Progent worked with the client to rapidly identify and assign priority to the mission critical services that needed to be restored in order to resume company operations:

  • Microsoft Active Directory
  • E-Mail
  • Accounting/MRP

To get going, Progent followed anti-virus incident response best practices by halting lateral movement and disinfecting systems. Progent then initiated the process of recovering Microsoft Active Directory, the foundation of enterprise environments built upon Microsoft Windows technology. Microsoft Exchange Server email will not work without Windows AD, and the client's MRP software utilized Microsoft SQL Server, which needs Active Directory for security authorization to the data.

Within 2 days, Progent was able to re-build Active Directory to its pre-virus state. Progent then charged ahead with setup and hard drive recovery of mission critical systems. All Exchange schema and attributes were intact, which accelerated the restore of Exchange. Progent was also able to collect intact OST data files (Outlook Email Off-Line Folder Files) on various desktop computers to recover email data. A recent off-line backup of the customer's accounting/MRP software made it possible to bring these vital programs back on-line. Although a lot of work was left to recover fully from the Ryuk virus, critical systems were returned to operation rapidly:


"For the most part, the assembly line operation survived unscathed and we produced all customer shipments."

Over the following month key milestones in the restoration process were made through close collaboration between Progent team members and the client:

  • Internal web applications were returned to operation without losing any data.
  • The MailStore Exchange Server with over 4 million archived messages was brought on-line and available for users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory Control functions were fully restored.
  • A new Palo Alto 850 firewall was set up.
  • Nearly all of the user desktops were functioning as before the incident.

"Much of what transpired those first few days is nearly entirely a blur for me, but my team will not forget the urgency each of the team accomplished to give us our business back. I've trusted Progent for the past 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered. This time was no exception but maybe more Herculean."

Conclusion
A probable business extinction catastrophe was dodged by dedicated professionals, a wide array of knowledge, and tight collaboration. Although, upon completion of forensics, it was clear that the ransomware penetration detailed here would have been stopped by up-to-date security technology, NIST Cybersecurity Framework best practices, team training, and properly executed security procedures for information backup and patching, the fact is that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a ransomware attack, remember that Progent's team of professionals has extensive experience in ransomware virus defense, cleanup, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were involved), thanks very much for allowing me to get rested after we made it through the most critical parts. All of you did an impressive job, and if anyone that helped is around the Chicago area, a great meal is on me!"

To read or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Fort Worth a portfolio of online monitoring and security evaluation services designed to help you to reduce your vulnerability to ransomware. These services utilize next-generation artificial intelligence capability to uncover zero-day strains of crypto-ransomware that can escape detection by legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes cutting edge behavior-based analysis technology to defend physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which easily get by traditional signature-based anti-virus tools. ProSight Active Security Monitoring protects local and cloud-based resources and offers a unified platform to address the entire threat lifecycle including filtering, infiltration detection, containment, remediation, and forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver economical in-depth security for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and responding to cyber threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, device management, and web filtering via leading-edge tools incorporated within a single agent managed from a unified control. Progent's data protection and virtualization experts can help your business to design and implement a ProSight ESP environment that meets your company's specific requirements and that helps you prove compliance with government and industry data protection regulations. Progent will help you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require immediate action. Progent's consultants can also assist you to set up and verify a backup and restore system such as ProSight Data Protection Services so you can recover rapidly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and medium-sized organizations an affordable and fully managed service for reliable backup/disaster recovery. For a fixed monthly price, ProSight DPS automates and monitors your backup processes and allows fast restoration of critical files, applications and VMs that have become unavailable or damaged due to hardware failures, software glitches, disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to an on-premises device, or to both. Progent's cloud backup specialists can provide world-class support to set up ProSight DPS to comply with government and industry regulatory standards such as HIPAA, FIRPA, and PCI and, when needed, can help you to recover your critical data. Find out more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading data security companies to deliver centralized management and world-class protection for all your email traffic. The powerful architecture of Email Guard managed service combines a Cloud Protection Layer with a local security gateway appliance to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps most threats from reaching your network firewall. This decreases your exposure to inbound attacks and saves system bandwidth and storage. Email Guard's onsite gateway appliance provides a deeper layer of analysis for incoming email. For outbound email, the local gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Microsoft Exchange Server to monitor and protect internal email that stays inside your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to map out, monitor, reconfigure and troubleshoot their connectivity appliances like routers, firewalls, and wireless controllers as well as servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology maps are always current, copies and displays the configuration of virtually all devices on your network, tracks performance, and generates alerts when problems are detected. By automating tedious management activities, WAN Watch can knock hours off common tasks like network mapping, expanding your network, locating appliances that require important software patches, or resolving performance problems. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management techniques to help keep your network operating at peak levels by checking the state of critical computers that power your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your specified IT staff and your Progent engineering consultant so all potential issues can be addressed before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual host set up and maintained by Progent's network support professionals. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be ported easily to an alternate hardware solution without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard information about your IT infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can save as much as half of the time thrown away trying to find vital information about your network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents related to managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether you're making enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

For Fort Worth 24/7/365 Ransomware Cleanup Experts, call Progent at 800-993-9400 or go to Contact Progent.