Ransomware : Your Worst Information Technology Disaster
Ransomware has become a modern cyber pandemic that represents an enterprise-level threat for businesses of all sizes that are poorly prepared for an assault. Versions of crypto-ransomware such as Reveton, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been around for many years and continue to cause harm. More recent variants of crypto-ransomware such as Ryuk and Hermes, plus frequent as-yet-unnamed newcomers, not only encrypt online data but also infect most configured system restores and backups. Data replicated to cloud environments can also be ransomed. With a poorly designed data protection solution, this can make any restoration useless and basically knocks the network back to square one.
Getting programs and data back following a crypto-ransomware intrusion becomes a race against time as the targeted organization fights to stop the spread, remove the ransomware, and resume business-critical operations. Because ransomware requires time to spread, attacks are frequently sprung on weekends and holidays, when penetrations typically take longer to identify. This multiplies the difficulty of promptly mobilizing and coordinating an experienced response team.
Progent makes available a range of support services for protecting organizations from ransomware penetrations. Among these are staff education to become familiar with and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of next-generation security gateways with AI capabilities to automatically discover and quarantine new cyber threats. Progent also can provide the assistance of expert ransomware recovery engineers with the talent and perseverance to restore a compromised system as soon as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware penetration, paying the ransom demand in Bitcoin cryptocurrency does not guarantee that cyber criminals will respond with the keys to decipher any of your data. Kaspersky ascertained that 17% of ransomware victims never recovered their data after having sent off the ransom, resulting in increased losses. Paying is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNET estimates to be in the range of $13,000. The alternative is to re-install the mission-critical elements of your Information Technology environment. Absent access to complete data backups, this requires a wide range of skill sets, professional team management, and the ability to work non-stop until the job is done.
For twenty years, Progent has provided expert Information Technology services for companies in Glendale and throughout the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have earned advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have garnered internationally recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has experience with accounting and ERP application software. This breadth of experience affords Progent the skills to rapidly identify critical systems, organize the surviving components of your IT environment following a ransomware event, and configure them into a functioning network.
Progent's security group has powerful project management systems to coordinate the complex recovery process. Progent knows the importance of working rapidly and together with a customer's management and IT resources to prioritize tasks and to get the most important services back online as soon as possible.
Client Story: A Successful Ransomware Attack Response
A client contacted Progent after their network system was penetrated by Ryuk ransomware. Ryuk is thought to have been developed by North Korean state cybercriminals, possibly adopting techniques leaked from the U.S. National Security Agency. Ryuk goes after specific companies with limited ability to sustain operational disruption and is one of the most lucrative examples of ransomware. Headline victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturer headquartered in Chicago with around 500 workers. The Ryuk attack had disabled all company operations and manufacturing capabilities. Most of the client's backups had been online at the time of the intrusion and were destroyed. The client was taking steps to pay the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but ultimately made the decision to use Progent.
"I can't say enough in regards to the care Progent provided us throughout the most critical time of (our) business's life. We would have paid the cyber criminals if not for the confidence the Progent experts afforded us. That you could get our messaging and important servers back sooner than one week was incredible. Every single expert I got help from or communicated with at Progent was urgently focused on getting our company operational and was working 24 by 7 to bail us out."
Progent worked together with the customer to rapidly identify and prioritize the essential systems that needed to be addressed to make it possible to continue departmental functions:
To get going, Progent adhered to industry best practices for anti-virus/malware incident response by halting the spread and performing virus removal steps. Progent then initiated the process of rebuilding Windows Active Directory, the foundation of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange Server email will not work without Active Directory, and the customer's MRP software leveraged SQL Server, which needs Active Directory services for access to the information.
- Active Directory
In less than 2 days, Progent was able to recover Windows Active Directory to its pre-penetration state. Progent then performed rebuilding and storage recovery on the most important systems. All Microsoft Exchange Server schema and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to assemble intact OST data files (Outlook Email Off-Line Data Files) on various workstations and laptops to recover email messages. A recent off-line backup of the customer's accounting/ERP software made it possible to bring these essential programs back online for users. Although significant work remained to recover fully from the Ryuk damage, core services were returned to operation quickly:
"For the most part, the production manufacturing operation was never shut down and we made all customer shipments."
Throughout the next few weeks critical milestones in the recovery process were completed through close collaboration between Progent engineers and the client:
- In-house web sites were restored without losing any data.
- The MailStore Server with over four million archived messages was spun up and available for users.
- CRM/Customer Orders/Invoicing/AP/Accounts Receivables/Inventory capabilities were 100% restored.
- A new Palo Alto Networks 850 security appliance was installed.
- 90% of the user PCs were back into operation.
"A huge amount of what occurred in the initial days is nearly entirely a fog for me, but I will not forget the urgency all of the team accomplished to help get our business back. I've been working together with Progent for at least 10 years, maybe more, and every time Progent has impressed me and delivered as promised. This time was a Herculean accomplishment."
A possible business-ending catastrophe was averted due to hard-working experts, a broad array of IT skills, and close teamwork. Analyzing the event afterwards, the ransomware incident detailed here would have been identified and prevented with advanced security technology and ISO/IEC 27001 best practices, staff training, and properly executed security procedures for data backup and for keeping systems up to date with security patches. The reality, however, is that state-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware virus, remember that Progent's roster of professionals has substantial experience in ransomware defense, mitigation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), I'm grateful for letting me get some sleep after we got through the first week. Everyone did a fabulous effort, and if anyone that helped is visiting the Chicago area, a great meal is my treat!"
To read or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Glendale a portfolio of online monitoring and security evaluation services to help you to reduce your vulnerability to ransomware. These services utilize next-generation artificial intelligence technology to uncover new strains of crypto-ransomware that are able to escape detection by traditional signature-based security products.
For Glendale 24-Hour Crypto Cleanup Experts, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes cutting edge behavior analysis tools to guard physical and virtual endpoints against modern malware assaults like ransomware and file-less exploits, which routinely evade legacy signature-matching anti-virus products. ProSight Active Security Monitoring protects local and cloud resources and provides a unified platform to manage the complete malware attack lifecycle including protection, identification, mitigation, cleanup, and post-attack forensics. Top capabilities include one-click rollback with Windows VSS and automatic network-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection managed services deliver affordable in-depth security for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and reacting to security threats from all vectors. ProSight ESP delivers firewall protection, penetration alerts, endpoint control, and web filtering via cutting-edge technologies packaged within a single agent managed from a unified console. Progent's data protection and virtualization consultants can help your business to design and configure a ProSight ESP environment that meets your organization's specific needs and that allows you to achieve and demonstrate compliance with legal and industry information security standards. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for immediate attention. Progent can also help your company to install and test a backup and restore system such as ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent offer small and medium-sized organizations an affordable and fully managed solution for secure backup/disaster recovery (BDR). Available at a fixed monthly rate, ProSight Data Protection Services automates and monitors your backup activities and enables fast restoration of vital files, applications and virtual machines that have become unavailable or corrupted due to component breakdowns, software glitches, natural disasters, human error, or malicious attacks like ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware images. Important data can be backed up to the cloud, to a local device, or to both. Progent's backup and recovery specialists can deliver world-class support to set up ProSight Data Protection Services to be compliant with regulatory standards like HIPAA, FIRPA, PCI and Safe Harbor and, whenever needed, can assist you to restore your business-critical data. Read more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the technology of top data security companies to deliver web-based management and comprehensive protection for all your email traffic. The hybrid architecture of Email Guard managed service combines cloud-based filtering with a local security gateway appliance to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps most unwanted email from reaching your security perimeter. This decreases your vulnerability to inbound attacks and conserves network bandwidth and storage space. Email Guard's onsite gateway device provides a deeper layer of inspection for inbound email. For outgoing email, the on-premises gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Microsoft Exchange Server to track and safeguard internal email that originates and ends inside your corporate firewall. For more details, see Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to diagram, track, enhance and debug their connectivity appliances such as routers and switches, firewalls, and access points plus servers, printers, client computers and other devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch makes sure that network maps are always current, captures and manages the configuration of almost all devices on your network, monitors performance, and sends alerts when potential issues are detected. By automating tedious management and troubleshooting processes, ProSight WAN Watch can knock hours off ordinary tasks like making network diagrams, expanding your network, finding devices that need important software patches, or resolving performance problems. Learn more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your network running at peak levels by checking the state of the critical computers that drive your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your specified IT management staff and your Progent consultant so all looming issues can be resolved before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual host configured and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved immediately to a different hosting solution without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and protect data related to your IT infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT documentation, you can save up to 50% of the time spent looking for vital information about your IT network. ProSight IT Asset Management features a centralized repository for holding and collaborating on all documents related to managing your network infrastructure, like recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether you're planning improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.