Ransomware: Your Feared IT Disaster
Ransomware has become an all-too-frequent cyberplague that represents an enterprise-level threat to organizations poorly prepared for an attack. Families such as Dharma, Fusob, Bad Rabbit, NotPetya and MongoLock have been circulating for years and continue to cause harm. More recent crypto-ransomware strains such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, along with a steady stream of unnamed newcomers, not only encrypt on-line files but also go after any backups and system protection they can reach. Data synchronized to off-site disaster recovery sites can be encrypted as well. In a poorly architected data protection solution this can make automated restore operations impossible and effectively resets the entire environment to zero.

Recovering applications and data after a crypto-ransomware outage becomes a race against time as the targeted organization struggles to contain the spread, eradicate the malware and restore business-critical operations. Because ransomware operators need time to move laterally, attacks are often launched on weekends, when a successful intrusion typically takes longer to detect. This compounds the difficulty of promptly mobilizing and coordinating a qualified response team.

Progent offers an assortment of support services for protecting enterprises from ransomware events. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of the latest generation of security appliances with machine learning technology to automatically detect and stop zero-day threats. Progent also provides the services of seasoned crypto-ransomware recovery consultants with the skill and perseverance to restore a breached network as quickly as possible.

Progent's Crypto-Ransomware Recovery Support Services
After a ransomware attack, paying the ransom demand in Bitcoin does not guarantee that the remote criminals will respond with the keys needed to decrypt all your data. Kaspersky Labs found that 17% of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC (roughly $120,000 to $400,000), far higher than the typical ransomware demand, which ZDNet estimates at around $13,000. The alternative is to rebuild the mission-critical components of your IT environment from scratch. Without access to usable backups, this calls for a broad range of skills, professional project management, and the willingness to work around the clock until the recovery is complete.

For twenty years, Progent has provided certified expert IT services for companies in Glendale and throughout the United States and has achieved Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who hold high-level industry certifications in key technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security specialists have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise with financial management and ERP applications. This breadth of experience allows Progent to rapidly identify critical systems after a crypto-ransomware event, organize the surviving parts of your network, and assemble them into an operational environment.

Progent's ransomware recovery team uses top-notch project management systems to coordinate the complex recovery process. Progent understands the importance of acting quickly and in concert with a customer's management and IT staff to prioritize tasks and get critical services back on-line as soon as possible.

Case Study: A Successful Ransomware Incident Response
A small business sought out Progent after its operations were brought down by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; most later analysis attributes it to a Russian-speaking criminal group, and its operators are suspected of using techniques leaked from the United States National Security Agency. Ryuk targets specific organizations with little tolerance for disruption and is among the most lucrative ransomware strains. Prominent victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in the Chicago metro area with around 500 employees. The Ryuk intrusion had paralyzed all essential business and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were encrypted along with the production data. The client was preparing to pay the ransom (in excess of $200,000) and hoping for the best, but ultimately reached out to Progent.


"I cannot speak enough in regards to the care Progent provided us throughout the most fearful time of (our) company's existence. We had little choice but to pay the cyber criminals except for the confidence the Progent experts provided us. The fact that you were able to get our messaging and key applications back on-line quicker than one week was earth shattering. Each staff member I worked with or messaged at Progent was hell bent on getting our company operational and was working 24/7 to bail us out."

Progent worked with the customer to quickly identify and prioritize the mission-critical elements that had to be recovered in order to restart departmental functions:

  • Windows Active Directory
  • Microsoft Exchange
  • MRP System
To begin, Progent followed ransomware incident response best practices by isolating affected systems and removing the active malware. Progent then started rebuilding Windows Active Directory, the core of enterprise environments built on Microsoft Windows Server. Microsoft Exchange will not run without Active Directory, and the customer's financial and MRP applications relied on Microsoft SQL Server, which depends on Active Directory for authentication and authorization to the data.

In less than 48 hours, Progent re-built Active Directory to its pre-intrusion state. Progent then completed the reinstallation and disk recovery of essential systems. All Exchange Server data and configuration information were usable, which simplified the Exchange restore. Progent was also able to locate local OST files (Outlook Offline Folder Files) on various workstations and laptops and recover mail messages from them. A recent off-line backup of the business's accounting systems made it possible to restore those required applications and make them available to users again. Although a large amount of work remained to recover fully from the Ryuk event, core services were restored quickly:


"For the most part, the production operation survived unscathed and we did not miss any customer deliverables."

Over the following few weeks, critical milestones in the restoration process were achieved in close collaboration between Progent team members and the client:

  • Self-hosted web sites were restored without losing any information.
  • The MailStore archive for Microsoft Exchange Server, holding more than four million archived emails, was brought online and made accessible to users.
  • The CRM, orders, invoicing, accounts payable, accounts receivable (AR) and inventory modules were fully operational.
  • A new Palo Alto Networks 850 firewall was installed and configured.
  • Nearly all of the user workstations were functioning as before the incident.

"A lot of what happened during the initial response is mostly a fog for me, but our team will not forget the care each and every one of the team put in to give us our company back. I've been working together with Progent for at least 10 years, maybe more, and every time I needed help Progent has shined and delivered as promised. This time was the most impressive ever."

Conclusion
A potentially business-ending disaster was averted by hard-working professionals, a wide range of technical expertise, and tight teamwork. In retrospect, the ransomware intrusion described here should have been prevented by up-to-date cyber security technology and security best practices, user and IT administrator training, well-designed data protection procedures, and proper patch management. The fact remains, however, that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and will keep attacking. If you do fall victim to a ransomware intrusion, be assured that Progent's team of experts has extensive experience in ransomware defense, removal, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were contributing), thank you for letting me get rested after we got past the most critical parts. All of you did an incredible effort, and if any of your team is visiting the Chicago area, dinner is my treat!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Glendale a portfolio of remote monitoring and security evaluation services to help minimize your exposure to ransomware. These services use next-generation behavioral and machine-learning technology to detect new strains of ransomware that evade traditional signature-based security solutions.
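The following is an added illustration of why behavior-based detection catches strains that signature scanners miss. It is example code written for this page, not Progent's ProSight tooling. A new ransomware build has a new hash, but the commands it runs to destroy recovery points before encrypting (deleting Volume Shadow Copies, shrinking shadow storage, disabling Windows recovery) are the same ones seen in public Ryuk analyses and in many other families. The rule names, the ten-minute correlation window and the sample process-creation events below are all constructed for this example.

```python
"""Behavior-based detection of recovery-point destruction.

Example added for this page (not Progent's code). Instead of matching a
binary's hash, it matches the command lines that ransomware runs to wipe
Volume Shadow Copies and disable Windows recovery, then correlates them per
host so that a single admin command is rated lower than the full sequence.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rule name -> regex over the command line. Case-insensitive because cmd.exe
# is. The commands are well-documented pre-encryption steps (Ryuk's batch
# files used the vssadmin and bcdedit ones); the rule names are this
# example's own.
RULES = [
    ("vss_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vss_resize", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("ps_shadowcopy_delete", re.compile(
        r"\bWin32_ShadowCopy\b.*\b(Delete|Remove-WmiObject|Remove-CimInstance)\b", re.I)),
    ("bcdedit_recovery_off", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit_ignore_failures", re.compile(
        r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
]

# Constructed sample of process-creation events (Sysmon Event ID 1 fields,
# simplified). Hosts, accounts, times and commands are invented for the example.
SAMPLE_EVENTS = [
    {"host": "WS-FIN-07", "time": "2020-01-18T02:14:03", "user": "CORP\\jdoe",
     "cmd": "vssadmin.exe list shadows"},                      # benign enumeration
    {"host": "FS-01", "time": "2020-01-18T02:31:10", "user": "CORP\\svc_backup",
     "cmd": "vssadmin Delete Shadows /all /quiet"},
    {"host": "FS-01", "time": "2020-01-18T02:31:11", "user": "CORP\\svc_backup",
     "cmd": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"host": "FS-01", "time": "2020-01-18T02:31:12", "user": "CORP\\svc_backup",
     "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"host": "FS-01", "time": "2020-01-18T02:31:12", "user": "CORP\\svc_backup",
     "cmd": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "DC-02", "time": "2020-01-18T02:40:00", "user": "CORP\\svc_backup",
     "cmd": "wmic shadowcopy delete"},
    {"host": "WS-HR-03", "time": "2020-01-18T02:41:30", "user": "CORP\\svc_backup",
     "cmd": 'powershell.exe -nop -w hidden -c "Get-WmiObject Win32_ShadowCopy | '
            'ForEach-Object { $_.Delete() }"'},
    {"host": "WS-ENG-12", "time": "2020-01-18T09:05:44", "user": "CORP\\admin",
     "cmd": "bcdedit /enum"},                                  # benign troubleshooting
]


def match_event(event):
    """Return the names of every rule whose pattern matches the command line."""
    cmd = event["cmd"]
    return [name for name, pattern in RULES if pattern.search(cmd)]


def scan(events, window=timedelta(minutes=10)):
    """Run events through the rules and correlate hits per host.

    Returns {host: {"severity": ..., "rules": [...], "commands": [...]}} for
    hosts with at least one hit. Severity is "high" when two or more distinct
    rules fire on the same host inside `window` (the pre-encryption playbook),
    otherwise "medium" (a single destructive command, worth a look but it may
    be an administrator).
    """
    hits = defaultdict(list)
    for event in events:
        when = datetime.fromisoformat(event["time"])
        for rule in match_event(event):
            hits[event["host"]].append((when, rule, event["cmd"]))

    report = {}
    for host, items in hits.items():
        items.sort()
        severity = "medium"
        for i, (t0, r0, _) in enumerate(items):
            for t1, r1, _ in items[i + 1:]:
                if t1 - t0 > window:
                    break
                if r1 != r0:
                    severity = "high"
                    break
            if severity == "high":
                break
        report[host] = {
            "severity": severity,
            "rules": sorted({rule for _, rule, _ in items}),
            "commands": [cmd for _, _, cmd in items],
        }
    return report


if __name__ == "__main__":
    for host, finding in scan(SAMPLE_EVENTS).items():
        print(f"{host}: {finding['severity']} ({', '.join(finding['rules'])})")
        for cmd in finding["commands"]:
            print(f"    {cmd}")
```

Run as a script it flags FS-01 as high (four distinct rules within seconds), DC-02 and WS-HR-03 as medium, and ignores the two benign commands. In production the events would come from Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled; without the command line, none of these rules can fire. The point the section makes applies directly: an attacker can recompile the payload endlessly, but cannot avoid running something equivalent to these commands if the goal is to leave the victim without recovery points.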

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that uses behavior-based machine learning to guard physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which routinely get past legacy signature-matching anti-virus products. ProSight ASM safeguards local and cloud resources and offers a single platform to manage the complete threat lifecycle including protection, detection, mitigation, remediation, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered attacks. Note that most ransomware deletes existing shadow copies before it starts encrypting, so rollback depends on the agent blocking or detecting that step; it complements, but does not replace, off-line backups. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver affordable in-depth protection for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis to continuously monitor and respond to attacks from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint management, and web filtering through technologies incorporated in a single agent managed from a single console. Progent's security and virtualization consultants can assist your business to plan and configure a ProSight ESP deployment that meets your company's specific requirements and that allows you to demonstrate compliance with government and industry data protection regulations. Progent will help you specify and implement the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require immediate attention. Progent can also assist you to set up and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and medium-sized businesses an affordable end-to-end service for reliable backup and disaster recovery. Available at a low monthly price, ProSight DPS automates your backup processes and enables rapid recovery of critical files, applications and VMs that have been lost or corrupted as a result of component failures, software bugs, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to an on-premises device, or to both. Progent's backup and recovery consultants can deliver world-class support to configure ProSight Data Protection Services to comply with government and industry regulatory requirements like HIPAA, FIRPA, PCI and Safe Harbor and, when necessary, can assist you to recover your business-critical data. Read more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading data security vendors to provide centralized management and world-class protection for all your inbound and outbound email. The architecture of the Email Guard managed service integrates cloud-based filtering with an on-premises security gateway device to offer advanced defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's cloud filter serves as the first line of defense and blocks most unwanted email before it reaches your network firewall. This reduces your exposure to inbound threats and conserves bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a deeper layer of inspection for inbound email. For outgoing email, the on-premises security gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Exchange Server monitor and protect internal email traffic that stays inside your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to map, track, reconfigure and troubleshoot their networking appliances like routers, switches, firewalls, and access points plus servers, endpoints and other devices. Using state-of-the-art RMM technology, WAN Watch keeps network diagrams up to date, backs up and manages the configuration of almost all devices on your network, tracks performance, and generates alerts when problems are discovered. By automating time-consuming network management processes, ProSight WAN Watch can knock hours off ordinary chores such as making network diagrams, expanding your network, locating devices that need critical software patches, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to help keep your IT system running efficiently by tracking the health of vital assets that drive your information system. When ProSight LAN Watch detects a problem, an alert is sent immediately to your designated IT personnel and your assigned Progent engineering consultant so that all looming problems can be resolved before they can impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected Tier III data center on a fast virtual host set up and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the apps. Because the system is virtualized, it can be moved immediately to alternate hardware without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and protect information about your network infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be warned about impending expirations of SSL certificates or domains. By cleaning up and organizing your IT documentation, you can save as much as 50% of the time wasted searching for critical information about your network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents required for managing your business network, such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether you're planning improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.
For 24/7 Glendale CryptoLocker Recovery Services, contact Progent at 800-993-9400 or go to Contact Progent.