Ransomware: Your Worst Information Technology Disaster
Ransomware has become a too-frequent cyberplague that poses an extinction-level danger for organizations vulnerable to an assault. Multiple generations of ransomware like the Dharma, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been around for a long time and continue to inflict havoc. Newer crypto-ransomware families such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, plus many unnamed variants, not only encrypt online data but also seek out and encrypt every system backup they can reach. Data synced to cloud environments can also be rendered useless. In a poorly architected system, this defeats automatic restore operations and knocks the datacenter back to square one.
Bringing applications and data back online after a ransomware intrusion becomes a race against the clock as the victim struggles to stop lateral movement, clear the ransomware, and restore business-critical operations. Because crypto-ransomware needs time to move laterally, attacks are frequently launched on nights and weekends, when an intrusion is likely to go undetected longer. This compounds the difficulty of promptly mobilizing and coordinating a knowledgeable response team.
Progent offers a variety of services for protecting organizations from ransomware attacks. These include staff training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security gateways with machine learning technology to automatically detect and shut down new cyber threats. Progent can also provide seasoned ransomware recovery professionals with the skills and perseverance to restore a compromised environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
After a crypto-ransomware event, paying the ransom demand in cryptocurrency does not guarantee that the criminal gang will return the keys needed to decrypt any or all of your files. Kaspersky found that 17% of ransomware victims never recovered their data after paying the ransom, compounding their losses. The ransom itself is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is far above the average ransomware demand, which ZDNET determined to be approximately $13,000. The alternative is to piece the vital parts of your IT environment back together. Without complete data backups, this calls for a wide complement of skills, well-coordinated team management, and the ability to work non-stop until the recovery project is completed.
For decades, Progent has offered professional IT services for businesses in Grand Rapids and throughout the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have attained high-level industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have garnered internationally recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial management and ERP software solutions. This breadth of experience gives Progent the skills to rapidly identify critical systems, salvage the remaining components of your network environment after a crypto-ransomware penetration, and rebuild them into a functioning network.
Progent's security team has top-notch project management tools to coordinate the complicated recovery process. Progent knows the importance of acting quickly and in concert with a customer's management and IT staff to prioritize tasks and to put critical applications back online as soon as possible.
Client Story: A Successful Crypto-Ransomware Attack Recovery
A customer sought out Progent after their company was attacked by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean government-sponsored hackers, suspected of adopting techniques leaked from the U.S. NSA. Ryuk targets specific organizations that have little or no tolerance for disruption and is among the most lucrative strains of crypto-ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturer headquartered in Chicago with about 500 employees. The Ryuk penetration had disabled all business operations and manufacturing capabilities. Most of the client's data backups had been directly accessible at the start of the attack and were eventually encrypted. The client considered paying the ransom demand (in excess of $200,000) and hoping for the best, but in the end engaged Progent.
"I can't thank you enough for the support Progent provided us during the most fearful time of (our) business's existence. We would have paid the hackers behind this attack if it wasn't for the confidence the Progent experts gave us. The fact that you were able to get our messaging and essential applications back online in less than five days was earth shattering. Each expert I talked with or communicated with at Progent was laser focused on getting our company operational and was working 24 by 7 to bail us out."
Progent worked hand in hand with the customer to rapidly identify and prioritize the mission-critical areas that had to be addressed in order to keep the company functioning:
- Windows Active Directory
- Electronic Mail
- Accounting and Manufacturing Software
To get started, Progent followed anti-virus incident mitigation best practices by isolating and cleaning infected systems. Progent then began bringing Microsoft Active Directory (AD) back online, the heart of enterprise environments built on Microsoft Windows technology. Microsoft Exchange messaging will not work without AD, and the business's financial and MRP applications used SQL Server, which relies on Windows AD to authenticate access to the data.
In less than two days, Progent rebuilt Active Directory to its pre-attack state. Progent then helped perform reinstallations and hard drive recovery on essential servers. All Microsoft Exchange Server ties and attributes were intact, which facilitated the restore of Exchange. Progent was also able to gather intact OST files (Outlook Offline Data Files) from staff workstations and laptops to recover email data. A recent offline backup of the business's accounting/ERP software made it possible to bring these essential programs back online for users. Although major work remained to recover fully from the Ryuk attack, essential services were returned to operation quickly:
"For the most part, the production operation was never shut down and we delivered all customer shipments."
Over the next couple of weeks important milestones in the recovery process were made in close collaboration between Progent consultants and the client:
- Self-hosted web applications were brought back up without losing any data.
- The MailStore Microsoft Exchange Server with over four million historical messages was brought on-line and available for users.
- CRM/Orders/Invoices/AP/AR/Inventory functions were 100% operational.
- A new Palo Alto Networks 850 firewall was brought on-line.
- Most of the user workstations were back into operation.
"So much of what was accomplished those first few days is mostly a blur for me, but our team will not soon forget the dedication each of you put in to give us our company back. I've trusted Progent for the past 10 years, maybe more, and every time I needed help Progent has shined and delivered as promised. This time was a testament to your capabilities."
A likely business-ending disaster was averted thanks to dedicated experts, a wide spectrum of knowledge, and close teamwork. Although, in hindsight, the ransomware attack described here should have been stopped by current security solutions and recognized best practices, user training, properly executed incident response procedures for data protection, and keeping systems up to date with security patches, the fact remains that government-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and an ongoing threat. If you do get hit by ransomware, be assured that Progent's team of experts has proven experience in crypto-ransomware defense, remediation, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were contributing), thank you for allowing me to get rested after we made it over the first week. All of you did a fabulous job, and if anyone that helped is in the Chicago area, dinner is on me!"
To read or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Grand Rapids a portfolio of online monitoring and security assessment services designed to assist you to reduce your vulnerability to ransomware. These services utilize next-generation machine learning technology to detect new variants of ransomware that can evade legacy signature-based anti-virus solutions.
For Grand Rapids 24/7 Crypto Removal Services, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes next generation behavior-based analysis tools to defend physical and virtual endpoints against new malware assaults such as ransomware and email phishing, which easily get by legacy signature-based anti-virus products. ProSight Active Security Monitoring protects local and cloud-based resources and provides a unified platform to address the complete threat progression including filtering, detection, containment, cleanup, and post-attack forensics. Key features include single-click rollback using Windows VSS and real-time network-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection services deliver affordable in-depth security for physical servers and virtual machines, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and reacting to security threats from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint management, and web filtering via leading-edge technologies packaged within a single agent accessible from a single console. Progent's security and virtualization consultants can assist your business to design and implement a ProSight ESP environment that addresses your company's specific needs and that helps you prove compliance with government and industry information protection regulations. Progent will help you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require urgent attention. Progent can also assist you to install and test a backup and restore solution like ProSight Data Protection Services so you can recover rapidly from a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services offer small and medium-sized organizations a low-cost end-to-end service for secure backup/disaster recovery (BDR). Available at a fixed monthly rate, ProSight Data Protection Services automates and monitors your backup processes and enables fast recovery of critical data, applications and VMs that have become unavailable or damaged as a result of hardware failures, software glitches, disasters, human mistakes, or malicious attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on an on-premises device, or mirrored to both. Progent's BDR consultants can provide world-class support to configure ProSight Data Protection Services to be compliant with government and industry regulatory standards like HIPAA, FIRPA, and PCI and, whenever needed, can help you to recover your business-critical data. Learn more about ProSight Data Protection Services Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading information security companies to deliver web-based management and world-class protection for all your email traffic. The powerful architecture of Progent's Email Guard combines a Cloud Protection Layer with an on-premises security gateway device to provide advanced defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-based malware. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps most threats from reaching your security perimeter. This reduces your vulnerability to external threats and saves network bandwidth and storage. Email Guard's on-premises gateway device adds a further layer of analysis for incoming email. For outgoing email, the on-premises security gateway offers AV and anti-spam protection, DLP, and email encryption. The local gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to map out, track, enhance and troubleshoot their networking appliances like routers and switches, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Using cutting-edge RMM technology, WAN Watch makes sure that infrastructure topology maps are kept updated, copies and displays the configuration of almost all devices on your network, tracks performance, and generates notices when problems are discovered. By automating tedious network management processes, WAN Watch can knock hours off ordinary tasks like network mapping, expanding your network, locating devices that need critical software patches, or identifying the cause of performance issues. Learn more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management technology to keep your network operating efficiently by tracking the state of vital assets that power your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your designated IT personnel and your Progent consultant so that all looming problems can be addressed before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected fault tolerant data center on a high-performance virtual host set up and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the apps. Because the environment is virtualized, it can be ported easily to a different hardware solution without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and safeguard information related to your IT infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or warranties. By updating and managing your IT documentation, you can eliminate as much as 50% of time spent searching for vital information about your IT network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents required for managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT information. Whether you're planning improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need when you need it. Learn more about Progent's ProSight IT Asset Management service.