Ransomware: Your Worst Information Technology Nightmare
Ransomware Recovery Professionals
Ransomware has become an all-too-frequent cyberplague that presents an enterprise-level danger to organizations poorly prepared for an attack. Successive generations of ransomware such as CrySIS, WannaCry, Locky, SamSam and MongoLock have been running rampant for years and continue to inflict harm. Current families such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti and Nefilim, along with as-yet-unnamed variants appearing daily, not only encrypt online data files but also attack the recovery mechanisms themselves: they delete Volume Shadow Copies, disable Windows automatic recovery, and encrypt or wipe any backup that is reachable over the network. Files replicated to cloud storage by sync clients are overwritten with their encrypted versions as well. In a poorly architected environment this renders automatic recovery useless and effectively knocks the network back to square one.
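The "attack the recovery mechanisms" behaviour above leaves a recognisable trail in process-creation telemetry (Sysmon event 1, Security event 4688), because the tooling used to destroy shadow copies and backups is the built-in Windows tooling. The following added example, which is not part of the original page and not a Progent product, shows detection logic for those commands (MITRE ATT&CK T1490, Inhibit System Recovery) run over constructed sample records. The `ts|host|user|commandline` record format, the rule names and all hosts, users and timestamps are assumptions made for the example.

```python
"""Flag process-creation events typical of ransomware destroying recovery
data before encryption (MITRE ATT&CK T1490, Inhibit System Recovery).

Added example: the rules are a generic starting point, not a vendor
product, and the event records below are constructed, not from a real
incident. A real pipeline would feed Sysmon event 1 or Security 4688
command lines into scan() instead of SAMPLE_EVENTS."""
import re
from dataclasses import dataclass

# Regexes are applied to the lower-cased command line.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"),
    "vssadmin_shrink_shadowstorage": re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage\b.*?/maxsize="),
    "wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    "wbadmin_delete_backups": re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)"),
    "bcdedit_disable_recovery": re.compile(
        r"bcdedit(\.exe)?\s.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    "powershell_delete_shadows": re.compile(r"win32_shadowcopy\b.*\.delete\(\)"),
}

# key=value fields separated by '|'; the lookahead keeps '=' and '|' that
# appear inside the command line itself from being read as new fields.
FIELD_RX = re.compile(r"(\w+)=(.*?)(?=\|\w+=|$)")


@dataclass
class Hit:
    ts: str
    host: str
    user: str
    rule: str
    command: str


def parse_event(record):
    """Parse one constructed 'key=value|key=value' record into a dict."""
    return {k.lower(): v for k, v in FIELD_RX.findall(record)}


def scan(records):
    """Return one Hit per record whose command line matches a rule."""
    hits = []
    for rec in records:
        ev = parse_event(rec)
        cmd = ev.get("commandline", "")
        norm = cmd.lower()           # defeats VsSaDmIn-style case games
        for name, rx in RULES.items():
            if rx.search(norm):
                hits.append(Hit(ev.get("ts", "?"), ev.get("host", "?"),
                                ev.get("user", "?"), name, cmd))
                break
    return hits


def summarize(hits):
    """Severity per host: two or more distinct techniques in one batch is
    'high'; a single technique is 'medium' (backup software legitimately
    deletes or resizes shadow copies, so one hit alone needs triage)."""
    rules_by_host = {}
    for h in hits:
        rules_by_host.setdefault(h.host, set()).add(h.rule)
    return {host: ("high" if len(rules) >= 2 else "medium")
            for host, rules in rules_by_host.items()}


# Constructed sample records (ts|host|user|commandline), not real telemetry.
SAMPLE_EVENTS = [
    "ts=2019-03-10T02:14:03Z|host=FS01|user=CORP\\backupsvc|commandline=C:\\Windows\\System32\\vssadmin.exe Delete Shadows /All /Quiet",
    "ts=2019-03-10T02:14:04Z|host=FS01|user=CORP\\backupsvc|commandline=vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB",
    "ts=2019-03-10T02:14:05Z|host=FS01|user=CORP\\backupsvc|commandline=wmic.exe shadowcopy delete",
    "ts=2019-03-10T02:14:09Z|host=DC01|user=CORP\\jdoe|commandline=bcdedit.exe /set {default} recoveryenabled No",
    "ts=2019-03-10T02:14:09Z|host=DC01|user=CORP\\jdoe|commandline=bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    "ts=2019-03-10T02:14:12Z|host=APP02|user=CORP\\svc_sql|commandline=wbadmin.exe delete catalog -quiet",
    "ts=2019-03-10T08:01:00Z|host=WS117|user=CORP\\asmith|commandline=vssadmin.exe list shadows",
    "ts=2019-03-10T08:01:30Z|host=WS117|user=CORP\\asmith|commandline=C:\\Windows\\explorer.exe",
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for h in found:
        print(f"{h.ts} {h.host:6} {h.user:16} {h.rule:30} {h.command}")
    print(summarize(found))
```

The benign `vssadmin list shadows` query produces no hit, while the three different techniques seen on FS01 in two seconds escalate that host to high severity. Backup agents do resize and delete shadow copies as part of normal operation, so a single medium-severity hit is a triage item, not an automatic isolation trigger; the per-host aggregation is what separates routine maintenance from an attacker preparing to encrypt.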

Bringing applications and data back online after a ransomware outage becomes a race against the clock as the victim works to stop the spread, clean out the crypto-ransomware, and resume mission-critical operations. Because crypto-ransomware takes time to spread, the encryption phase is often triggered on weekends or holidays, when a successful attack typically takes longer to discover and respond to. This compounds the difficulty of rapidly assembling and organizing a qualified mitigation team.

Progent offers an assortment of services for protecting organizations from ransomware intrusions. These include staff training to help users recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security tools that use artificial intelligence to identify and quarantine new threats. Progent also provides veteran ransomware recovery engineers with the skills and persistence to rebuild a breached environment as quickly as possible.

Progent's Crypto-Ransomware Restoration Support Services
Following a ransomware intrusion, paying the ransom in Bitcoin gives no assurance that the remote criminals will hand over the keys needed to decrypt all your files. Kaspersky Lab estimated that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the average crypto-ransomware demand, which ZDNet put at around $13,000. The alternative is to piece the mission-critical elements of your IT environment back together. Without complete, uncompromised backups, this calls for a broad set of skills, well-coordinated project management, and the ability to work around the clock until the job is done.

For twenty years, Progent has provided professional IT services to businesses in Chesapeake and across the United States and has earned Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's pool of subject matter experts includes engineers with top industry certifications in leading technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's cybersecurity consultants hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC and SANS GIAC (refer to Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of experience allows Progent to efficiently identify critical systems, consolidate the surviving pieces of your IT environment after a ransomware event, and assemble them into a working system.

Progent's ransomware team uses best-of-breed project management tools to coordinate the complex restoration process. Progent understands the urgency of acting quickly and in concert with a client's management and IT staff to prioritize tasks and bring the most important systems back online as fast as humanly possible.

Customer Story: A Successful Crypto-Ransomware Penetration Response
A customer contacted Progent after the company was hit by the Ryuk crypto-ransomware. Early analyses linked Ryuk to North Korean state-sponsored actors because of code it shares with the earlier Hermes ransomware; later research attributed it to a Russian-speaking criminal group. Ryuk targets specific organizations with limited tolerance for operational disruption and is one of the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer in the Chicago metro area with around 500 employees. The Ryuk intrusion had brought down all essential business and manufacturing systems. Most of the client's backups had been online when the intrusion began and were encrypted along with everything else. The client considered paying the ransom (over $200,000) and hoping for the best, but ultimately reached out to Progent.


"I can't speak enough in regards to the support Progent provided us during the most fearful period of (our) company's existence. We would have paid the hackers behind this attack if not for the confidence the Progent team gave us. The fact that you could get our e-mail system and key applications back sooner than one week was something I thought impossible. Each expert I interacted with or messaged at Progent was urgently focused on getting us restored and was working 24/7 to bail us out."

Progent worked with the client to quickly identify and prioritize the key systems that had to be restored first so that business functions could continue:

  • Active Directory (AD)
  • Electronic Mail
  • Accounting/MRP
Progent began by following incident-response best practice: contain the outbreak, then clean the malware off affected systems. Progent then started restoring Microsoft Active Directory, the core of any enterprise environment built on Microsoft technology. Exchange will not function without Active Directory, and the client's financials and MRP software ran on SQL Server, which authenticated users to the databases through Active Directory.
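The ordering argument in the paragraph above (Active Directory before Exchange, SQL Server before the accounting/MRP application that sits on it) is a dependency graph, and a recovery lead working a multi-day restore wants that graph written down and sorted rather than kept in heads. The following added example, which is not part of the original page and not Progent's tooling, computes a restoration order and parallel restoration waves from such a graph with a topological sort. The service names follow the case study; the DNS node, the edges between services and the business priorities are assumptions a recovery lead would replace with the client's own.

```python
"""Derive a restoration order from service dependencies for a ransomware
recovery runbook.

Added example, not Progent's tooling: the service names follow the case
study (Active Directory first, then Exchange and the SQL Server behind
accounting/MRP); the edges and business priorities are assumptions."""

# service -> services that must be up before it can be restored (assumed)
DEPENDENCIES = {
    "Active Directory": set(),
    "DNS": {"Active Directory"},            # AD-integrated DNS in this model
    "Exchange": {"Active Directory", "DNS"},
    "SQL Server": {"Active Directory"},     # Windows authentication to the databases
    "Accounting/MRP": {"SQL Server"},
    "Web sites": {"DNS"},
    "User PCs": {"Active Directory", "Exchange"},
}

# Business priority agreed with the client; lower restores sooner. Breaks
# ties among services whose dependencies are already satisfied. Assumed.
PRIORITY = {"Active Directory": 0, "DNS": 0, "Exchange": 1,
            "SQL Server": 1, "Accounting/MRP": 1, "User PCs": 2, "Web sites": 3}


def restoration_order(deps, priority):
    """Kahn's topological sort; among ready services, the highest business
    priority goes first. Raises ValueError on a circular dependency and
    KeyError on a dependency that is not itself modelled."""
    indegree = {s: len(d) for s, d in deps.items()}
    dependents = {s: set() for s in deps}
    for s, needed in deps.items():
        for n in needed:
            if n not in deps:
                raise KeyError(f"{s!r} depends on unmodelled service {n!r}")
            dependents[n].add(s)

    def rank(s):
        return (priority.get(s, 99), s)

    ready = sorted((s for s, n in indegree.items() if n == 0), key=rank)
    order = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for t in dependents[current]:
            indegree[t] -= 1
            if indegree[t] == 0:
                ready.append(t)
        ready.sort(key=rank)   # re-rank so priority, not set order, decides
    if len(order) != len(deps):
        stuck = sorted(s for s, n in indegree.items() if n > 0)
        raise ValueError(f"circular dependency among {stuck}")
    return order


def restoration_waves(deps):
    """Group services into waves that separate teams can restore in
    parallel: every service in a wave depends only on earlier waves."""
    remaining = {s: set(d) for s, d in deps.items()}
    waves = []
    while remaining:
        wave = sorted(s for s, d in remaining.items() if not d)
        if not wave:
            raise ValueError(f"circular dependency among {sorted(remaining)}")
        waves.append(wave)
        for s in wave:
            del remaining[s]
        for d in remaining.values():
            d.difference_update(wave)
    return waves


if __name__ == "__main__":
    for i, s in enumerate(restoration_order(DEPENDENCIES, PRIORITY), 1):
        print(f"{i}. {s}")
    for i, wave in enumerate(restoration_waves(DEPENDENCIES)):
        print(f"wave {i}: {', '.join(wave)}")
```

With the assumed graph the first wave is Active Directory alone, which matches the sequencing in the case study; the later waves show where a second team can work in parallel (SQL Server alongside DNS, for instance) instead of waiting on the mail restore. The cycle check matters in practice: a documented dependency loop (for example a backup server that needs a database that is backed up by that same server) is exactly the kind of design flaw that surfaces only during a real restore.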

Within two days, Progent had rebuilt Active Directory to its pre-attack state. Progent then pressed ahead with rebuilding and recovering storage for mission-critical servers. All Exchange Server data and attributes were intact, which accelerated the Exchange restore. Progent was also able to gather unencrypted OST files (Outlook Offline Data Files) from staff PCs to recover mailbox data. A reasonably recent offline backup of the customer's accounting/MRP systems made it possible to bring those essential services back online. Although a great deal of work remained to recover fully from the Ryuk damage, core services were returned to operation rapidly:


"For the most part, the production manufacturing operation showed little impact and we delivered all customer shipments."

Over the following couple of weeks, key milestones in the restoration project were reached in close cooperation between Progent consultants and the customer:

  • Self-hosted web sites were restored without losing any information.
  • The MailStore email archive server, holding over four million historical messages, was brought back up and made available to users.
  • CRM/Customer Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory capabilities were 100% recovered.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • 90% of user PCs were functioning as they had before the incident.

"Much of what happened those first few days is mostly a blur for me, but we will not forget the dedication each of your team put in to help get our company back. I've been working together with Progent for the past 10 years, possibly more, and each time Progent has shined and delivered as promised. This situation was the most impressive ever."

Conclusion
A potentially business-ending disaster was averted through the efforts of hard-working professionals, a wide array of technical expertise, and close collaboration. Post-incident forensics concluded that the attack described here could have been prevented with current security tooling and best practices, user and IT administrator education, and well-thought-out procedures for offline backups and patching. Even so, state-sponsored and criminal ransomware groups from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware incident, remember that Progent's roster of experts has proven experience in ransomware blocking, remediation and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were contributing), thanks very much for making it so I could get rested after we made it over the first week. All of you did an impressive effort, and if any of your team is around the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Chesapeake a range of remote monitoring and security assessment services to help minimize your exposure to ransomware. These services use next-generation artificial intelligence and behavioral analysis to uncover zero-day ransomware variants that evade traditional signature-based security tools.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that uses behavior-based analysis to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which routinely evade legacy signature-based antivirus. ProSight ASM protects on-premises and cloud-based resources and provides a single platform covering the complete attack progression: prevention, detection, containment, remediation and post-attack forensics. Key features include single-click rollback using the Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly identified threats. Because ransomware routinely deletes shadow copies before encrypting, rollback of this kind depends on the endpoint agent blocking that deletion, so it complements rather than replaces offline backups. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer affordable, in-depth security for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and machine learning to continuously monitor and respond to attacks from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device control, and web filtering through technologies incorporated within one agent managed from a unified console. Progent's data protection and virtualization consultants can help you design and implement a ProSight ESP environment that meets your organization's requirements and helps you demonstrate compliance with government and industry data protection regulations. Progent will help you specify and implement the security policies that ProSight ESP enforces, and Progent will monitor your network and respond to alerts that require urgent action. Progent can also help your company install and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a potentially disastrous attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and medium-sized businesses a low-cost, fully managed solution for reliable backup and disaster recovery (BDR). For a fixed monthly cost, ProSight DPS automates your backup processes and allows fast restoration of critical data, applications and virtual machines that have been lost or damaged by hardware failures, software bugs, disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware virtual machine images. Critical data can be protected in the cloud, on an on-premises storage device, or both; given that the online backups in the case study above were encrypted along with the production data, at least one copy should be kept offline or otherwise unreachable from the production network. Progent's BDR consultants can provide the expertise to set up ProSight DPS to comply with government and industry regulatory requirements such as HIPAA, FERPA, PCI and Safe Harbor and, when necessary, can help you restore your business-critical data. Find out more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading data security vendors to provide web-based management and comprehensive protection for all your inbound and outbound email. The hybrid structure of Email Guard combines a Cloud Protection Layer with an on-premises security gateway appliance to defend against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks, and other email-borne threats. Email Guard's cloud filter acts as the first line of defense and keeps the vast majority of unwanted email from ever reaching your network firewall. This reduces your exposure to external threats and conserves network bandwidth and storage. Email Guard's on-premises security gateway adds a deeper level of inspection for incoming email. For outbound email, the on-premises gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises gateway can also work with Microsoft Exchange Server to monitor and safeguard internal email that originates and terminates inside your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for smaller organizations to diagram, monitor, optimize and troubleshoot their networking hardware such as routers, firewalls, and wireless controllers, plus servers, printers, endpoints and other networked devices. Built on current RMM technology, ProSight WAN Watch keeps network diagrams up to date, captures and manages the configuration of virtually every device on your network, monitors performance, and raises alerts when issues are discovered. By automating time-consuming management and troubleshooting activities, WAN Watch can cut hours off routine chores such as network mapping, expanding your network, finding devices that need critical software patches, or isolating performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses remote monitoring and management (RMM) technology to help keep your IT environment running efficiently by checking the health of the critical computers that drive your information system. When ProSight LAN Watch detects a problem, an alert is sent automatically to your designated IT management staff and your assigned Progent consultant so that looming problems can be addressed before they affect your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With the ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual host configured and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the applications. Because the system is virtualized, it can be moved quickly to a different hosting environment without a time-consuming and difficult reconfiguration. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that makes it easy to create, maintain, find and protect information about your IT infrastructure, procedures, applications, and services. You can quickly look up passwords or IP addresses and be warned about upcoming expirations of TLS/SSL certificates or domains. By keeping your IT infrastructure documentation current, you can eliminate up to half the time spent searching for critical information about your network. ProSight IT Asset Management provides a centralized repository for storing and sharing all the documents required to manage your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and correlating IT data. Whether you're making improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gives you the information you need when you need it. Find out more about ProSight IT Asset Management service.
For 24-Hour Chesapeake Ransomware Remediation Consulting, call Progent at 800-993-9400 or go to Contact Progent.