Ransomware : Your Worst Information Technology Nightmare
Crypto-Ransomware Remediation Experts
Crypto-ransomware has become a modern cyberplague that represents an existential threat for businesses poorly prepared for an attack. Versions of ransomware such as the CrySIS, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for a long time and continue to inflict harm. Recent crypto-ransomware such as Ryuk and Hermes, as well as newer and as yet unnamed malware, not only encrypts online data but also attacks the configured system protection mechanisms, so that backups and recovery points are corrupted along with live data. Data replicated to the cloud can also be corrupted. In a vulnerable system, this renders automatic recovery useless and effectively knocks the network back to zero.

Restoring services and data following a ransomware intrusion becomes a sprint against the clock as the targeted business tries its best to contain the damage, clear the crypto-ransomware, and resume enterprise-critical operations. Because ransomware takes time to replicate, attacks are usually sprung during nights and weekends, when a successful attack is likely to go undetected for longer. This multiplies the difficulty of quickly mobilizing and orchestrating an experienced response team.

Progent makes available a range of solutions for protecting enterprises from ransomware events. These include user training to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with installation of the latest generation security appliances with machine learning technology to rapidly detect and disable day-zero cyber attacks. Progent in addition offers the assistance of veteran crypto-ransomware recovery engineers with the talent and perseverance to restore a compromised environment as quickly as possible.

Progent's Ransomware Restoration Services
After a ransomware attack, even paying the ransom in Bitcoin cryptocurrency does not provide any assurance that distant criminals will provide the keys needed to decrypt any of your files. Kaspersky estimated that 17% of ransomware victims never restored their information after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000). This is significantly higher than the typical ransomware demand, which ZDNET estimates to be around $13,000. The alternative is to re-install the mission-critical components of your IT environment. Without access to essential system backups, this calls for a broad complement of skills, professional team management, and the capability to work 24x7 until the recovery project is done.

For two decades, Progent has provided expert Information Technology services for businesses in Madison and throughout the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have attained high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have garnered internationally-recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications). Progent also has expertise in financial systems and ERP applications. This breadth of expertise gives Progent the ability to rapidly identify the critical systems, salvage the surviving components of your Information Technology environment following a ransomware attack, and reassemble them into a functioning system.

Progent's security team deploys state-of-the-art project management tools to orchestrate the complicated recovery process. Progent appreciates the importance of acting quickly and together with a customer's management and Information Technology staff to prioritize tasks and to get the most important applications back online as soon as possible.

Customer Case Study: A Successful Crypto-Ransomware Virus Recovery
A small business contacted Progent after their network was taken over by the Ryuk ransomware virus. Ryuk is thought to have been developed by North Korean state hackers, suspected of adopting technology leaked from the United States National Security Agency. Ryuk targets specific organizations that have little or no room for operational disruption and is among the most profitable versions of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company headquartered in Chicago with about 500 staff members. The Ryuk intrusion had shut down all essential operations and manufacturing processes. Most of the client's data backups had been online at the beginning of the intrusion and were damaged. The client was pursuing financing to pay the ransom demand (more than $200,000) and hoping for the best, but ultimately reached out to Progent.


"I can't say enough in regards to the expertise Progent provided us throughout the most stressful time of (our) business's survival. We had little choice but to pay the hackers behind this attack if not for the confidence the Progent group provided us. That you could get our e-mail and important servers back faster than 1 week was earth shattering. Each expert I talked with or messaged at Progent was totally committed to getting us operational and was working at all hours on our behalf."

Progent worked hand in hand with the customer to quickly identify and prioritize the mission-critical systems that needed to be restored in order to restart departmental operations:

  • Active Directory (AD)
  • Electronic Mail
  • Financials/MRP

To begin, Progent followed ransomware event mitigation best practices by halting the spread and cleaning up infected systems. Progent then began the task of recovering Microsoft AD, the core of enterprise environments built upon Microsoft technology. Exchange messaging will not work without AD, and the business's financials and MRP software used SQL Server, which depends on Windows AD for authentication and authorization to the database.

In less than 2 days, Progent was able to rebuild Windows Active Directory to its pre-virus state. Progent then assisted with setup and hard drive recovery on mission-critical applications. All Exchange Server schema and attributes were usable, which accelerated the restore of Exchange. Progent was able to assemble non-encrypted OST data files (Outlook Offline Data Files) from user desktop computers and laptops in order to recover email information. A relatively recent offline backup of the business's financials/MRP software made it possible to restore these vital applications to users. Although a large amount of work still had to be done to recover completely from the Ryuk virus, critical systems were recovered rapidly:


"For the most part, the production manufacturing operation did not miss a beat and we made all customer orders."
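The email recovery described above depends on finding workstation Outlook cache files whose contents the ransomware never touched. The following script is an added example, not Progent's code or any tool used in this engagement: it walks a directory tree (assumed to be collected user profiles), finds Outlook data files, and sorts them into intact, damaged and renamed by checking whether the first four bytes still carry the "!BDN" signature that the MS-PST file format requires at offset 0. A file whose header has been overwritten by in-place encryption no longer has that signature and is not worth copying. The sample files and profile paths are constructed inside the script so it runs offline.

```python
"""Triage Outlook offline cache files (.ost/.pst) after a ransomware event.

Added example (not Progent's code). Assumes the collected user profiles sit
under one root directory; everything below the root is scanned recursively.
"""
import os
import tempfile
from collections import defaultdict

# dwMagic: the first four bytes of every intact PST/OST file (MS-PST spec).
PST_MAGIC = b"!BDN"
OUTLOOK_EXTENSIONS = (".ost", ".pst")


def is_candidate(name):
    """True if any extension component of the file name is ost or pst,
    so that renamed files such as mail.ost.locked are still examined."""
    parts = name.lower().split(".")[1:]  # extension components only
    return any(part in ("ost", "pst") for part in parts)


def classify_outlook_file(path):
    """Return 'intact', 'damaged' or 'renamed' for one candidate file.

    'renamed': the Outlook extension is followed by an extra suffix, the usual
               trace of in-place encryption followed by a rename.
    'damaged': the extension is unchanged but the header signature is gone.
    'intact':  the header signature is present; the file is a recovery candidate.
    """
    name = os.path.basename(path).lower()
    if not name.endswith(OUTLOOK_EXTENSIONS):
        return "renamed"
    try:
        with open(path, "rb") as fh:
            header = fh.read(len(PST_MAGIC))
    except OSError:
        return "damaged"
    return "intact" if header == PST_MAGIC else "damaged"


def triage_outlook_files(root):
    """Walk `root` and group candidate files by status.

    Each entry is (relative path, size in bytes); entries are sorted largest
    first so the richest intact caches can be collected before the rest.
    """
    report = defaultdict(list)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not is_candidate(name):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            report[classify_outlook_file(path)].append((rel, os.path.getsize(path)))
    for entries in report.values():
        entries.sort(key=lambda e: (-e[1], e[0]))
    return dict(report)


def build_sample_tree(root):
    """Constructed sample data: three workstation profiles under `root`.
    Hostnames, user names and file contents are invented for the example."""
    filler = bytes(range(256))  # deterministic non-signature bytes
    samples = {
        "ws01/alice/Outlook/alice@example.test.ost": PST_MAGIC + b"\x00" * 508,   # intact
        "ws02/bob/Outlook/bob@example.test.ost": filler * 2,                       # header overwritten
        "ws03/carol/Outlook/carol@example.test.ost.locked": filler * 2,            # encrypted and renamed
        "ws03/carol/Documents/archive2019.pst": PST_MAGIC + b"\x00" * 1020,       # intact archive
        "ws03/carol/Documents/notes.txt": b"not mail data",                        # ignored
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def run_demo():
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage_outlook_files(root)


if __name__ == "__main__":
    for status, entries in sorted(run_demo().items()):
        print(status)
        for rel, size in entries:
            print(f"  {size:>8} bytes  {rel}")
```

On a real collection the signature check is only the first filter: an intact header does not prove the whole file is undamaged, so copies should still be opened in Outlook or a PST viewer before the mailbox is considered recovered. The size ordering is there because the largest caches on the desktops are usually the ones that hold the most mail history.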

Over the following couple of weeks, key milestones in the restoration process were reached through close cooperation between Progent consultants and the customer:

  • In-house web sites were brought back up with no loss of data.
  • The MailStore Microsoft Exchange Server with over four million historical messages was brought online and available for users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory Control modules were fully recovered.
  • A new Palo Alto 850 security appliance was set up.
  • Nearly all of the user PCs were functioning as before the incident.

"A huge amount of what happened that first week is nearly entirely a fog for me, but we will not soon forget the commitment each and every one of you accomplished to give us our company back. I've been working with Progent for the past ten years, maybe more, and each time I needed help Progent has impressed me and delivered as promised. This event was a stunning achievement."

Conclusion
A likely business extinction disaster was averted with results-oriented professionals, a broad array of knowledge, and close collaboration. Although in hindsight the ransomware attack described here could have been prevented with modern cyber security solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and well thought out procedures for data backup and patch management, the fact is that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and are not going away. If you do get hit by a ransomware incident, remember that Progent's roster of experts has extensive experience in crypto-ransomware blocking, remediation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were contributing), thanks very much for letting me get some sleep after we made it past the initial fire. Everyone did an incredible job, and if any of your guys is in the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer story, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Madison a range of remote monitoring and security evaluation services designed to assist you to minimize your vulnerability to ransomware. These services incorporate next-generation artificial intelligence capability to uncover new strains of ransomware that are able to escape detection by traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates cutting edge behavior-based machine learning technology to defend physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which easily escape traditional signature-based AV tools. ProSight ASM protects local and cloud-based resources and provides a unified platform to manage the complete threat lifecycle including blocking, infiltration detection, containment, remediation, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services offer affordable in-depth security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and responding to security threats from all vectors. ProSight ESP offers firewall protection, penetration alarms, endpoint control, and web filtering through cutting-edge tools packaged within one agent accessible from a unified console. Progent's security and virtualization consultants can assist your business to plan and configure a ProSight ESP environment that addresses your company's specific needs and that helps you demonstrate compliance with government and industry data protection regulations. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require immediate action. Progent's consultants can also assist you to set up and test a backup and disaster recovery system like ProSight Data Protection Services so you can recover rapidly from a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and mid-sized organizations an affordable end-to-end solution for secure backup/disaster recovery (BDR). For a fixed monthly cost, ProSight DPS automates your backup activities and enables rapid restoration of vital data, apps and virtual machines that have become unavailable or damaged as a result of component failures, software bugs, disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you back up, recover and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Critical data can be protected in the cloud, on an on-premises storage device, or mirrored to both. Progent's backup and recovery consultants can provide advanced expertise to set up ProSight DPS to comply with government and industry regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can assist you to recover your critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top information security vendors to deliver centralized control and world-class protection for all your email traffic. The powerful architecture of Progent's Email Guard combines cloud-based filtering with a local gateway device to offer complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's cloud filter serves as a preliminary barricade and blocks the vast majority of unwanted email from reaching your network firewall. This reduces your exposure to inbound threats and saves network bandwidth and storage space. Email Guard's onsite security gateway appliance adds a further layer of inspection for inbound email. For outgoing email, the onsite gateway offers AV and anti-spam filtering, DLP, and email encryption. The local security gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email traffic that stays within your security perimeter. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized organizations to map, track, reconfigure and troubleshoot their connectivity hardware like routers, firewalls, and wireless controllers plus servers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept current, copies and manages the configuration information of virtually all devices connected to your network, tracks performance, and sends notices when potential issues are discovered. By automating time-consuming network management activities, ProSight WAN Watch can cut hours off common chores such as network mapping, expanding your network, finding appliances that require important updates, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to help keep your IT system running at peak levels by checking the state of critical computers that power your business network. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your designated IT management personnel and your assigned Progent consultant so that any potential problems can be addressed before they can impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host set up and maintained by Progent's network support professionals. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the apps. Since the environment is virtualized, it can be ported easily to a different hardware environment without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and protect data about your network infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your network documentation, you can save up to 50% of the time wasted searching for vital information about your network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents required for managing your business network such as standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether you're planning enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Read more about ProSight IT Asset Management service.

For Madison 24x7 Crypto-Ransomware Recovery Experts, contact Progent at 800-993-9400 or go to Contact Progent.