Ransomware : Your Crippling IT Disaster
Crypto-Ransomware  Remediation ProfessionalsRansomware has become an escalating cyber pandemic that represents an extinction-level threat for businesses poorly prepared for an attack. Multiple generations of crypto-ransomware such as CrySIS, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for a long time and still cause destruction. More recent variants of ransomware such as Ryuk and Hermes, as well as additional as yet unnamed malware, not only do encryption of on-line information but also infect all available system protection. Files replicated to off-site disaster recovery sites can also be encrypted. In a poorly architected data protection solution, it can make automated restore operations hopeless and basically sets the entire system back to zero.

Retrieving programs and information following a crypto-ransomware event becomes a race against the clock as the victim struggles to contain and eradicate the ransomware and to restore enterprise-critical operations. Due to the fact that ransomware takes time to replicate, attacks are usually sprung at night, when successful attacks may take longer to notice. This compounds the difficulty of promptly mobilizing and orchestrating a qualified response team.

Progent has a variety of services for securing enterprises from ransomware attacks. These include team member training to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of modern security appliances with artificial intelligence capabilities to intelligently discover and quarantine zero-day cyber threats. Progent in addition can provide the services of experienced crypto-ransomware recovery consultants with the skills and commitment to restore a breached network as quickly as possible.

Progent's Ransomware Restoration Support Services
Subsequent to a crypto-ransomware event, sending the ransom demands in cryptocurrency does not provide any assurance that cyber criminals will provide the needed codes to decipher all your data. Kaspersky Labs estimated that 17% of ransomware victims never restored their data after having paid the ransom, resulting in more losses. The risk is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is significantly above the average crypto-ransomware demands, which ZDNET estimates to be around $13,000. The fallback is to piece back together the vital parts of your IT environment. Without the availability of essential system backups, this requires a broad range of skills, top notch project management, and the capability to work continuously until the task is complete.

For twenty years, Progent has made available certified expert Information Technology services for companies in Indianapolis and across the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have been awarded top certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have garnered internationally-recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has expertise in accounting and ERP applications. This breadth of experience gives Progent the capability to efficiently determine necessary systems and organize the surviving parts of your Information Technology environment after a crypto-ransomware penetration and rebuild them into an operational system.

Progent's recovery team uses powerful project management systems to coordinate the complex recovery process. Progent understands the importance of working rapidly and in concert with a customerís management and Information Technology staff to assign priority to tasks and to get the most important systems back on line as soon as possible.

Client Story: A Successful Crypto-Ransomware Attack Recovery
A business hired Progent after their organization was brought down by the Ryuk crypto-ransomware. Ryuk is generally considered to have been launched by North Korean government sponsored criminal gangs, possibly using algorithms exposed from Americaís NSA organization. Ryuk attacks specific organizations with limited ability to sustain disruption and is one of the most lucrative iterations of ransomware. Major targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturer located in the Chicago metro area and has about 500 workers. The Ryuk penetration had frozen all business operations and manufacturing capabilities. The majority of the client's backups had been directly accessible at the start of the attack and were encrypted. The client was evaluating paying the ransom demand (more than $200K) and wishfully thinking for the best, but ultimately reached out to Progent.


"I canít say enough in regards to the care Progent provided us throughout the most critical time of (our) companyís life. We most likely would have paid the cybercriminals except for the confidence the Progent team afforded us. That you were able to get our e-mail and essential servers back on-line quicker than a week was beyond my wildest dreams. Each person I got help from or e-mailed at Progent was amazingly focused on getting us back online and was working breakneck pace on our behalf."

Progent worked hand in hand the client to rapidly assess and prioritize the essential systems that needed to be addressed to make it possible to restart company operations:

  • Microsoft Active Directory
  • Microsoft Exchange
  • Financials/MRP
To get going, Progent followed AV/Malware Processes event response industry best practices by halting lateral movement and cleaning systems of viruses. Progent then started the steps of bringing back online Microsoft AD, the core of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange Server email will not work without Active Directory, and the client's accounting and MRP software utilized Microsoft SQL, which depends on Active Directory for access to the information.

In less than 2 days, Progent was able to re-build Active Directory to its pre-attack state. Progent then assisted with reinstallations and storage recovery on critical applications. All Exchange Server ties and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was able to assemble non-encrypted OST data files (Outlook Email Off-Line Data Files) on various PCs to recover mail data. A not too old offline backup of the businesses manufacturing systems made it possible to recover these required applications back servicing users. Although major work still had to be done to recover totally from the Ryuk attack, core systems were recovered rapidly:


"For the most part, the production operation did not miss a beat and we did not miss any customer shipments."

During the next couple of weeks critical milestones in the restoration process were made in tight cooperation between Progent engineers and the client:

  • In-house web applications were brought back up without losing any information.
  • The MailStore Microsoft Exchange Server exceeding four million archived emails was brought online and available for users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory modules were completely operational.
  • A new Palo Alto 850 security appliance was set up.
  • Ninety percent of the user desktops were operational.

"A huge amount of what happened in the early hours is nearly entirely a fog for me, but my team will not soon forget the urgency each of your team put in to give us our company back. I have been working together with Progent for the past ten years, possibly more, and each time Progent has impressed me and delivered as promised. This event was a life saver."

Conclusion
A probable company-ending catastrophe was avoided due to top-tier experts, a broad array of knowledge, and tight teamwork. Although in analyzing the event afterwards the ransomware attack described here would have been identified and prevented with current security solutions and ISO/IEC 27001 best practices, user and IT administrator education, and appropriate incident response procedures for data protection and applying software patches, the reality remains that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware attack, remember that Progent's team of professionals has proven experience in ransomware virus defense, mitigation, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were helping), thanks very much for allowing me to get some sleep after we got past the first week. Everyone did an fabulous job, and if anyone is in the Chicago area, a great meal is my treat!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Indianapolis a variety of online monitoring and security evaluation services to help you to minimize your vulnerability to ransomware. These services utilize next-generation artificial intelligence technology to uncover new variants of ransomware that can evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates next generation behavior analysis tools to defend physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which routinely evade traditional signature-matching AV tools. ProSight ASM safeguards on-premises and cloud resources and provides a single platform to automate the complete threat lifecycle including protection, infiltration detection, containment, remediation, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services offer affordable in-depth protection for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint control, and web filtering through cutting-edge technologies incorporated within one agent accessible from a unified control. Progent's data protection and virtualization experts can help your business to plan and implement a ProSight ESP environment that addresses your organization's unique requirements and that allows you achieve and demonstrate compliance with government and industry information protection regulations. Progent will help you specify and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require urgent attention. Progent can also help your company to set up and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized businesses a low cost and fully managed solution for reliable backup/disaster recovery (BDR). For a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup processes and allows fast restoration of vital files, applications and virtual machines that have become lost or corrupted as a result of component breakdowns, software glitches, natural disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, plus Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to a local storage device, or to both. Progent's cloud backup specialists can deliver world-class expertise to configure ProSight Data Protection Services to be compliant with regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can assist you to restore your business-critical data. Learn more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading data security companies to deliver web-based control and world-class security for all your email traffic. The hybrid architecture of Progent's Email Guard integrates cloud-based filtering with an on-premises gateway appliance to offer advanced protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-based malware. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks the vast majority of threats from making it to your security perimeter. This reduces your vulnerability to inbound attacks and saves system bandwidth and storage space. Email Guard's onsite gateway appliance provides a further level of analysis for incoming email. For outgoing email, the on-premises security gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also assist Exchange Server to monitor and safeguard internal email that stays within your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progentís ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to map, monitor, reconfigure and debug their networking appliances like routers and switches, firewalls, and wireless controllers as well as servers, printers, endpoints and other networked devices. Incorporating cutting-edge RMM technology, WAN Watch ensures that network diagrams are always current, captures and displays the configuration of virtually all devices connected to your network, monitors performance, and generates alerts when problems are detected. By automating tedious management and troubleshooting activities, WAN Watch can knock hours off common tasks like network mapping, reconfiguring your network, locating devices that require critical software patches, or isolating performance problems. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system running at peak levels by tracking the state of critical computers that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your specified IT management personnel and your Progent engineering consultant so that any looming issues can be addressed before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a secure Tier III data center on a fast virtual machine host configured and maintained by Progent's network support experts. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the applications. Since the environment is virtualized, it can be ported immediately to a different hosting solution without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and safeguard information related to your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be warned automatically about impending expirations of SSLs ,domains or warranties. By cleaning up and organizing your IT documentation, you can save up to 50% of time spent looking for vital information about your network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents related to managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether youíre making enhancements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need when you need it. Read more about Progent's ProSight IT Asset Management service.
For Indianapolis 24-Hour Ransomware Removal Experts, contact Progent at 800-993-9400 or go to Contact Progent.