Ransomware : Your Worst IT Catastrophe
Ransomware has become an escalating cyber pandemic that poses an existential danger to businesses of all sizes that are poorly prepared for an attack. Multiple generations of ransomware such as the CrySIS, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for years and still inflict havoc. Modern variants of ransomware like Ryuk and Hermes, plus frequent as yet unnamed strains, not only encrypt online data files but also infiltrate any system backups that are reachable from the network. Files replicated to cloud environments can also be rendered useless. In a poorly designed system, this makes automatic restore operations useless and effectively knocks the network back to square one.
Retrieving programs and data following a ransomware intrusion becomes a sprint against time as the targeted business struggles to contain the damage, clean up the ransomware and restore business-critical activity. Because ransomware needs time to spread, penetrations are often launched at night, when successful attacks typically take longer to discover. This multiplies the difficulty of rapidly marshalling and coordinating a capable response team.
Progent provides a variety of services for securing organizations against ransomware events. Among these are staff training to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of modern security appliances with AI technology to quickly identify and suppress zero-day threats. Progent can also provide the services of veteran ransomware recovery consultants with the talent and perseverance to reconstruct a breached network as urgently as possible.
Progent's Crypto-Ransomware Recovery Help
Following a ransomware penetration, paying the ransom in cryptocurrency does not ensure that merciless criminals will return the keys needed to decipher any of your files. Kaspersky estimated that 17% of ransomware victims never recovered their files after having paid the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly above the typical crypto-ransomware demand, which ZDNET determined to be approximately $13,000. The alternative is to piece back together the critical elements of your Information Technology environment. Without full information backups, this requires a broad complement of IT skills, well-coordinated project management, and the willingness to work continuously until the task is complete.
For twenty years, Progent has provided professional IT services for businesses in Irving and across the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have earned advanced certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have earned internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial management and ERP applications. This breadth of experience allows Progent to efficiently identify important systems, organize the surviving parts of your Information Technology system following a crypto-ransomware penetration, and configure them into a functioning network.
Progent's security team utilizes top-notch project management tools to coordinate the complex recovery process. Progent understands the importance of acting rapidly and in concert with a customer's management and Information Technology team members to prioritize tasks and to put essential systems back online as fast as humanly possible.
Customer Story: A Successful Ransomware Virus Response
A customer sought out Progent after their company was attacked by the Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state criminal gangs, possibly adopting techniques leaked from the United States NSA. Ryuk targets specific organizations with limited tolerance for operational disruption and is among the most lucrative versions of ransomware. Major targets have included Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing company based in Chicago with about 500 workers. The Ryuk attack had shut down all essential operations and manufacturing capabilities. The majority of the client's system backups had been directly accessible from the network at the beginning of the intrusion and were eventually encrypted. The client was evaluating paying the ransom demand (exceeding two hundred thousand dollars) and hoping for good luck, but in the end called Progent.
"I can't say enough in regards to the support Progent provided us during the most fearful period of (our) company's existence. We most likely would have paid the cyber criminals except for the confidence the Progent experts afforded us. That you could get our messaging and production servers back faster than a week was beyond my wildest dreams. Each person I worked with or messaged at Progent was laser focused on getting us back online and was working day and night to bail us out."
Progent worked together with the client to quickly identify and prioritize the most important applications that had to be restored to make it possible to restart departmental operations:
- Microsoft Active Directory
- Microsoft Exchange
To begin, Progent followed industry best practices for malware incident response by stopping the spread and cleaning up compromised systems. Progent then began the process of rebuilding Microsoft Active Directory, the key technology of enterprise environments built upon Microsoft technology. Microsoft Exchange email will not operate without Active Directory, and the business's financial and MRP systems used Microsoft SQL Server, which relies on Windows AD for authentication and authorization to the data.
Within two days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then completed the rebuild and storage recovery of key systems. All Microsoft Exchange Server data and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was also able to collect non-encrypted OST files (Microsoft Outlook Offline Folder Files) from team workstations and laptops to recover email data. A recent offline backup of the customer's manufacturing software made it possible to bring these vital applications back online. Although a large amount of work still had to be done to recover fully from the Ryuk attack, critical systems were restored quickly:
"For the most part, the assembly line operation never missed a beat and we made all customer shipments."
During the following few weeks important milestones in the recovery process were accomplished in close cooperation between Progent consultants and the customer:
- In-house web sites were restored with no loss of information.
- The MailStore Exchange Server with over four million historical messages was brought on-line and accessible to users.
- CRM/Orders/Invoices/Accounts Payable/Accounts Receivable/Inventory capabilities were 100 percent restored.
- A new Palo Alto 850 firewall was brought on-line.
- 90% of the user desktops were operational.
"Much of what occurred in the early hours is nearly entirely a fog for me, but our team will not forget the care each and every one of you put in to give us our company back. I have entrusted Progent for the past 10 years, possibly more, and each time Progent has come through and delivered as promised. This situation was the most impressive ever."
A potential business-killing catastrophe was averted by hard-working professionals, a broad range of IT skills, and close teamwork. Post-incident analysis showed that the ransomware penetration described here would have been identified and prevented with up-to-date cyber security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, and well-designed procedures for data backup and for keeping systems current with security patches. The fact remains, however, that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware incident, remember that Progent's team of professionals has a proven track record in ransomware blocking, cleanup, and data restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thank you for making it so I could get rested after we made it over the initial fire. Everyone did an amazing job, and if any of your team is visiting the Chicago area, a great meal is my treat!"
To read or download a PDF version of this ransomware incident report, please click: Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF - 282 KB).
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Irving a range of remote monitoring and security evaluation services to help you reduce the threat from ransomware. These services incorporate next-generation artificial intelligence technology to detect zero-day strains of crypto-ransomware that can evade traditional signature-based anti-virus products.
For Irving 24/7 Crypto-Ransomware Cleanup Consulting, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes next generation behavior-based machine learning tools to guard physical and virtual endpoints against modern malware assaults like ransomware and email phishing, which easily evade traditional signature-matching AV tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a single platform to manage the complete malware attack progression including blocking, identification, mitigation, remediation, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services offer affordable in-depth protection for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring of and response to security assaults from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device management, and web filtering via cutting-edge tools packaged within one agent managed from a unified console. Progent's security and virtualization experts can assist your business to design and configure a ProSight ESP environment that meets your organization's specific needs and that allows you to achieve and demonstrate compliance with legal and industry information security standards. Progent will help you define and implement the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require immediate action. Progent's consultants can also assist your company to install and verify a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent provide small and mid-sized organizations a low-cost and fully managed solution for reliable backup and disaster recovery. Available at a fixed monthly cost, ProSight Data Protection Services automates your backup processes and enables fast restoration of vital files, applications and virtual machines that have become unavailable or corrupted due to component breakdowns, software glitches, disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to an on-premises storage device, or to both. Progent's cloud backup specialists can provide advanced support to configure ProSight Data Protection Services to be compliant with regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can help you to recover your business-critical data. Learn more about ProSight DPS Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top information security vendors to deliver centralized management and comprehensive security for your email traffic. The architecture of Progent's Email Guard integrates a Cloud Protection Layer with a local gateway device to offer advanced protection against spam, viruses, Denial of Service attacks, Directory Harvest attacks, and other email-borne threats. Email Guard's cloud filter acts as a first line of defense and blocks most unwanted email before it reaches your security perimeter. This decreases your exposure to inbound attacks and saves system bandwidth and storage space. Email Guard's onsite gateway device adds a further layer of analysis for incoming email. For outgoing email, the local gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Microsoft Exchange Server to monitor and protect internal email traffic that originates and ends within your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized businesses to diagram, track, enhance and debug their networking hardware like switches, firewalls, and load balancers as well as servers, printers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always current, copies and manages the configuration of virtually all devices connected to your network, monitors performance, and sends alerts when problems are discovered. By automating complex network management activities, ProSight WAN Watch can knock hours off common chores such as network mapping, expanding your network, finding devices that need important software patches, or identifying the cause of performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management technology to help keep your network running efficiently by checking the health of the critical computers that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your designated IT management staff and your assigned Progent consultant so that potential problems can be addressed before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected, fault-tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the apps. Because the environment is virtualized, it can be moved immediately to an alternate hardware platform without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, retrieve and safeguard data related to your IT infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates, domains or warranties. By updating and managing your IT documentation, you can save up to half of the time wasted searching for critical information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents related to managing your network infrastructure, like recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether you're planning enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you require the instant you need it. Read more about ProSight IT Asset Management service.