Ransomware : Your Worst IT Disaster
Ransomware Remediation Professionals
Ransomware has become an escalating cyberplague that represents an existential danger for businesses of all sizes vulnerable to an assault. Different versions of ransomware such as Dharma, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for many years and still cause destruction. Recent strains of crypto-ransomware such as Ryuk and Hermes, along with more as yet unnamed malware, not only encrypt online files but also infect all configured system backups. Information synced to off-site disaster recovery sites can also be corrupted. In a vulnerable data protection solution, this can make automated restore operations useless and basically sets the entire system back to square one.

Restoring programs and data after a crypto-ransomware attack becomes a race against the clock as the targeted organization struggles to stop the spread and remove the virus and to restore mission-critical activity. Since ransomware needs time to move laterally, penetrations are usually launched during nights and weekends, when successful attacks may take longer to detect. This compounds the difficulty of promptly mobilizing and organizing a qualified response team.

Progent makes available a variety of services for securing enterprises from ransomware penetrations. Among these are user training to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of the latest generation security gateways with machine learning technology to quickly detect and extinguish day-zero threats. Progent in addition can provide the assistance of experienced ransomware recovery consultants with the talent and commitment to rebuild a compromised system as soon as possible.

Progent's Ransomware Restoration Support Services
After a ransomware penetration, paying the ransom in cryptocurrency does not ensure that merciless criminals will respond with the keys needed to decrypt any of your information. Kaspersky Labs ascertained that 17% of ransomware victims never restored their files after having sent off the ransom, resulting in more losses. The gamble is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET determined to be in the range of $13,000. The other path is to set up from scratch the vital components of your Information Technology environment. Without access to complete information backups, this requires a wide complement of skills, top notch project management, and the ability to work 24x7 until the task is finished.

For decades, Progent has offered professional Information Technology services for companies in Knoxville and across the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have earned advanced certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have garnered internationally-recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has experience in financial systems and ERP applications. This breadth of expertise provides Progent the skills to quickly determine critical systems and organize the surviving parts of your network system after a crypto-ransomware attack and assemble them into a functioning system.

Progent's recovery team of experts uses top notch project management systems to orchestrate the sophisticated recovery process. Progent appreciates the importance of acting quickly and in unison with a customer's management and IT staff to assign priority to tasks and to put essential systems back on-line as soon as humanly possible.

Client Case Study: A Successful Crypto-Ransomware Intrusion Restoration
A customer contacted Progent after their network was penetrated by Ryuk crypto-ransomware. Ryuk is thought to have been launched by North Korean state criminal gangs, possibly using approaches leaked from America's National Security Agency. Ryuk targets specific organizations with little or no ability to sustain operational disruption and is one of the most profitable instances of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in Chicago with around 500 workers. The Ryuk intrusion had shut down all company operations and manufacturing processes. The majority of the client's data backups had been online at the beginning of the intrusion and were encrypted. The client was actively seeking loans for paying the ransom (in excess of $200,000) and praying for good luck, but in the end engaged Progent.


"I cannot tell you enough about the support Progent gave us throughout the most fearful time of (our) company's life. We may have had to pay the criminal gangs if not for the confidence the Progent team afforded us. The fact that you could get our messaging and important servers back on-line quicker than one week was incredible. Each person I worked with or texted at Progent was urgently focused on getting us back on-line and was working all day and night to bail us out."

Progent worked together with the client to quickly identify and prioritize the key elements that had to be restored in order to restart company operations:

  • Active Directory
  • Exchange Server
  • Accounting/MRP

To start, Progent followed anti-virus/malware incident mitigation best practices by halting the spread and cleaning up compromised systems. Progent then started the steps of bringing Windows Active Directory back online, since AD is the core of enterprise systems built upon Microsoft Windows Server technology. Exchange email will not operate without AD, and the customer's MRP applications utilized Microsoft SQL Server, which requires Windows AD for authentication to the database.

Within 48 hours, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then carried out rebuilding and storage recovery for mission critical applications. All Exchange schema and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to collect non-encrypted OST data files (Outlook Offline Folder Files) from various workstations in order to recover mail information. A relatively recent offline backup of the client's accounting/MRP software made it possible to bring these essential services back online for users. Although a lot of work still had to be done to recover completely from the Ryuk virus, critical services were restored rapidly:


"For the most part, the production operation was never shut down and we produced all customer sales."

Over the following couple of weeks critical milestones in the restoration process were made in tight collaboration between Progent engineers and the customer:

  • Internal web sites were brought back up without losing any information.
  • The MailStore Microsoft Exchange Server with over 4 million archived messages was brought on-line and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables/Inventory Control modules were 100% recovered.
  • A new Palo Alto Networks 850 security appliance was set up and programmed.
  • Nearly all of the desktop computers were operational.

"So much of what occurred those first few days is mostly a haze for me, but I will not soon forget the countless hours each of the team accomplished to give us our company back. I have entrusted Progent for at least 10 years, maybe more, and each time Progent has come through and delivered as promised. This time was a Herculean accomplishment."

Conclusion
A possible company-ending disaster was avoided due to dedicated experts, a wide spectrum of IT skills, and close collaboration. Although in post mortem the ransomware virus penetration detailed here would have been identified and disabled with modern cyber security technology and recognized best practices, staff training, and appropriate security procedures for information backup and proper patching controls, the fact remains that government-sponsored hackers from Russia, China and elsewhere are relentless and will continue. If you do get hit by a crypto-ransomware virus, remember that Progent's roster of professionals has extensive experience in ransomware virus blocking, cleanup, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were involved), I'm grateful for allowing me to get rested after we got past the initial fire. All of you did an impressive effort, and if any of your guys is in the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer story, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Knoxville a portfolio of remote monitoring and security evaluation services to assist you to reduce your vulnerability to ransomware. These services utilize modern AI capability to detect zero-day strains of crypto-ransomware that can get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes cutting edge behavior-based analysis tools to defend physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which easily evade traditional signature-based AV products. ProSight Active Security Monitoring protects local and cloud-based resources and provides a unified platform to manage the entire malware attack progression including filtering, detection, mitigation, cleanup, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer economical in-depth security for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP delivers firewall protection, penetration alarms, endpoint management, and web filtering through cutting-edge tools incorporated within one agent managed from a unified control. Progent's security and virtualization experts can assist your business to design and configure a ProSight ESP environment that addresses your company's unique needs and that helps you prove compliance with legal and industry information protection standards. Progent will help you define and configure policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for urgent attention. Progent can also assist you to install and test a backup and disaster recovery solution like ProSight Data Protection Services so you can recover rapidly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized businesses an affordable and fully managed solution for secure backup/disaster recovery (BDR). For a low monthly price, ProSight Data Protection Services automates and monitors your backup processes and allows rapid restoration of vital data, applications and VMs that have become unavailable or damaged due to component breakdowns, software bugs, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Critical data can be protected in the cloud, on an on-premises device, or both. Progent's BDR specialists can deliver world-class support to set up ProSight DPS to comply with government and industry regulatory standards such as HIPAA, FINRA, and PCI and, whenever necessary, can help you to restore your business-critical information. Learn more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of leading data security companies to deliver web-based management and world-class security for your inbound and outbound email. The hybrid architecture of Email Guard integrates a Cloud Protection Layer with a local security gateway appliance to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The cloud filter acts as a first line of defense and keeps the vast majority of threats from reaching your security perimeter. This decreases your vulnerability to external attacks and conserves system bandwidth and storage. Email Guard's onsite security gateway device provides a further layer of inspection for incoming email. For outbound email, the on-premises security gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Microsoft Exchange Server to monitor and protect internal email that stays within your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to diagram, monitor, optimize and troubleshoot their networking hardware such as routers, firewalls, and load balancers as well as servers, endpoints and other devices. Using cutting-edge RMM technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always updated, copies and manages the configuration information of almost all devices on your network, monitors performance, and sends notices when potential issues are discovered. By automating tedious management processes, WAN Watch can cut hours off ordinary tasks such as making network diagrams, reconfiguring your network, finding devices that require important software patches, or isolating performance problems. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system operating efficiently by checking the health of critical computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your specified IT management staff and your Progent engineering consultant so any potential problems can be resolved before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the applications. Because the system is virtualized, it can be ported immediately to an alternate hosting environment without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and protect information about your network infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your network documentation, you can save up to 50% of time spent searching for vital information about your IT network. ProSight IT Asset Management features a centralized location for holding and sharing all documents required for managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether you're planning improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you need when you need it. Learn more about ProSight IT Asset Management service.

For Knoxville 24/7 Crypto-Ransomware Removal Experts, contact Progent at 800-993-9400 or go to Contact Progent.