Ransomware : Your Crippling Information Technology Catastrophe
Ransomware  Recovery ExpertsRansomware has become a modern cyber pandemic that poses an existential threat for organizations unprepared for an assault. Different iterations of crypto-ransomware such as CrySIS, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for a long time and still inflict havoc. The latest variants of ransomware like Ryuk and Hermes, as well as additional as yet unnamed viruses, not only encrypt online data files but also infiltrate any configured system protection mechanisms. Information synchronized to cloud environments can also be corrupted. In a poorly architected system, this can make any recovery useless and effectively knocks the datacenter back to zero.

Getting back online applications and data following a crypto-ransomware outage becomes a race against time as the targeted organization fights to stop lateral movement and clear the ransomware and to resume enterprise-critical operations. Since ransomware requires time to replicate, assaults are frequently sprung during weekends and nights, when attacks typically take longer to uncover. This compounds the difficulty of rapidly marshalling and organizing a capable mitigation team.

Progent has an assortment of solutions for securing enterprises from ransomware penetrations. These include team training to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of next-generation security gateways with artificial intelligence technology to automatically identify and suppress new cyber threats. Progent also offers the services of seasoned ransomware recovery consultants with the talent and perseverance to re-deploy a compromised network as soon as possible.

Progent's Ransomware Recovery Support Services
After a ransomware attack, paying the ransom demands in cryptocurrency does not ensure that criminal gangs will return the needed keys to decipher all your data. Kaspersky Labs determined that 17% of ransomware victims never restored their information after having paid the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the typical ransomware demands, which ZDNET averages to be around $13,000. The alternative is to re-install the mission-critical elements of your IT environment. Without the availability of full data backups, this calls for a wide complement of skill sets, professional team management, and the ability to work continuously until the job is done.

For decades, Progent has offered certified expert IT services for companies in Lincoln and across the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have earned advanced industry certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have garnered internationally-renowned certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience in financial systems and ERP application software. This breadth of experience provides Progent the skills to rapidly ascertain critical systems and organize the remaining components of your IT environment after a crypto-ransomware attack and assemble them into an operational network.

Progent's ransomware group deploys powerful project management systems to coordinate the sophisticated restoration process. Progent knows the importance of acting swiftly and in concert with a client's management and Information Technology resources to assign priority to tasks and to get essential services back on-line as soon as humanly possible.

Client Story: A Successful Ransomware Attack Restoration
A client sought out Progent after their network system was penetrated by Ryuk crypto-ransomware. Ryuk is believed to have been created by North Korean government sponsored cybercriminals, possibly using technology leaked from the United States NSA organization. Ryuk targets specific companies with little ability to sustain disruption and is among the most lucrative versions of ransomware viruses. High publicized organizations include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer headquartered in Chicago with around 500 workers. The Ryuk penetration had paralyzed all business operations and manufacturing capabilities. The majority of the client's data backups had been online at the start of the attack and were eventually encrypted. The client was actively seeking loans for paying the ransom demand (exceeding two hundred thousand dollars) and praying for the best, but in the end brought in Progent.


"I canít say enough about the care Progent gave us throughout the most critical period of (our) businesses existence. We would have paid the Hackers except for the confidence the Progent experts gave us. The fact that you were able to get our e-mail system and essential applications back online faster than seven days was something I thought impossible. Each expert I interacted with or texted at Progent was totally committed on getting us restored and was working all day and night on our behalf."

Progent worked together with the customer to rapidly get our arms around and prioritize the key areas that needed to be recovered to make it possible to continue business operations:

  • Active Directory (AD)
  • Microsoft Exchange Server
  • Accounting/MRP
To begin, Progent adhered to AV/Malware Processes incident mitigation industry best practices by stopping lateral movement and cleaning up infected systems. Progent then started the task of restoring Microsoft Active Directory, the core of enterprise environments built upon Microsoft technology. Microsoft Exchange Server messaging will not work without Active Directory, and the businessesí financials and MRP applications leveraged Microsoft SQL, which depends on Windows AD for authentication to the data.

In less than two days, Progent was able to rebuild Active Directory to its pre-penetration state. Progent then accomplished reinstallations and hard drive recovery of key servers. All Exchange data and attributes were intact, which accelerated the restore of Exchange. Progent was also able to locate intact OST data files (Outlook Email Offline Data Files) on various desktop computers in order to recover email data. A not too old offline backup of the customerís accounting/MRP systems made them able to restore these required programs back online. Although a lot of work was left to recover fully from the Ryuk damage, essential services were returned to operations quickly:


"For the most part, the manufacturing operation did not miss a beat and we made all customer orders."

Throughout the following month critical milestones in the restoration process were completed through close collaboration between Progent consultants and the customer:

  • In-house web applications were returned to operation without losing any data.
  • The MailStore Server with over 4 million historical emails was restored to operations and available for users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory modules were 100% recovered.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • Most of the user PCs were operational.

"A lot of what was accomplished that first week is nearly entirely a fog for me, but our team will not soon forget the countless hours each and every one of the team accomplished to give us our company back. I have been working together with Progent for at least 10 years, possibly more, and each time I needed help Progent has impressed me and delivered. This event was the most impressive ever."

Conclusion
A potential business-killing catastrophe was dodged due to top-tier experts, a broad array of IT skills, and close teamwork. Although in post mortem the crypto-ransomware virus incident detailed here could have been identified and prevented with up-to-date cyber security technology and best practices, staff education, and appropriate incident response procedures for information protection and keeping systems up to date with security patches, the reality is that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a ransomware incident, remember that Progent's team of professionals has extensive experience in ransomware virus defense, remediation, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were involved), Iím grateful for making it so I could get some sleep after we got over the most critical parts. Everyone did an fabulous effort, and if any of your team is visiting the Chicago area, a great meal is my treat!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Lincoln a variety of online monitoring and security evaluation services designed to help you to reduce the threat from crypto-ransomware. These services include next-generation artificial intelligence technology to uncover new strains of ransomware that can get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes cutting edge behavior machine learning tools to defend physical and virtual endpoints against modern malware attacks like ransomware and file-less exploits, which easily get by traditional signature-based anti-virus products. ProSight ASM safeguards local and cloud resources and provides a unified platform to manage the complete threat lifecycle including blocking, detection, containment, cleanup, and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver economical in-depth protection for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device control, and web filtering via leading-edge tools incorporated within one agent managed from a unified console. Progent's security and virtualization experts can assist you to plan and configure a ProSight ESP deployment that addresses your organization's specific needs and that allows you prove compliance with government and industry information protection standards. Progent will assist you define and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that require urgent attention. Progent can also help your company to install and test a backup and restore system like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and medium-sized organizations an affordable end-to-end solution for reliable backup/disaster recovery (BDR). Available at a fixed monthly cost, ProSight Data Protection Services automates your backup activities and enables rapid recovery of critical data, applications and VMs that have become lost or damaged due to hardware failures, software glitches, natural disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to a local device, or to both. Progent's BDR specialists can deliver world-class expertise to configure ProSight DPS to be compliant with government and industry regulatory requirements like HIPPA, FIRPA, PCI and Safe Harbor and, when necessary, can help you to restore your business-critical data. Learn more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top data security companies to provide web-based management and world-class protection for your email traffic. The hybrid architecture of Email Guard managed service combines cloud-based filtering with a local security gateway appliance to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps most threats from making it to your security perimeter. This decreases your vulnerability to inbound threats and saves system bandwidth and storage space. Email Guard's onsite gateway appliance adds a further level of inspection for incoming email. For outbound email, the onsite gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to monitor and safeguard internal email that originates and ends within your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to map out, track, enhance and debug their networking appliances such as routers, firewalls, and access points plus servers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network diagrams are always updated, copies and displays the configuration of virtually all devices on your network, tracks performance, and generates alerts when issues are discovered. By automating complex management and troubleshooting activities, WAN Watch can cut hours off ordinary tasks like making network diagrams, reconfiguring your network, locating devices that require critical software patches, or isolating performance issues. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that uses advanced remote monitoring and management technology to keep your network operating at peak levels by checking the state of critical assets that power your information system. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your specified IT management personnel and your assigned Progent engineering consultant so that all potential issues can be addressed before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual host set up and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the applications. Because the system is virtualized, it can be moved easily to a different hosting environment without a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and safeguard information about your network infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or domains. By cleaning up and managing your IT documentation, you can eliminate as much as 50% of time wasted searching for vital information about your network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents required for managing your network infrastructure like recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether youíre making enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you need the instant you need it. Read more about ProSight IT Asset Management service.
For 24x7x365 Lincoln Crypto-Ransomware Repair Support Services, contact Progent at 800-993-9400 or go to Contact Progent.