Ransomware: Your Worst Information Technology Catastrophe
Crypto-ransomware has become an escalating cyber pandemic that poses an existential threat to organizations unprepared for an assault. Multiple generations of ransomware such as the CrySIS, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for many years and continue to cause havoc. More recent versions such as Ryuk and Hermes, as well as frequently appearing, as yet unnamed malware, not only encrypt online files but also infect all configured system backups. Data synced to off-site disaster recovery sites can also be rendered useless. In a poorly architected data protection solution, this can make any restore operation impossible and essentially set the network back to square one.
Restoring applications and data after a ransomware outage becomes a race against time as the targeted organization struggles to contain the damage, clear the ransomware, and resume mission-critical operations. Because crypto-ransomware needs time to replicate, attacks are often launched on weekends, when they are likely to take longer to discover. This compounds the difficulty of quickly marshalling and coordinating a knowledgeable response team.
Progent makes available a range of services for protecting organizations against ransomware events. Among these are team training to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of the latest generation of security solutions with artificial intelligence technology to rapidly identify and disable zero-day cyber threats. Progent also offers the services of experienced crypto-ransomware recovery professionals with the talent and perseverance to reconstruct a breached network as rapidly as possible.
Progent's Crypto-Ransomware Restoration Services
After a ransomware attack, even paying the ransom demand in Bitcoin cryptocurrency does not guarantee that merciless criminals will return the keys needed to decrypt any of your files. Kaspersky Labs found that 17% of ransomware victims never recovered their data even after sending off the ransom, compounding their losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the typical ransomware demand, which ZDNet estimates to be approximately $13,000. The fallback is to re-install the mission-critical elements of your Information Technology environment. Without complete data backups, this requires a broad complement of skill sets, well-coordinated team management, and the ability to work non-stop until the job is finished.
For twenty years, Progent has made available expert IT services for businesses in Memphis and across the U.S. and has earned Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who hold high-level certifications in foundation technologies from Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts hold internationally recognized industry certifications including CISM, CISSP, CRISC, and GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP application software. This breadth of expertise gives Progent the skills to knowledgeably assess the necessary systems, consolidate the surviving components of your computer network after a crypto-ransomware event, and rebuild them into a functioning network.
Progent's security team uses powerful project management tools to orchestrate the complex recovery process. Progent understands the importance of acting quickly and in unison with a customer's management and Information Technology staff to prioritize tasks and to put key systems back online as soon as humanly possible.
Case Study: A Successful Ransomware Attack Restoration
A customer engaged Progent after their organization was penetrated by the Ryuk crypto-ransomware. Ryuk is thought to have been created by North Korean government-sponsored hackers, suspected of using techniques leaked from the United States National Security Agency. Ryuk targets specific businesses with little or no ability to sustain operational disruption and is among the most lucrative versions of crypto-ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing business headquartered in Chicago with about 500 workers. The Ryuk event had brought down all company operations and manufacturing processes. The majority of the client's backups had been directly accessible at the beginning of the intrusion and were eventually encrypted. The client considered paying the ransom demand (exceeding $200K) and hoping for the best, but in the end engaged Progent.
"I cannot say enough in regards to the support Progent gave us throughout the most stressful time of (our) businesses existence. We most likely would have paid the criminal gangs except for the confidence the Progent experts provided us. The fact that you were able to get our e-mail system and essential applications back in less than a week was something I thought impossible. Every single staff member I talked with or communicated with at Progent was absolutely committed on getting us back online and was working non-stop on our behalf."
Progent worked hand in hand with the client to rapidly identify and prioritize the critical applications that had to be addressed in order to resume company operations:
- Microsoft Active Directory
- MRP System
To start, Progent adhered to ransomware incident mitigation best practices by isolating and removing active malware. Progent then started the work of bringing Microsoft Active Directory back online, the heart of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange email will not function without Active Directory, and the client's financials and MRP software used Microsoft SQL Server, which relied on Active Directory to authenticate access to the databases.
Within two days, Progent was able to recover Active Directory to its pre-penetration state. Progent then began the setup and storage recovery of mission-critical applications. All Microsoft Exchange Server schema and configuration information was intact, which facilitated the rebuild of Exchange. Progent was also able to gather intact OST files (Outlook Offline Folder Files) from user workstations in order to recover mail data. A recent offline backup of the business's financials/MRP systems made it possible to bring these essential programs back online for users. Although a lot of work still had to be done to recover fully from the Ryuk infection, the most important services were returned to operation rapidly:
"For the most part, the production manufacturing operation showed little impact and we did not miss any customer deliverables."
During the next few weeks, key milestones in the restoration process were completed in close collaboration between Progent engineers and the customer:
- Internal web applications were restored without losing any information.
- The MailStore archive for Microsoft Exchange Server, holding more than 4 million historical emails, was spun up and available to users.
- CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control modules were completely operational.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- 90% of the user desktops and notebooks were functioning as before the incident.
"A lot of what went on that first week is mostly a fog for me, but we will not soon forget the urgency each and every one of your team accomplished to give us our business back. I've trusted Progent for the past ten years, maybe more, and each time Progent has impressed me and delivered as promised. This time was a testament to your capabilities."
A possible business extinction disaster was averted with hard-working experts, a broad range of subject matter expertise, and tight collaboration. Although in the post-mortem the ransomware incident detailed here should have been identified and blocked with up-to-date security technology and best practices, team education, and appropriate incident response procedures for data protection and proper patching controls, the fact is that state-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware attack, you can be confident that Progent's roster of professionals has extensive experience in crypto-ransomware blocking, mitigation, and data recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), I'm grateful for letting me get rested after we got past the most critical parts. Everyone did a fabulous effort, and if any of your guys is in the Chicago area, a great meal is my treat!"
To review or download a PDF version of this customer story, see Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Memphis a variety of remote monitoring and security assessment services designed to help reduce your vulnerability to ransomware. These services include modern machine learning capabilities to detect zero-day ransomware variants that are able to evade legacy signature-based anti-virus solutions.
For 24x7x365 crypto-ransomware removal consulting in Memphis, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection service that uses cutting-edge behavior-based machine learning tools to guard physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely escape traditional signature-based anti-virus tools. ProSight ASM protects on-premises and cloud-based resources and offers a unified platform that covers the entire malware attack lifecycle, including protection, detection, mitigation, remediation, and forensics. Key features include single-click rollback using the Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) managed services offer affordable in-depth protection for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis to continuously monitor and react to security threats from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device control, and web filtering through leading-edge technologies incorporated within a single agent managed from a single console. Progent's security and virtualization experts can help your business plan and implement a ProSight ESP environment that meets your company's specific requirements and that helps you demonstrate compliance with legal and industry information protection regulations. Progent will help you define and implement the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require immediate attention. Progent can also help your company install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and medium-sized businesses an affordable and fully managed solution for reliable backup and disaster recovery. Available at a low monthly rate, ProSight DPS automates and monitors your backup activities and allows rapid restoration of vital files, applications and virtual machines that have become unavailable or corrupted due to hardware failures, software glitches, disasters, human mistakes, or malware attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to an on-premises storage device, or to both. Progent's backup and recovery specialists can provide world-class support to set up ProSight DPS to comply with government and industry regulatory standards like HIPAA, FERPA, and PCI and, when needed, can help you restore your critical data. Read more about ProSight DPS Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top data security vendors to provide web-based control and comprehensive protection for all your email traffic. The powerful structure of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway appliance to provide complete protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The Cloud Protection Layer serves as a preliminary barricade and keeps most unwanted email from reaching your security perimeter. This decreases your exposure to external threats and conserves network bandwidth and storage. Email Guard's onsite gateway device adds a further layer of inspection for inbound email. For outbound email, the on-premises security gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Exchange Server track and safeguard internal email traffic that stays within your security perimeter. For more information, see Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to map out, track, enhance and troubleshoot their connectivity hardware such as routers, firewalls, and wireless controllers plus servers, printers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that network diagrams are always current, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and generates alerts when issues are discovered. By automating complex management and troubleshooting processes, ProSight WAN Watch can knock hours off ordinary chores like network mapping, expanding your network, locating devices that need important software patches, and resolving performance issues. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) technology to keep your IT system operating at peak levels by tracking the state of the critical assets that power your information system. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT management personnel and your assigned Progent engineering consultant so that any potential issue can be resolved before it impacts productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected, fault-tolerant data center on a fast virtual host configured and managed by Progent's IT support experts. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the applications. Since the system is virtualized, it can be ported easily to an alternate hardware environment without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and safeguard data related to your IT infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates, domains or warranties. By updating and managing your IT infrastructure documentation, you can eliminate as much as 50% of the time spent looking for vital information about your network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents required for managing your business network, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're planning improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you need as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.