Ransomware : Your Worst IT Disaster
Crypto-Ransomware  Recovery ProfessionalsRansomware has become a modern cyber pandemic that presents an extinction-level danger for businesses unprepared for an assault. Different iterations of crypto-ransomware like the CryptoLocker, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for years and still cause havoc. More recent variants of ransomware such as Ryuk and Hermes, as well as more unnamed malware, not only do encryption of online data but also infiltrate any configured system protection mechanisms. Files replicated to off-site disaster recovery sites can also be encrypted. In a poorly architected system, this can make automatic recovery impossible and effectively sets the datacenter back to square one.

Retrieving applications and information after a ransomware intrusion becomes a sprint against the clock as the targeted organization fights to stop the spread and remove the crypto-ransomware and to resume enterprise-critical activity. Since ransomware requires time to move laterally, assaults are frequently launched on weekends and holidays, when penetrations are likely to take more time to identify. This compounds the difficulty of promptly mobilizing and orchestrating a capable response team.

Progent provides a variety of solutions for protecting businesses from crypto-ransomware penetrations. Among these are team training to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of next-generation security gateways with AI capabilities to rapidly discover and disable zero-day cyber threats. Progent also offers the services of seasoned ransomware recovery professionals with the track record and perseverance to restore a compromised environment as quickly as possible.

Progent's Ransomware Restoration Services
Subsequent to a ransomware attack, even paying the ransom demands in cryptocurrency does not guarantee that distant criminals will respond with the codes to unencrypt any of your information. Kaspersky ascertained that 17% of ransomware victims never recovered their files even after having paid the ransom, resulting in increased losses. The risk is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is greatly higher than the typical ransomware demands, which ZDNET averages to be in the range of $13,000. The other path is to piece back together the vital parts of your Information Technology environment. Without the availability of full information backups, this requires a broad range of skills, well-coordinated team management, and the willingness to work continuously until the job is finished.

For twenty years, Progent has made available professional Information Technology services for companies in Memphis and throughout the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have attained high-level industry certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally-recognized certifications including CISA, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has experience in financial management and ERP application software. This breadth of experience provides Progent the capability to knowledgably identify necessary systems and consolidate the surviving pieces of your IT environment following a crypto-ransomware event and assemble them into an operational system.

Progent's recovery group deploys best of breed project management tools to orchestrate the sophisticated recovery process. Progent appreciates the importance of working quickly and in unison with a customerís management and Information Technology resources to prioritize tasks and to put key services back on line as fast as humanly possible.

Client Story: A Successful Crypto-Ransomware Incident Restoration
A customer escalated to Progent after their company was penetrated by Ryuk crypto-ransomware. Ryuk is thought to have been developed by North Korean state sponsored cybercriminals, possibly adopting techniques leaked from Americaís NSA organization. Ryuk attacks specific organizations with little ability to sustain operational disruption and is among the most profitable versions of ransomware. Well Known organizations include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in the Chicago metro area with about 500 workers. The Ryuk event had disabled all essential operations and manufacturing processes. Most of the client's data protection had been online at the start of the attack and were damaged. The client was taking steps for paying the ransom demand (exceeding $200,000) and praying for the best, but ultimately called Progent.


"I canít tell you enough about the support Progent provided us during the most fearful time of (our) businesses existence. We may have had to pay the cyber criminals except for the confidence the Progent team provided us. The fact that you were able to get our e-mail and important applications back on-line sooner than 1 week was incredible. Each expert I spoke to or messaged at Progent was amazingly focused on getting our system up and was working 24/7 to bail us out."

Progent worked with the customer to quickly identify and assign priority to the key elements that had to be addressed to make it possible to restart company operations:

  • Active Directory
  • Microsoft Exchange
  • Financials/MRP
To begin, Progent followed AV/Malware Processes event response best practices by stopping the spread and removing active viruses. Progent then started the task of restoring Microsoft Active Directory, the foundation of enterprise systems built on Microsoft Windows technology. Microsoft Exchange Server messaging will not work without Active Directory, and the client's financials and MRP system used Microsoft SQL, which depends on Active Directory services for authentication to the information.

In less than two days, Progent was able to re-build Active Directory services to its pre-penetration state. Progent then helped perform rebuilding and hard drive recovery of key servers. All Microsoft Exchange Server ties and attributes were intact, which greatly helped the rebuild of Exchange. Progent was able to locate non-encrypted OST files (Outlook Off-Line Folder Files) on team workstations and laptops in order to recover mail information. A not too old offline backup of the businesses accounting/MRP systems made them able to recover these vital programs back available to users. Although a lot of work still had to be done to recover totally from the Ryuk attack, essential services were returned to operations rapidly:


"For the most part, the assembly line operation ran fairly normal throughout and we delivered all customer shipments."

Over the following month key milestones in the recovery project were made through tight collaboration between Progent consultants and the client:

  • In-house web applications were brought back up without losing any data.
  • The MailStore Exchange Server with over four million archived messages was spun up and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/AR/Inventory Control modules were 100 percent functional.
  • A new Palo Alto 850 firewall was brought online.
  • Ninety percent of the user PCs were functioning as before the incident.

"A lot of what occurred during the initial response is mostly a blur for me, but our team will not soon forget the dedication each of you accomplished to help get our business back. Iíve entrusted Progent for the past ten years, maybe more, and each time I needed help Progent has come through and delivered as promised. This event was the most impressive ever."

Conclusion
A potential company-ending catastrophe was dodged due to results-oriented experts, a broad range of subject matter expertise, and tight teamwork. Although in post mortem the ransomware virus attack detailed here would have been prevented with current cyber security technology and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team education, and well designed security procedures for backup and proper patching controls, the fact is that state-sponsored hackers from Russia, China and elsewhere are tireless and will continue. If you do get hit by a ransomware attack, feel confident that Progent's team of experts has a proven track record in ransomware virus defense, remediation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thanks very much for letting me get rested after we made it over the first week. All of you did an amazing job, and if anyone that helped is around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer story, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Memphis a range of remote monitoring and security evaluation services to assist you to reduce the threat from crypto-ransomware. These services include modern artificial intelligence technology to uncover new variants of crypto-ransomware that are able to get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes next generation behavior-based analysis tools to guard physical and virtual endpoints against modern malware assaults such as ransomware and email phishing, which easily evade legacy signature-matching anti-virus tools. ProSight Active Security Monitoring protects local and cloud-based resources and provides a single platform to automate the entire threat lifecycle including filtering, infiltration detection, mitigation, remediation, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection services offer economical multi-layer protection for physical and virtual servers, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and reacting to security assaults from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint control, and web filtering via cutting-edge tools packaged within one agent accessible from a unified control. Progent's data protection and virtualization experts can assist you to plan and implement a ProSight ESP environment that addresses your organization's unique needs and that allows you prove compliance with legal and industry information protection regulations. Progent will assist you specify and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that call for urgent action. Progent can also help you to set up and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized businesses an affordable end-to-end service for secure backup/disaster recovery. Available at a fixed monthly price, ProSight Data Protection Services automates and monitors your backup activities and allows rapid restoration of critical data, applications and VMs that have become unavailable or corrupted due to hardware failures, software glitches, disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, plus Hyper-V and VMware images/. Important data can be protected on the cloud, to an on-promises storage device, or mirrored to both. Progent's cloud backup specialists can provide advanced support to configure ProSight DPS to be compliant with government and industry regulatory requirements like HIPAA, FINRA, and PCI and, when necessary, can assist you to recover your business-critical information. Find out more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top data security companies to deliver web-based control and comprehensive protection for all your email traffic. The hybrid structure of Email Guard managed service combines a Cloud Protection Layer with a local gateway device to offer advanced defense against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-based malware. The cloud filter acts as a first line of defense and blocks most unwanted email from making it to your security perimeter. This decreases your vulnerability to inbound threats and conserves network bandwidth and storage. Email Guard's onsite security gateway appliance adds a deeper layer of analysis for inbound email. For outbound email, the onsite security gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to track and safeguard internal email that stays within your security perimeter. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progentís ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized businesses to map out, monitor, enhance and debug their connectivity hardware like routers and switches, firewalls, and wireless controllers plus servers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are always current, copies and manages the configuration information of virtually all devices connected to your network, tracks performance, and sends alerts when issues are detected. By automating tedious management processes, WAN Watch can cut hours off common chores such as making network diagrams, expanding your network, locating devices that need critical updates, or identifying the cause of performance issues. Learn more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your network running at peak levels by checking the health of vital computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your designated IT staff and your assigned Progent consultant so any potential issues can be resolved before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure fault tolerant data center on a high-performance virtual host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the applications. Since the system is virtualized, it can be moved immediately to an alternate hardware environment without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and protect information related to your IT infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates ,domains or warranties. By updating and managing your IT documentation, you can eliminate as much as half of time spent trying to find vital information about your network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents required for managing your network infrastructure like standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether youíre making improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you require when you need it. Read more about ProSight IT Asset Management service.
For Memphis 24x7x365 Ransomware Remediation Support Services, call Progent at 800-993-9400 or go to Contact Progent.