Ransomware : Your Worst IT Nightmare
Ransomware has become a modern cyber pandemic that represents an extinction-level danger for organizations vulnerable to an assault. Versions of ransomware like the Reveton, WannaCry, Locky, SamSam and MongoLock cryptoworms have been out in the wild for years and still cause destruction. Modern versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, plus additional unnamed variants, not only encrypt online files but also go after every reachable system protection mechanism. Files replicated to the cloud can also be corrupted. In a poorly designed system, this can render automatic recovery useless and effectively set the network back to zero.
Recovering applications and information following a ransomware outage becomes a sprint against the clock as the targeted business tries its best to stop lateral movement, clear the virus and restore mission-critical activity. Because crypto-ransomware requires time to move laterally, intrusions are frequently launched during weekends and nights, when successful attacks may take more time to identify. This multiplies the difficulty of promptly marshalling and coordinating a capable mitigation team.
Progent has a range of services for protecting organizations from crypto-ransomware events. Among these are team training to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of the latest generation security solutions with AI capabilities to rapidly identify and extinguish day-zero threats. Progent also offers the assistance of experienced crypto-ransomware recovery engineers with the talent and commitment to re-deploy a breached network as soon as possible.
Progent's Ransomware Recovery Support Services
Subsequent to a ransomware penetration, paying the ransom in cryptocurrency does not provide any assurance that cyber criminals will provide the keys to decipher any of your files. Kaspersky determined that 17% of crypto-ransomware victims never restored their files even after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET determined to be in the range of $13,000. The alternative is to re-install the critical components of your IT environment. Absent access to essential system backups, this requires a broad range of skill sets, top notch team management, and the willingness to work continuously until the recovery project is finished.
For twenty years, Progent has provided certified expert Information Technology services for businesses in Midland and throughout the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have earned advanced certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have garnered internationally-recognized industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise in financial systems and ERP application software. This breadth of expertise provides Progent the capability to efficiently understand necessary systems and re-organize the remaining parts of your computer network environment after a crypto-ransomware event and rebuild them into an operational network.
Progent's ransomware team of experts has top notch project management applications to coordinate the complicated recovery process. Progent understands the importance of acting swiftly and together with a client's management and IT team members to assign priority to tasks and to get key applications back online as soon as humanly possible.
Client Case Study: A Successful Ransomware Virus Restoration
A business engaged Progent after their network was taken over by the Ryuk ransomware virus. Ryuk is thought to have been created by North Korean state sponsored cybercriminals, suspected of using approaches exposed from America's NSA. Ryuk attacks specific companies with little room for operational disruption and is one of the most profitable examples of ransomware. Headline targets include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in Chicago with around 500 staff members. The Ryuk intrusion had shut down all business operations and manufacturing capabilities. The majority of the client's information backups had been directly accessible at the beginning of the intrusion and were eventually encrypted. The client was pursuing financing for paying the ransom demand (exceeding $200K) and hoping for good luck, but ultimately engaged Progent.
"I cannot speak enough in regards to the expertise Progent provided us throughout the most fearful time of (our) business's survival. We most likely would have paid the cybercriminals if it wasn't for the confidence the Progent team provided us. That you were able to get our messaging and key servers back into operation in less than one week was incredible. Each expert I interacted with or e-mailed at Progent was totally committed on getting us restored and was working non-stop to bail us out."
Progent worked hand in hand with the customer to quickly identify and prioritize the critical services that had to be restored in order to resume departmental operations:
- Active Directory
- MRP System
To get going, Progent adhered to ransomware event mitigation best practices by stopping the spread and clearing infected systems. Progent then started the work of restoring Microsoft Active Directory (AD), the foundation of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange messaging will not operate without Active Directory, and the customer's MRP applications used SQL Server, which needs Active Directory services for access to the data.
In less than two days, Progent was able to recover Windows Active Directory to its pre-penetration state. Progent then helped perform rebuilding and storage recovery on essential servers. All Microsoft Exchange Server ties and configuration information were usable, which facilitated the restore of Exchange. Progent was also able to locate non-encrypted OST files (Outlook Email Off-Line Folder Files) on team workstations in order to recover mail messages. A recent offline backup of the customer's accounting/MRP systems made it possible to return these required programs to service for users. Although significant work remained to recover fully from the Ryuk damage, core services were recovered quickly:
"For the most part, the production manufacturing operation never missed a beat and we delivered all customer orders."
During the next couple of weeks key milestones in the restoration process were accomplished through tight collaboration between Progent team members and the customer:
- Internal web sites were restored with no loss of information.
- The MailStore Server with over four million historical emails was restored to operations and accessible to users.
- CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory modules were 100% operational.
- A new Palo Alto 850 firewall was installed and configured.
- Ninety percent of the user desktops and notebooks were functioning as before the incident.
"Much of what transpired during the initial response is mostly a blur for me, but our team will not forget the dedication each and every one of the team put in to help get our business back. I have been working together with Progent for the past ten years, maybe more, and every time Progent has outperformed my expectations and delivered as promised. This situation was a testament to your capabilities."
A likely business catastrophe was avoided by results-oriented experts, a broad range of subject matter expertise, and close collaboration. In hindsight, the ransomware attack detailed here could have been shut down with advanced security technology and recognized best practices: user and IT administrator training, and properly executed security procedures for information protection and applying software patches. The reality remains, however, that state-sponsored hackers from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware incident, remember that Progent's roster of professionals has substantial experience in ransomware virus defense, remediation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were involved), thank you for letting me get rested after we made it over the initial push. Everyone did an incredible effort, and if any of your guys is in the Chicago area, dinner is on me!"
To read or download a PDF version of this case study, see Progent's Ryuk Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Midland a variety of online monitoring and security assessment services to help you to minimize your vulnerability to crypto-ransomware. These services incorporate modern machine learning capability to detect zero-day variants of ransomware that are able to evade legacy signature-based anti-virus products.
For 24/7 Midland Ransomware Remediation Services, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates cutting edge behavior analysis tools to guard physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which easily escape traditional signature-matching AV tools. ProSight ASM safeguards on-premises and cloud resources and provides a single platform to manage the complete malware attack progression including filtering, identification, mitigation, remediation, and forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection services deliver ultra-affordable multi-layer security for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and reacting to cyber assaults from all vectors. ProSight ESP offers firewall protection, intrusion alerts, device control, and web filtering through cutting-edge technologies packaged within a single agent accessible from a unified console. Progent's security and virtualization consultants can assist your business to design and implement a ProSight ESP deployment that addresses your company's specific needs and that helps you prove compliance with legal and industry data security regulations. Progent will help you specify and configure policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that call for urgent attention. Progent's consultants can also assist you to install and test a backup and restore system such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and mid-sized organizations a low cost end-to-end service for reliable backup/disaster recovery (BDR). Available at a low monthly price, ProSight DPS automates your backup activities and allows fast restoration of vital files, apps and virtual machines that have become unavailable or corrupted due to component breakdowns, software bugs, disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications and system images, as well as Hyper-V and VMware images. Critical data can be protected in the cloud, on an on-premises storage device, or mirrored to both. Progent's BDR specialists can provide world-class support to set up ProSight DPS to comply with government and industry regulatory standards like HIPAA, FINRA, and PCI and, when necessary, can help you to restore your business-critical data. Find out more about ProSight DPS Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading data security vendors to provide web-based control and world-class security for all your email traffic. The powerful structure of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway appliance to provide complete defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne malware. The Cloud Protection Layer serves as a first line of defense and keeps the vast majority of threats from reaching your network firewall. This reduces your exposure to external attacks and saves network bandwidth and storage. Email Guard's on-premises gateway device provides a deeper layer of inspection for incoming email. For outgoing email, the onsite security gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Microsoft Exchange Server to monitor and protect internal email traffic that stays within your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to diagram, monitor, reconfigure and debug their networking appliances like switches, firewalls, and wireless controllers plus servers, printers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology diagrams are kept current, copies and manages the configuration of almost all devices connected to your network, monitors performance, and sends notices when problems are detected. By automating tedious management and troubleshooting activities, ProSight WAN Watch can knock hours off ordinary chores like making network diagrams, expanding your network, locating devices that require important software patches, or isolating performance issues. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management technology to keep your network operating efficiently by tracking the state of critical computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your designated IT management staff and your assigned Progent engineering consultant so that all looming issues can be resolved before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host set up and managed by Progent's network support experts. Under the ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the apps. Because the environment is virtualized, it can be ported immediately to a different hosting solution without requiring a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and safeguard data about your IT infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT documentation, you can eliminate up to 50% of time wasted searching for vital information about your IT network. ProSight IT Asset Management features a common location for holding and collaborating on all documents required for managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether you're making enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you need the instant you need it. Find out more about ProSight IT Asset Management service.