Ransomware : Your Crippling Information Technology Disaster
Ransomware has become a modern cyberplague that represents an extinction-level threat for businesses of all sizes that are poorly prepared for an assault. Crypto-ransomware families such as CryptoLocker, CryptoWall, Bad Rabbit, Syskey and the MongoLock cryptoworms have been replicating for a long time and still cause destruction. Recent variants of ransomware like Ryuk and Hermes, along with more as yet unnamed malware, not only encrypt online data but also compromise any backup and system protection they can reach. Files synched to off-site disaster recovery sites can also be encrypted. In a poorly designed environment, this can make automated restore operations hopeless and effectively knocks the entire system back to zero.
Restoring services and information following a ransomware event becomes a race against the clock as the targeted business struggles to stop the spread, clear the ransomware and resume business-critical operations. Since ransomware needs time to replicate, attacks are usually sprung at night, when they can take longer to recognize. This compounds the difficulty of quickly mobilizing and coordinating a capable response team.
Progent makes available an assortment of support services for securing enterprises from ransomware penetrations. These include team member training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of next-generation security solutions with AI technology to automatically discover and extinguish zero-day threats. Progent in addition provides the assistance of experienced ransomware recovery consultants with the talent and commitment to rebuild a breached network as rapidly as possible.
Progent's Crypto-Ransomware Recovery Services
Following a ransomware event, paying the ransom demanded in cryptocurrency does not ensure that merciless criminals will respond with the keys needed to decrypt any or all of your data. Kaspersky estimated that 17% of ransomware victims never recovered their information after having paid the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the average crypto-ransomware demand, which ZDNet puts at around $13,000. The fallback is to piece back together the key components of your IT environment. Without access to essential data backups, this calls for a broad range of IT skills, well-coordinated project management, and the capability to work continuously until the task is done.
For decades, Progent has provided certified expert IT services for companies in Midland and across the United States and has earned Microsoft's Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have been awarded top certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have garnered internationally recognized certifications including CISA, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise with financial management and ERP applications. This breadth of expertise gives Progent the capability to rapidly identify important systems, organize the surviving parts of your network after a ransomware attack, and assemble them into a functioning network.
Progent's ransomware group utilizes state-of-the-art project management tools to orchestrate the complex restoration process. Progent appreciates the urgency of acting rapidly and in concert with a customer's management and IT team members to prioritize tasks and to get the most important systems back online as fast as humanly possible.
Client Story: A Successful Ransomware Penetration Restoration
A customer escalated to Progent after their organization was brought down by the Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state-sponsored criminal gangs, suspected of using techniques leaked from America's NSA. Ryuk goes after specific companies with little ability to sustain operational disruption and is one of the most lucrative iterations of crypto-ransomware. Major targets have included Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business located in the Chicago metro area with about 500 employees. The Ryuk attack had disabled all company operations and manufacturing capabilities. Most of the client's data backups had been online at the time of the intrusion and were destroyed. The client considered paying the ransom (more than $200K) and hoping for the best, but in the end brought in Progent.
"I can't tell you enough in regards to the support Progent provided us during the most stressful period of (our) company's existence. We had little choice but to pay the hackers behind this attack if not for the confidence the Progent group gave us. That you were able to get our messaging and important applications back online in less than seven days was something I thought impossible. Every single expert I worked with or communicated with at Progent was hell bent on getting our company operational and was working day and night on our behalf."
Progent worked with the client to quickly identify and prioritize the most important elements that had to be recovered to make it possible to resume business operations:
- Microsoft Active Directory
- Microsoft Exchange Email
- MRP System
To begin, Progent followed anti-virus/malware incident response best practices by isolating and cleaning infected systems. Progent then initiated the process of restoring Windows Active Directory, the heart of enterprise networks built upon Microsoft technology. Exchange email will not function without Active Directory, and the client's MRP applications leveraged Microsoft SQL Server, which depends on Active Directory services for access to the databases.
Within 48 hours, Progent was able to rebuild Active Directory to its pre-attack state. Progent then helped with the setup and storage recovery of mission-critical applications. All Microsoft Exchange Server schema and configuration information was intact, which greatly helped the rebuild of Exchange. Progent was able to locate unencrypted OST files (Outlook Offline Folder Files) on user PCs and laptops and use them to recover email data. A recent offline backup of the client's manufacturing software made it possible to bring these vital services back online. Although major work remained to recover completely from the Ryuk event, critical systems were returned to operation rapidly:
"For the most part, the production operation showed little impact and we delivered all customer orders."
Throughout the following month critical milestones in the recovery process were accomplished through tight cooperation between Progent engineers and the customer:
- In-house web sites were restored with no loss of data.
- The MailStore Microsoft Exchange Server containing more than 4 million historical messages was restored to operations and accessible to users.
- CRM/Product Ordering/Invoicing/AP/AR/Inventory Control capabilities were completely restored.
- A new Palo Alto 850 firewall was brought online.
- Ninety percent of the user PCs were fully operational.
"A lot of what transpired those first few days is mostly a fog for me, but my team will not forget the care all of you put in to help get our business back. I've been working together with Progent for at least 10 years, maybe more, and each time Progent has shined and delivered. This event was a Herculean accomplishment."
A likely business-ending catastrophe was averted thanks to top-tier professionals, a wide array of subject matter expertise, and tight collaboration. Although forensic analysis concluded that the ransomware incident detailed here would have been stopped by current cyber security technology and security best practices, user and IT administrator training, and appropriate procedures for backup and patching, the fact is that government-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware attack, you can be confident that Progent's team of experts has a proven track record in ransomware defense, mitigation, and information systems recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), I'm grateful for making it so I could get rested after we made it past the most critical parts. All of you did an amazing job, and if any of you guys is visiting the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Midland a range of online monitoring and security assessment services to help you to minimize the threat from ransomware. These services include next-generation artificial intelligence capability to detect zero-day variants of ransomware that are able to escape detection by traditional signature-based anti-virus solutions.
For 24-7 Midland CryptoLocker Cleanup Consultants, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes next-generation behavioral machine learning technology to defend physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which routinely escape traditional signature-matching anti-virus tools. ProSight ASM protects on-premises and cloud resources and offers a single platform to automate the entire threat lifecycle, including blocking, identification, mitigation, cleanup, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver economical multi-layer security for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring of and response to security threats from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device management, and web filtering through leading-edge technologies packaged within a single agent accessible from a unified console. Progent's data protection and virtualization consultants can help your business design and configure a ProSight ESP environment that meets your organization's specific needs and that helps you achieve and demonstrate compliance with legal and industry information protection regulations. Progent will assist you to define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require urgent action. Progent's consultants can also help your company set up and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent provide small and medium-sized organizations an affordable and fully managed solution for secure backup/disaster recovery (BDR). Available at a low monthly price, ProSight DPS automates your backup processes and allows rapid recovery of vital files, applications and virtual machines that have become unavailable or damaged as a result of hardware breakdowns, software bugs, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, plus Hyper-V and VMware images. Important data can be protected in the cloud, on a local device, or mirrored to both. Progent's cloud backup specialists can provide advanced expertise to configure ProSight Data Protection Services to comply with regulatory requirements such as HIPAA, FIRPA, PCI and Safe Harbor and, whenever needed, can help you restore your critical data. Learn more about ProSight DPS Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the technology of leading data security companies to deliver centralized management and world-class protection for all your inbound and outbound email. The powerful structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local gateway device to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based threats. The cloud filter acts as a preliminary barricade and blocks the vast majority of threats from reaching your network firewall. This decreases your exposure to inbound threats and conserves network bandwidth and storage space. Email Guard's onsite security gateway appliance provides a deeper layer of inspection for inbound email. For outbound email, the local gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that stays within your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized organizations to map, monitor, reconfigure and debug their connectivity appliances such as routers, switches, firewalls, and wireless controllers, plus servers, printers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology diagrams are kept current, captures and displays the configuration of almost all devices connected to your network, monitors performance, and sends notices when problems are detected. By automating tedious network management activities, WAN Watch can knock hours off common chores like network mapping, expanding your network, locating devices that require critical software patches, or isolating performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) technology to help keep your IT system operating efficiently by checking the state of the critical assets that power your business network. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your designated IT management staff and your assigned Progent engineering consultant so any potential issues can be addressed before they disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual machine host set up and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be moved easily to an alternate hardware solution without a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and protect data related to your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and organizing your network documentation, you can eliminate up to 50% of the time spent trying to find vital information about your network. ProSight IT Asset Management includes a common location for storing and sharing all documents related to managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether you're planning enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.