Ransomware: Your Worst IT Disaster
Ransomware Remediation Professionals
Ransomware has become an escalating cyber pandemic and represents an extinction-level danger for organizations vulnerable to attack. Families such as Reveton, CryptoWall and Bad Rabbit, and the Syskey and MongoLock extortion attacks, have been around for years and still cause harm. Newer strains such as Ryuk and Hermes, along with a steady stream of unnamed newcomers, not only encrypt online files but also attack every protection mechanism they can reach: Volume Shadow Copies, backup catalogs, and backup media that is accessible over the network. Data synchronized to off-site disaster recovery sites can be rendered useless as well, because the encrypted files replicate just like any other change. In a poorly designed environment this makes automated restore impossible and effectively knocks the datacenter back to square one.

Getting applications and data back online after a crypto-ransomware intrusion is a race against the clock as the targeted business tries to contain and remove the ransomware and restore business-critical activity. Because ransomware takes time to spread, attackers often trigger the encryption on weekends and holidays, when the attack may take longer to detect. This multiplies the difficulty of quickly assembling and coordinating a qualified response team.

Progent offers a range of services for protecting businesses from ransomware. These include user training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of next-generation security appliances with AI capabilities that automatically detect and quarantine zero-day threats. Progent can also provide seasoned ransomware recovery engineers with the skills and commitment to restore a compromised system as quickly as possible.

Progent's Ransomware Recovery Services
Once ransomware has struck, paying the ransom (typically demanded in Bitcoin) does not guarantee that the criminals will respond with the keys to decrypt any of your data. Kaspersky Lab found that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the average ransomware demand, which ZDNet put at approximately $13,000. The alternative is to rebuild the mission-critical components of your IT environment. Without complete, intact backups, this calls for a wide range of skills, well-coordinated project management, and the capacity to work around the clock until the recovery is complete.

For decades Progent has provided expert IT services to companies in Norfolk and throughout the U.S., and holds Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants with advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security consultants hold internationally recognized certifications including CISM, CISSP, CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of experience lets Progent rapidly identify the systems that matter, salvage the surviving parts of your IT environment after a ransomware event, and reassemble them into a working whole.

Progent's ransomware team uses modern project management tools to coordinate the complex restoration process. Progent understands the importance of acting quickly and in concert with the customer's management and IT staff to prioritize tasks and bring the most important applications back online as fast as humanly possible.

Client Case Study: A Successful Ransomware Recovery
A small business engaged Progent after the company was brought down by Ryuk ransomware. Ryuk shares code with the earlier Hermes ransomware and was at first attributed to North Korean state-sponsored actors on that basis; later analysis attributed it to a Russian-speaking criminal group. Ryuk operators target specific organizations that can ill afford operational disruption, and Ryuk is one of the most profitable ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing company in Chicago with about 500 staff. The Ryuk attack had paralyzed all business operations and manufacturing processes. Most of the client's backups had been online, reachable from the network, when the attack began, and were encrypted along with everything else. The client considered paying the ransom (more than $200,000) and hoping for the best, but in the end engaged Progent.


"I can't say enough in regards to the expertise Progent provided us during the most fearful time of (our) company's survival. We most likely would have paid the hackers behind this attack except for the confidence the Progent team gave us. The fact that you were able to get our e-mail system and key applications back into operation sooner than one week was something I thought impossible. Each staff member I interacted with or messaged at Progent was laser focused on getting us working again and was working 24 by 7 on our behalf."

Progent worked together with the customer to quickly understand and prioritize the mission critical services that needed to be restored in order to continue company operations:

  • Active Directory
  • Exchange Server
  • Financials/MRP
To get started, Progent followed incident response best practices: stopping lateral movement by isolating infected systems, then cleaning them. Progent then began restoring Active Directory, the heart of any environment built on Microsoft technology. Exchange will not function without Active Directory, and the customer's financials and MRP system ran on Microsoft SQL Server, which the applications accessed through Windows (Active Directory) authentication.

Within two days Progent had rebuilt Active Directory to its pre-attack state. Progent then moved on to setup and disk recovery for the key applications. All Exchange objects and attributes in Active Directory were usable, which simplified the Exchange restore. Progent was also able to locate unencrypted OST files (Outlook Offline Folder Files) on staff desktops and laptops and use them to recover mailbox data. A reasonably recent offline backup of the client's manufacturing systems made it possible to bring those required services back online. Although major work remained to recover fully from Ryuk, essential systems were recovered rapidly:


"For the most part, the production line operation did not miss a beat and we delivered all customer deliverables."
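The OST recovery step above is worth a closer look, because after an attack not every .ost on a workstation is still usable: ransomware either encrypts the file in place or encrypts and renames it (Ryuk, for example, appends .RYK). The PowerShell below is an added example, not Progent's tooling and not code from the original case study. It inventories Outlook cache files on a list of workstations over the C$ admin share and checks that each still starts with the PST/OST file signature "!BDN" (the dwMagic field defined in Microsoft's MS-PST specification); a file that fails that check is not a mailbox source worth copying. The host names, the output CSV path, and the Test-OstHeader function name are assumptions made for the example; it assumes the account running it has local administrator rights on the targets.

```powershell
# Added example: find Outlook OST files on workstations and verify they are intact.
# Assumes admin shares are reachable and the current account is a local admin on each host.
$Computers = @('WS-ACCT-01', 'WS-ENG-07', 'LT-SALES-03')   # constructed sample host names
$Magic     = [byte[]](0x21, 0x42, 0x44, 0x4E)               # "!BDN", PST/OST dwMagic (MS-PST)

function Test-OstHeader {
    param([Parameter(Mandatory)][string]$Path)
    # FileShare.ReadWrite lets us read a file that Outlook may still hold open.
    $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                 [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] 4
        if ($fs.Read($buf, 0, 4) -ne 4) { return $false }        # too short to be a PST/OST
        for ($i = 0; $i -lt 4; $i++) {
            if ($buf[$i] -ne $Magic[$i]) { return $false }       # header overwritten: encrypted
        }
        return $true
    } finally { $fs.Dispose() }
}

$results = foreach ($c in $Computers) {
    # *.ost* also matches files the ransomware renamed, e.g. mailbox.ost.RYK
    $pattern = "\\$c\C`$\Users\*\AppData\Local\Microsoft\Outlook\*.ost*"
    foreach ($f in Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue) {
        $intact = $false
        try { $intact = Test-OstHeader -Path $f.FullName } catch { $intact = $false }
        [pscustomobject]@{
            Computer  = $c
            User      = $f.FullName.Split('\')[5]      # \\host\C$\Users\<user>\... -> index 5
            File      = $f.Name
            SizeMB    = [math]::Round($f.Length / 1MB, 1)
            LastWrite = $f.LastWriteTime               # compare against the attack window
            Intact    = $intact
        }
    }
}

# Intact files sorted to the top make the copy list; the rest are evidence, not data.
$results | Sort-Object -Property @{Expression = 'Intact'; Descending = $true}, Computer |
    Format-Table -AutoSize
$results | Export-Csv -NoTypeInformation -Path '.\ost-inventory.csv'   # assumed output path
```

Two caveats a responder should keep in mind: an OST is a cache of the mailbox as of the last synchronization, so a file whose LastWrite predates the attack by weeks is still valuable but incomplete, and the header check only proves the first four bytes are untouched, so a file that passes should still be opened in Outlook (or a mailbox recovery tool) on a clean machine before it is relied on.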

During the following month, critical milestones in the restoration project were reached through close cooperation between Progent consultants and the customer:

  • Self-hosted web sites were returned to operation with no loss of data.
  • The MailStore Server with over 4 million archived emails was brought online and accessible to users.
  • CRM/Orders/Invoicing/AP/Accounts Receivables/Inventory Control modules were fully operational.
  • A new Palo Alto Networks PA-850 security appliance was deployed.
  • 90% of the user desktops and notebooks were fully operational.

"So much of what was accomplished those first few days is nearly entirely a fog for me, but my team will not forget the commitment each of the team put in to give us our business back. I've been working with Progent for the past ten years, maybe more, and each time Progent has come through and delivered as promised. This event was a stunning achievement."

Conclusion
A potentially company-ending catastrophe was averted by results-oriented experts, a broad range of skills, and close collaboration. In hindsight, the attack described here could have been detected and prevented with modern security technology and established best practices: user and administrator education, offline and regularly tested backups, disciplined patching, and a well-designed incident response plan. Even so, state-sponsored and criminal groups from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you are hit by ransomware, you can be confident that Progent's team has proven experience in ransomware blocking, removal, and data restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for allowing me to get some sleep after we got past the first week. All of you did a fabulous job, and if anyone that helped is in the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Norfolk a variety of remote monitoring and security assessment services to help you minimize your exposure to crypto-ransomware. These services incorporate modern machine learning and behavioral analysis to detect zero-day ransomware variants that evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that uses next-generation behavior-based analysis to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which easily get past traditional signature-matching AV products. ProSight ASM safeguards on-premises and cloud-based resources and provides a single platform to manage the entire threat lifecycle: filtering, detection, mitigation, cleanup, and post-attack forensics. Key capabilities include one-click rollback based on the Windows Volume Shadow Copy Service and real-time network-wide immunization against new threats. One caveat: Ryuk and many other ransomware families delete existing shadow copies (typically with vssadmin or wbadmin) before they start encrypting, so VSS-based rollback only works if the agent stops the attack before that step runs; it complements offline backups and does not replace them. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer economical in-depth protection for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint control, and web filtering through cutting-edge tools packaged within a single agent accessible from a single console. Progent's data protection and virtualization experts can assist your business to plan and implement a ProSight ESP environment that addresses your company's unique requirements and that helps you demonstrate compliance with government and industry data security regulations. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require immediate attention. Progent can also help you to install and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized businesses an affordable end-to-end solution for secure backup and disaster recovery. For a fixed monthly rate, ProSight Data Protection Services automates your backup activities and enables fast restoration of critical data, applications and VMs that have been lost or corrupted due to hardware failures, software bugs, disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware images. Important data can be backed up to the cloud, to a local device, or mirrored to both. Progent's cloud backup consultants can provide advanced support to set up ProSight Data Protection Services to comply with government and industry regulatory requirements like HIPAA, FINRA, and PCI and, whenever necessary, can help you recover your critical information. Learn more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security companies to provide centralized management and comprehensive security for your inbound and outbound email. The architecture of Email Guard integrates cloud-based filtering with an on-premises security gateway appliance to offer layered protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-based threats. The cloud filter acts as the first line of defense and keeps the vast majority of unwanted email from reaching your security perimeter, which reduces your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's on-premises gateway appliance provides a further layer of analysis for incoming email. For outbound email, the on-site security gateway offers AV and anti-spam protection, DLP, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server monitor and safeguard internal email that originates and ends inside your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller organizations to map, monitor, optimize and troubleshoot their network hardware such as switches, firewalls, and wireless controllers, as well as servers, printers, endpoints and other devices. Built on Remote Monitoring and Management (RMM) technology, ProSight WAN Watch keeps infrastructure topology maps current, captures and displays the configuration of virtually every device on your network, tracks performance, and generates alerts when problems are detected. By automating tedious network management tasks, WAN Watch can cut hours off routine chores such as producing network diagrams, expanding your network, finding appliances that need critical software patches, or identifying the cause of performance problems. Find out more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses remote monitoring and management (RMM) techniques to keep your IT system running at peak levels by tracking the health of the vital computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your designated IT staff and your assigned Progent engineering consultant so that potential problems can be resolved before they impact your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual machine host configured and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the applications. Because the system is virtualized, it can be moved easily to different hardware without a time-consuming and difficult reinstallation, so with ProSight Virtual Hosting you are not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and safeguard information about your network infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be warned automatically about impending expirations of SSL/TLS certificates or warranties. By keeping your network documentation current and organized, you can eliminate as much as half of the time wasted hunting for critical information about your IT network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents required for managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT information. Whether you're making improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need when you need it. Read more about Progent's ProSight IT Asset Management service.
For 24x7 Norfolk Ransomware Recovery Support Services, reach out to Progent at 800-993-9400 or go to Contact Progent.