Ransomware : Your Worst IT Disaster
Ransomware  Recovery ProfessionalsRansomware has become a modern cyberplague that represents an extinction-level threat for organizations unprepared for an attack. Different versions of ransomware such as Reveton, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been circulating for many years and still inflict damage. Newer versions of ransomware such as Ryuk and Hermes, plus additional as yet unnamed malware, not only encrypt on-line files but also infect all available system restores and backups. Data replicated to cloud environments can also be corrupted. In a vulnerable environment, it can make any restoration impossible and effectively sets the network back to zero.

Recovering programs and data after a ransomware event becomes a race against time as the targeted business struggles to stop the spread and eradicate the crypto-ransomware and to restore mission-critical activity. Since crypto-ransomware takes time to spread, penetrations are often launched at night, when successful penetrations may take more time to identify. This compounds the difficulty of quickly assembling and orchestrating a knowledgeable mitigation team.

Progent has a range of help services for protecting businesses from ransomware events. These include staff training to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of next-generation security appliances with AI technology to rapidly detect and quarantine zero-day threats. Progent also can provide the assistance of veteran crypto-ransomware recovery engineers with the track record and commitment to reconstruct a compromised environment as rapidly as possible.

Progent's Crypto-Ransomware Restoration Help
Following a crypto-ransomware event, even paying the ransom demands in cryptocurrency does not ensure that cyber criminals will return the needed keys to decrypt all your information. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never restored their information even after having paid the ransom, resulting in more losses. The risk is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is well higher than the usual ransomware demands, which ZDNET estimates to be in the range of $13,000. The alternative is to setup from scratch the key parts of your Information Technology environment. Without the availability of essential system backups, this requires a broad range of IT skills, top notch project management, and the willingness to work 24x7 until the task is done.

For two decades, Progent has offered expert IT services for companies in Plano and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have attained top certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have garnered internationally-renowned industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent also has expertise with financial management and ERP applications. This breadth of expertise gives Progent the capability to rapidly understand important systems and consolidate the surviving components of your IT system after a crypto-ransomware attack and assemble them into a functioning network.

Progent's ransomware group utilizes best of breed project management tools to orchestrate the complex recovery process. Progent understands the urgency of acting quickly and in concert with a customerís management and IT team members to assign priority to tasks and to get critical services back online as fast as possible.

Customer Story: A Successful Ransomware Incident Recovery
A customer sought out Progent after their network system was brought down by the Ryuk ransomware. Ryuk is believed to have been created by North Korean state sponsored cybercriminals, suspected of adopting technology leaked from Americaís NSA organization. Ryuk seeks specific companies with little or no tolerance for operational disruption and is among the most lucrative examples of ransomware. High publicized targets include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing business based in Chicago and has about 500 staff members. The Ryuk penetration had brought down all business operations and manufacturing capabilities. Most of the client's system backups had been online at the beginning of the attack and were eventually encrypted. The client was pursuing financing for paying the ransom (more than $200K) and hoping for the best, but in the end made the decision to use Progent.


"I cannot say enough in regards to the care Progent gave us during the most fearful time of (our) companyís survival. We would have paid the criminal gangs if not for the confidence the Progent group gave us. That you were able to get our e-mail system and key applications back online in less than 1 week was earth shattering. Each person I spoke to or communicated with at Progent was totally committed on getting us back on-line and was working all day and night on our behalf."

Progent worked together with the customer to quickly understand and prioritize the essential systems that had to be recovered in order to resume business functions:

  • Microsoft Active Directory
  • Microsoft Exchange Email
  • Accounting and Manufacturing Software
To get going, Progent adhered to Anti-virus event mitigation best practices by stopping lateral movement and disinfecting systems. Progent then started the work of recovering Microsoft Active Directory, the heart of enterprise environments built upon Microsoft Windows Server technology. Exchange email will not function without AD, and the businessesí accounting and MRP system leveraged Microsoft SQL Server, which requires Active Directory for security authorization to the databases.

In less than 2 days, Progent was able to recover Active Directory to its pre-intrusion state. Progent then performed reinstallations and storage recovery on the most important applications. All Exchange Server data and configuration information were intact, which greatly helped the restore of Exchange. Progent was able to collect non-encrypted OST data files (Outlook Email Off-Line Folder Files) on staff workstations and laptops in order to recover email information. A not too old off-line backup of the customerís manufacturing software made it possible to recover these required services back on-line. Although a lot of work was left to recover fully from the Ryuk attack, the most important systems were recovered rapidly:


"For the most part, the production line operation showed little impact and we delivered all customer orders."

Throughout the following month critical milestones in the recovery project were made through tight collaboration between Progent team members and the client:

  • In-house web applications were returned to operation with no loss of data.
  • The MailStore Server with over 4 million archived messages was spun up and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/AR/Inventory Control functions were 100% restored.
  • A new Palo Alto Networks 850 security appliance was set up.
  • Ninety percent of the user workstations were functioning as before the incident.

"A huge amount of what was accomplished during the initial response is nearly entirely a fog for me, but my team will not soon forget the dedication each and every one of you put in to give us our company back. Iíve trusted Progent for the past 10 years, possibly more, and every time Progent has outperformed my expectations and delivered. This time was a testament to your capabilities."

Conclusion
A likely business-killing disaster was avoided by hard-working professionals, a wide array of technical expertise, and close collaboration. Although in analyzing the event afterwards the crypto-ransomware virus penetration detailed here could have been identified and stopped with advanced cyber security systems and security best practices, user and IT administrator training, and properly executed incident response procedures for backup and applying software patches, the fact remains that state-sponsored cybercriminals from China, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware attack, remember that Progent's team of experts has extensive experience in crypto-ransomware virus blocking, cleanup, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were involved), Iím grateful for letting me get some sleep after we got through the most critical parts. Everyone did an impressive effort, and if anyone that helped is around the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Plano a range of online monitoring and security evaluation services designed to help you to minimize your vulnerability to crypto-ransomware. These services include modern machine learning technology to detect zero-day variants of crypto-ransomware that can get past legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates cutting edge behavior analysis technology to defend physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which routinely escape legacy signature-matching anti-virus tools. ProSight ASM protects local and cloud resources and provides a single platform to manage the complete threat lifecycle including protection, detection, containment, remediation, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services offer affordable in-depth protection for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and reacting to security threats from all attack vectors. ProSight ESP delivers firewall protection, penetration alarms, device control, and web filtering through leading-edge tools incorporated within one agent accessible from a single console. Progent's data protection and virtualization consultants can help you to plan and configure a ProSight ESP environment that addresses your company's specific needs and that helps you achieve and demonstrate compliance with government and industry information security regulations. Progent will assist you define and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that require immediate action. Progent's consultants can also help your company to set up and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized organizations an affordable and fully managed service for secure backup/disaster recovery (BDR). For a fixed monthly cost, ProSight Data Protection Services automates your backup processes and enables fast recovery of critical files, applications and VMs that have become lost or corrupted as a result of component failures, software glitches, disasters, human mistakes, or malicious attacks like ransomware. ProSight DPS can help you back up, recover and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to an on-promises storage device, or to both. Progent's BDR specialists can provide world-class expertise to configure ProSight DPS to to comply with regulatory requirements like HIPPA, FIRPA, PCI and Safe Harbor and, whenever needed, can help you to recover your critical data. Learn more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading data security vendors to deliver centralized management and comprehensive protection for your email traffic. The powerful structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises security gateway device to provide advanced protection against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's cloud filter acts as a first line of defense and blocks most unwanted email from reaching your security perimeter. This reduces your vulnerability to external attacks and conserves network bandwidth and storage space. Email Guard's onsite gateway appliance provides a further level of inspection for incoming email. For outgoing email, the on-premises gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also assist Microsoft Exchange Server to monitor and protect internal email that stays within your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller organizations to map, monitor, reconfigure and troubleshoot their connectivity appliances such as switches, firewalls, and load balancers plus servers, printers, endpoints and other networked devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch ensures that infrastructure topology maps are always updated, copies and manages the configuration of almost all devices connected to your network, monitors performance, and sends notices when potential issues are discovered. By automating time-consuming network management activities, ProSight WAN Watch can knock hours off common tasks such as making network diagrams, expanding your network, finding appliances that need critical updates, or isolating performance issues. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system operating efficiently by tracking the health of vital computers that drive your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your specified IT staff and your assigned Progent engineering consultant so any potential problems can be resolved before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the apps. Because the system is virtualized, it can be ported easily to a different hosting solution without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, find and protect data related to your network infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates ,domains or warranties. By cleaning up and organizing your IT infrastructure documentation, you can eliminate as much as half of time spent looking for vital information about your network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents required for managing your business network like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether youíre planning improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you need when you need it. Learn more about ProSight IT Asset Management service.
For 24-7 Plano Crypto Removal Support Services, reach out to Progent at 800-993-9400 or go to Contact Progent.