Ransomware : Your Worst IT Catastrophe
Crypto-Ransomware Remediation Consultants

Ransomware has become a too-frequent cyber pandemic that poses an extinction-level danger for organizations unprepared for an attack. Ransomware families such as the Reveton, WannaCry, Locky, SamSam and MongoLock cryptoworms have been circulating for many years and continue to inflict havoc. Newer families such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Egregor, plus a steady stream of unnamed newcomers, not only encrypt online data files but also corrupt any system restore points and backups they can reach. Files synced to cloud environments can be corrupted as well. In a poorly designed data protection solution, this can make automatic restore operations impossible and effectively sets the entire system back to zero.

Recovering applications and data after a ransomware outage becomes a race against time as the victim tries to stop lateral movement, eradicate the crypto-ransomware, and restore business-critical activity. Because crypto-ransomware needs time to move laterally, intrusions are often launched on weekends, when attacks typically take longer to detect. This multiplies the difficulty of rapidly assembling and orchestrating a capable response team.

Progent has a variety of support services for protecting enterprises from ransomware penetrations. These include staff education to help identify and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with installation of next-generation security appliances with AI technology to automatically discover and disable new threats. Progent in addition offers the assistance of seasoned ransomware recovery engineers with the skills and commitment to restore a breached network as rapidly as possible.

Progent's Crypto-Ransomware Restoration Help
After a ransomware event, even paying the ransom demand in Bitcoin does not guarantee that the attackers will provide the keys needed to decrypt any of your files. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their data even after sending the ransom, compounding their losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000). This is far above the average ransomware demand, which ZDNET estimates at approximately $13,000. The fallback is to piece back together the essential parts of your IT environment. Without access to usable data backups, this requires a broad complement of skill sets, top-notch team management, and the willingness to work non-stop until the job is complete.

For two decades, Progent has offered professional IT services for businesses in Aurora and throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have earned high-level industry certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have earned internationally-recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of experience provides Progent the skills to rapidly understand important systems and organize the surviving components of your IT system following a ransomware attack and rebuild them into an operational network.

Progent's recovery group uses powerful project management applications to orchestrate the complex recovery process. Progent understands the urgency of acting swiftly, working together with a customer's management and IT team to prioritize tasks and put the most important services back online as fast as possible.

Business Case Study: A Successful Ransomware Attack Response
A customer contacted Progent after their organization was crippled by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean government-sponsored criminal gangs, suspected of adopting techniques leaked from the U.S. National Security Agency. Ryuk goes after specific companies with limited tolerance for operational disruption and is among the most profitable ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in the Chicago metro area with about 500 workers. The Ryuk intrusion had frozen all company operations and manufacturing capabilities. The majority of the client's backups had been online at the start of the intrusion and were damaged. The client was considering paying the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.


"I can't thank you enough for the expertise Progent provided us throughout the most critical time of (our) company's life. We had little choice but to pay the cybercriminals if it wasn't for the confidence the Progent team gave us. That you were able to get our e-mail and production servers back online in less than 1 week was something I thought impossible. Every single staff member I worked with or texted at Progent was hell bent on getting us back online and was working day and night to bail us out."

Progent worked together with the customer to quickly determine and assign priority to the critical services that needed to be recovered to make it possible to restart departmental functions:

  • Microsoft Active Directory
  • Email
  • Accounting/MRP
To begin, Progent followed industry-standard malware incident response practice by containing the spread and cleaning infected systems. Progent then started the work of restoring Microsoft Active Directory, the foundational technology of enterprise environments built on Microsoft Windows Server. Microsoft Exchange Server email will not work without Windows AD, and the client's accounting and MRP applications used Microsoft SQL Server, which relies on Windows AD to authenticate access to the data.

In less than 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then charged ahead with reinstallations and hard drive recovery for mission-critical applications. All Exchange schema and attributes were usable, which facilitated the rebuild of Exchange. Progent was also able to find intact OST files (Outlook offline folder files) on user desktops and laptops to recover email data. A reasonably recent offline backup of the customer's accounting/ERP software allowed these vital applications to be returned to service. Although substantial work remained to recover fully from the Ryuk attack, the most important systems were restored quickly:


"For the most part, the production operation showed little impact and we produced all customer deliverables."

During the next few weeks important milestones in the recovery project were accomplished in tight cooperation between Progent engineers and the client:

  • In-house web applications were returned to operation with no loss of information.
  • The MailStore Exchange Server with over four million historical emails was restored to operations and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory modules were completely operational.
  • A new Palo Alto Networks 850 security appliance was set up and programmed.
  • Nearly all of the user desktops and notebooks were operational.

"A huge amount of what happened in the initial days is mostly a blur for me, but our team will not soon forget the dedication each and every one of you put in to help get our company back. I've entrusted Progent for the past ten years, possibly more, and each time Progent has impressed me and delivered. This time was a testament to your capabilities."

Conclusion
A probable company-ending disaster was averted with dedicated experts, a wide array of IT skills, and tight collaboration. In hindsight, the ransomware attack described here would have been stopped by up-to-date cyber security systems, security best practices, staff education, and well-thought-out procedures for data protection and timely security patching. The reality remains, however, that state-sponsored hackers from Russia, North Korea and elsewhere are relentless and an ongoing threat. If you do get hit by ransomware, you can be confident that Progent's roster of professionals has proven experience in crypto-ransomware defense, cleanup, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), I'm grateful for letting me get rested after we made it past the initial push. All of you did an impressive effort, and if any of you guys are in the Chicago area, dinner is my treat!"

To read or download a PDF version of this ransomware incident report, see Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Aurora a range of remote monitoring and security assessment services designed to help you to reduce the threat from crypto-ransomware. These services incorporate modern AI technology to detect zero-day variants of crypto-ransomware that can get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that uses cutting-edge behavior-based analysis to defend physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which routinely escape legacy signature-based anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a unified platform covering the entire malware attack lifecycle: protection, detection, mitigation, cleanup, and forensics. Key features include one-click rollback using Windows VSS and automatic network-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver affordable in-depth protection for physical servers and virtual machines, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and response to security threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, device management, and web filtering through leading-edge technologies incorporated within a single agent managed from a unified console. Progent's security and virtualization experts can help your business design and implement a ProSight ESP environment that meets your organization's specific needs and that allows you to demonstrate compliance with government and industry data protection regulations. Progent will help you define and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for urgent action. Progent's consultants can also help your company set up and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized organizations a low-cost end-to-end service for reliable backup and disaster recovery (BDR). For a fixed monthly cost, ProSight DPS automates your backup activities and enables rapid restoration of vital data, apps and VMs that have become unavailable or corrupted as a result of hardware failures, software glitches, disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to a local storage device, or to both. Progent's cloud backup consultants can provide advanced support to set up ProSight DPS to comply with government and industry regulatory standards like HIPAA, FERPA, PCI and Safe Harbor and, whenever needed, can assist you in restoring your critical data. Learn more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading information security vendors to deliver web-based management and world-class security for all your email traffic. Email Guard's architecture integrates cloud-based filtering with an on-premises security gateway appliance to offer complete protection against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based threats. The Cloud Protection Layer acts as a first line of defense and blocks most unwanted email before it reaches your security perimeter. This decreases your exposure to inbound threats and conserves bandwidth and storage. Email Guard's onsite gateway appliance provides a deeper level of analysis for incoming email. For outgoing email, the on-premises gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server track and safeguard internal email that originates and ends within your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized businesses to map, track, optimize and debug their networking hardware such as switches, firewalls, and wireless controllers, plus servers, endpoints and other networked devices. Using state-of-the-art remote monitoring and management technology, ProSight WAN Watch ensures that infrastructure topology maps are always current, captures and manages the configuration of virtually all devices on your network, tracks performance, and sends notices when problems are discovered. By automating complex management and troubleshooting processes, WAN Watch can cut hours off ordinary tasks such as making network diagrams, reconfiguring your network, locating devices that require critical software patches, or identifying the cause of performance issues. Find out more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) technology to help keep your network running at peak levels by tracking the health of the critical computers that power your business network. When ProSight LAN Watch detects a problem, an alarm is sent immediately to your designated IT management personnel and your assigned Progent engineering consultant so potential issues can be addressed before they disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host set up and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the applications. Since the system is virtualized, it can be ported easily to an alternate hosting environment without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and safeguard information about your IT infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or domains. By keeping your network documentation current and organized, you can eliminate as much as half of the time wasted looking for critical information about your IT network. ProSight IT Asset Management features a centralized location for storing and sharing all documents required for managing your business network, such as standard operating procedures and how-to guides. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether you're planning enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

For Aurora 24/7/365 Crypto-Ransomware Removal Support Services, call Progent at 800-993-9400 or go to Contact Progent.