Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become a too-frequent cyber pandemic that presents an enterprise-level threat to businesses of all sizes that are unprepared for an attack. Multiple generations of ransomware such as Reveton, Fusob, Locky, NotPetya and MongoLock have been circulating for years and still cause harm. More recent families like Ryuk and Hermes, along with unnamed variants that appear daily, not only encrypt online files but also go after whatever backup and system protection mechanisms they can reach from the compromised network. Encrypted files that are replicated to an off-site disaster recovery site overwrite the good copies there, rendering them useless as well. In a poorly designed environment this defeats automatic restoration and effectively knocks the entire system back to square one.
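
The paragraph above describes the failure mode where ransomware output is replicated to the DR site over the good copies, so before restoring from a replica or backup set you need to know whether its contents are already encrypted. The following Python script is an added example, not part of Progent's toolset. It applies two cheap checks to every file in a backup tree: a known ransomware extension, and a Shannon entropy near 8 bits per byte, which is what encrypted output looks like and what ordinary documents, CSV exports, database files and logs do not. The sample files it scans are constructed in a temporary directory; the extension lists and the threshold are assumptions to tune for your own environment.

```python
"""Sanity-check a backup or DR replica for files that look ransomware-encrypted.

Added example, not part of Progent's toolset. Encrypted output is statistically random,
so Shannon entropy close to 8 bits/byte on a file that should be structured (documents,
CSV exports, database dumps, logs) is a strong sign the copy is already damaged. The
sample tree scanned by demo() is constructed in a temporary directory; the suffix lists
and the threshold are assumptions to tune for your own environment.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions appended by ransomware families seen in the wild (assumed list; extend it
# from your own incident data). Ryuk appends .ryk / .RYK to the files it encrypts.
RANSOM_SUFFIXES = {".ryk", ".locky", ".encrypted", ".crypt", ".locked"}

# Formats that are high-entropy by design (compressed or already encrypted) and would
# otherwise be false positives for the entropy check. Assumed list.
HIGH_ENTROPY_BY_DESIGN = {".zip", ".gz", ".7z", ".rar", ".jpg", ".png", ".mp4",
                          ".pdf", ".docx", ".xlsx"}

ENTROPY_THRESHOLD = 7.5   # bits per byte; plain text and most database files sit well below
SAMPLE_BYTES = 64 * 1024  # reading the head of each file is enough to classify it


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for an empty or single-valued buffer, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_file(path: Path) -> dict:
    """Classify one file; 'reasons' lists every check that fired."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    entropy = shannon_entropy(head)
    suffix = path.suffix.lower()
    reasons = []
    if suffix in RANSOM_SUFFIXES:
        reasons.append(f"ransomware extension {suffix}")
    if entropy >= ENTROPY_THRESHOLD and suffix not in HIGH_ENTROPY_BY_DESIGN:
        reasons.append(f"entropy {entropy:.2f} bits/byte")
    return {"path": str(path), "entropy": round(entropy, 2),
            "suspicious": bool(reasons), "reasons": reasons}


def scan_backup_tree(root: Path) -> list:
    """Assess every regular file under root, in a stable (sorted) order."""
    return [assess_file(p) for p in sorted(root.rglob("*")) if p.is_file()]


def build_sample_tree(root: Path) -> None:
    """Constructed sample: a plausible GL export next to a document the ransomware reached first."""
    (root / "gl_export.csv").write_bytes(b"2019-02-14,1200,ACME Steel,4125.00\n" * 500)
    (root / "quarterly_report.docx.ryk").write_bytes(os.urandom(8192))


def demo() -> list:
    """Build the constructed sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_backup_tree(root)


if __name__ == "__main__":
    for r in demo():
        status = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{status:10} {r['entropy']:5.2f}  {r['path']}  {'; '.join(r['reasons'])}")
```

Run it against the mount point of a replica before you trust the replica. A handful of hits in a tree of thousands of files is a tuning problem (compressed archives, media, already-encrypted databases); hits across most of a directory dated from the night of the intrusion mean the replication job faithfully copied the damage and that copy cannot be the source for the rebuild. Where the backup product keeps a catalogue of file hashes, comparing against it is a stronger check than entropy alone.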

Restoring services and data after a ransomware intrusion becomes a race against the clock as the targeted business struggles to contain the damage, clean up the ransomware, and resume business-critical activity. Because attackers need time to move laterally and stage the attack, the encryption phase is frequently triggered at night or over a weekend, when detection and response take longer. This multiplies the difficulty of quickly assembling and orchestrating a knowledgeable mitigation team.

Progent offers a range of services for protecting organizations from ransomware attacks. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for behavior-based endpoint protection and remote management, and deployment of next-generation security gateways with machine learning capabilities to quickly detect and quarantine zero-day threats. Progent can also provide veteran ransomware recovery consultants with the track record and perseverance to rebuild a compromised system as quickly as possible.

Progent's Ransomware Restoration Help
Following a ransomware attack, paying the ransom in Bitcoin does not guarantee that the attackers will hand over the keys needed to decrypt any of your data. Kaspersky found that 17% of ransomware victims never recovered their information even after paying, compounding their losses. The ransom itself is also costly: Ryuk demands commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), well above the typical ransomware demand, which ZDNet estimated at approximately $13,000. The alternative is to rebuild the mission-critical parts of your IT environment from scratch. Without access to complete, uncompromised backups, this requires a wide range of skills, first-rate project management, and the willingness to work around the clock until the recovery is finished.

For two decades, Progent has provided expert IT services to businesses in Valencia and across the United States and holds Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's subject matter experts include professionals with high-level certifications from Microsoft, Cisco, VMware and major Linux distributions. Progent's security consultants hold internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC and GIAC (visit Progent's certifications). Progent also has expertise with accounting and ERP applications. This breadth of expertise allows Progent to quickly identify critical systems, salvage the remaining parts of your network environment after a ransomware event, and reassemble them into a working system.

Progent's ransomware team uses powerful project management tools to coordinate the complex recovery process. Progent appreciates the urgency of working quickly and in concert with a client's management and IT staff to prioritize tasks and bring critical systems back online as soon as possible.

Customer Story: A Successful Recovery from a Ryuk Ransomware Attack
A client escalated to Progent after their network was brought down by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors, although later analysis has linked it to a Russian-speaking criminal group, and there has been speculation that its operators adopted techniques leaked from the United States National Security Agency. Ryuk targets specific organizations with little tolerance for disruption and is among the most lucrative ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business headquartered in Chicago with around 500 employees. The Ryuk attack had disabled all essential business and manufacturing operations. Most of the client's backups were online and directly reachable from the compromised network at the time of the intrusion and were destroyed along with the production data. The client was actively seeking loans to pay the ransom demand (in excess of $200,000) and hoping for the best, but ultimately brought in Progent.


"I cannot say enough in regards to the support Progent gave us throughout the most stressful period of (our) business's survival. We may have had to pay the Hackers if it wasn't for the confidence the Progent group gave us. That you could get our messaging and production applications back into operation quicker than 1 week was something I thought impossible. Every single consultant I interacted with or messaged at Progent was totally committed to getting us back online and was working at all hours to bail us out."

Progent worked with the customer to quickly identify and prioritize the mission-critical applications that had to be restored in order to resume business operations:

  • Microsoft Active Directory
  • E-Mail
  • Financials/MRP
To begin, Progent followed incident response best practices by isolating the affected systems and removing the malware before any rebuilding started. Progent then set about bringing Microsoft Active Directory back online, since it is the heart of an enterprise environment built on Microsoft Windows technology. Microsoft Exchange Server messaging will not operate without Active Directory, and the customer's financials and MRP applications ran on Microsoft SQL Server, which relied on Active Directory for authentication and access to the data.

In less than two days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then rebuilt critical servers and recovered their storage. All Exchange Server data and configuration information were intact, which greatly simplified the Exchange restore. Progent was also able to locate intact OST files (Microsoft Outlook offline folder files) on user desktop computers and use them to recover mailbox data. A recent offline backup of the client's accounting/MRP systems allowed these vital services to be returned to users. Although major work remained to recover fully from the Ryuk attack, critical systems were restored quickly:
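
The rebuild order above follows the dependency chain: Active Directory first, then the services that authenticate against it, then the applications on top. As an added example, and not Progent's project management tooling, the following Python code captures those dependencies in a small graph modelled on the case study and computes restore "waves", groups of services that can be rebuilt in parallel once everything they need is back, plus the set of services that stay down if a given component turns out to be unrecoverable. The service names and their dependencies are assumptions for illustration; replace them with your own inventory.

```python
"""Compute a dependency-ordered restore plan for a ransomware recovery.

Added example, not Progent's tooling. The dependency map is constructed to mirror the
case study; replace it with your own service inventory.
"""

# service -> services that must be restored before it can come back (assumed map)
RESTORE_DEPENDENCIES = {
    "Active Directory": [],
    "DNS": ["Active Directory"],
    "Exchange Server": ["Active Directory", "DNS"],
    "SQL Server": ["Active Directory"],
    "Financials/MRP": ["SQL Server"],
    "Internal web apps": ["Active Directory", "SQL Server"],
    "MailStore archive": ["Exchange Server"],
    "User desktops": ["Active Directory", "DNS"],
}


def restore_waves(deps):
    """Kahn-style layering: wave N holds every service whose prerequisites all sit in
    earlier waves, so services within one wave can be rebuilt in parallel.
    Raises ValueError on an unknown or circular dependency, which in a real runbook
    means the plan itself is broken and must be fixed before anyone starts rebuilding."""
    for svc, prereqs in deps.items():
        for p in prereqs:
            if p not in deps:
                raise ValueError(f"{svc!r} depends on unknown service {p!r}")
    remaining = {svc: set(prereqs) for svc, prereqs in deps.items()}
    done, waves = set(), []
    while remaining:
        ready = sorted(svc for svc, prereqs in remaining.items() if prereqs <= done)
        if not ready:
            raise ValueError(f"circular dependency among {sorted(remaining)}")
        waves.append(ready)
        done.update(ready)
        for svc in ready:
            del remaining[svc]
    return waves


def blocked_if_unrecoverable(deps, failed):
    """Transitive set of services that cannot come back if `failed` is lost for good.
    Useful for deciding where to spend the first hours of an incident."""
    if failed not in deps:
        raise ValueError(f"unknown service {failed!r}")
    dependents = {svc: set() for svc in deps}
    for svc, prereqs in deps.items():
        for p in prereqs:
            dependents[p].add(svc)
    blocked, stack = set(), [failed]
    while stack:
        for d in dependents[stack.pop()]:
            if d not in blocked:
                blocked.add(d)
                stack.append(d)
    return blocked


if __name__ == "__main__":
    for i, wave in enumerate(restore_waves(RESTORE_DEPENDENCIES), 1):
        print(f"wave {i}: {', '.join(wave)}")
    lost = "Active Directory"
    print(f"still down if {lost} is unrecoverable:",
          sorted(blocked_if_unrecoverable(RESTORE_DEPENDENCIES, lost)))
```

With the map above the plan comes out as four waves, Active Directory alone in the first, and losing Active Directory blocks every other service, which is exactly why it was the first thing rebuilt in the case study. The cycle check matters more than it looks: a dependency map captured in a hurry from several administrators frequently contains a loop (for example a directory that depends on a DNS server that is itself domain-joined), and it is better to discover that on paper than in the middle of a rebuild.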


"For the most part, the production line operation ran fairly normal throughout and we made all customer deliverables."

Over the following couple of weeks, important milestones in the restoration project were reached through close cooperation between Progent consultants and the customer:

  • Internal web applications were restored without losing any data.
  • The MailStore Server, holding more than 4 million archived emails, was brought back online and made available to users.
  • CRM, orders, invoicing, accounts payable, accounts receivable and inventory functions were 100 percent operational.
  • A new Palo Alto 850 security appliance was brought online.
  • Most of the user desktops were operational.

"Much of what happened in the early hours is nearly entirely a fog for me, but my team will not soon forget the urgency with which each of you worked to help get our business back. I have been working with Progent for the past 10 years, possibly more, and each time I needed help Progent has shined and delivered as promised. This event was a stunning achievement."

Conclusion
A potentially company-ending catastrophe was averted through the efforts of hard-working experts, a wide range of subject matter expertise, and close teamwork. In retrospect, the incident described here should have been detected and stopped by modern security technology and recognized best practices: user training, properly executed incident response procedures, sound data protection, and disciplined patching. But well-resourced attackers, both criminal groups and state-sponsored actors based in Russia, China and elsewhere, are relentless and will keep trying. If you are hit by a ransomware attack, remember that Progent's team has proven experience in ransomware defense, mitigation, and data restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thanks very much for letting me get some sleep after we made it through the initial fire. Everyone made an impressive effort, and if any of you guys are visiting the Chicago area, a great meal is on me!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Valencia a range of remote monitoring and security assessment services to help reduce the threat from ransomware. These services incorporate next-generation machine learning technology to detect new strains of ransomware that evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that uses next-generation behavior-based machine learning tools to guard physical and virtual endpoints against modern malware attacks such as ransomware and fileless exploits, which routinely escape legacy signature-based AV tools. ProSight ASM safeguards on-premises and cloud resources and offers a unified platform to automate the entire threat lifecycle including blocking, infiltration detection, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and automatic system-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection managed services offer ultra-affordable in-depth security for physical servers and virtual machines, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint management, and web filtering via cutting-edge technologies incorporated within one agent managed from a unified console. Progent's data protection and virtualization experts can assist you to design and implement a ProSight ESP deployment that addresses your organization's specific needs and that helps you demonstrate compliance with legal and industry data security regulations. Progent will assist you specify and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for immediate action. Progent's consultants can also help you to install and verify a backup and restore solution like ProSight Data Protection Services so you can get back in business rapidly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized organizations an affordable and fully managed service for secure backup/disaster recovery. Available at a low monthly price, ProSight Data Protection Services automates and monitors your backup processes and enables fast recovery of critical files, applications and virtual machines that have become lost or corrupted due to hardware failures, software bugs, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to a local device, or mirrored to both. Progent's BDR specialists can provide advanced support to configure ProSight Data Protection Services to be compliant with regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, whenever needed, can assist you to restore your business-critical information. Read more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top information security companies to deliver web-based management and world-class security for all your inbound and outbound email. The powerful structure of Email Guard integrates cloud-based filtering with an on-premises security gateway appliance to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne malware. The Cloud Protection Layer serves as a first line of defense and keeps the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to inbound threats and saves system bandwidth and storage. Email Guard's onsite security gateway device adds a deeper level of analysis for inbound email. For outgoing email, the on-premises security gateway offers AV and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also assist Exchange Server to monitor and protect internal email traffic that stays inside your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to map, track, enhance and debug their connectivity appliances like routers and switches, firewalls, and access points as well as servers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network maps are always updated, copies and displays the configuration information of virtually all devices connected to your network, monitors performance, and sends alerts when issues are detected. By automating tedious management processes, ProSight WAN Watch can knock hours off ordinary chores such as network mapping, expanding your network, locating devices that require important software patches, or resolving performance bottlenecks. Learn more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to help keep your IT system operating efficiently by tracking the health of critical computers that power your information system. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your designated IT staff and your assigned Progent engineering consultant so that any potential problems can be addressed before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual host set up and managed by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be moved easily to a different hosting environment without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and protect information related to your IT infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be warned automatically about upcoming expiration of SSL certificates or domain registrations. By cleaning up and managing your network documentation, you can eliminate as much as 50% of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and associating IT information. Whether you're planning enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need the instant you need it. Read more about ProSight IT Asset Management service.
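
The ProSight ASM entry above relies on Volume Shadow Copy Service snapshots for rollback. The caveat a practitioner needs is that Ryuk and most other ransomware families delete or starve the shadow copies and disable Windows recovery before they start encrypting, so rollback only works if that step is caught and blocked. The following Python script is an added example, not Progent's or any EDR vendor's detection content. It runs a small rule set over constructed process-creation log lines and flags the commands used to inhibit system recovery (MITRE ATT&CK T1490). The key=value log format and the host, user and path values are invented for the example; in production the same rules map onto Sysmon Event ID 1 or Security Event ID 4688 fields.

```python
"""Flag commands that inhibit Windows system recovery (MITRE ATT&CK T1490).

Added example, not Progent's or any EDR vendor's detection content. The log lines are
constructed for the example in a simple key=value format; hosts, users and paths are
invented. Map the same rules onto Sysmon Event ID 1 or Security 4688 events in production.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern


RULES = [
    Rule("vssadmin delete shadows",
         re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    Rule("vssadmin resize shadowstorage (evicts snapshots)",
         re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I)),
    Rule("wmic shadowcopy delete",
         re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    Rule("bcdedit disables Windows recovery",
         re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    Rule("wbadmin delete catalog/backup",
         re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)", re.I)),
    Rule("Win32_ShadowCopy deletion via WMI/PowerShell",
         re.compile(r"win32_shadowcopy.*\b(?:delete|remove-wmiobject|remove-ciminstance)\b", re.I)),
]

# key=value tokens; quoted values may contain spaces
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Parse one key=value log line into a dict (quoted and bare values)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def detect(lines):
    """Return one alert per log line whose command matches a rule (first match wins)."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        cmd = ev.get("cmd", "")
        for rule in RULES:
            if rule.pattern.search(cmd):
                alerts.append({"ts": ev.get("ts"), "host": ev.get("host"),
                               "user": ev.get("user"), "rule": rule.name, "cmd": cmd})
                break
    return alerts


def hosts_with_multiple_techniques(alerts, min_rules: int = 2) -> set:
    """Hosts on which at least `min_rules` distinct recovery-inhibit techniques fired.
    A single vssadmin call can be a backup agent; several distinct techniques on one
    host is the pre-encryption pattern and warrants immediate isolation."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).add(a["rule"])
    return {host for host, rules in seen.items() if len(rules) >= min_rules}


# Constructed sample log: one benign listing, a burst of recovery-inhibit commands on the
# file server, and an unrelated workstation event.
SAMPLE_LOG = r"""
ts=2019-02-14T02:13:41Z host=FS01 user=CORP\svc_backup image=C:\Windows\System32\vssadmin.exe cmd="vssadmin list shadows"
ts=2019-02-14T02:13:55Z host=FS01 user=CORP\jdoe image=C:\Windows\System32\vssadmin.exe cmd="vssadmin delete shadows /all /quiet"
ts=2019-02-14T02:13:56Z host=FS01 user=CORP\jdoe image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic shadowcopy delete"
ts=2019-02-14T02:13:57Z host=FS01 user=CORP\jdoe image=C:\Windows\System32\bcdedit.exe cmd="bcdedit /set {default} recoveryenabled no"
ts=2019-02-14T02:14:02Z host=WS117 user=CORP\asmith image=C:\Windows\explorer.exe cmd="explorer.exe"
ts=2019-02-14T02:14:10Z host=FS01 user=CORP\jdoe image=C:\Windows\System32\vssadmin.exe cmd="vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"
"""


def detect_sample():
    """Run the rules over the constructed sample log."""
    return detect(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    found = detect_sample()
    for a in found:
        print(f"{a['ts']} {a['host']:6} {a['user']:16} {a['rule']}: {a['cmd']}")
    print("isolate now:", sorted(hosts_with_multiple_techniques(found)))
```

Backup software legitimately runs vssadmin, including resize operations, so in a real deployment allowlist the backup agent's parent process rather than the command, and treat the escalation in hosts_with_multiple_techniques (or the same logic with a five-minute window) as the high-confidence signal. If these events appear in your logs and the endpoint agent did not block them, assume the VSS rollback feature has nothing left to roll back to and go straight to offline backups.
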
For Valencia 24x7 Crypto-Ransomware Recovery Experts, contact Progent at 800-993-9400 or go to Contact Progent.