Ransomware : Your Crippling Information Technology Nightmare
Ransomware has become an escalating cyberplague that presents an existential threat to businesses vulnerable to an attack. Versions of ransomware like the Reveton, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been around for years and still inflict damage. Newer versions of ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Nephilim, as well as frequent unnamed variants, not only encrypt online data files but also attack most configured system protection mechanisms. Information replicated to the cloud can also be corrupted. Where the data protection solution is vulnerable, this can render automated restoration hopeless and essentially sets the network back to zero.

Recovering programs and data following a ransomware outage becomes a race against time as the targeted business fights to contain the damage, clean up the malware, and restore business-critical activity. Because crypto-ransomware takes time to move laterally, attacks are usually sprung on weekends, when intrusions tend to take longer to detect. This compounds the difficulty of rapidly assembling and orchestrating a knowledgeable response team.

Progent offers a range of services for protecting organizations from ransomware events. These include training team members to recognize and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of next-generation security appliances with AI technology to automatically detect and disable new threats. Progent can also provide experienced ransomware recovery consultants with the talent and perseverance to restore a breached system as quickly as possible.

Progent's Ransomware Recovery Help
After a crypto-ransomware attack, paying the ransom in Bitcoin cryptocurrency provides no assurance that the criminals will return the keys needed to decrypt any of your data. Kaspersky Labs found that seventeen percent of ransomware victims never recovered their files after sending the ransom, resulting in increased losses. The ransom itself is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the average crypto-ransomware demand, which ZDNet estimates at around $13,000. The fallback is to piece back together the vital parts of your Information Technology environment. Without complete data backups, this requires a broad range of skills, professional project management, and the willingness to work non-stop until the task is completed.

For two decades, Progent has provided professional IT services for businesses in Cheyenne and across the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who hold high-level certifications in key technologies from Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have earned internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise in financial systems and ERP application software. This breadth of expertise gives Progent the capability to knowledgeably identify critical systems, consolidate the remaining components of your network environment after a ransomware penetration, and configure them into a functioning system.

Progent's security team uses state-of-the-art project management tools to coordinate the complex recovery process. Progent appreciates the importance of working swiftly and in unison with a client's management and Information Technology staff to assign priority to tasks and to get key systems back online as soon as humanly possible.

Business Case Study: A Successful Crypto-Ransomware Attack Recovery
A client sought out Progent after their organization was brought down by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state-sponsored criminal gangs, suspected of using technology leaked from the U.S. National Security Agency. Ryuk targets specific businesses with limited ability to sustain disruption and is among the most profitable iterations of crypto-ransomware. Headline targets include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business based in Chicago with about 500 employees. The Ryuk attack had shut down all company operations and manufacturing processes. Most of the client's backups had been online at the beginning of the intrusion and were destroyed. The client considered paying the ransom demand (exceeding $200,000) and hoping for the best, but ultimately called Progent.


"I can't thank you enough about the help Progent gave us throughout the most critical time of (our) businesses existence. We may have had to pay the cyber criminals behind the attack if it wasn't for the confidence the Progent group provided us. That you could get our e-mail and production servers back online quicker than five days was incredible. Every single expert I got help from or texted at Progent was amazingly focused on getting us restored and was working at all hours on our behalf."

Progent worked hand in hand with the customer to quickly identify and prioritize the mission-critical applications that had to be addressed to make it possible to resume departmental operations:

  • Windows Active Directory
  • Electronic Mail
  • Financials/MRP

To begin, Progent followed ransomware incident response industry best practices by halting lateral movement and cleaning malware from affected systems. Progent then started the work of bringing Windows Active Directory back online, since it is the core of enterprise networks built on Microsoft Windows technology. Exchange email will not operate without AD, and the business's accounting and MRP software relied on Microsoft SQL Server, which requires Active Directory for authentication and authorization to the database.

In less than 48 hours, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then pressed ahead with rebuilding and hard drive recovery of the most important applications. All Exchange connectors and configuration information were intact, which facilitated the restore of Exchange. Progent was able to collect unencrypted OST data files (Outlook Off-Line Folder Files) from team PCs and laptops to recover mail data. A recent offline backup of the business's financials/MRP systems made it possible to bring these vital applications back online. Although significant work was left to recover fully from the Ryuk damage, the most important services were recovered rapidly:


"For the most part, the production manufacturing operation ran fairly normal throughout and we made all customer deliverables."

During the following month, critical milestones in the restoration process were reached through tight collaboration between Progent consultants and the customer:

  • In-house web applications were brought back up without losing any information.
  • The MailStore Exchange Server with over 4 million historical messages was brought on-line and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory functions were fully restored.
  • A new Palo Alto 850 security appliance was set up.
  • 90% of the user workstations were functioning as before the incident.

"So much of what transpired that first week is mostly a haze for me, but we will not soon forget the care all of your team put in to give us our business back. I've entrusted Progent for at least 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This situation was a Herculean accomplishment."

Conclusion
A probable enterprise-killing disaster was averted thanks to dedicated professionals, a broad array of knowledge, and tight teamwork. In hindsight, the crypto-ransomware penetration described here should have been prevented with modern cyber security solutions, NIST Cybersecurity Framework best practices, team training, and well thought out incident response procedures for data backup and software patching. Nevertheless, the reality remains that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and an ongoing threat. If you are hit by a crypto-ransomware incident, you can be confident that Progent's roster of experts has a proven track record in ransomware blocking, removal, and data recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thank you for letting me get rested after we made it through the most critical parts. All of you did an impressive effort, and if anyone that helped is around the Chicago area, dinner is on me!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Cheyenne a variety of remote monitoring and security evaluation services designed to help you minimize the threat from ransomware. These services incorporate modern artificial intelligence capabilities to detect new variants of ransomware that can get past legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes next generation behavior-based machine learning tools to guard physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which easily evade traditional signature-based AV tools. ProSight ASM safeguards local and cloud resources and offers a unified platform to address the entire threat lifecycle including protection, identification, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback with Windows VSS and real-time system-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver economical in-depth security for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and response to security attacks from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, device management, and web filtering through leading-edge tools packaged within one agent managed from a unified console. Progent's data protection and virtualization consultants can help your business plan and configure a ProSight ESP environment that addresses your company's unique needs and helps you achieve and demonstrate compliance with legal and industry information security regulations. Progent will assist you in specifying and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for immediate action. Progent can also help you install and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations an affordable end-to-end solution for secure backup/disaster recovery (BDR). Available at a low monthly price, ProSight Data Protection Services automates your backup processes and allows rapid restoration of vital data, apps and virtual machines that have been lost or damaged as a result of hardware breakdowns, software bugs, natural disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on a local device, or both. Progent's BDR consultants can deliver advanced support to set up ProSight DPS to be compliant with regulatory standards like HIPAA, FERPA, PCI and Safe Harbor and, when needed, can assist you in restoring your business-critical information. Read more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of top information security companies to provide web-based control and world-class protection for your inbound and outbound email. The hybrid structure of Email Guard combines cloud-based filtering with a local gateway appliance to provide advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based malware. The cloud filter serves as a first line of defense and blocks the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to inbound threats and conserves network bandwidth and storage space. Email Guard's on-premises gateway appliance adds a deeper level of inspection for incoming email. For outbound email, the onsite gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The onsite gateway can also help Exchange Server to monitor and safeguard internal email that originates and ends within your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to map, monitor, optimize and troubleshoot their networking appliances such as switches, firewalls, and access points, plus servers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch keeps infrastructure topology maps current, captures and manages the configuration information of almost all devices connected to your network, monitors performance, and sends alerts when issues are discovered. By automating tedious management processes, ProSight WAN Watch can knock hours off common chores such as making network diagrams, expanding your network, finding appliances that need important updates, or isolating performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to keep your network operating at peak levels by checking the health of the vital computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your designated IT staff and your assigned Progent engineering consultant so that potential issues can be addressed before they have a chance to impact your network. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure, fault-tolerant data center on a fast virtual host configured and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the client owns the data, the OS software, and the apps. Because the environment is virtualized, it can be ported immediately to an alternate hardware environment without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and safeguard information related to your IT infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be alerted about impending expirations of SSL certificates, domains or warranties. By cleaning up and organizing your network documentation, you can save up to 50% of the time wasted looking for critical information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents related to managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether you're making enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you need as soon as you need it. Find out more about ProSight IT Asset Management service.

For 24-Hour Cheyenne Crypto Remediation Help, call Progent at 800-993-9400 or go to Contact Progent.