Ransomware: Your Crippling IT Disaster
Crypto-Ransomware Recovery Professionals

Ransomware has become an escalating cyberplague that poses an extinction-level danger for organizations poorly prepared for an attack. Different versions of crypto-ransomware such as Dharma, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been replicating for many years and still cause havoc. More recent variants of ransomware such as Ryuk and Hermes, along with daily unnamed malware, not only encrypt online information but also infect all accessible system restores and backups. Files replicated to off-site disaster recovery sites can also be rendered useless. In a vulnerable system, this can make automated restore operations impossible and effectively set the network back to square one.

Retrieving programs and data after a ransomware intrusion becomes a sprint against time as the victim struggles to contain and clean up the crypto-ransomware and to restore business-critical operations. Because ransomware requires time to move laterally, attacks are usually sprung on weekends and holidays, when intrusions tend to take longer to discover. This compounds the difficulty of quickly mobilizing and coordinating a qualified response team.

Progent provides a variety of services for securing enterprises from ransomware penetrations. Among these are staff training to help employees recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security appliances with machine learning technology to automatically detect and disable new cyber threats. Progent also provides the assistance of expert ransomware recovery engineers with the skills and perseverance to rebuild a breached network as rapidly as possible.

Progent's Ransomware Restoration Services
Subsequent to a ransomware attack, even paying the ransom in Bitcoin cryptocurrency does not ensure that cyber hackers will respond with the keys needed to decrypt all your data. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their information even after having sent off the ransom, resulting in further losses. The risk is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is greatly above the average ransomware demand, which ZDNET estimates to be around $13,000. The other path is to reinstall the mission-critical components of your IT environment. Without access to full system backups, this calls for a broad range of skills, top-notch team management, and the willingness to work 24x7 until the job is finished.

For two decades, Progent has made available expert Information Technology services for companies in Mobile and throughout the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have been awarded high-level certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have garnered internationally recognized certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent also has experience with financial management and ERP software solutions. This breadth of expertise gives Progent the capability to efficiently identify critical systems, integrate the remaining pieces of your computer network after a ransomware event, and rebuild them into an operational system.

Progent's ransomware team uses top-notch project management systems to coordinate the complicated restoration process. Progent knows the urgency of acting quickly and works together with a customer's management and IT resources to assign priority to tasks and to put essential services back on-line as soon as humanly possible.

Client Story: A Successful Ransomware Attack Recovery
A client hired Progent after their network was taken over by Ryuk crypto-ransomware. Ryuk is thought to have been deployed by North Korean state cybercriminals, suspected of adopting technology leaked from the U.S. National Security Agency. Ryuk targets specific companies with little or no room for disruption and is among the most lucrative incarnations of ransomware malware. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in Chicago with around 500 workers. The Ryuk intrusion had disabled all company operations and manufacturing processes. The majority of the client's system backups had been on-line at the time of the attack and were encrypted. The client was taking steps to pay the ransom demand (exceeding $200,000) and praying for good luck, but ultimately brought in Progent.


"I cannot thank you enough for the expertise Progent gave us during the most stressful time of (our) company's survival. We had little choice but to pay the cyber criminals except for the confidence the Progent team gave us. The fact that you could get our messaging and essential applications back in less than one week was incredible. Every single person I interacted with or messaged at Progent was totally committed to getting my company operational and was working at all hours on our behalf."

Progent worked together with the client to rapidly identify and assign priority to the key services that had to be restored in order to restart company functions:

  • Windows Active Directory
  • Electronic Mail
  • MRP System

To start, Progent followed antivirus/malware incident response best practices by stopping the spread and removing active malware. Progent then began the task of rebuilding Windows Active Directory, the foundation of enterprise environments built on Microsoft technology. Microsoft Exchange Server messaging will not function without Active Directory, and the business's accounting and MRP software utilized Microsoft SQL Server, which requires Active Directory for access to the databases.

Within two days, Progent was able to recover Active Directory to its pre-attack state. Progent then performed rebuilding and hard drive recovery on critical servers. All Exchange Server data and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to locate intact OST files (Microsoft Outlook Offline Data Files) on staff PCs and laptops in order to recover email information. A reasonably recent offline backup of the client's accounting systems made it possible to bring these vital applications back on-line. Although a large amount of work remained to recover totally from the Ryuk damage, the most important systems were returned to operation quickly:


"For the most part, the production line operation never missed a beat and we produced all customer orders."

Throughout the following month important milestones in the restoration process were accomplished through tight collaboration between Progent team members and the customer:

  • In-house web sites were brought back up without losing any data.
  • The MailStore Exchange Server containing more than 4 million archived emails was spun up and available for users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory Control modules were 100% recovered.
  • A new Palo Alto 850 firewall was installed.
  • Nearly all of the user PCs were functioning as before the incident.

"A huge amount of what was accomplished in the initial days is nearly entirely a blur for me, but our team will not soon forget the commitment all of you put in to help get our company back. I have trusted Progent for at least 10 years, maybe more, and each time I needed help Progent has shined and delivered. This time was a stunning achievement."

Conclusion
A potential enterprise-killing catastrophe was evaded through the efforts of dedicated professionals, a broad spectrum of knowledge, and close teamwork. Although, in post mortem, the crypto-ransomware incident detailed here could have been stopped with current security technology and security best practices, user training, and properly executed security procedures for data backup and patching controls, the reality is that state-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware virus, remember that Progent's roster of professionals has a proven track record in ransomware virus defense, cleanup, and file recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thank you for letting me get some sleep after we made it through the initial fire. All of you did an impressive job, and if anyone that helped is visiting the Chicago area, dinner is my treat!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Mobile a portfolio of online monitoring and security evaluation services designed to assist you to reduce your vulnerability to crypto-ransomware. These services incorporate next-generation machine learning capability to uncover zero-day strains of ransomware that are able to escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates next-generation behavior-based machine learning tools to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which easily evade legacy signature-based AV tools. ProSight Active Security Monitoring safeguards on-premises and cloud resources and offers a single platform to manage the complete threat lifecycle including blocking, detection, mitigation, cleanup, and forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer protection for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and response to security threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint control, and web filtering through cutting-edge tools packaged within a single agent managed from a unified console. Progent's data protection and virtualization consultants can assist you to design and implement a ProSight ESP environment that meets your organization's unique needs and that helps you demonstrate compliance with government and industry data protection standards. Progent will assist you in specifying and configuring the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent attention. Progent can also help your company to set up and verify a backup and restore solution like ProSight Data Protection Services so you can recover rapidly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and mid-sized organizations an affordable end-to-end service for secure backup and disaster recovery. For a fixed monthly price, ProSight Data Protection Services automates and monitors your backup processes and allows fast recovery of critical files, apps and virtual machines that have become unavailable or corrupted due to component breakdowns, software glitches, natural disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware images. Important data can be protected in the cloud, to an on-premises device, or to both. Progent's backup and recovery specialists can provide world-class expertise to set up ProSight Data Protection Services to be compliant with regulatory requirements like HIPAA, FERPA, PCI and Safe Harbor and, when necessary, can help you to recover your critical information. Find out more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading data security vendors to provide centralized control and comprehensive protection for your email traffic. The powerful structure of Progent's Email Guard combines a Cloud Protection Layer with an on-premises security gateway appliance to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The cloud filter acts as a first line of defense and keeps most unwanted email from reaching your network firewall. This reduces your vulnerability to external threats and conserves network bandwidth and storage space. Email Guard's onsite gateway device adds a further layer of analysis for incoming email. For outbound email, the on-premises security gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also assist Exchange Server to monitor and safeguard internal email that stays within your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized organizations to map, monitor, reconfigure and troubleshoot their connectivity hardware like routers, firewalls, and wireless controllers as well as servers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology maps are kept current, captures and displays the configuration information of virtually all devices on your network, tracks performance, and sends alerts when issues are discovered. By automating time-consuming management and troubleshooting activities, WAN Watch can cut hours off ordinary tasks such as making network diagrams, expanding your network, finding appliances that require important updates, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your network operating efficiently by tracking the health of the critical assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your specified IT staff and your assigned Progent consultant so that potential problems can be addressed before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host set up and managed by Progent's network support experts. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be ported immediately to an alternate hardware environment without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied to one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and safeguard data about your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and organizing your IT infrastructure documentation, you can eliminate up to half of the time wasted searching for vital information about your IT network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents related to managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether you're making enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.

For 24-Hour Mobile Ransomware Recovery Help, reach out to Progent at 800-993-9400 or go to Contact Progent.