Ransomware : Your Worst IT Catastrophe
Ransomware Recovery Professionals
Ransomware has become an escalating cyberplague that presents an enterprise-level danger for businesses of all sizes that are unprepared for an attack. Older ransomware families like Dharma, WannaCry, Bad Rabbit, Syskey and MongoLock have been in the wild for a long time and continue to cause havoc. More recent variants such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Egregor, along with as-yet-unnamed newcomers, not only encrypt online data but also encrypt most backups that remain reachable from the compromised network. Files synchronized to cloud environments can also be corrupted. Against a vulnerable data protection solution, this can make automated restore operations hopeless and effectively sets the entire environment back to zero.

Recovering applications and data following a ransomware outage becomes a race against time as the targeted business tries to contain and clean up the infection and restore business-critical operations. Because ransomware takes time to move laterally, attacks are often launched on nights and weekends, when a successful penetration typically takes longer to detect. This compounds the difficulty of promptly marshalling and orchestrating a knowledgeable response team.

Progent offers a range of services for protecting businesses from ransomware attacks. These include staff training to help employees recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and installation of next-generation security appliances with AI technology that automatically identify and disable zero-day threats. Progent can also provide experienced ransomware recovery consultants with the track record and perseverance to redeploy a compromised network as quickly as possible.

Progent's Ransomware Recovery Help
Soon after a ransomware penetration, paying the ransom demand in cryptocurrency does not ensure that the remote criminals will return the keys needed to decrypt any of your data. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their information even after paying the ransom, resulting in increased losses. The gamble is also very expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000), far higher than the usual ransomware demand, which ZDNet estimates to average approximately $13,000. The alternative is to rebuild the key components of your IT environment from scratch. Without access to complete data backups, this requires a broad range of skill sets, well-coordinated project management, and the willingness to work around the clock until the task is complete.

For twenty years, Progent has made available professional IT services for companies in Palo Alto and throughout the U.S. and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have been awarded advanced industry certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have garnered internationally-renowned industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise with financial management and ERP application software. This breadth of experience gives Progent the ability to efficiently identify critical systems and integrate the surviving pieces of your network environment following a crypto-ransomware penetration and rebuild them into a functioning network.

Progent's security team uses powerful project management tools to coordinate the complex recovery process. Progent appreciates the urgency of working rapidly and in unison with a customer's management and IT staff to prioritize tasks and get key services back online as fast as possible.

Case Study: A Successful Crypto-Ransomware Incident Response
A client contacted Progent after their organization was brought down by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean government-sponsored criminal gangs, possibly using techniques leaked from America's NSA. Ryuk targets specific companies with little tolerance for operational disruption and is one of the most profitable ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in Chicago with around 500 employees. The Ryuk penetration had shut down all business operations and manufacturing processes. Most of the client's data backups had been online at the start of the attack and were eventually encrypted. The client was pursuing financing to pay the ransom (in excess of $200K) and hoping for the best, but ultimately engaged Progent.


"I cannot tell you enough about the expertise Progent gave us during the most critical period of (our) company's life. We would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent team afforded us. The fact that you could get our e-mail and key servers back online faster than 1 week was earth shattering. Each expert I spoke to or communicated with at Progent was laser focused on getting our company operational and was working non-stop on our behalf."

Progent worked together with the customer to quickly understand and prioritize the most important elements that had to be recovered to make it possible to continue company functions:

  • Microsoft Active Directory
  • Exchange Server
  • Accounting/MRP

To begin, Progent followed industry best practices for malware incident response by halting the spread and disinfecting systems. Progent then began recovering Microsoft Active Directory, the foundation of enterprise systems built on Microsoft Windows technology. Microsoft Exchange Server email will not work without Active Directory, and the customer's MRP applications used Microsoft SQL Server, which relies on Windows AD for authentication to the databases.

Within two days, Progent had rebuilt Windows Active Directory to its pre-penetration state. Progent then charged ahead with reinstallations and storage recovery on key systems. All Microsoft Exchange Server schema and attributes were intact, which accelerated the restore of Exchange. Progent was also able to gather unencrypted OST files (Outlook Offline Data Files) from team PCs and laptops in order to recover email data. A recent offline backup of the business's financials/MRP software made it possible to return these essential applications to service. Although significant work remained to recover fully from the Ryuk attack, the most important systems were returned to operation rapidly:


"For the most part, the manufacturing operation did not miss a beat and we produced all customer orders."

During the next few weeks critical milestones in the recovery process were made through tight collaboration between Progent team members and the customer:

  • Internal web applications were returned to operation without losing any data.
  • The MailStore archive of Microsoft Exchange Server email, holding more than 4 million historical messages, was brought online and made available to users.
  • CRM/Orders/Invoices/AP/Accounts Receivables/Inventory Control modules were fully operational.
  • A new Palo Alto 850 security appliance was brought online.
  • 90% of the user PCs were back into operation.

"So much of what transpired during the initial response is nearly entirely a haze for me, but I will not soon forget the countless hours each of you put in to help get our business back. I have trusted Progent for the past ten years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This situation was a life saver."

Conclusion
A potentially business-ending disaster was averted through dedicated professionals, a wide range of subject matter expertise, and close teamwork. In hindsight, the crypto-ransomware incident detailed here could have been detected and disabled with modern cyber security solutions and NIST Cybersecurity Framework best practices: staff education, properly executed incident response procedures, offline data backups, and systems kept current with security patches. The fact remains, however, that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and are not going away. If you do get hit by ransomware, remember that Progent's roster of professionals has substantial experience in ransomware defense, remediation, and data restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thank you for allowing me to get rested after we made it through the initial push. Everyone did a fabulous job, and if anyone is around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Palo Alto a portfolio of remote monitoring and security assessment services designed to help you to reduce the threat from crypto-ransomware. These services utilize next-generation machine learning capability to uncover new strains of ransomware that are able to get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that uses next-generation behavior-based machine learning to guard physical and virtual endpoints against new malware attacks like ransomware and email phishing, which routinely evade traditional signature-based anti-virus products. ProSight ASM safeguards local and cloud-based resources and offers a single platform to automate the entire threat lifecycle, including filtering, detection, mitigation, remediation, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection managed services offer economical multi-layer security for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and responding to cyber assaults from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge tools incorporated within a single agent managed from a single console. Progent's data protection and virtualization experts can help you to design and implement a ProSight ESP deployment that addresses your organization's specific needs and that helps you prove compliance with government and industry data security standards. Progent will help you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require immediate action. Progent can also help you to install and test a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and medium-sized businesses a low-cost end-to-end solution for reliable backup/disaster recovery (BDR). Available at a fixed monthly cost, ProSight Data Protection Services automates your backup processes and allows fast restoration of vital files, applications and virtual machines that have become unavailable or corrupted due to hardware failures, software bugs, natural disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to an on-premises storage device, or mirrored to both. Progent's cloud backup consultants can deliver world-class support to configure ProSight Data Protection Services to comply with government and industry regulatory standards like HIPAA, FIRPA, and PCI and, when needed, can help you restore your business-critical information. Find out more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security vendors to provide web-based management and comprehensive protection for all your inbound and outbound email. The hybrid structure of Progent's Email Guard integrates cloud-based filtering with an on-premises security gateway appliance to provide advanced defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a preliminary barricade and keeps the vast majority of unwanted email from reaching your network firewall. This decreases your exposure to inbound attacks and conserves bandwidth and storage. Email Guard's onsite security gateway appliance adds a further layer of inspection for incoming email. For outbound email, the onsite gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Microsoft Exchange Server track and protect internal email that originates and ends within your security perimeter. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to map, track, reconfigure and debug their connectivity hardware like routers, firewalls, and load balancers as well as servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network diagrams are kept updated, copies and displays the configuration of virtually all devices connected to your network, monitors performance, and generates notices when issues are discovered. By automating tedious management and troubleshooting activities, WAN Watch can knock hours off ordinary tasks such as network mapping, reconfiguring your network, locating appliances that need critical updates, or identifying the cause of performance problems. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to help keep your IT systems running at peak levels by checking the health of the critical computers that drive your business network. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your designated IT staff and your assigned Progent consultant so potential issues can be addressed before they disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual machine host configured and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the applications. Because the system is virtualized, it can be moved immediately to a different hosting environment without a time-consuming and technically risky reconfiguration process. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that allows you to create, maintain, find and safeguard data related to your network infrastructure, procedures, business applications, and services. You can instantly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or domains. By updating and organizing your IT documentation, you can eliminate as much as 50% of the time spent searching for vital information about your network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents required for managing your business network, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether you're planning enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you need when you need it. Read more about Progent's ProSight IT Asset Management service.

For Palo Alto 24/7 CryptoLocker Recovery Consultants, contact Progent at 800-993-9400 or go to Contact Progent.