Ransomware : Your Worst IT Catastrophe
Crypto-Ransomware  Remediation ConsultantsCrypto-Ransomware has become a modern cyberplague that presents an existential danger for organizations poorly prepared for an assault. Different versions of ransomware such as Reveton, Fusob, Locky, SamSam and MongoLock cryptoworms have been circulating for a long time and continue to inflict destruction. The latest versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Nephilim, plus more unnamed newcomers, not only encrypt online data files but also infect all accessible system restores and backups. Data synchronized to the cloud can also be ransomed. In a poorly designed system, this can render any restoration useless and effectively sets the entire system back to square one.

Getting back online services and information following a crypto-ransomware event becomes a sprint against time as the victim fights to contain and eradicate the crypto-ransomware and to resume business-critical activity. Because ransomware requires time to spread, penetrations are frequently launched on weekends, when successful attacks are likely to take longer to discover. This compounds the difficulty of promptly mobilizing and organizing an experienced mitigation team.

Progent offers an assortment of services for securing organizations from ransomware penetrations. These include team member training to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus installation of the latest generation security solutions with machine learning capabilities to automatically identify and suppress new cyber attacks. Progent also provides the services of veteran crypto-ransomware recovery engineers with the track record and perseverance to restore a breached system as rapidly as possible.

Progent's Crypto-Ransomware Restoration Services
Subsequent to a crypto-ransomware penetration, even paying the ransom in Bitcoin cryptocurrency does not guarantee that cyber hackers will respond with the needed keys to decipher any or all of your information. Kaspersky Labs ascertained that 17% of ransomware victims never restored their information even after having sent off the ransom, resulting in additional losses. The risk is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is well above the usual ransomware demands, which ZDNET estimates to be in the range of $13,000. The other path is to piece back together the mission-critical components of your Information Technology environment. Absent the availability of full information backups, this calls for a wide complement of skill sets, well-coordinated team management, and the willingness to work continuously until the recovery project is over.

For twenty years, Progent has made available expert Information Technology services for businesses in Scottsdale and across the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have attained high-level certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have garnered internationally-renowned industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has experience with accounting and ERP software solutions. This breadth of expertise affords Progent the ability to rapidly determine important systems and organize the remaining components of your computer network environment after a crypto-ransomware attack and rebuild them into a functioning network.

Progent's security team has powerful project management tools to coordinate the complex recovery process. Progent understands the urgency of working swiftly and in concert with a client's management and IT resources to prioritize tasks and to get essential services back online as soon as humanly possible.

Client Case Study: A Successful Crypto-Ransomware Incident Response
A customer escalated to Progent after their network system was brought down by Ryuk ransomware virus. Ryuk is thought to have been created by Northern Korean government sponsored criminal gangs, suspected of adopting approaches leaked from the U.S. National Security Agency. Ryuk goes after specific companies with little ability to sustain operational disruption and is one of the most profitable incarnations of crypto-ransomware. Well Known organizations include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing company based in Chicago and has about 500 staff members. The Ryuk penetration had shut down all company operations and manufacturing processes. Most of the client's backups had been online at the beginning of the attack and were destroyed. The client considered paying the ransom (exceeding $200K) and praying for good luck, but in the end called Progent.


"I canít speak enough in regards to the help Progent gave us during the most critical time of (our) businesses survival. We most likely would have paid the hackers behind this attack if not for the confidence the Progent experts gave us. The fact that you were able to get our e-mail system and key applications back into operation faster than five days was something I thought impossible. Each expert I got help from or communicated with at Progent was urgently focused on getting us back on-line and was working at all hours to bail us out."

Progent worked hand in hand the client to quickly identify and assign priority to the key areas that had to be restored in order to continue company operations:

  • Microsoft Active Directory
  • Microsoft Exchange
  • Financials/MRP
To start, Progent adhered to Anti-virus penetration response best practices by isolating and clearing up compromised systems. Progent then began the work of recovering Windows Active Directory, the foundation of enterprise networks built upon Microsoft Windows technology. Exchange email will not operate without AD, and the client's accounting and MRP applications used Microsoft SQL Server, which depends on Windows AD for security authorization to the database.

Within two days, Progent was able to recover Active Directory services to its pre-penetration state. Progent then initiated setup and storage recovery of the most important systems. All Exchange schema and attributes were usable, which greatly helped the rebuild of Exchange. Progent was able to locate non-encrypted OST data files (Outlook Email Offline Data Files) on user PCs in order to recover email information. A recent offline backup of the businesses financials/ERP systems made it possible to restore these essential programs back online. Although major work remained to recover totally from the Ryuk damage, core systems were returned to operations rapidly:


"For the most part, the assembly line operation did not miss a beat and we produced all customer orders."

During the following couple of weeks important milestones in the restoration project were made through tight collaboration between Progent team members and the customer:

  • In-house web sites were brought back up without losing any information.
  • The MailStore Microsoft Exchange Server with over 4 million archived messages was spun up and available for users.
  • CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory modules were 100 percent functional.
  • A new Palo Alto Networks 850 firewall was installed and configured.
  • Most of the user desktops were fully operational.

"So much of what transpired those first few days is nearly entirely a fog for me, but my team will not forget the commitment each of you put in to give us our company back. I have been working together with Progent for the past ten years, maybe more, and each time I needed help Progent has shined and delivered as promised. This time was a stunning achievement."

Conclusion
A possible business-killing disaster was averted with top-tier professionals, a broad range of knowledge, and close teamwork. Although upon completion of forensics the ransomware virus incident detailed here should have been identified and blocked with advanced cyber security technology and ISO/IEC 27001 best practices, user and IT administrator education, and properly executed security procedures for backup and keeping systems up to date with security patches, the reality remains that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware penetration, remember that Progent's roster of experts has substantial experience in ransomware virus defense, cleanup, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were contributing), Iím grateful for allowing me to get rested after we got over the first week. Everyone did an fabulous job, and if any of your team is visiting the Chicago area, dinner is on me!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Scottsdale a variety of remote monitoring and security assessment services designed to assist you to reduce the threat from crypto-ransomware. These services include next-generation machine learning technology to detect zero-day variants of ransomware that can escape detection by traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates cutting edge behavior machine learning tools to defend physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which routinely escape legacy signature-matching anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a unified platform to address the complete malware attack lifecycle including protection, detection, containment, remediation, and forensics. Top capabilities include one-click rollback using Windows VSS and automatic system-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer affordable in-depth security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and reacting to cyber assaults from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device control, and web filtering through cutting-edge technologies incorporated within one agent accessible from a unified console. Progent's security and virtualization experts can help your business to design and implement a ProSight ESP environment that addresses your organization's unique needs and that helps you achieve and demonstrate compliance with government and industry data protection regulations. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for urgent attention. Progent's consultants can also help you to set up and verify a backup and restore solution like ProSight Data Protection Services so you can recover rapidly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized businesses a low cost and fully managed service for secure backup/disaster recovery. Available at a fixed monthly rate, ProSight Data Protection Services automates and monitors your backup activities and enables fast restoration of critical files, applications and VMs that have become lost or damaged due to component breakdowns, software bugs, disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images/. Critical data can be backed up on the cloud, to a local device, or to both. Progent's cloud backup consultants can provide advanced support to configure ProSight Data Protection Services to to comply with regulatory standards like HIPAA, FIRPA, PCI and Safe Harbor and, when needed, can help you to restore your business-critical data. Find out more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading data security companies to provide centralized control and comprehensive protection for your email traffic. The hybrid structure of Progent's Email Guard combines cloud-based filtering with a local security gateway device to offer complete protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne malware. Email Guard's cloud filter serves as a first line of defense and blocks most unwanted email from making it to your security perimeter. This decreases your exposure to inbound threats and conserves network bandwidth and storage space. Email Guard's on-premises gateway device provides a deeper layer of inspection for inbound email. For outgoing email, the on-premises gateway provides AV and anti-spam protection, DLP, and email encryption. The onsite gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that originates and ends inside your security perimeter. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller businesses to map, track, reconfigure and debug their networking hardware like routers and switches, firewalls, and wireless controllers plus servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology maps are kept current, copies and displays the configuration information of virtually all devices connected to your network, tracks performance, and sends alerts when issues are detected. By automating tedious management and troubleshooting activities, WAN Watch can cut hours off common tasks such as network mapping, expanding your network, finding devices that need critical software patches, or isolating performance problems. Find out more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your network running efficiently by tracking the health of critical computers that power your information system. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your designated IT personnel and your assigned Progent engineering consultant so any potential issues can be resolved before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual host configured and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the applications. Since the system is virtualized, it can be ported immediately to a different hosting solution without requiring a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not tied a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and protect information related to your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSLs or warranties. By updating and organizing your IT infrastructure documentation, you can save as much as half of time thrown away looking for critical information about your network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents required for managing your network infrastructure such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether youíre making improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need the instant you need it. Learn more about ProSight IT Asset Management service.
For Scottsdale 24-Hour Ransomware Repair Help, reach out to Progent at 800-993-9400 or go to Contact Progent.