Ransomware: Your Worst Information Technology Catastrophe
Ransomware Recovery Experts

Ransomware has become a modern cyber pandemic that poses an existential danger to businesses poorly prepared for an attack. Versions of ransomware such as Dharma, WannaCry, Locky, Syskey and MongoLock cryptoworms have been running rampant for many years and still inflict harm. Recent strains such as Ryuk and Hermes, as well as new and as-yet-unnamed variants appearing daily, not only encrypt online files but also defeat many of the system protection mechanisms that have been configured. Data synchronized to the cloud can also be rendered useless. In a vulnerable environment, this can make automatic restoration impossible and essentially sets the network back to square one.

Restoring applications and data after a ransomware intrusion becomes a race against the clock as the targeted organization struggles to contain and eradicate the ransomware and to restore business-critical operations. Because crypto-ransomware needs time to move laterally, attacks are usually sprung at night, when they often take longer to uncover. This multiplies the difficulty of promptly marshalling and organizing a capable mitigation team.

Progent provides a range of support services for protecting businesses from crypto-ransomware events. Among these are staff training to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of the latest generation security gateways with artificial intelligence technology to automatically detect and suppress zero-day threats. Progent also provides the services of seasoned ransomware recovery engineers with the skills and commitment to reconstruct a compromised network as rapidly as possible.

Progent's Crypto-Ransomware Recovery Help
After a ransomware penetration, even paying the ransom in cryptocurrency does not ensure that distant criminals will provide the keys to decrypt all your files. Kaspersky estimated that seventeen percent of crypto-ransomware victims never restored their data even after paying the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the usual ransomware demand, which ZDNET determined to be around $13,000. The fallback is to piece back together the vital parts of your Information Technology environment. Absent full data backups, this requires a broad complement of IT skills, top-notch project management, and the willingness to work non-stop until the job is done.

For decades, Progent has offered certified expert Information Technology services for businesses in Walnut Creek and across the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have attained advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have earned internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise with accounting and ERP application software. This breadth of expertise gives Progent the ability to efficiently identify critical systems, consolidate the remaining pieces of your IT environment after a crypto-ransomware event, and configure them into a functioning system.

Progent's recovery team uses best-of-breed project management applications to orchestrate the sophisticated recovery process. Progent understands the urgency of working quickly and in concert with a client's management and Information Technology team members to prioritize tasks and to put essential applications back on-line as fast as humanly possible.

Client Case Study: A Successful Crypto-Ransomware Attack Recovery
A client hired Progent after their organization was brought down by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state hackers, possibly using technology leaked from the U.S. NSA. Ryuk goes after specific organizations with limited tolerance for disruption and is among the most lucrative incarnations of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing company headquartered in the Chicago metro area with around 500 workers. The Ryuk intrusion had paralyzed all essential operations and manufacturing capabilities. The majority of the client's data backups had been on-line at the beginning of the intrusion and were eventually encrypted. The client was pursuing financing to pay the ransom (more than $200K) and hoping for the best, but in the end engaged Progent.

"I cannot thank you enough for the care Progent provided us during the most critical time of (our) company's life. We may have had to pay the Hackers if not for the confidence the Progent experts afforded us. The fact that you could get our e-mail and important applications back into operation sooner than seven days was earth shattering. Every single staff member I worked with or e-mailed at Progent was hell bent on getting our system up and was working day and night to bail us out."

Progent worked with the customer to quickly understand and assign priority to the most important elements that needed to be addressed in order to restart business operations:

  • Windows Active Directory
  • Microsoft Exchange Server
  • MRP System

To begin, Progent adhered to industry best practices for anti-virus incident mitigation by stopping lateral movement and cleaning up compromised systems. Progent then began the steps of restoring Active Directory, the key technology underlying enterprise systems built on Microsoft technology. Exchange messaging will not function without Windows AD, and the business's MRP applications used Microsoft SQL Server, which requires Windows AD for authorization of access to the databases.

In less than 2 days, Progent was able to rebuild Active Directory to its pre-penetration state. Progent then assisted with rebuilding mission-critical applications and recovering their storage. All Microsoft Exchange Server data and attributes were usable, which facilitated the rebuild of Exchange. Progent was able to find non-encrypted OST files (Microsoft Outlook Off-Line Folder Files) on user PCs to recover mail data. A recent offline backup of the client's financials/ERP software made it possible to bring these required applications back into service for users. Although a lot of work remained to recover completely from the Ryuk damage, the most important services were restored rapidly:

"For the most part, the production manufacturing operation never missed a beat and we produced all customer deliverables."
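As an added illustration of the OST-file recovery step described above (example code written for this page, not Progent's tooling): a small Python triage script that walks a mounted workstation image, finds Outlook data files even when the ransomware has appended its own extension, and checks whether the PFF header (`!BDN`) that every OST/PST file starts with is still present, which separates mail data worth re-importing from files encrypted in place. The directory tree, file names and contents are constructed sample data.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Every PST/OST file (the PFF container format) starts with this 4-byte magic.
PFF_MAGIC = b"!BDN"
MAILBOX_EXTENSIONS = {".ost", ".pst"}

def classify_mail_file(path: Path) -> str:
    """Return 'intact', 'encrypted' or 'unreadable' for one candidate file.
    Ransomware that encrypts a file in place destroys the PFF header, so a
    missing magic is a cheap first signal that the mailbox data is gone."""
    try:
        with path.open("rb") as fh:
            header = fh.read(len(PFF_MAGIC))
    except OSError:
        return "unreadable"
    return "intact" if header == PFF_MAGIC else "encrypted"

def triage_tree(root: Path) -> Dict[str, List[Path]]:
    """Walk a profile tree (e.g. a mounted workstation image) and bucket every
    .ost/.pst by whether its header survived. All suffixes are checked because
    many ransomware families append their own extension after the original."""
    buckets: Dict[str, List[Path]] = {"intact": [], "encrypted": [], "unreadable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            candidate = Path(dirpath) / name
            if {s.lower() for s in candidate.suffixes} & MAILBOX_EXTENSIONS:
                buckets[classify_mail_file(candidate)].append(candidate)
    return buckets

def recoverable_bytes(buckets: Dict[str, List[Path]]) -> int:
    """Total size of intact mailbox files, i.e. mail data that can be re-imported."""
    return sum(p.stat().st_size for p in buckets["intact"])

def build_sample_tree() -> Path:
    """Construct a throwaway tree that mimics post-incident user profiles
    (constructed sample data, not files from any real incident)."""
    root = Path(tempfile.mkdtemp(prefix="ost_triage_"))
    alice = root / "Users" / "alice" / "AppData" / "Local" / "Microsoft" / "Outlook"
    bob = root / "Users" / "bob" / "AppData" / "Local" / "Microsoft" / "Outlook"
    alice.mkdir(parents=True)
    bob.mkdir(parents=True)
    (alice / "alice@example.com.ost").write_bytes(PFF_MAGIC + b"\x00" * 60)  # survived
    (bob / "bob@example.com.ost").write_bytes(b"\xff" * 64)   # encrypted in place
    (bob / "archive.pst.locked").write_bytes(b"\xff" * 64)    # renamed, made-up extension
    (bob / "notes.txt").write_bytes(b"not a mailbox")         # ignored by the walk
    return root

if __name__ == "__main__":
    result = triage_tree(build_sample_tree())
    print({state: [p.name for p in paths] for state, paths in result.items()})
    print("recoverable bytes:", recoverable_bytes(result))
```

An intact header only proves the container was not overwritten; the file should still be opened with Outlook or a PFF parser before it is counted as a good copy.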

Over the next month, critical milestones in the restoration project were achieved in tight cooperation between Progent team members and the client:

  • Internal web applications were restored without losing any information.
  • The MailStore Server, holding more than 4 million archived emails, was brought on-line and made available to users.
  • CRM/Product Ordering/Invoicing/AP/AR/Inventory Control functions were 100 percent restored.
  • A new Palo Alto Networks 850 firewall was installed.
  • Nearly all of the user desktops and notebooks were back in use by staff.

"A huge amount of what went on in the initial days is mostly a fog for me, but my management will not soon forget the commitment each of the team put in to give us our business back. I have entrusted Progent for the past ten years, possibly more, and every time Progent has outperformed my expectations and delivered. This event was a Herculean accomplishment."

Conclusion
A potential business-killing disaster was averted by results-oriented professionals, a wide range of knowledge, and close collaboration. In hindsight, the ransomware incident described here could have been identified and prevented with modern cyber security technology, NIST Cybersecurity Framework best practices, team education, and appropriate incident response procedures for data backup and for keeping systems current with security patches. The fact remains, however, that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and will keep attacking. If you do get hit by a crypto-ransomware incident, you can be confident that Progent's roster of professionals has proven experience in crypto-ransomware blocking, cleanup, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), I'm grateful for making it so I could get some sleep after we got past the most critical parts. Everyone did an incredible job, and if any of your guys is visiting the Chicago area, dinner is on me!"

To read or download a PDF version of this customer story, see Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Walnut Creek a portfolio of online monitoring and security assessment services to help you minimize your exposure to ransomware. These services include next-generation machine learning technology to uncover new variants of crypto-ransomware that are able to escape detection by legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates cutting-edge behavior analysis tools to guard physical and virtual endpoints against modern malware attacks such as ransomware and fileless exploits, which routinely get past legacy signature-based anti-virus products. ProSight ASM protects local and cloud resources and offers a unified platform that automates the complete malware attack lifecycle, including filtering, identification, mitigation, cleanup, and post-attack forensics. Top features include single-click rollback with Windows VSS and real-time system-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services offer economical multi-layer protection for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and reacting to security threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge technologies packaged within one agent accessible from a single console. Progent's security and virtualization consultants can help you design and configure a ProSight ESP environment that addresses your company's unique needs and that allows you to prove compliance with government and industry data security standards. Progent will help you define and configure the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require urgent action. Progent can also help you install and test a backup and restore system such as ProSight Data Protection Services so you can get back in business rapidly after a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized businesses an affordable and fully managed service for reliable backup/disaster recovery (BDR). Available at a fixed monthly rate, ProSight Data Protection Services automates and monitors your backup activities and enables fast restoration of critical files, apps and VMs that have been lost or damaged by hardware failures, software glitches, natural disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, and system images, as well as Microsoft Hyper-V and VMware images. Important data can be protected in the cloud, on a local device, or mirrored to both. Progent's cloud backup specialists can provide advanced expertise to configure ProSight Data Protection Services to comply with government and industry regulatory requirements like HIPAA, FINRA, and PCI and, whenever needed, can assist you in restoring your critical data. Learn more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top information security companies to deliver centralized management and comprehensive security for your inbound and outbound email. The hybrid architecture of Progent's Email Guard integrates cloud-based filtering with a local security gateway appliance to offer advanced defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne malware. The Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's onsite security gateway device adds a further level of inspection for inbound email. For outbound email, the on-premises security gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also assist Exchange Server in monitoring and protecting internal email traffic that originates and ends within your security perimeter. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller organizations to map out, monitor, reconfigure and troubleshoot their connectivity hardware such as switches, firewalls, and load balancers, as well as servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network maps are kept current, captures and displays the configuration of almost all devices connected to your network, monitors performance, and generates alerts when problems are detected. By automating complex network management processes, ProSight WAN Watch can knock hours off ordinary tasks like network mapping, expanding your network, locating devices that require critical software patches, or resolving performance problems. Find out more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management technology to help keep your IT system running at peak levels by tracking the health of the vital computers that power your business network. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your designated IT staff and your assigned Progent engineering consultant so that potential problems can be addressed before they disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure, fault-tolerant data center on a high-performance virtual host set up and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system platforms, and the apps. Because the system is virtualized, it can be ported immediately to a different hosting environment without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and safeguard data related to your IT infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates or domains. By updating and organizing your IT infrastructure documentation, you can eliminate up to 50% of the time spent searching for vital information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether you're making improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

For Walnut Creek 24-Hour Crypto-Ransomware Remediation Consultants, call Progent at 800-993-9400 or go to Contact Progent.