Ransomware: Your Worst IT Nightmare
Ransomware has become a modern cyber pandemic that presents an enterprise-level danger to businesses poorly prepared for an attack. Crypto-ransomware families such as CryptoLocker, Fusob, Bad Rabbit, SamSam and MongoLock, along with self-propagating cryptoworms, have been circulating for years and still inflict harm. More recent ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nefilim, together with as yet unnamed newcomers, not only encrypts online data files but also infects all configured system backups. Data synchronized to off-site disaster recovery sites can be corrupted as well. On a vulnerable network this can make automated restores impossible and effectively sets the datacenter back to square one.
Restoring applications and data after a ransomware intrusion becomes a race against the clock as the targeted organization struggles to stop lateral movement, remove the malware and resume mission-critical activity. Because ransomware takes time to spread, attacks are often launched on weekends and at night, when they may take longer to detect. This compounds the difficulty of rapidly assembling and organizing a qualified response team.
Progent offers a variety of services for protecting enterprises against ransomware penetrations. These include training staff to recognize and avoid phishing attacks, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation AI-based security solutions that rapidly discover and disable new threats. Progent can also provide seasoned ransomware recovery engineers with the track record and commitment to re-deploy a compromised network as rapidly as possible.
Progent's Crypto-Ransomware Restoration Services
After a ransomware event, paying the ransom in cryptocurrency does not guarantee that the criminals will provide the keys needed to decrypt any or all of your data. Kaspersky estimated that seventeen percent of ransomware victims never recovered their data even after paying the ransom, resulting in additional losses. The gamble is also very costly: Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000), far higher than the average ransomware demand, which ZDNet put at around $13,000. The alternative is to piece back together the mission-critical parts of your IT environment. Without access to essential data backups, this requires a wide range of IT skills, professional team management, and the ability to work non-stop until the task is completed.
For two decades, Progent has offered professional IT services to businesses in Sandy Springs and across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who hold high-level certifications in leading technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security engineers have earned internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial systems and ERP software. This breadth of experience gives Progent the ability to identify the systems you need, reassemble the surviving components of your IT environment after a ransomware event, and configure them into a functioning network.
Progent's ransomware response team uses best-of-breed project management tools to orchestrate the complex recovery process. Progent appreciates the urgency of acting quickly, in concert with the customer's management and IT resources, to prioritize tasks and get key systems back online as soon as possible.
Client Case Study: A Successful Ransomware Penetration Response
A client engaged Progent after their organization was penetrated by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean government-sponsored cybercriminals, suspected of adopting techniques leaked from the United States National Security Agency. Ryuk targets specific companies with little tolerance for disruption and is among the most profitable ransomware families. Major targets have included Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer in Chicago with about 500 workers. The Ryuk event had shut down all essential operations and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were encrypted. The client was considering paying the ransom demand (over two hundred thousand dollars) and hoping for the best, but in the end brought in Progent.
"I can't say enough in regards to the support Progent provided us throughout the most stressful time of (our) company's survival. We would have paid the criminal gangs if not for the confidence the Progent experts provided us. That you were able to get our e-mail and critical applications back online quicker than one week was incredible. Each staff member I got help from or communicated with at Progent was laser focused on getting us back online and was working 24/7 to bail us out."
Progent worked with the client to quickly identify and prioritize the most important systems that had to be recovered in order to keep the company running:
- Active Directory (AD)
- Exchange Server
To start, Progent followed industry best practices for ransomware mitigation by stopping lateral movement and disinfecting systems. Progent then began bringing Microsoft Active Directory back online, since AD is the foundation of enterprise systems built on Microsoft Windows technology. Exchange email will not operate without AD, and the business's MRP system used Microsoft SQL Server, which relies on Active Directory to authenticate and authorize access to the data.
In less than two days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then assisted with setup and storage recovery on key systems. All Exchange Server data and configuration information were intact, which greatly simplified the Exchange restore. Progent was also able to collect unencrypted Outlook OST files (offline data files) from staff PCs to recover mail messages. A reasonably recent offline backup of the customer's manufacturing software made it possible to bring these essential services back to users. Although major work remained to recover completely from the Ryuk damage, essential systems were restored quickly:
"For the most part, the manufacturing operation showed little impact and we delivered all customer shipments."
During the following month important milestones in the recovery process were accomplished through close cooperation between Progent engineers and the client:
- Self-hosted web sites were restored with no loss of information.
- The MailStore email archive server for Microsoft Exchange, containing more than 4 million archived emails, was brought up and made available to users.
- CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivable/Inventory capabilities were 100 percent operational.
- A new Palo Alto 850 security appliance was brought online.
- Nearly all user desktops were back in use by staff.
"A lot of what was accomplished during the initial response is nearly entirely a fog for me, but I will not forget the countless hours each of the team put in to give us our business back. I have been working together with Progent for the past ten years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This time was a testament to your capabilities."
A potentially business-ending disaster was avoided through the efforts of top-tier professionals, a wide range of knowledge, and close collaboration. Analysis after the event showed that the ransomware penetration described here could have been stopped by up-to-date cyber security solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and properly executed procedures for data backup and software patching. Even so, the reality remains that government-sponsored hackers from Russia, China and elsewhere are relentless and will keep attacking. If you are hit by a ransomware penetration, remember that Progent's roster of professionals has a proven track record in ransomware defense, mitigation, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were involved), I'm grateful for allowing me to get some sleep after we got over the first week. All of you did an amazing job, and if any of your team is around the Chicago area, a great meal is on me!"
To read or download a PDF version of this customer case study, see Progent's Ryuk Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Available from Progent
Progent offers companies in Sandy Springs a variety of online monitoring and security evaluation services designed to help you to reduce your vulnerability to ransomware. These services utilize next-generation AI capability to uncover new strains of ransomware that are able to escape detection by legacy signature-based anti-virus products.
For 24-7 Sandy Springs CryptoLocker Cleanup Consulting, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that uses cutting-edge behavior-based analysis to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which easily evade legacy signature-matching AV tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and offers a unified platform to automate response across the full malware attack lifecycle: blocking, identification, containment, cleanup, and forensics. Key features include one-click rollback using Windows VSS and real-time network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services deliver affordable multi-layer protection for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and respond to security threats from all vectors. ProSight ESP offers firewall protection, intrusion alerts, device management, and web filtering through leading-edge tools packaged in a single agent managed from a unified console. Progent's security and virtualization experts can help you design and implement a ProSight ESP deployment that meets your company's unique requirements and helps you achieve and demonstrate compliance with legal and industry data protection standards. Progent will assist you to define and implement the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require urgent attention. Progent's consultants can also help your company install and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent offer small and mid-sized organizations a low-cost, fully managed solution for reliable backup and disaster recovery. Available at a low monthly price, ProSight DPS automates and monitors your backup processes and enables rapid recovery of vital data, applications and VMs that have become unavailable or corrupted as a result of hardware failures, software glitches, disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, and Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to a local storage device, or mirrored to both. Progent's cloud backup consultants can deliver advanced expertise to set up ProSight DPS to comply with government and industry regulatory standards like HIPAA, FINRA, and PCI and, when needed, can assist you to recover your critical data. Read more about ProSight DPS Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top information security companies to deliver web-based management and comprehensive security for your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local gateway appliance to offer advanced protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's cloud filter serves as a preliminary barricade and blocks most threats before they reach your security perimeter. This reduces your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's on-premises gateway appliance adds a further layer of analysis for incoming email. For outgoing email, the local security gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-site security gateway can also work with Microsoft Exchange Server to monitor and protect internal email that never leaves your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, track, optimize and debug their networking appliances such as routers and switches, firewalls, and access points as well as servers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that network maps are kept updated, copies and displays the configuration of virtually all devices on your network, tracks performance, and sends alerts when problems are discovered. By automating complex network management activities, WAN Watch can knock hours off common tasks such as network mapping, reconfiguring your network, locating appliances that need important updates, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management technology to keep your IT system operating at peak levels by tracking the health of vital computers that power your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your specified IT management personnel and your Progent consultant so all looming issues can be resolved before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual host configured and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the apps. Because the environment is virtualized, it can be ported easily to an alternate hardware platform without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, find and protect data related to your IT infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By updating and managing your IT documentation, you can eliminate as much as 50% of the time spent looking for vital information about your IT network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents required for managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT data. Whether you're planning enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you need when you need it. Read more about Progent's ProSight IT Asset Management service.