Ransomware : Your Worst Information Technology Nightmare
Ransomware  Recovery ExpertsCrypto-Ransomware has become a modern cyberplague that poses an enterprise-level threat for organizations vulnerable to an assault. Different versions of ransomware like the Reveton, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been around for years and continue to inflict destruction. Newer versions of ransomware like Ryuk and Hermes, along with additional unnamed viruses, not only do encryption of online data files but also infiltrate many available system backup. Data synched to cloud environments can also be ransomed. In a poorly architected system, it can render any recovery hopeless and basically knocks the network back to zero.

Getting back online services and data following a crypto-ransomware event becomes a race against time as the targeted organization fights to contain and remove the ransomware and to restore enterprise-critical activity. Because crypto-ransomware requires time to spread, penetrations are usually launched at night, when attacks may take more time to identify. This compounds the difficulty of rapidly mobilizing and orchestrating an experienced response team.

Progent provides a range of services for protecting enterprises from ransomware attacks. These include team training to help identify and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of the latest generation security appliances with machine learning capabilities to rapidly detect and suppress new cyber threats. Progent in addition provides the services of experienced ransomware recovery professionals with the talent and commitment to re-deploy a compromised system as urgently as possible.

Progent's Crypto-Ransomware Restoration Help
After a crypto-ransomware penetration, paying the ransom in Bitcoin cryptocurrency does not guarantee that criminal gangs will respond with the needed codes to decipher any of your information. Kaspersky ascertained that 17% of ransomware victims never recovered their files after having paid the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is well above the typical ransomware demands, which ZDNET averages to be around $13,000. The fallback is to setup from scratch the mission-critical elements of your IT environment. Absent the availability of full data backups, this calls for a wide complement of skill sets, well-coordinated team management, and the ability to work 24x7 until the job is complete.

For twenty years, Progent has made available certified expert IT services for businesses in Sandy Springs and across the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have earned top industry certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have earned internationally-renowned certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of expertise affords Progent the capability to rapidly understand important systems and organize the surviving pieces of your IT system following a ransomware attack and assemble them into an operational network.

Progent's ransomware team deploys powerful project management applications to coordinate the sophisticated restoration process. Progent knows the importance of acting swiftly and in concert with a client's management and Information Technology team members to assign priority to tasks and to put critical services back on-line as soon as possible.

Business Case Study: A Successful Crypto-Ransomware Virus Response
A small business escalated to Progent after their company was crashed by Ryuk ransomware virus. Ryuk is generally considered to have been deployed by Northern Korean government sponsored hackers, suspected of using technology exposed from the U.S. NSA organization. Ryuk targets specific organizations with limited room for disruption and is one of the most profitable versions of ransomware malware. High publicized victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturer based in Chicago with about 500 staff members. The Ryuk event had paralyzed all essential operations and manufacturing processes. Most of the client's backups had been on-line at the beginning of the intrusion and were destroyed. The client was evaluating paying the ransom (more than $200K) and praying for good luck, but in the end made the decision to use Progent.


"I cannot tell you enough in regards to the support Progent provided us throughout the most critical time of (our) businesses life. We most likely would have paid the cybercriminals if not for the confidence the Progent group gave us. The fact that you were able to get our e-mail and critical applications back quicker than one week was incredible. Each consultant I talked with or e-mailed at Progent was laser focused on getting us back online and was working 24 by 7 on our behalf."

Progent worked with the client to rapidly understand and prioritize the most important services that needed to be recovered in order to resume departmental functions:

  • Active Directory (AD)
  • Microsoft Exchange Email
  • Financials/MRP
To start, Progent adhered to ransomware incident mitigation best practices by stopping the spread and cleaning systems of viruses. Progent then started the work of rebuilding Microsoft Active Directory, the core of enterprise environments built upon Microsoft technology. Microsoft Exchange Server email will not work without Active Directory, and the businessesí financials and MRP system leveraged Microsoft SQL Server, which depends on Active Directory for authentication to the database.

Within two days, Progent was able to re-build Active Directory services to its pre-virus state. Progent then helped perform rebuilding and hard drive recovery of mission critical servers. All Microsoft Exchange Server schema and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to locate local OST files (Outlook Offline Data Files) on team desktop computers to recover email data. A recent off-line backup of the customerís financials/MRP systems made it possible to return these essential services back on-line. Although a lot of work remained to recover totally from the Ryuk virus, core services were returned to operations quickly:


"For the most part, the manufacturing operation showed little impact and we delivered all customer deliverables."

Over the next month critical milestones in the recovery process were made in close cooperation between Progent engineers and the client:

  • Self-hosted web applications were brought back up without losing any information.
  • The MailStore Microsoft Exchange Server containing more than four million archived messages was brought online and accessible to users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory modules were 100% operational.
  • A new Palo Alto 850 security appliance was installed.
  • Ninety percent of the desktop computers were fully operational.

"Much of what was accomplished those first few days is nearly entirely a haze for me, but I will not forget the countless hours each and every one of the team put in to help get our business back. I have been working together with Progent for the past 10 years, maybe more, and every time I needed help Progent has shined and delivered. This time was the most impressive ever."

Conclusion
A potential enterprise-killing catastrophe was dodged by dedicated professionals, a broad range of technical expertise, and tight collaboration. Although in analyzing the event afterwards the crypto-ransomware attack described here should have been identified and blocked with up-to-date security systems and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and well designed incident response procedures for information protection and applying software patches, the fact is that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a ransomware incursion, feel confident that Progent's roster of experts has extensive experience in crypto-ransomware virus blocking, mitigation, and file restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), Iím grateful for letting me get rested after we made it over the most critical parts. Everyone did an incredible effort, and if any of your guys is in the Chicago area, a great meal is my treat!"

To review or download a PDF version of this case study, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Sandy Springs a variety of online monitoring and security assessment services designed to help you to reduce the threat from crypto-ransomware. These services incorporate next-generation AI technology to uncover new variants of crypto-ransomware that are able to get past traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes cutting edge behavior-based analysis tools to guard physical and virtual endpoints against new malware assaults like ransomware and email phishing, which easily evade traditional signature-matching anti-virus products. ProSight ASM safeguards on-premises and cloud-based resources and offers a single platform to automate the complete malware attack lifecycle including filtering, infiltration detection, containment, cleanup, and forensics. Key features include one-click rollback with Windows VSS and real-time system-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable in-depth security for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and reacting to cyber assaults from all vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint control, and web filtering through cutting-edge technologies packaged within a single agent managed from a unified console. Progent's data protection and virtualization experts can assist your business to plan and configure a ProSight ESP deployment that addresses your organization's unique requirements and that allows you demonstrate compliance with legal and industry information protection regulations. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that call for immediate action. Progent can also assist you to install and test a backup and restore solution such as ProSight Data Protection Services so you can recover quickly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations an affordable end-to-end service for secure backup/disaster recovery (BDR). For a low monthly rate, ProSight DPS automates your backup processes and enables fast recovery of critical files, apps and VMs that have become lost or corrupted due to component breakdowns, software glitches, disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, apps, system images, as well as Hyper-V and VMware images/. Important data can be backed up on the cloud, to an on-promises storage device, or to both. Progent's cloud backup consultants can provide advanced support to configure ProSight DPS to be compliant with government and industry regulatory requirements such as HIPAA, FIRPA, and PCI and, whenever necessary, can help you to recover your business-critical information. Learn more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top information security vendors to deliver centralized management and comprehensive protection for all your inbound and outbound email. The powerful architecture of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises security gateway device to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks most unwanted email from reaching your network firewall. This reduces your vulnerability to inbound attacks and saves network bandwidth and storage space. Email Guard's on-premises security gateway device provides a deeper level of inspection for incoming email. For outbound email, the onsite security gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite gateway can also assist Exchange Server to track and protect internal email traffic that originates and ends within your security perimeter. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to map, track, enhance and debug their networking appliances such as switches, firewalls, and access points as well as servers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology diagrams are kept updated, captures and displays the configuration information of virtually all devices connected to your network, tracks performance, and sends notices when issues are discovered. By automating time-consuming management and troubleshooting processes, WAN Watch can cut hours off ordinary tasks such as network mapping, expanding your network, finding devices that need critical software patches, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management techniques to help keep your network operating efficiently by checking the state of vital computers that drive your business network. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your specified IT personnel and your Progent consultant so that any looming problems can be addressed before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host set up and maintained by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the apps. Since the system is virtualized, it can be ported immediately to a different hosting environment without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and safeguard data related to your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSLs ,domains or warranties. By updating and organizing your IT documentation, you can save as much as 50% of time spent trying to find critical information about your network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether youíre making improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you require when you need it. Read more about Progent's ProSight IT Asset Management service.
For 24-Hour Sandy Springs Ransomware Remediation Consulting, reach out to Progent at 800-993-9400 or go to Contact Progent.