Ransomware : Your Worst IT Nightmare
Crypto-Ransomware  Remediation ProfessionalsCrypto-Ransomware has become a too-frequent cyber pandemic that poses an enterprise-level danger for businesses of all sizes vulnerable to an assault. Different iterations of ransomware like the Dharma, Fusob, Locky, Syskey and MongoLock cryptoworms have been replicating for years and continue to cause damage. Recent variants of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit or Nephilim, as well as daily unnamed newcomers, not only encrypt on-line data files but also infiltrate all configured system backups. Files replicated to cloud environments can also be rendered useless. In a poorly designed data protection solution, this can render any recovery impossible and basically sets the entire system back to zero.

Retrieving services and information after a ransomware event becomes a race against the clock as the targeted organization struggles to contain the damage and remove the virus and to restore mission-critical operations. Because crypto-ransomware takes time to spread, attacks are frequently sprung on weekends, when successful attacks are likely to take more time to uncover. This multiplies the difficulty of rapidly assembling and organizing a capable mitigation team.

Progent provides a variety of help services for protecting businesses from ransomware events. These include team member education to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus installation of the latest generation security solutions with AI technology to intelligently identify and quarantine day-zero threats. Progent also offers the assistance of expert ransomware recovery professionals with the track record and commitment to rebuild a breached system as rapidly as possible.

Progent's Crypto-Ransomware Restoration Help
Subsequent to a ransomware attack, paying the ransom in cryptocurrency does not guarantee that criminal gangs will return the needed codes to decrypt any or all of your files. Kaspersky estimated that 17% of ransomware victims never restored their files even after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is significantly above the usual ransomware demands, which ZDNET estimates to be in the range of $13,000. The alternative is to piece back together the mission-critical elements of your Information Technology environment. Without the availability of full data backups, this requires a wide range of skill sets, professional team management, and the capability to work continuously until the recovery project is done.

For two decades, Progent has offered expert Information Technology services for companies in Centennial and throughout the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have earned advanced industry certifications in leading technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally-renowned industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of experience gives Progent the skills to efficiently determine important systems and re-organize the remaining parts of your IT environment following a crypto-ransomware event and rebuild them into a functioning network.

Progent's ransomware team of experts utilizes top notch project management applications to coordinate the complex recovery process. Progent understands the importance of working quickly and in unison with a client's management and Information Technology resources to assign priority to tasks and to put critical systems back on-line as soon as humanly possible.

Customer Case Study: A Successful Ransomware Virus Response
A client hired Progent after their organization was attacked by the Ryuk crypto-ransomware. Ryuk is believed to have been created by Northern Korean state hackers, suspected of adopting approaches exposed from the U.S. National Security Agency. Ryuk attacks specific organizations with limited tolerance for disruption and is one of the most lucrative instances of ransomware. Headline targets include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing business located in Chicago with about 500 employees. The Ryuk attack had brought down all essential operations and manufacturing processes. The majority of the client's data backups had been directly accessible at the beginning of the intrusion and were encrypted. The client was actively seeking loans for paying the ransom (more than $200K) and wishfully thinking for good luck, but in the end reached out to Progent.


"I cannot speak enough about the expertise Progent provided us throughout the most stressful time of (our) businesses existence. We most likely would have paid the hackers behind this attack if it wasnít for the confidence the Progent group afforded us. The fact that you could get our e-mail and essential applications back online in less than 1 week was incredible. Every single expert I worked with or messaged at Progent was absolutely committed on getting us back on-line and was working non-stop on our behalf."

Progent worked hand in hand the customer to quickly determine and prioritize the critical services that had to be addressed in order to continue company operations:

  • Active Directory (AD)
  • Electronic Messaging
  • Accounting and Manufacturing Software
To start, Progent adhered to AV/Malware Processes event response best practices by isolating and disinfecting systems. Progent then began the task of bringing back online Windows Active Directory, the key technology of enterprise systems built on Microsoft Windows technology. Microsoft Exchange email will not operate without AD, and the customerís MRP applications used Microsoft SQL, which needs Active Directory for access to the information.

Within 2 days, Progent was able to re-build Active Directory services to its pre-penetration state. Progent then completed setup and storage recovery of key applications. All Exchange ties and attributes were usable, which accelerated the restore of Exchange. Progent was able to find intact OST files (Microsoft Outlook Off-Line Data Files) on various desktop computers and laptops in order to recover email messages. A recent off-line backup of the customerís accounting systems made them able to return these essential services back available to users. Although major work was left to recover totally from the Ryuk damage, the most important systems were restored rapidly:


"For the most part, the production line operation never missed a beat and we made all customer sales."

During the following month critical milestones in the recovery process were accomplished through tight collaboration between Progent consultants and the client:

  • Self-hosted web sites were returned to operation without losing any data.
  • The MailStore Microsoft Exchange Server exceeding 4 million historical messages was restored to operations and accessible to users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/AR/Inventory functions were 100 percent recovered.
  • A new Palo Alto 850 firewall was brought on-line.
  • 90% of the user desktops and notebooks were being used by staff.

"A lot of what was accomplished in the initial days is mostly a fog for me, but my team will not forget the urgency all of the team accomplished to give us our business back. I have been working together with Progent for the past 10 years, maybe more, and every time Progent has come through and delivered as promised. This time was no exception but maybe more Herculean."

Conclusion
A likely business extinction disaster was avoided through the efforts of top-tier professionals, a broad range of technical expertise, and tight teamwork. Although in post mortem the ransomware virus incident detailed here could have been stopped with advanced security technology and NIST Cybersecurity Framework best practices, staff education, and well thought out incident response procedures for information backup and applying software patches, the reality is that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware incident, remember that Progent's roster of experts has a proven track record in ransomware virus defense, remediation, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for letting me get some sleep after we made it over the most critical parts. Everyone did an incredible job, and if anyone that helped is visiting the Chicago area, a great meal is my treat!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Centennial a variety of online monitoring and security evaluation services designed to assist you to minimize the threat from crypto-ransomware. These services include next-generation AI capability to detect new variants of ransomware that can evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes next generation behavior-based machine learning technology to guard physical and virtual endpoints against modern malware assaults like ransomware and file-less exploits, which routinely escape legacy signature-based AV tools. ProSight Active Security Monitoring protects local and cloud-based resources and offers a single platform to address the complete threat lifecycle including blocking, detection, containment, remediation, and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable multi-layer protection for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, device management, and web filtering through cutting-edge technologies incorporated within a single agent managed from a unified control. Progent's security and virtualization consultants can assist you to plan and implement a ProSight ESP deployment that addresses your company's unique requirements and that helps you prove compliance with legal and industry information security standards. Progent will assist you specify and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require urgent attention. Progent can also help you to install and test a backup and restore solution like ProSight Data Protection Services so you can get back in business rapidly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations a low cost end-to-end solution for reliable backup/disaster recovery. For a low monthly cost, ProSight Data Protection Services automates and monitors your backup processes and allows fast recovery of vital files, applications and VMs that have become unavailable or damaged as a result of hardware failures, software glitches, natural disasters, human error, or malware attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to an on-promises storage device, or mirrored to both. Progent's cloud backup consultants can deliver advanced expertise to set up ProSight DPS to be compliant with government and industry regulatory standards like HIPAA, FINRA, and PCI and, when needed, can help you to restore your business-critical data. Learn more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of top information security vendors to deliver centralized management and comprehensive security for all your email traffic. The hybrid structure of Progent's Email Guard combines cloud-based filtering with a local security gateway device to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's cloud filter serves as a first line of defense and keeps the vast majority of unwanted email from making it to your network firewall. This decreases your vulnerability to external threats and saves network bandwidth and storage. Email Guard's onsite gateway appliance provides a further level of inspection for incoming email. For outgoing email, the local security gateway offers AV and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that originates and ends inside your corporate firewall. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized businesses to map out, track, reconfigure and troubleshoot their connectivity appliances like switches, firewalls, and load balancers plus servers, printers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network diagrams are kept updated, copies and displays the configuration of almost all devices on your network, tracks performance, and sends alerts when potential issues are discovered. By automating time-consuming network management processes, WAN Watch can knock hours off ordinary tasks such as network mapping, expanding your network, locating devices that need critical software patches, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) technology to help keep your IT system operating efficiently by checking the health of vital computers that drive your business network. When ProSight LAN Watch detects an issue, an alert is sent immediately to your specified IT staff and your assigned Progent consultant so any looming problems can be resolved before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host configured and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the apps. Because the environment is virtualized, it can be ported immediately to an alternate hosting solution without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and protect data related to your network infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be alerted about impending expirations of SSLs or warranties. By cleaning up and managing your IT infrastructure documentation, you can save up to 50% of time thrown away trying to find critical information about your IT network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents required for managing your business network like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether youíre making improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you require the instant you need it. Find out more about ProSight IT Asset Management service.
For 24x7 Centennial Crypto Removal Consultants, call Progent at 800-993-9400 or go to Contact Progent.