Ransomware : Your Feared IT Catastrophe
Ransomware  Remediation ConsultantsRansomware has become a modern cyberplague that poses an enterprise-level threat for businesses of all sizes vulnerable to an assault. Different iterations of ransomware like the Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for many years and continue to inflict harm. The latest strains of crypto-ransomware like Ryuk and Hermes, as well as frequent unnamed malware, not only encrypt on-line files but also infect all available system protection mechanisms. Files synchronized to cloud environments can also be rendered useless. In a poorly designed data protection solution, it can make automatic restoration hopeless and basically knocks the network back to zero.

Getting back applications and data after a ransomware outage becomes a sprint against time as the targeted organization struggles to contain and cleanup the ransomware and to restore business-critical operations. Since ransomware requires time to spread, assaults are often sprung on weekends and holidays, when attacks in many cases take more time to recognize. This multiplies the difficulty of quickly mobilizing and coordinating a knowledgeable response team.

Progent has an assortment of solutions for protecting enterprises from ransomware attacks. These include team training to become familiar with and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of modern security gateways with machine learning technology to rapidly discover and extinguish day-zero threats. Progent also offers the services of seasoned crypto-ransomware recovery professionals with the skills and commitment to restore a breached environment as soon as possible.

Progent's Ransomware Restoration Services
Soon after a ransomware penetration, paying the ransom demands in cryptocurrency does not ensure that distant criminals will respond with the codes to decipher all your information. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their information after having sent off the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is significantly above the average ransomware demands, which ZDNET estimates to be around $13,000. The alternative is to setup from scratch the mission-critical parts of your Information Technology environment. Without access to full system backups, this calls for a broad range of skills, top notch project management, and the willingness to work continuously until the task is complete.

For two decades, Progent has provided expert Information Technology services for businesses in Chandler and throughout the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have been awarded top certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have earned internationally-recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has expertise with financial management and ERP applications. This breadth of expertise affords Progent the skills to rapidly determine critical systems and re-organize the surviving components of your IT environment following a ransomware attack and assemble them into a functioning network.

Progent's security team uses best of breed project management applications to coordinate the complex restoration process. Progent knows the importance of working rapidly and together with a client's management and Information Technology resources to assign priority to tasks and to put critical applications back on-line as soon as humanly possible.

Customer Story: A Successful Crypto-Ransomware Penetration Recovery
A business escalated to Progent after their company was taken over by Ryuk ransomware. Ryuk is generally considered to have been developed by Northern Korean state sponsored cybercriminals, suspected of adopting approaches leaked from Americaís National Security Agency. Ryuk targets specific organizations with little or no ability to sustain operational disruption and is one of the most lucrative versions of ransomware. High publicized victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business located in Chicago and has about 500 workers. The Ryuk attack had brought down all company operations and manufacturing processes. Most of the client's information backups had been directly accessible at the time of the attack and were encrypted. The client was taking steps for paying the ransom demand (more than $200K) and wishfully thinking for the best, but ultimately utilized Progent.


"I canít thank you enough about the support Progent gave us throughout the most critical period of (our) companyís existence. We most likely would have paid the cybercriminals if it wasnít for the confidence the Progent team afforded us. The fact that you could get our e-mail system and production servers back online quicker than one week was amazing. Each expert I interacted with or messaged at Progent was amazingly focused on getting us restored and was working non-stop on our behalf."

Progent worked hand in hand the customer to quickly identify and assign priority to the key services that needed to be addressed to make it possible to continue departmental operations:

  • Active Directory
  • Microsoft Exchange Server
  • Financials/MRP
To get going, Progent followed AV/Malware Processes event response industry best practices by halting the spread and clearing infected systems. Progent then started the steps of rebuilding Active Directory, the key technology of enterprise systems built on Microsoft Windows technology. Microsoft Exchange Server email will not function without Windows AD, and the businessesí MRP system leveraged SQL Server, which depends on Windows AD for security authorization to the databases.

In less than 2 days, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then charged ahead with reinstallations and hard drive recovery on critical applications. All Microsoft Exchange Server ties and attributes were intact, which accelerated the rebuild of Exchange. Progent was able to find non-encrypted OST data files (Microsoft Outlook Off-Line Folder Files) on staff PCs in order to recover mail messages. A recent off-line backup of the customerís manufacturing systems made them able to restore these essential programs back available to users. Although a lot of work was left to recover completely from the Ryuk virus, critical services were restored rapidly:


"For the most part, the manufacturing operation never missed a beat and we made all customer shipments."

During the next few weeks key milestones in the recovery process were accomplished in close collaboration between Progent consultants and the client:

  • Self-hosted web sites were returned to operation without losing any data.
  • The MailStore Exchange Server containing more than four million archived emails was brought online and available for users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory capabilities were completely restored.
  • A new Palo Alto Networks 850 firewall was set up and programmed.
  • Most of the user desktops and notebooks were functioning as before the incident.

"So much of what was accomplished those first few days is nearly entirely a haze for me, but we will not soon forget the dedication all of you put in to help get our business back. Iíve trusted Progent for at least 10 years, possibly more, and every time Progent has come through and delivered as promised. This situation was a life saver."

Conclusion
A possible business disaster was averted through the efforts of results-oriented professionals, a wide array of technical expertise, and close collaboration. Although in hindsight the crypto-ransomware virus penetration detailed here could have been identified and disabled with modern cyber security technology solutions and best practices, user training, and appropriate incident response procedures for information protection and applying software patches, the reality remains that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware virus, remember that Progent's team of experts has a proven track record in ransomware virus blocking, mitigation, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for letting me get some sleep after we made it through the first week. All of you did an amazing job, and if anyone is in the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Chandler a variety of remote monitoring and security assessment services designed to help you to reduce the threat from crypto-ransomware. These services incorporate next-generation machine learning capability to detect new variants of ransomware that are able to evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates next generation behavior analysis technology to guard physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which routinely evade traditional signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud resources and offers a single platform to automate the entire malware attack lifecycle including blocking, identification, containment, remediation, and post-attack forensics. Top features include one-click rollback using Windows VSS and automatic network-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services offer affordable multi-layer security for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP delivers firewall protection, penetration alerts, device management, and web filtering via cutting-edge tools incorporated within a single agent accessible from a single control. Progent's data protection and virtualization experts can assist you to plan and configure a ProSight ESP environment that addresses your organization's unique needs and that allows you achieve and demonstrate compliance with legal and industry information security standards. Progent will assist you define and configure policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for immediate attention. Progent's consultants can also assist your company to set up and verify a backup and disaster recovery system like ProSight Data Protection Services so you can recover quickly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized organizations an affordable end-to-end solution for reliable backup/disaster recovery (BDR). For a fixed monthly rate, ProSight DPS automates your backup activities and allows fast restoration of vital files, applications and virtual machines that have become unavailable or damaged due to hardware breakdowns, software glitches, natural disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware images/. Critical data can be backed up on the cloud, to a local device, or to both. Progent's BDR specialists can deliver advanced support to set up ProSight Data Protection Services to be compliant with government and industry regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can help you to recover your business-critical information. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top data security companies to deliver centralized management and comprehensive security for all your inbound and outbound email. The hybrid structure of Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway device to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-based malware. Email Guard's cloud filter serves as a preliminary barricade and blocks the vast majority of threats from reaching your security perimeter. This reduces your vulnerability to external threats and saves system bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a further layer of analysis for incoming email. For outgoing email, the onsite security gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Exchange Server to monitor and protect internal email that originates and ends within your security perimeter. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized businesses to diagram, monitor, enhance and debug their networking hardware like switches, firewalls, and wireless controllers as well as servers, printers, endpoints and other devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch ensures that infrastructure topology maps are always updated, copies and displays the configuration information of almost all devices on your network, monitors performance, and sends notices when problems are discovered. By automating tedious management and troubleshooting activities, WAN Watch can knock hours off common chores like making network diagrams, reconfiguring your network, locating appliances that need critical updates, or isolating performance problems. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your network operating efficiently by tracking the health of vital computers that power your information system. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your specified IT personnel and your Progent consultant so any looming issues can be resolved before they can impact your network. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host set up and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the apps. Because the environment is virtualized, it can be ported immediately to a different hardware solution without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and protect data related to your network infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or warranties. By cleaning up and organizing your IT infrastructure documentation, you can eliminate as much as half of time thrown away looking for critical information about your network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents related to managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether youíre planning improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need the instant you need it. Find out more about ProSight IT Asset Management service.
For Chandler 24-7 Crypto-Ransomware Recovery Services, contact Progent at 800-993-9400 or go to Contact Progent.