Ransomware: Your Worst Information Technology Disaster
Ransomware Remediation Experts
Crypto-ransomware has become an escalating cyberplague that presents an extinction-level danger for organizations vulnerable to an attack. Ransomware families such as CrySIS, Fusob, Bad Rabbit, SamSam and MongoLock have been circulating for years and continue to inflict havoc. Newer operations such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, LockBit and Egregor, plus more as yet unnamed strains, not only encrypt on-line data files but also seek out and encrypt any backups they can reach from the compromised network. Files replicated to cloud storage can be encrypted too, because synchronization faithfully copies the encrypted versions. In a data protection design that leaves backups reachable from production systems, this can render automatic restoration useless and effectively sets the datacenter back to zero.

Recovering services and data after a ransomware intrusion is a race against time as the victim struggles to contain the damage, eradicate the malware, and restore business-critical operations. Because the operators need time to move laterally and stage the attack, encryption is usually triggered on weekends and holidays, when a successful intrusion typically takes longer to discover. This compounds the difficulty of rapidly mobilizing and organizing an experienced response team.
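The backup destruction described above rarely happens silently: before encrypting, most ransomware crews run a short, recognizable burst of commands that delete Volume Shadow Copies, wipe the Windows backup catalog and disable boot recovery, and they tend to do it off-hours. The following is an added example written for this page, not code from Progent or from any product the page describes. It scans process-creation records (Windows Security event 4688 or Sysmon event 1, reduced to timestamp, host, user and command line) for those commands and ranks hosts by how many distinct tampering techniques they ran and whether it happened at night or on a weekend. The log lines and their field layout are constructed for the example, and the off-hours thresholds are assumptions.

```python
"""Flag the backup-destruction commands that precede ransomware encryption.

Added example; not Progent's code. Input: process-creation records reduced
to "<ISO-8601 UTC timestamp> host=<name> user=<account> cmd=<quoted command>".
That record layout is constructed for this example, as are the sample lines.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Detection rules applied to a whitespace-normalised, case-insensitive command
# line, covering the vssadmin/wmic/PowerShell/wbadmin/bcdedit variants that
# ransomware playbooks commonly use against backups and recovery.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_storage_shrink",   # shrinking shadow storage evicts old snapshots
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b.*/maxsize=", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("powershell_shadowcopy_delete",
     re.compile(r"win32_shadowcopy\b.*\bdelete\(\)", re.I)),
    ("backup_catalog_deletion",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I)),
    ("boot_recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\s.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"\s*$')

# Constructed sample: routine activity on a workstation on a Tuesday morning,
# then a burst of tampering on a file server in the small hours of a Saturday,
# followed by a malformed record that the scanner must skip rather than crash on.
SAMPLE_LOG = r"""
2020-04-28T10:02:33Z host=WKS-042 user=CORP\jdoe cmd="vssadmin list shadows"
2020-04-28T10:05:01Z host=WKS-042 user=CORP\jdoe cmd="notepad.exe C:\Users\jdoe\notes.txt"
2020-05-02T03:14:07Z host=FS01 user=CORP\svc_backup cmd="vssadmin.exe Delete Shadows /All /Quiet"
2020-05-02T03:14:09Z host=FS01 user=CORP\svc_backup cmd="wbadmin delete catalog -quiet"
2020-05-02T03:14:11Z host=FS01 user=CORP\svc_backup cmd="bcdedit /set {default} recoveryenabled No"
2020-05-02T03:14:15Z host=FS01 user=CORP\svc_backup cmd="powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"
this line is malformed and must be skipped
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    command: str
    off_hours: bool


def off_hours(timestamp: str) -> bool:
    """Weekend, or 20:00-06:00 UTC: the windows attackers favour because fewer
    people are watching. The hour thresholds are an assumption for the example."""
    t = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")
    return t.weekday() >= 5 or t.hour < 6 or t.hour >= 20


def scan(lines):
    """Return one Finding per (record, rule) match, in log order."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or blank record: skip, never abort a triage run
        cmd = " ".join(m["cmd"].split())  # collapse spacing tricks before matching
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(m["ts"], m["host"], m["user"], name, cmd,
                                        off_hours(m["ts"])))
    return findings


def summarize(findings):
    """Per host: severity and the sorted list of distinct rules triggered.
    Several distinct techniques on one host, or any of them off-hours, is the
    classic pre-encryption signature and is ranked 'critical'."""
    hosts = {}
    for f in findings:
        rules, off = hosts.setdefault(f.host, (set(), False))
        hosts[f.host] = (rules | {f.rule}, off or f.off_hours)
    return {h: ("critical" if len(r) >= 2 or off else "high", sorted(r))
            for h, (r, off) in hosts.items()}


if __name__ == "__main__":
    for host, (severity, rules) in summarize(scan(SAMPLE_LOG.splitlines())).items():
        print(f"{host}: {severity} -> {', '.join(rules)}")
```

In a real deployment the scan would run continuously against the EDR or SIEM feed, and a "critical" host would be isolated from the network immediately; by the time the encryption itself is visible, the shadow copies are usually already gone.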

Progent provides a range of services for protecting organizations from crypto-ransomware attacks. These include team member training to help recognize and avoid phishing attacks, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of next-generation security gateways that use machine learning to automatically detect and block new threats. Progent also offers the services of veteran ransomware recovery consultants with the talent and commitment to rebuild a compromised network as quickly as possible.

Progent's Ransomware Restoration Services
After a ransomware attack, paying the ransom in Bitcoin does not ensure that the criminals will return the keys needed to decrypt any or all of your files. Kaspersky Labs determined that 17% of ransomware victims who paid never recovered their data, compounding their losses. Paying is also expensive: Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the average ransomware demand, which ZDNet put at around $13,000. The other path is to rebuild the mission-critical components of your IT environment from scratch. Without access to usable backups, this calls for a broad complement of skills, top-notch project management, and the capacity to work non-stop until the job is complete.

For twenty years, Progent has provided professional IT services to businesses in Portland and throughout the US and has earned Microsoft Partner status with the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers with advanced industry certifications in key technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security engineers hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial management and ERP software. This breadth of experience gives Progent the skills to quickly identify the necessary systems after a ransomware event, integrate the surviving pieces of your network, and rebuild them into an operational whole.

Progent's recovery team uses state-of-the-art project management tools to orchestrate the complicated restoration process. Progent understands the urgency of acting rapidly and works with a client's management and IT staff to prioritize tasks and bring the most important systems back on line as fast as humanly possible.

Case Study: A Successful Crypto-Ransomware Attack Restoration
A customer escalated to Progent after their organization was hit by the Ryuk ransomware. Ryuk was initially attributed by some analysts to North Korean state-sponsored actors because of code it shares with the earlier Hermes ransomware; later analysis attributed it to a Russian-speaking criminal group. Ryuk is aimed at specific organizations with little or no tolerance for operational disruption and is one of the most profitable ransomware operations. Headline targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturer located in the Chicago metro area with around 500 employees. The Ryuk intrusion had brought down all company operations and manufacturing processes. Most of the client's backups had been directly reachable from the network at the time of the intrusion and were encrypted. The client was considering paying the ransom (more than $200K) and hoping for the best, but ultimately reached out to Progent.


"I can't tell you enough about the support Progent provided us during the most fearful period of (our) business's life. We may have had to pay the criminal gangs if it wasn't for the confidence the Progent team gave us. That you were able to get our messaging and essential servers back on-line in less than five days was incredible. Every single expert I spoke to or texted at Progent was totally committed to getting us back online and was working all day and night to bail us out."

Progent worked hand in hand with the customer to rapidly determine and prioritize the key elements that had to be restored before company operations could restart:

  • Active Directory (AD)
  • Microsoft Exchange Email
  • Accounting/MRP
To begin, Progent followed ransomware incident response best practices by stopping lateral movement and eradicating the malware from affected systems. Progent then started rebuilding Windows Active Directory, the heart of an enterprise environment built on Microsoft Windows Server. Exchange will not function without Active Directory, and the client's accounting and MRP system ran on Microsoft SQL Server, which relied on Active Directory (Windows authentication) to authenticate users and service accounts to the databases.
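The prioritization above is a dependency problem: Exchange and the MRP system are the business-critical services, but neither can come back before Active Directory, and the MRP application cannot come back before SQL Server even though SQL Server itself is nobody's business priority. The following is an added example written for this page, not Progent's planning tool. It turns a service dependency map plus business priorities into a restoration order that never schedules a service before what it depends on, propagates urgency down to the dependencies (so SQL Server inherits the MRP system's priority), and refuses a map with a cycle. The dependency map is constructed to mirror the case study and padded with a few services an environment like this typically has; the priority numbers are assumptions.

```python
"""Compute a ransomware recovery order from service dependencies.

Added example, not Progent's tooling. Each service maps to
(business priority, set of services it depends on); lower number = more
urgent. The map below is constructed for the example.
"""
import heapq

SERVICES = {
    "active_directory": (1, set()),
    "dns_dhcp":         (1, {"active_directory"}),            # AD-integrated DNS
    "exchange":         (1, {"active_directory", "dns_dhcp"}),
    "sql_server":       (2, {"active_directory"}),            # Windows auth via AD
    "accounting_mrp":   (1, {"sql_server"}),
    "file_server":      (3, {"active_directory"}),
    "crm":              (3, {"sql_server"}),
    "web_apps":         (4, {"sql_server", "file_server"}),
}


def effective_priority(services):
    """A dependency is at least as urgent as the most urgent thing that needs it.
    Iterate to a fixed point; values only ever decrease, so this terminates."""
    eff = {name: prio for name, (prio, _) in services.items()}
    changed = True
    while changed:
        changed = False
        for name, (_, deps) in services.items():
            for dep in deps:
                if eff[name] < eff[dep]:
                    eff[dep] = eff[name]
                    changed = True
    return eff


def restoration_order(services):
    """Kahn's algorithm with a priority heap: among the services whose
    dependencies are all restored, always pick the most urgent one next.
    Raises ValueError if the map contains a cycle (nothing could ever start)."""
    for name, (_, deps) in services.items():
        missing = deps - services.keys()
        if missing:
            raise KeyError(f"{name} depends on unknown services: {sorted(missing)}")
    eff = effective_priority(services)
    remaining = {name: len(deps) for name, (_, deps) in services.items()}
    dependents = {name: [] for name in services}
    for name, (_, deps) in services.items():
        for dep in deps:
            dependents[dep].append(name)
    ready = [(eff[name], name) for name, count in remaining.items() if count == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            remaining[child] -= 1
            if remaining[child] == 0:
                heapq.heappush(ready, (eff[child], child))
    if len(order) != len(services):
        stuck = sorted(name for name, count in remaining.items() if count > 0)
        raise ValueError(f"dependency cycle among: {stuck}")
    return order


if __name__ == "__main__":
    for step, name in enumerate(restoration_order(SERVICES), 1):
        print(f"{step}. {name}")
```

With these assumed inputs the order comes out as Active Directory, DNS/DHCP, Exchange, SQL Server, accounting/MRP, CRM, file server, web applications, which is the sequence the case study actually followed. The tie between Exchange and SQL Server is decided by name only because both carry effective priority 1; in practice you would break such ties with an explicit rank rather than leave it to chance.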

In less than 48 hours, Progent rebuilt Windows Active Directory to its pre-attack state. Progent then began server setup and disk recovery on the mission-critical servers. All Exchange Server data and attributes were intact, which accelerated the Exchange rebuild. Progent was also able to collect intact OST files (Outlook offline data files) from user desktop computers to recover mail messages. A reasonably recent off-line backup of the client's financials/MRP software made it possible to bring these required applications back online. Although much work remained to recover fully from the Ryuk event, essential services were restored rapidly:


"For the most part, the production manufacturing operation was never shut down and we made all customer deliverables."

Over the next month, critical milestones in the recovery project were achieved through close cooperation between Progent engineers and the client:

  • In-house web applications were restored without losing any information.
  • The MailStore archive server holding over 4 million historical Exchange messages was brought up and made accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory functions were fully restored.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • Most of the user PCs were fully operational.

"A huge amount of what happened those first few days is nearly entirely a fog for me, but my team will not soon forget the countless hours each and every one of you put in to give us our company back. I have been working with Progent for the past ten years, maybe more, and each time I needed help Progent has come through and delivered as promised. This situation was a life saver."

Conclusion
A probable business-extinction disaster was averted by results-oriented experts, a wide array of IT skills, and tight collaboration. Although in hindsight the attack described here could have been blocked by modern security controls, ISO/IEC 27001 best practices, user training, and properly executed procedures for data backup and software patching, the reality remains that ransomware operators, criminal and state-sponsored alike, from China, Russia, North Korea and elsewhere, are relentless and will keep attacking. If you do fall victim to a ransomware attack, you can be confident that Progent's roster of experts has a proven track record in ransomware defense, mitigation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thank you for making it so I could get rested after we made it over the first week. Everyone did an amazing job, and if anyone is visiting the Chicago area, dinner is on me!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Portland a portfolio of remote monitoring and security assessment services to help minimize the threat from ransomware. These services use modern machine learning to detect new strains of crypto-ransomware that get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that uses next-generation, behavior-based machine learning to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which easily get past legacy signature-based anti-virus products. ProSight ASM protects local and cloud resources and provides a single platform to manage the complete malware attack progression including filtering, infiltration detection, mitigation, remediation, and forensics. Key features include single-click rollback using Windows VSS and real-time system-wide immunization against newly discovered attacks. Because most ransomware families try to delete shadow copies before they encrypt, VSS-based rollback depends on the attack being stopped before the snapshots are destroyed, which is why it is paired with behavioral detection rather than offered on its own. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services offer affordable, in-depth protection for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced heuristics to continuously monitor and respond to attacks from all vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint management, and web filtering through cutting-edge technologies incorporated within a single agent accessible from a single console. Progent's security and virtualization consultants can help your business design and configure a ProSight ESP environment that meets your organization's unique requirements and that helps you demonstrate compliance with legal and industry information security regulations. Progent will help you define and implement the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for immediate attention. Progent can also help your company install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized organizations an affordable end-to-end service for secure backup and disaster recovery. For a low monthly price, ProSight Data Protection Services automates and monitors your backup activities and allows rapid restoration of critical data, applications and virtual machines that have become lost or corrupted due to component failures, software bugs, natural disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to a local device, or to both. Progent's BDR specialists can deliver world-class expertise to set up ProSight Data Protection Services to comply with regulatory standards such as HIPAA, FIRPA, and PCI and, whenever necessary, can help you recover your critical data. Learn more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top information security companies to deliver web-based control and world-class security for your email traffic. The hybrid structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises security gateway device to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps most unwanted email from making it to your security perimeter. This decreases your exposure to external threats and conserves network bandwidth and storage. Email Guard's on-premises gateway device provides a deeper level of inspection for inbound email. For outgoing email, the on-premises gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Microsoft Exchange Server to monitor and protect internal email that originates and ends within your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map out, monitor, optimize and debug their networking appliances such as switches, firewalls, and access points plus servers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network maps are always current, copies and displays the configuration information of almost all devices connected to your network, tracks performance, and generates alerts when issues are discovered. By automating time-consuming management activities, WAN Watch can cut hours off ordinary chores such as making network diagrams, expanding your network, finding devices that require important updates, or resolving performance problems. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent’s server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system operating at peak levels by tracking the state of critical assets that power your information system. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your designated IT management staff and your assigned Progent engineering consultant so all looming problems can be addressed before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure fault tolerant data center on a high-performance virtual host configured and managed by Progent's IT support experts. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the applications. Since the environment is virtualized, it can be moved immediately to an alternate hardware solution without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and safeguard information related to your network infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or domains. By updating and managing your IT infrastructure documentation, you can save as much as 50% of time wasted searching for vital information about your network. ProSight IT Asset Management features a centralized location for storing and sharing all documents related to managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether you’re making improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.
For Portland 24/7 Ransomware Removal Support Services, call Progent at 800-993-9400 or go to Contact Progent.