Ransomware : Your Crippling Information Technology Nightmare
Ransomware Remediation Experts

Crypto-ransomware has become a modern cyber pandemic that presents an extinction-level threat for businesses of all sizes unprepared for an assault. Different versions of ransomware such as CrySIS, Fusob, Locky, SamSam and MongoLock cryptoworms have been around for years and continue to inflict havoc. More recent variants of ransomware like Ryuk and Hermes, along with frequent unnamed viruses, not only encrypt online files but also infiltrate any available system restores and backups. Files synced to the cloud can also be encrypted. With a vulnerable data protection solution, this can make automatic restoration impossible and effectively sets the datacenter back to zero.

Restoring applications and data after a crypto-ransomware outage becomes a race against the clock as the targeted organization struggles to contain the damage and eradicate the ransomware and to resume mission-critical operations. Since ransomware requires time to spread, assaults are often sprung during weekends and nights, when attacks in many cases take longer to uncover. This compounds the difficulty of quickly assembling and organizing a capable mitigation team.

Progent offers a range of solutions for protecting organizations from crypto-ransomware attacks. Among these are team education to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of modern security appliances with artificial intelligence technology to rapidly identify and extinguish zero-day threats. Progent also can provide the assistance of seasoned ransomware recovery consultants with the talent and perseverance to restore a breached network as soon as possible.

Progent's Ransomware Recovery Services
Following a ransomware penetration, paying the ransom in Bitcoin cryptocurrency does not ensure that distant criminals will provide the keys to decrypt any of your files. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims never recovered their files after having paid the ransom, resulting in further losses. The ransom itself is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET estimates to be in the range of $13,000. The alternative is to piece back together the key elements of your Information Technology environment. Without full system backups available, this calls for a wide complement of IT skills, professional team management, and the willingness to work continuously until the recovery project is done.

For two decades, Progent has provided professional IT services for companies in Reston and across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have been awarded advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience with financial management and ERP software solutions. This breadth of experience gives Progent the skills to efficiently identify critical systems, organize the remaining pieces of your IT environment following a ransomware penetration, and rebuild them into an operational network.

Progent's recovery team of experts utilizes powerful project management systems to orchestrate the sophisticated recovery process. Progent appreciates the importance of working quickly and in concert with a client's management and Information Technology team members to assign priority to tasks and to put critical systems back online as fast as humanly possible.

Case Study: A Successful Ransomware Intrusion Recovery
A small business sought out Progent after their organization was brought down by Ryuk ransomware. Ryuk is believed to have been created by North Korean government-sponsored hackers, suspected of adopting techniques leaked from the United States NSA. Ryuk attacks specific companies with little or no ability to sustain operational disruption and is one of the most lucrative versions of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in the Chicago metro area with about 500 workers. The Ryuk penetration had disabled all essential operations and manufacturing capabilities. Most of the client's data backups had been directly accessible from the network at the start of the intrusion and were damaged. The client was pursuing financing to pay the ransom (in excess of $200K) and hoping for good luck, but ultimately engaged Progent.


"I cannot speak enough in regards to the help Progent provided us throughout the most stressful time of (our) company's life. We had little choice but to pay the cyber criminals behind the attack except for the confidence the Progent group provided us. The fact that you were able to get our messaging and key servers back in less than seven days was something I thought impossible. Every single consultant I got help from or e-mailed at Progent was amazingly focused on getting our system up and was working breakneck pace to bail us out."

Progent worked with the client to quickly identify and prioritize the critical areas that needed to be addressed in order to restart business functions:

  • Windows Active Directory
  • Microsoft Exchange Email
  • Accounting and Manufacturing Software

To start, Progent followed industry best practices for incident response by halting lateral movement and cleaning systems of malware. Progent then initiated the task of restoring Windows Active Directory, the foundation of enterprise environments built on Microsoft Windows technology. Microsoft Exchange Server messaging will not operate without Windows AD, and the business's accounting and MRP software used Microsoft SQL Server, which depends on Active Directory services to authenticate access to the data.

Within two days, Progent was able to recover Windows Active Directory to its pre-intrusion state. Progent then completed setup and hard drive recovery on the most important servers. All Microsoft Exchange Server schema and configuration information was intact, which facilitated the rebuild of Exchange. Progent was able to find intact OST files (Outlook Offline Folder Files) on staff desktop computers and used them to recover mail data. A reasonably recent offline backup of the client's accounting/MRP systems made it possible to restore these essential services to users. Although major work remained to recover fully from the Ryuk event, essential systems were recovered rapidly:


"For the most part, the assembly line operation showed little impact and we made all customer deliverables."

Throughout the following month, critical milestones in the recovery process were reached through tight cooperation between Progent consultants and the client:

  • In-house web applications were returned to operation with no loss of data.
  • The MailStore Server containing more than four million archived messages was spun up and accessible to users.
  • CRM/Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory capabilities were 100 percent functional.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Nearly all of the user desktops and notebooks were back into operation.

"So much of what transpired in the early hours is mostly a blur for me, but our team will not forget the countless hours each and every one of the team put in to help get our company back. I have trusted Progent for at least 10 years, maybe more, and every time Progent has outperformed my expectations and delivered. This event was no exception but maybe more Herculean."

Conclusion
A likely business-ending catastrophe was avoided through the efforts of top-tier experts, a wide spectrum of subject matter expertise, and tight collaboration. Once forensics were complete, it was clear that the ransomware penetration described here could have been blocked by up-to-date cyber security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team education, and appropriate procedures for data backup and for keeping systems current with security patches. Nevertheless, the fact remains that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware penetration, feel confident that Progent's team of professionals has a proven track record in ransomware blocking, remediation, and data recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), I'm grateful for making it so I could get some sleep after we got over the most critical parts. All of you did an amazing effort, and if anyone is visiting the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Reston a portfolio of remote monitoring and security evaluation services to assist you to reduce your vulnerability to ransomware. These services incorporate modern artificial intelligence technology to uncover zero-day variants of ransomware that are able to evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates next generation behavior-based machine learning technology to defend physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which routinely get by traditional signature-based AV products. ProSight ASM safeguards on-premises and cloud resources and offers a single platform to automate the complete malware attack progression including protection, detection, mitigation, remediation, and forensics. Key features include one-click rollback using Windows VSS and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection services offer affordable in-depth protection for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and responding to cyber threats from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge tools incorporated within a single agent accessible from a unified console. Progent's data protection and virtualization consultants can help you to design and implement a ProSight ESP environment that addresses your company's unique needs and that allows you to demonstrate compliance with government and industry information protection regulations. Progent will assist you in defining and implementing the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for immediate action. Progent can also help you to install and verify a backup and restore system such as ProSight Data Protection Services so you can recover rapidly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and mid-sized organizations an affordable end-to-end service for reliable backup and disaster recovery. For a fixed monthly rate, ProSight DPS automates and monitors your backup processes and allows rapid recovery of vital files, applications and VMs that have become lost or damaged due to hardware failures, software bugs, natural disasters, human error, or malware attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to a local device, or mirrored to both. Progent's backup and recovery specialists can deliver advanced expertise to set up ProSight DPS to comply with regulatory requirements such as HIPAA, FERPA, PCI and Safe Harbor and, whenever needed, can help you to restore your business-critical data. Find out more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top information security companies to deliver centralized management and comprehensive security for your inbound and outbound email. The hybrid architecture of Email Guard integrates cloud-based filtering with an on-premises gateway appliance to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne malware. The cloud filter serves as a first line of defense and keeps most threats from reaching your network firewall. This decreases your vulnerability to inbound attacks and saves system bandwidth and storage. Email Guard's on-premises gateway appliance provides a further level of analysis for inbound email. For outbound email, the on-premises security gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Exchange Server to track and protect internal email that stays within your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to map out, track, optimize and troubleshoot their networking appliances like switches, firewalls, and wireless controllers as well as servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network diagrams are kept current, captures and displays the configuration information of almost all devices on your network, tracks performance, and sends notices when issues are detected. By automating complex management processes, WAN Watch can knock hours off ordinary tasks like making network diagrams, reconfiguring your network, finding devices that require important updates, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management technology to keep your IT system running at peak levels by tracking the health of critical computers that power your information system. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your specified IT management personnel and your assigned Progent consultant so that all looming issues can be resolved before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure, fault-tolerant data center on a fast virtual host configured and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the client owns the data, the OS software, and the apps. Because the environment is virtualized, it can be moved easily to an alternate hardware environment without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and safeguard information about your network infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can save up to 50% of the time spent trying to find critical information about your network. ProSight IT Asset Management features a centralized repository for holding and collaborating on all documents required for managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether you're making improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you require when you need it. Read more about ProSight IT Asset Management service.

For Reston 24-7 Crypto Recovery Support Services, reach out to Progent at 800-993-9400 or go to Contact Progent.