Ransomware : Your Worst Information Technology Disaster
Ransomware has become a modern cyber pandemic that represents an extinction-level threat for businesses of all sizes that are poorly prepared for an assault. Multiple generations of ransomware such as the CryptoLocker, Fusob, Locky, SamSam and MongoLock cryptoworms have been replicating for many years and still cause harm. Modern crypto-ransomware variants like Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit or Nephilim, as well as daily unnamed malware, not only encrypt on-line critical data but also infect many accessible system protection mechanisms. Information synced to cloud environments can also be ransomed. With a vulnerable data protection solution, this can render any restoration hopeless and effectively knock the datacenter back to square one.
Getting programs and data back online after a ransomware intrusion becomes a sprint against the clock as the targeted business struggles to contain the damage, remove the crypto-ransomware and resume enterprise-critical operations. Since ransomware needs time to move laterally, attacks are frequently launched during weekends and nights, when penetrations may take longer to uncover. This compounds the difficulty of quickly mobilizing and coordinating a capable response team.
Progent provides a range of support services for protecting organizations from ransomware events. Among these are user education to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of next-generation security solutions with AI technology to rapidly detect and quarantine zero-day cyber attacks. Progent can also provide the services of seasoned ransomware recovery engineers with the talent and commitment to reconstruct a compromised environment as urgently as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware event, sending the ransom in cryptocurrency provides no assurance that merciless criminals will hand over the codes needed to decrypt any or all of your information. Kaspersky determined that 17% of ransomware victims never recovered their files after having sent off the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the usual crypto-ransomware demand, which ZDNET averages to be around $13,000. The fallback is to set up the vital parts of your Information Technology environment from scratch. Absent full system backups, this calls for a broad complement of skills, top-notch project management, and the ability to work 24x7 until the recovery project is done.
For twenty years, Progent has provided professional IT services for companies in Savannah and throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have been awarded high-level industry certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have garnered internationally-recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience in financial management and ERP applications. This breadth of expertise affords Progent the capability to efficiently determine necessary systems and integrate the remaining parts of your network environment after a crypto-ransomware penetration and configure them into a functioning system.
Progent's ransomware team of experts deploys state-of-the-art project management tools to coordinate the sophisticated restoration process. Progent appreciates the urgency of acting rapidly and in unison with a client's management and Information Technology team members to assign priority to tasks and to get key services back on-line as soon as humanly possible.
Business Case Study: A Successful Ransomware Virus Response
A client hired Progent after their network was crashed by the Ryuk crypto-ransomware. Ryuk is generally considered to have been developed by North Korean state-sponsored cybercriminals, suspected of using technology leaked from the United States National Security Agency. Ryuk attacks specific companies with limited ability to sustain operational disruption and is one of the most lucrative instances of ransomware malware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company located in the Chicago metro area with around 500 employees. The Ryuk intrusion had brought down all business operations and manufacturing processes. Most of the client's backups had been on-line at the beginning of the attack and were destroyed. The client was pursuing financing to pay the ransom (in excess of $200,000) and hoping for the best, but ultimately brought in Progent.
"I can't tell you enough about the support Progent gave us during the most critical period of (our) business's life. We would have paid the cyber criminals if not for the confidence the Progent experts afforded us. The fact that you could get our e-mail and key applications back on-line quicker than 1 week was amazing. Every single expert I spoke to or e-mailed at Progent was totally committed to getting us operational and was working all day and night to bail us out."
Progent worked with the client to rapidly get their arms around and assign priority to the mission-critical elements that had to be restored in order to continue departmental operations:
- Windows Active Directory
- Microsoft Exchange Server
- Accounting and Manufacturing Software
To get going, Progent followed industry best practices for ransomware penetration mitigation by stopping the spread and cleaning up infected systems. Progent then initiated the task of recovering Active Directory, the core of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange Server email will not operate without Active Directory, and the customer's financials and MRP system used Microsoft SQL Server, which depends on Active Directory for security authorization to the database.
In less than 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then charged ahead with reinstallations and hard drive recovery of essential systems. All Exchange schema and configuration information was intact, which facilitated the restore of Exchange. Progent was able to collect local OST files (Outlook Offline Folder Files) from staff PCs in order to recover email data. A recent offline backup of the business's accounting/MRP systems made it possible to get these required programs back in service. Although a lot of work remained to recover completely from the Ryuk damage, core systems were restored quickly:
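The recovery sequence above illustrates two planning questions that decide how fast a rebuild can go: what depends on what (Exchange and SQL Server needed Active Directory back first), and which systems still have a usable backup (the on-line backups were destroyed; the accounting/MRP system had an offline copy; email came back from OST files on PCs). The following Python script is an added example written for this page, not Progent's own tooling or anything the client used. It builds a dependency-ordered restoration plan with a topological sort over a constructed inventory whose asset names, dependencies and backup states are assumptions chosen to mirror the case study, and it refuses to produce a plan if the inventory contains a dependency cycle.

```python
"""Dependency-ordered ransomware recovery plan.

Added illustration for this page; not Progent's tooling. The inventory below is
constructed to mirror the case study: Exchange and SQL Server depend on Active
Directory, and the accounting/MRP system depends on SQL Server.
"""
from collections import defaultdict, deque

# Constructed inventory: asset -> (assets it depends on, backup state).
# Backup state is one of:
#   "offline" - an air-gapped or otherwise unreachable copy survived
#   "online"  - backups were reachable from the domain during the attack and
#               are presumed encrypted or destroyed
#   "none"    - no backup existed
INVENTORY = {
    "Active Directory": (set(), "offline"),
    "Exchange Server": ({"Active Directory"}, "online"),
    "SQL Server": ({"Active Directory"}, "online"),
    "Accounting/MRP": ({"SQL Server"}, "offline"),
    "Web Applications": ({"Active Directory", "SQL Server"}, "offline"),
    "User PCs": ({"Active Directory"}, "none"),
}


def recovery_order(inventory):
    """Kahn's algorithm: return assets ordered so that every dependency is
    restored before the asset that needs it. Raises ValueError on a cycle or an
    unknown dependency, which means the inventory must be corrected before a
    runbook is built on it."""
    indegree = {asset: len(deps) for asset, (deps, _) in inventory.items()}
    dependents = defaultdict(list)
    for asset, (deps, _) in inventory.items():
        for dep in deps:
            if dep not in inventory:
                raise ValueError(f"{asset} depends on unknown asset {dep!r}")
            dependents[dep].append(asset)
    ready = deque(sorted(a for a, d in indegree.items() if d == 0))
    order = []
    while ready:
        asset = ready.popleft()
        order.append(asset)
        for nxt in sorted(dependents[asset]):
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(inventory):
        raise ValueError("dependency cycle in inventory")
    return order


def unrecoverable_from_backup(inventory):
    """Assets whose backups were online (presumed lost) or that had none; these
    need a rebuild or an alternate source, like the OST files in the case study."""
    return sorted(a for a, (_, state) in inventory.items() if state != "offline")


def recovery_plan(inventory):
    """Combine ordering and backup state into (step, asset, action) tuples."""
    rebuild = set(unrecoverable_from_backup(inventory))
    plan = []
    for step, asset in enumerate(recovery_order(inventory), start=1):
        action = "rebuild or alternate source" if asset in rebuild else "restore from offline backup"
        plan.append((step, asset, action))
    return plan


if __name__ == "__main__":
    for step, asset, action in recovery_plan(INVENTORY):
        print(f"{step}. {asset}: {action}")
```

The same inventory, maintained before an incident rather than reconstructed during one, also answers the question the client faced on day one: which systems have no offline copy and will have to be rebuilt or recovered from secondary sources.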
"For the most part, the production manufacturing operation did not miss a beat and we did not miss any customer deliverables."
Over the next couple of weeks important milestones in the restoration process were accomplished through close cooperation between Progent team members and the customer:
- Self-hosted web applications were returned to operation with no loss of data.
- The MailStore server for Microsoft Exchange, holding more than 4 million historical messages, was restored to operation and made available to users.
- CRM/Customer Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory Control capabilities were 100 percent functional.
- A new Palo Alto 850 security appliance was brought on-line.
- 90% of the user PCs were operational.
"A lot of what occurred in the early hours is mostly a haze for me, but my team will not forget the urgency each of your team accomplished to help get our company back. I've trusted Progent for the past 10 years, maybe more, and each time Progent has outperformed my expectations and delivered as promised. This situation was a life saver."
A possible business catastrophe was averted with hard-working experts, a broad range of subject matter expertise, and close collaboration. Although in retrospect the ransomware attack detailed here would have been stopped by modern security solutions and best practices, staff education, and well thought out incident response procedures for information protection and software patching, the fact remains that government-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and will continue. If you do get hit by a ransomware penetration, remember that Progent's team of experts has proven experience in ransomware virus defense, mitigation, and file recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), I'm grateful for allowing me to get rested after we made it over the first week. Everyone did an incredible job, and if any of your team is in the Chicago area, dinner is on me!"
To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers companies in Savannah a variety of remote monitoring and security evaluation services to help you to minimize the threat from ransomware. These services utilize next-generation AI capability to uncover zero-day variants of ransomware that can evade legacy signature-based anti-virus solutions.
For 24/7/365 ransomware recovery consultants in Savannah, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates next generation behavior-based analysis technology to defend physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which routinely get by legacy signature-based AV tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a unified platform to address the complete threat lifecycle including protection, detection, mitigation, remediation, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
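The VSS rollback described above depends on the shadow copies still existing when the rollback is attempted, and the opening of this page already notes that modern ransomware attacks the system protection mechanisms it can reach; deleting shadow copies before encryption is one such step (MITRE ATT&CK T1490, Inhibit System Recovery). A practitioner therefore wants detection of shadow-copy tampering in process-creation telemetry, independent of any vendor console. The Python script below is an added example written for this page, not part of ProSight ASM or any Progent product. The log line format (`timestamp|host|user|command line`) and the sample events are constructed; the patterns are the commonly published ones for this technique, and the parser would be adapted to the reader's own log source.

```python
"""Detect shadow-copy deletion in process-creation logs.

Added illustration for this page; not ProSight ASM code. The pipe-delimited
event format and the sample telemetry below are constructed for the example.
"""
import re

# Command-line patterns associated with destruction of Volume Shadow Copies
# and related recovery mechanisms (MITRE ATT&CK T1490). Case-insensitive.
SHADOW_COPY_TAMPERING = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    re.compile(r"win32_shadowcopy\b.*\bdelete\b", re.I),  # WMI/PowerShell variant
]


def parse_event(line):
    """Split one constructed 'ts|host|user|cmd' line; None if malformed."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None
    ts, host, user, cmd = (p.strip() for p in parts)
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}


def is_shadow_copy_tampering(cmd):
    """True if a command line matches any tampering pattern."""
    return any(p.search(cmd) for p in SHADOW_COPY_TAMPERING)


def detect(lines):
    """Return the parsed events whose command line indicates tampering.
    Malformed lines are skipped rather than crashing the detector."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev and is_shadow_copy_tampering(ev["cmd"]):
            alerts.append(ev)
    return alerts


# Constructed sample telemetry: one benign listing, three tampering events,
# one benign WMI query and one malformed line.
SAMPLE_LOG = """\
2024-03-02T01:12:07Z|FILESRV01|CORP\\svc_backup|"C:\\Windows\\System32\\vssadmin.exe" list shadows
2024-03-02T01:13:44Z|FILESRV01|CORP\\jdoe|vssadmin.exe Delete Shadows /All /Quiet
2024-03-02T01:13:45Z|FILESRV01|CORP\\jdoe|wmic shadowcopy delete
2024-03-02T01:13:46Z|FILESRV01|CORP\\jdoe|bcdedit /set {default} recoveryenabled No
2024-03-02T01:20:00Z|WKS-117|CORP\\asmith|powershell.exe Get-CimInstance Win32_ShadowCopy
this line has no field separators and is dropped by the parser
"""

if __name__ == "__main__":
    for ev in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {ev['ts']} {ev['host']} {ev['user']}: {ev['cmd']}")
```

Because these commands also appear in legitimate administration, the alert is best treated as high-priority for triage rather than an automatic block, and a burst of matches from one host within seconds, as in the sample, is the pattern worth paging on.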
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer security for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and reaction to security threats from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge tools packaged within one agent accessible from a unified console. Progent's data protection and virtualization consultants can help your business plan and configure a ProSight ESP environment that addresses your company's specific requirements and that allows you to demonstrate compliance with government and industry information protection regulations. Progent will help you define and implement the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require urgent action. Progent's consultants can also help your company install and test a backup and disaster recovery solution like ProSight Data Protection Services so you can recover rapidly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services provide small and medium-sized businesses a low-cost and fully managed solution for reliable backup/disaster recovery (BDR). Available at a low monthly rate, ProSight Data Protection Services automates and monitors your backup processes and allows rapid restoration of critical files, applications and VMs that have become unavailable or corrupted as a result of component failures, software bugs, natural disasters, human error, or malware attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware images. Important data can be protected in the cloud, on a local device, or both. Progent's backup and recovery specialists can provide world-class support to configure ProSight Data Protection Services to comply with government and industry regulatory standards like HIPAA, FINRA, and PCI and, whenever needed, can assist you to restore your critical information. Learn more about ProSight DPS Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading information security vendors to provide centralized control and world-class security for your inbound and outbound email. The powerful structure of Email Guard integrates a Cloud Protection Layer with a local gateway appliance to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based malware. The cloud filter acts as a preliminary barricade and blocks most threats from reaching your network firewall. This reduces your vulnerability to external threats and saves network bandwidth and storage space. Email Guard's onsite gateway device adds a further layer of analysis for incoming email. For outgoing email, the onsite security gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to track and safeguard internal email that originates and ends within your security perimeter. For more information, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map, monitor, optimize and troubleshoot their connectivity hardware like routers and switches, firewalls, and wireless controllers as well as servers, printers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are kept current, copies and manages the configuration of virtually all devices connected to your network, tracks performance, and sends alerts when issues are detected. By automating time-consuming management and troubleshooting processes, WAN Watch can knock hours off ordinary tasks like network mapping, expanding your network, locating appliances that require important software patches, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management technology to help keep your IT system operating efficiently by checking the health of critical computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your designated IT management staff and your assigned Progent engineering consultant so any looming issues can be resolved before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure, fault-tolerant data center on a fast virtual machine host configured and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be ported immediately to an alternate hardware environment without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and protect data related to your IT infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates or domains. By cleaning up and managing your IT documentation, you can eliminate as much as half of the time wasted looking for vital information about your network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're making enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you require when you need it. Learn more about Progent's ProSight IT Asset Management service.