Ransomware: Your Worst Information Technology Catastrophe
Crypto-Ransomware Recovery Professionals
Crypto-ransomware has become a modern cyberplague that presents an extinction-level threat for businesses vulnerable to an attack. Older families such as CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock have been around for years and still cause harm. More recent families like Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti or Nefilim, along with as yet unnamed newcomers, not only encrypt online data but also seek out and encrypt or delete any reachable backup. Data synchronized to cloud environments can be corrupted as well, since the sync client faithfully uploads the encrypted copies. In a poorly architected data protection solution this can render restore operations useless and effectively set the datacenter back to zero.

Recovering applications and data after a ransomware attack becomes a sprint against time as the victim struggles to contain the damage, clean up the ransomware and resume business-critical activity. Because crypto-ransomware needs time to spread laterally before it detonates, attackers often trigger encryption on nights and weekends, when the intrusion is likely to go longer before it is discovered. This compounds the difficulty of rapidly mobilizing and coordinating a qualified response team.

Progent offers an assortment of services for protecting organizations from ransomware attacks. Among these are team training to help staff recognize and not fall victim to phishing, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of modern security solutions with AI technology to detect and stop zero-day threats. Progent can also provide the assistance of seasoned ransomware recovery professionals with the skills and commitment to restore a compromised system as rapidly as possible.

Progent's Ransomware Recovery Help
After a ransomware attack, even paying the ransom in Bitcoin gives no assurance that the distant criminals will hand over the keys needed to decrypt all your data. Kaspersky Labs found that 17% of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The ransom itself is also very costly. Ryuk demands often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical crypto-ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the mission-critical components of your IT environment. Without complete data backups, this requires a wide range of skills, professional project management, and the willingness to work non-stop until the recovery is over.

For two decades, Progent has provided professional Information Technology services for companies in Milwaukee and throughout the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who hold advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers hold internationally recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience with financial management and ERP software. This breadth of expertise gives Progent the skills to rapidly identify important systems, consolidate the surviving pieces of your network environment following a crypto-ransomware intrusion, and configure them into a functioning system.

Progent's ransomware team of experts deploys powerful project management systems to coordinate the complex restoration process. Progent understands the importance of acting rapidly and together with a client's management and IT team members to prioritize tasks and to put essential applications back online as soon as possible.

Business Case Study: A Successful Ransomware Intrusion Restoration
A customer engaged Progent after their company was taken over by the Ryuk ransomware. Ryuk is derived from the Hermes ransomware, which led early reports to attribute it to North Korean state-linked groups; later analysis attributes its operations to a Russian-speaking criminal group. Ryuk targets specific organizations with little tolerance for downtime and has been one of the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company in the Chicago metro area with around 500 employees. The Ryuk event had frozen all essential business and manufacturing operations. Most of the client's data backups had been online at the start of the intrusion and were destroyed. The client was considering paying the ransom demand (more than $200,000) and hoping for the best, but in the end reached out to Progent.


"I can't speak enough in regards to the support Progent provided us during the most stressful period of (our) company's survival. We would have had little choice but to pay the hackers if it wasn't for the confidence the Progent team provided us. That you could get our messaging and critical applications back in less than five days was amazing. Each expert I worked with or texted at Progent was urgently focused on getting our company operational and was working day and night to bail us out."

Progent worked together with the customer to rapidly determine and assign priority to the critical areas that had to be addressed in order to resume business operations:

  • Windows Active Directory
  • Microsoft Exchange Server
  • MRP System
To begin, Progent followed industry best practices for ransomware incident response by isolating the affected systems and removing the malware before rebuilding anything. Progent then started the task of bringing Active Directory back online, since it is the core of enterprise environments built on Microsoft Windows technology. Microsoft Exchange will not function without Active Directory, and the customer's MRP applications used Microsoft SQL Server, which relied on Windows Active Directory authentication for access to the databases.

Within 48 hours, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then began rebuilding the required servers and recovering data from their drives. The Exchange Server schema extensions and attributes in Active Directory were intact, which accelerated the restore of Exchange. Progent was also able to locate local OST files (Outlook Offline Data Files) on staff desktops and laptops and use them to recover email data. A reasonably recent offline backup of the client's accounting/ERP software allowed these essential applications to be brought back online for users. Although major work remained to recover fully from the Ryuk event, essential services were restored quickly:
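As an added example, not part of Progent's engagement or the original case study, the following Windows PowerShell script checks the same dependency chain in the order it was restored above: Active Directory first, then the member server's trust and replication, then the Exchange services, and finally a Windows-authenticated login to the SQL Server behind the MRP system. The domain, server and database names are assumptions; the script expects to run on a domain-joined server with the RSAT ActiveDirectory module installed.

```powershell
# Added example, not code from Progent's engagement. Post-restore checks in the
# order the case study brought services back: AD, then Exchange, then the
# SQL-backed MRP system. Names below are assumptions; substitute your own.
#Requires -Modules ActiveDirectory
$Domain         = 'corp.example'   # assumption: restored AD domain
$ExchangeServer = 'EX01'           # assumption: rebuilt mailbox server
$SqlServer      = 'MRPSQL01'       # assumption: SQL Server behind the MRP system
$Database       = 'MRP'            # assumption: MRP database name

$results = [ordered]@{}

# 1. Active Directory answers and clients can locate a DC through the
#    _msdcs SRV records. Without these, nothing downstream authenticates.
try {
    $dcs = @(Get-ADDomainController -Filter * -Server $Domain)
    $srv = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop)
    $results['AD-Locator'] = ($dcs.Count -ge 1) -and ($srv.Count -ge 1)
} catch {
    $results['AD-Locator'] = $false
    Write-Warning "AD locator check failed: $_"
}

# 2. Replication between the rebuilt DCs has converged (no outstanding failures).
try {
    $failures = @(Get-ADReplicationFailure -Scope Domain -Target $Domain)
    $results['AD-Replication'] = ($failures.Count -eq 0)
} catch {
    $results['AD-Replication'] = $false
    Write-Warning "Replication check failed: $_"
}

# 3. This server's secure channel to the domain. Member servers whose machine
#    password no longer matches the restored AD must be re-joined before
#    Exchange or SQL will accept Windows logins from them.
$results['SecureChannel'] = [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue)

# 4. Exchange depends on AD: the Information Store and transport services must
#    be running on the rebuilt mailbox server (remote Get-Service needs
#    Windows PowerShell 5.1; on PowerShell 7 wrap the call in Invoke-Command).
$exSvc = @(Get-Service -ComputerName $ExchangeServer -Name MSExchangeIS, MSExchangeTransport -ErrorAction SilentlyContinue)
$results['Exchange'] = ($exSvc.Count -eq 2) -and (@($exSvc | Where-Object Status -ne 'Running').Count -eq 0)

# 5. The MRP database relied on Windows authentication, so an Integrated
#    Security login that can read the database status proves both SQL Server
#    and the AD trust it depends on are back.
try {
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$SqlServer;Database=$Database;Integrated Security=True;Connect Timeout=10"
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT SUSER_SNAME(), CAST(DATABASEPROPERTYEX(DB_NAME(), 'Status') AS nvarchar(60))"
    $reader = $cmd.ExecuteReader()
    [void]$reader.Read()
    $results['MRP-SQL'] = ($reader.GetString(1) -eq 'ONLINE')
    Write-Verbose ("SQL login succeeded as {0}" -f $reader.GetString(0))
    $reader.Close(); $conn.Close()
} catch {
    $results['MRP-SQL'] = $false
    Write-Warning "SQL check failed: $_"
}

# Summary in dependency order; fix the first FAIL before chasing later ones.
$results.GetEnumerator() | ForEach-Object {
    '{0,-16} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

Run it under an account that can read the domain and has a Windows login on the SQL instance. Because each check depends on the one before it, a FAIL in the AD rows explains any FAIL below them, which is the same reason the recovery itself had to start with Active Directory.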


"For the most part, the production manufacturing operation showed little impact and we produced all customer sales."

Throughout the following month key milestones in the recovery process were accomplished in close collaboration between Progent consultants and the client:

  • Self-hosted web applications were brought back up without losing any data.
  • The MailStore email archive server for Exchange, holding more than four million archived messages, was restored to operation and made accessible to users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory Control modules were 100 percent restored.
  • A new Palo Alto Networks PA-850 security appliance was brought online.
  • Most of the user desktops and notebooks were functioning as before the incident.

"A lot of what transpired during the initial response is mostly a fog for me, but we will not forget the dedication each and every one of the team put in to give us our business back. I have trusted Progent for the past 10 years, possibly more, and each time Progent has shined and delivered as promised. This situation was a Herculean accomplishment."

Conclusion
A likely business-ending catastrophe was averted thanks to top-tier professionals, a broad range of expertise, and close collaboration. Post-incident forensics showed that the attack described here could have been stopped by modern security tooling and established best practices: staff training, well-defined incident response procedures for protecting information, and disciplined patch management. Even so, state-sponsored and criminal attackers from Russia, North Korea and elsewhere are relentless and remain an ongoing threat. If you do fall victim to a ransomware attack, you can be confident that Progent's team of experts has a proven track record in crypto-ransomware blocking, remediation, and file restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thank you for making it so I could get some sleep after we got through the initial push. All of you put in a fabulous effort, and if anyone that helped is in the Chicago area, a great meal is my treat!"

To review or download a PDF version of this case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Milwaukee a range of online monitoring and security evaluation services designed to help you reduce the threat from ransomware. These services use next-generation machine learning technology to detect zero-day strains of ransomware that are able to get past legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that uses next-generation behavior analysis to defend physical and virtual endpoint devices against new malware attacks such as ransomware and fileless exploits, which routinely evade traditional signature-based anti-virus products. ProSight ASM protects on-premises and cloud resources and offers a single platform that covers the full attack lifecycle: protection, intrusion detection, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback using the Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services offer economical in-depth protection for physical and virtual servers, workstations, mobile devices, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and response to cyber attacks from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device control, and web filtering through tools incorporated within one agent managed from a unified console. Progent's security and virtualization experts can help you design and configure a ProSight ESP environment that addresses your company's unique requirements and helps you achieve and demonstrate compliance with legal and industry data protection standards. Progent will help you define and implement the policies that ProSight ESP enforces, and Progent will monitor your IT environment and react to alarms that require immediate action. Progent can also help you set up and verify a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations an affordable end-to-end solution for reliable backup/disaster recovery. Available at a fixed monthly rate, ProSight Data Protection Services automates your backup processes and allows fast restoration of vital files, applications and virtual machines that have become lost or damaged as a result of hardware failures, software bugs, disasters, human mistakes, or malware attacks like ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, apps, system images, as well as Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to a local storage device, or to both. Progent's BDR specialists can provide world-class expertise to configure ProSight DPS to be compliant with government and industry regulatory requirements like HIPAA, FINRA, and PCI and, when necessary, can assist you to recover your critical data. Learn more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of top data security companies to deliver centralized management and world-class protection for all your inbound and outbound email. The hybrid structure of Email Guard combines a Cloud Protection Layer with an on-premises gateway device to offer advanced defense against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's cloud filter serves as the first line of defense and keeps the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to inbound threats and saves bandwidth and storage. Email Guard's on-premises security gateway appliance provides a deeper layer of analysis for incoming email. For outbound email, the on-premises gateway offers AV and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also help Exchange Server monitor and safeguard internal email traffic that originates and ends inside your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized businesses to diagram, track, reconfigure and debug their networking appliances like switches, firewalls, and load balancers plus servers, printers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept current, captures and displays the configuration information of almost all devices on your network, tracks performance, and sends notices when potential issues are discovered. By automating complex management activities, ProSight WAN Watch can knock hours off ordinary tasks like making network diagrams, expanding your network, locating devices that require critical updates, or isolating performance problems. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your network running efficiently by tracking the health of critical assets that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your specified IT management personnel and your assigned Progent consultant so any potential issues can be resolved before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a protected, fault-tolerant data center on a fast virtual host configured and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the apps. Because the system is virtualized, it can be ported easily to an alternate hardware environment without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and protect information related to your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or warranties. By updating and organizing your IT documentation, you can eliminate up to 50% of time wasted searching for critical information about your IT network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents required for managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're making enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you need when you need it. Read more about Progent's ProSight IT Asset Management service.
For 24x7 Milwaukee Ransomware Recovery Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.