Ransomware : Your Crippling IT Catastrophe
Ransomware  Recovery ProfessionalsCrypto-Ransomware has become an escalating cyberplague that presents an extinction-level danger for businesses poorly prepared for an attack. Different iterations of crypto-ransomware such as Reveton, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for many years and continue to cause harm. The latest variants of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, plus frequent unnamed malware, not only do encryption of online data but also infect many available system backup. Data synched to cloud environments can also be corrupted. In a vulnerable data protection solution, it can render automatic restore operations hopeless and effectively sets the network back to zero.

Getting back programs and information after a ransomware intrusion becomes a sprint against time as the targeted organization tries its best to stop the spread and eradicate the ransomware and to restore business-critical activity. Due to the fact that ransomware requires time to replicate, attacks are often sprung on weekends and holidays, when successful penetrations tend to take longer to discover. This multiplies the difficulty of rapidly assembling and orchestrating a qualified response team.

Progent has a range of services for protecting businesses from ransomware penetrations. Among these are team training to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of next-generation security appliances with artificial intelligence capabilities to rapidly discover and suppress new cyber attacks. Progent also can provide the services of experienced crypto-ransomware recovery consultants with the skills and perseverance to rebuild a breached environment as rapidly as possible.

Progent's Crypto-Ransomware Restoration Services
Subsequent to a crypto-ransomware penetration, sending the ransom demands in cryptocurrency does not provide any assurance that distant criminals will return the needed keys to decipher any or all of your data. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their data even after having paid the ransom, resulting in more losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the typical crypto-ransomware demands, which ZDNET averages to be around $13,000. The other path is to piece back together the key components of your IT environment. Absent access to complete data backups, this calls for a broad range of skill sets, well-coordinated team management, and the capability to work non-stop until the recovery project is finished.

For two decades, Progent has offered professional Information Technology services for businesses in Winston-Salem and across the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained advanced certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have earned internationally-recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications). Progent in addition has expertise with accounting and ERP applications. This breadth of expertise provides Progent the skills to efficiently ascertain necessary systems and organize the remaining parts of your computer network environment after a crypto-ransomware attack and rebuild them into an operational system.

Progent's recovery team utilizes top notch project management systems to coordinate the sophisticated restoration process. Progent knows the importance of working swiftly and in unison with a customerís management and IT resources to prioritize tasks and to put the most important systems back on-line as soon as possible.

Business Case Study: A Successful Crypto-Ransomware Incident Response
A customer engaged Progent after their network system was taken over by the Ryuk crypto-ransomware. Ryuk is believed to have been launched by North Korean government sponsored cybercriminals, possibly using algorithms leaked from the U.S. NSA organization. Ryuk attacks specific businesses with little or no room for disruption and is one of the most profitable incarnations of crypto-ransomware. Well Known victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in the Chicago metro area and has about 500 staff members. The Ryuk attack had frozen all business operations and manufacturing capabilities. The majority of the client's system backups had been online at the time of the intrusion and were encrypted. The client was taking steps for paying the ransom (exceeding two hundred thousand dollars) and wishfully thinking for good luck, but ultimately engaged Progent.


"I cannot say enough about the care Progent gave us throughout the most stressful time of (our) companyís existence. We would have paid the cyber criminals behind the attack if not for the confidence the Progent team provided us. The fact that you were able to get our e-mail and production servers back online in less than 1 week was something I thought impossible. Each expert I interacted with or communicated with at Progent was laser focused on getting our system up and was working day and night on our behalf."

Progent worked with the customer to quickly identify and assign priority to the key systems that needed to be recovered in order to continue departmental functions:

  • Active Directory (AD)
  • Electronic Mail
  • MRP System
To begin, Progent adhered to AV/Malware Processes event mitigation industry best practices by isolating and clearing infected systems. Progent then began the task of rebuilding Microsoft Active Directory, the key technology of enterprise networks built on Microsoft Windows technology. Exchange messaging will not function without Active Directory, and the businessesí accounting and MRP system used SQL Server, which needs Active Directory services for access to the information.

In less than 2 days, Progent was able to re-build Active Directory to its pre-virus state. Progent then performed setup and hard drive recovery of essential systems. All Exchange ties and attributes were intact, which greatly helped the restore of Exchange. Progent was able to locate intact OST files (Outlook Email Off-Line Folder Files) on team PCs and laptops in order to recover mail information. A recent offline backup of the client's accounting/ERP software made them able to return these vital programs back servicing users. Although a large amount of work needed to be completed to recover completely from the Ryuk virus, core services were returned to operations quickly:


"For the most part, the manufacturing operation showed little impact and we produced all customer shipments."

Over the next couple of weeks important milestones in the restoration process were completed through tight cooperation between Progent engineers and the client:

  • Self-hosted web sites were brought back up with no loss of information.
  • The MailStore Microsoft Exchange Server containing more than four million archived messages was restored to operations and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables/Inventory modules were 100 percent recovered.
  • A new Palo Alto 850 security appliance was set up.
  • 90% of the user PCs were functioning as before the incident.

"A lot of what went on those first few days is mostly a fog for me, but my management will not soon forget the countless hours each and every one of you accomplished to help get our company back. Iíve entrusted Progent for the past ten years, possibly more, and every time Progent has come through and delivered as promised. This time was a stunning achievement."

Conclusion
A possible enterprise-killing catastrophe was evaded through the efforts of dedicated professionals, a broad range of subject matter expertise, and tight collaboration. Although upon completion of forensics the ransomware virus attack described here should have been identified and stopped with up-to-date security systems and NIST Cybersecurity Framework best practices, team education, and well thought out security procedures for information protection and proper patching controls, the reality remains that government-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware virus, remember that Progent's roster of professionals has proven experience in crypto-ransomware virus defense, mitigation, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thanks very much for letting me get some sleep after we made it through the most critical parts. All of you did an fabulous effort, and if any of your guys is in the Chicago area, dinner is my treat!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Winston-Salem a variety of remote monitoring and security assessment services designed to assist you to minimize the threat from crypto-ransomware. These services utilize modern machine learning technology to detect zero-day variants of ransomware that can escape detection by legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes next generation behavior-based analysis tools to guard physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which easily evade traditional signature-based AV tools. ProSight ASM safeguards on-premises and cloud resources and provides a single platform to manage the complete threat progression including blocking, detection, mitigation, remediation, and forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection services offer economical in-depth protection for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and reacting to cyber assaults from all vectors. ProSight ESP delivers firewall protection, penetration alarms, device control, and web filtering via leading-edge tools incorporated within a single agent accessible from a single console. Progent's security and virtualization consultants can help you to plan and implement a ProSight ESP deployment that meets your organization's specific requirements and that helps you demonstrate compliance with legal and industry information protection regulations. Progent will assist you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for urgent action. Progent can also assist you to install and test a backup and disaster recovery solution like ProSight Data Protection Services so you can recover quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and mid-sized businesses an affordable end-to-end solution for reliable backup/disaster recovery (BDR). Available at a low monthly price, ProSight Data Protection Services automates and monitors your backup activities and allows fast recovery of vital files, applications and virtual machines that have become lost or corrupted due to component breakdowns, software bugs, disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, apps, system images, plus Hyper-V and VMware images/. Important data can be backed up on the cloud, to a local device, or mirrored to both. Progent's BDR specialists can provide world-class expertise to set up ProSight Data Protection Services to to comply with regulatory requirements such as HIPAA, FIRPA, and PCI and, when necessary, can help you to recover your business-critical data. Read more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top data security companies to deliver web-based management and comprehensive protection for your inbound and outbound email. The hybrid architecture of Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway appliance to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based malware. The Cloud Protection Layer serves as a first line of defense and keeps most unwanted email from reaching your network firewall. This decreases your vulnerability to inbound threats and saves network bandwidth and storage space. Email Guard's on-premises security gateway device provides a further layer of inspection for inbound email. For outbound email, the onsite security gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also help Exchange Server to track and protect internal email traffic that stays within your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progentís ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized organizations to diagram, track, reconfigure and troubleshoot their connectivity appliances like routers, firewalls, and wireless controllers as well as servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology maps are kept current, copies and displays the configuration of virtually all devices on your network, tracks performance, and generates notices when issues are detected. By automating tedious management activities, WAN Watch can knock hours off ordinary tasks such as network mapping, expanding your network, finding devices that need important software patches, or identifying the cause of performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to keep your network running at peak levels by tracking the health of vital assets that power your information system. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT management staff and your assigned Progent engineering consultant so that any potential problems can be resolved before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the applications. Because the environment is virtualized, it can be moved easily to a different hardware solution without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and protect data about your network infrastructure, procedures, applications, and services. You can instantly find passwords or IP addresses and be warned about upcoming expirations of SSLs or warranties. By cleaning up and organizing your IT infrastructure documentation, you can eliminate up to half of time thrown away searching for critical information about your IT network. ProSight IT Asset Management features a common location for storing and collaborating on all documents required for managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT information. Whether youíre making enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.
For Winston-Salem 24/7/365 Crypto Repair Support Services, contact Progent at 800-993-9400 or go to Contact Progent.