Ransomware : Your Worst Information Technology Disaster
Ransomware Remediation Experts
Crypto-ransomware has become an all-too-frequent cyber pandemic that poses an enterprise-level threat to businesses of every size that are unprepared for an attack. Ransomware families such as Reveton, WannaCry, Locky, Syskey and MongoLock have been around for many years and still cause havoc. The latest variants, including Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Egregor, as well as a steady stream of as-yet-unnamed strains, not only encrypt online data files but also encrypt or delete every backup they can reach. Files replicated to off-site disaster recovery sites are at risk too, because the replication job will faithfully copy the encrypted versions. Only backups that are offline or otherwise unreachable from the compromised network survive; without them, restore operations are hopeless and the entire environment is back to square one.

Getting applications and data back online after a ransomware outage becomes a race against the clock as the victim struggles to contain and eradicate the crypto-ransomware and resume mission-critical activity. Because encrypting an entire environment takes time, attackers usually trigger the encryption at night or over a weekend, when a successful penetration may go unnoticed for longer. This compounds the difficulty of quickly assembling and organizing an experienced response team.

Progent offers a range of services for protecting enterprises from crypto-ransomware attacks. These include staff training to recognize and resist phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of next-generation security appliances that use AI to detect and quarantine zero-day attacks. Progent also provides seasoned ransomware recovery consultants with the skill and commitment to rebuild a breached system as quickly as possible.

Progent's Crypto-Ransomware Restoration Services
After a ransomware penetration, paying the ransom in Bitcoin does not guarantee that the criminals will hand over the keys needed to decrypt your files. Kaspersky estimated that 17% of ransomware victims never recovered their files even after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the typical crypto-ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the vital components of your IT environment from scratch. Without complete backups, this requires a broad range of skills, professional team management, and the willingness to work around the clock until the job is done.

For twenty years, Progent has provided expert IT services for companies in Addison and across the U.S. and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals with advanced certifications in foundation technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's security specialists hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC and SANS GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of experience lets Progent knowledgeably identify critical systems, reorganize the surviving parts of your network after a crypto-ransomware attack, and reassemble them into a functioning whole.

Progent's security group uses best-of-breed project management systems to coordinate the complex restoration process. Progent understands the urgency of working rapidly and in concert with a customer's management and IT staff to prioritize tasks and put the most important applications back online as fast as humanly possible.

Client Case Study: A Successful Crypto-Ransomware Incident Recovery
A client hired Progent after its network was penetrated by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, but later analysis attributed it to a Russian-speaking criminal group that typically gains its foothold through TrickBot and Emotet infections. Ryuk targets specific businesses with little or no tolerance for operational disruption and is among the most lucrative ransomware operations. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business in the Chicago metro area with about 500 employees. The Ryuk intrusion had frozen all essential business and manufacturing operations. Most of the client's backups had been online at the start of the attack and were encrypted along with the production data. The client considered paying the ransom (more than $200,000) and hoping for the best, but in the end decided to engage Progent.


"I can't say enough in regards to the care Progent provided us during the most critical period of (our) business's life. We most likely would have paid the Hackers if not for the confidence the Progent group provided us. That you could get our e-mail and essential servers back on-line quicker than seven days was incredible. Every single staff member I got help from or messaged at Progent was laser focused on getting us back online and was working day and night on our behalf."

Progent worked hand in hand with the client to quickly scope and prioritize the key areas that had to be recovered to keep company operations going:

  • Microsoft Active Directory
  • Electronic Mail
  • MRP System
To start, Progent followed ransomware incident response best practices by isolating and cleaning infected systems. Progent then began rebuilding Active Directory, the foundation of enterprise environments built on Microsoft Windows technology. Microsoft Exchange will not operate without Active Directory, and the business's MRP software ran on Microsoft SQL Server, which depended on Active Directory for authenticated access to the database.

Within two days, Progent restored Active Directory to its pre-attack state. Progent then assisted with reinstallation and disk recovery of key servers. Exchange Server's links and configuration information, which live in Active Directory, were intact, which simplified the rebuild of Exchange. Progent collected the local OST files (Outlook Offline Data Files) cached on staff PCs and laptops in order to recover mailbox data. A recent offline backup of the client's financial/MRP systems made it possible to bring those required services back online for users. Although a great deal of work remained to recover fully from the Ryuk event, essential systems were returned to operation quickly:


"For the most part, the manufacturing operation was never shut down and we did not miss any customer orders."
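The OST collection step described in the case study, shown as an added PowerShell example. This is not Progent's own tooling; the host names, the collection share, reachable C$ admin shares and a caller with local admin rights on each host are all assumptions. The script inventories each user's Outlook data directory, checks the file header to confirm the OST was not encrypted in place, copies the intact files to a share that was offline during the attack, and writes a hash manifest so the collection can be verified later.

```powershell
# Added example, not Progent's tooling. Inventories Outlook OST files on a set
# of workstations, checks that each is an intact Outlook data file rather than
# a blob encrypted in place, and copies the intact ones to a clean collection
# share with a hash manifest. Assumed placeholders (not from the case study):
# host names, the collection share, reachable C$ admin shares, and a caller
# with local admin rights on each host. Outlook must be closed on the hosts,
# otherwise the OST is locked and the copy fails (recorded in the manifest).
$Hosts       = @('WS-ACCT-01', 'WS-ENG-02')   # assumed host names
$CollectRoot = '\\RECOVERY01\ost-collect'     # assumed share that was offline during the attack
$Manifest    = Join-Path $CollectRoot 'manifest.csv'

# Every PST/OST file starts with the 4-byte magic "!BDN". A file the ransomware
# encrypted in place keeps its name but loses this header.
function Test-OstHeader {
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 4
        $n = $fs.Read($buf, 0, 4)
        return ($n -eq 4 -and [System.Text.Encoding]::ASCII.GetString($buf) -eq '!BDN')
    } finally {
        $fs.Dispose()
    }
}

$records = foreach ($h in $Hosts) {
    $userRoot = "\\$h\C`$\Users"
    if (-not (Test-Path $userRoot)) { Write-Warning "$h unreachable, skipping"; continue }

    foreach ($userDir in Get-ChildItem -Path $userRoot -Directory) {
        # Default location of Outlook data files inside each user profile.
        $ostDir = Join-Path $userDir.FullName 'AppData\Local\Microsoft\Outlook'
        if (-not (Test-Path $ostDir)) { continue }

        foreach ($ost in Get-ChildItem -Path $ostDir -Filter '*.ost' -File -ErrorAction SilentlyContinue) {
            $intact  = Test-OstHeader $ost.FullName
            $destDir = Join-Path $CollectRoot "$h\$($userDir.Name)"
            $hash    = ''
            $status  = 'skipped-encrypted'
            if ($intact) {
                try {
                    New-Item -ItemType Directory -Path $destDir -Force | Out-Null
                    Copy-Item -Path $ost.FullName -Destination $destDir -Force -ErrorAction Stop
                    # Hash the copy, not the source, so the manifest describes what was collected.
                    $hash   = (Get-FileHash -Path (Join-Path $destDir $ost.Name) -Algorithm SHA256).Hash
                    $status = 'collected'
                } catch {
                    $status = "copy-failed: $($_.Exception.Message)"
                }
            }
            [pscustomobject]@{
                Host      = $h
                User      = $userDir.Name
                File      = $ost.Name
                SizeMB    = [math]::Round($ost.Length / 1MB, 1)
                LastWrite = $ost.LastWriteTime
                Intact    = $intact
                Status    = $status
                SHA256    = $hash
            }
        }
    }
}

$records | Export-Csv -Path $Manifest -NoTypeInformation
$records | Format-Table Host, User, File, SizeMB, LastWrite, Intact, Status -AutoSize
```

Run it from a clean recovery workstation after the endpoints have been isolated and cleaned. An OST is tied to the mailbox profile that created it, so the collected copies are normally converted to PST with a recovery tool before being imported into the rebuilt mailboxes; the LastWrite column tells you how current each user's cache is.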

Over the following few weeks, key milestones in the restoration project were reached in close cooperation between Progent consultants and the client:

  • Internal web applications were returned to operation with no loss of data.
  • The MailStore email archive server, holding more than four million archived messages, was brought online and made accessible to users.
  • CRM, orders, invoicing, accounts payable (AP), accounts receivable (AR) and inventory control were 100 percent operational.
  • A new Palo Alto Networks PA-850 firewall was brought online.
  • Most user workstations were back in service.

"A lot of what happened during the initial response is nearly entirely a haze for me, but we will not forget the urgency each and every one of the team put in to help get our business back. I've utilized Progent for at least 10 years, maybe more, and each time Progent has come through and delivered. This time was the most impressive ever."

Conclusion
A probable business catastrophe was averted through the efforts of top-tier experts, a broad range of expertise, and tight collaboration. Post-incident forensics showed that the incident described here could have been prevented by advanced security tooling, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, well-designed incident response procedures, protected backups and proper patch management. The reality, however, is that state-sponsored and criminal attackers from Russia, China and elsewhere are tireless and represent an ongoing threat. If you are hit by a ransomware penetration, you can be confident that Progent's roster of experts has proven experience in crypto-ransomware defense, mitigation, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were involved), thank you for letting me get rested after we made it over the initial fire. All of you did an incredible effort, and if any of your team is around the Chicago area, dinner is on me!"

To read or download a PDF version of this customer story, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Addison a portfolio of remote monitoring and security assessment services to help you reduce the threat from ransomware. These services use next-generation AI to detect zero-day ransomware variants that slip past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that uses behavior-based analysis to guard physical and virtual endpoints against new malware such as ransomware and email phishing, which easily evade traditional signature-matching AV products. ProSight ASM safeguards local and cloud-based resources and offers a unified platform to manage the entire threat lifecycle: protection, detection, mitigation, cleanup, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly seen attacks. Because modern ransomware, Ryuk included, tries to delete shadow copies before it encrypts, any VSS-based rollback is only as good as the agent's ability to block that step. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services deliver affordable multi-layer security for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics to continuously monitor and respond to cyber threats from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, device control, and web filtering via leading-edge technologies packaged within one agent managed from a unified console. Progent's security and virtualization experts can help your business design and implement a ProSight ESP deployment that meets your organization's unique requirements and lets you prove compliance with government and industry information security standards. Progent will help you specify and implement the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require immediate attention. Progent's consultants can also help your company install and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business quickly after a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with leading backup/restore software providers to create ProSight Data Protection Services, a portfolio of subscription-based offerings that deliver backup-as-a-service. ProSight DPS services manage and track your backup operations and enable non-disruptive backup and fast restoration of critical files/folders, apps, system images, and virtual machines. ProSight DPS lets your business protect against data loss caused by equipment failures, natural disasters, fire, cyber attacks such as ransomware, human mistakes, malicious insiders, or application glitches. Managed services available in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you identify which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading information security vendors to deliver web-based management and comprehensive security for your email traffic. The hybrid structure of Email Guard integrates a Cloud Protection Layer with a local gateway device to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's cloud filter acts as a preliminary barricade and blocks most unwanted email from reaching your security perimeter. This reduces your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's on-premises gateway appliance adds a deeper layer of inspection for inbound email. For outbound email, the onsite gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also help Microsoft Exchange Server to track and protect internal email that stays inside your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map, track, optimize and troubleshoot their networking hardware such as switches, firewalls, and access points, plus servers, printers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology maps are always up to date, captures and displays the configuration information of almost all devices on your network, monitors performance, and sends notices when issues are detected. By automating tedious network management activities, ProSight WAN Watch can cut hours off ordinary tasks like network mapping, reconfiguring your network, finding appliances that need important updates, or resolving performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management technology to keep your IT system running efficiently by tracking the state of the vital computers that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your designated IT personnel and your assigned Progent engineering consultant so that looming issues can be resolved before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual host configured and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the apps. Because the environment is virtualized, it can be moved easily to a different hosting solution without a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and safeguard data about your network infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By updating and organizing your IT documentation, you can save as much as half of the time wasted searching for critical information about your IT network. ProSight IT Asset Management features a common location for storing and sharing all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and how-to guides. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you're planning improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need when you need it. Learn more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection platform (EPP) service that uses next-generation behavioral machine learning to guard endpoints, servers and VMs against modern malware such as ransomware and email phishing, which easily escape traditional signature-matching AV products. The service protects local and cloud resources and offers a unified platform to automate the entire threat lifecycle: blocking, identification, mitigation, cleanup, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Read more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Call Desk: Help Desk Managed Services
    Progent's Help Desk managed services enable your IT group to outsource Call Center services to Progent or divide activity for support services transparently between your in-house support staff and Progent's nationwide pool of IT service technicians, engineers and subject matter experts. Progent's Shared Help Desk Service offers a transparent supplement to your core support organization. User access to the Help Desk, delivery of support, issue escalation, trouble ticket creation and updates, efficiency metrics, and management of the support database are consistent whether incidents are resolved by your core network support organization, by Progent, or by a combination. Learn more about Progent's outsourced/shared Call Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management offer organizations of all sizes a versatile and cost-effective alternative for assessing, validating, scheduling, applying, and tracking software and firmware updates to your ever-evolving IT system. Besides optimizing the security and functionality of your computer environment, Progent's patch management services allow your in-house IT team to concentrate on more strategic projects and tasks that deliver maximum business value from your network. Learn more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo authentication managed services incorporate Cisco's Duo cloud technology to defend against compromised passwords by requiring two-factor authentication. Duo enables one-tap identity confirmation on Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, when you sign into a protected application and enter your password you are asked to verify your identity on a device that only you possess and that uses a different ("out-of-band") network channel. A broad range of out-of-band devices can serve as this added factor, such as a smartphone or wearable, a hardware token, or a landline phone, and you can designate multiple validation devices. To learn more about Duo identity authentication services, refer to Duo MFA two-factor authentication services for access security.
For 24/7 Addison Crypto-Ransomware Remediation Experts, contact Progent at 800-462-8800 or go to Contact Progent.