Ransomware: Your Feared Information Technology Catastrophe
Ransomware Remediation Experts
Ransomware has become an escalating cyberplague and an enterprise-level threat for businesses unprepared for an attack. Older families such as CryptoLocker, Fusob, Locky, Syskey and MongoLock have been circulating for years and still cause harm. Newer variants such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with many unnamed strains, not only encrypt online files but also seek out and disable configured protection mechanisms, such as Volume Shadow Copies and any backups reachable from the compromised network, before encryption begins. Files replicated to cloud storage can also be ransomed, because synchronization clients propagate the encrypted versions upstream. In a poorly designed system this can render restoration hopeless and effectively knocks the network back to square one.
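The "disable the protection mechanisms first" step described above leaves a trace in process-creation telemetry. As an added illustration that is not part of Progent's page or tooling, the detector below scans Windows process-creation events (Security event 4688 or Sysmon event 1, rendered here as constructed text lines) for the commands ransomware typically runs to destroy shadow copies, turn off Windows Recovery, or wipe the backup catalog. The line layout, rule names and sample events are this example's own assumptions; map your SIEM's fields onto the parser.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (not real telemetry). The "ts host= user= pid= cmd="
# layout is an assumption for this example; adapt EVENT_RE to your 4688 /
# Sysmon field names. Only host FS01 shows a ransomware-style sequence.
SAMPLE_EVENTS = [
    r"2021-03-06T02:14:07Z host=FS01 user=CORP\jsmith pid=4412 cmd=vssadmin.exe delete shadows /all /quiet",
    r"2021-03-06T02:14:09Z host=FS01 user=CORP\jsmith pid=4420 cmd=wmic.exe shadowcopy delete",
    r"2021-03-06T02:14:11Z host=FS01 user=CORP\jsmith pid=4431 cmd=bcdedit.exe /set {default} recoveryenabled no",
    r"2021-03-06T02:14:12Z host=FS01 user=CORP\jsmith pid=4435 cmd=wbadmin.exe delete catalog -quiet",
    r"2021-03-06T02:15:00Z host=WS22 user=CORP\akim pid=1880 cmd=notepad.exe C:\Users\akim\notes.txt",
    r"2021-03-06T03:00:00Z host=BK01 user=CORP\svc_backup pid=992 cmd=vssadmin.exe list shadows",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+pid=(?P<pid>\d+)\s+cmd=(?P<cmd>.*)$"
)

# Each rule covers one widely documented pre-encryption technique: deleting
# Volume Shadow Copies (vssadmin, wmic, WMI from PowerShell), shrinking shadow
# storage so older snapshots are purged, disabling Windows Recovery via bcdedit,
# and deleting the Windows Backup catalog. Rule names are this example's own.
RULES = [
    ("vss_delete", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("vss_resize", re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadow_delete", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("ps_shadow_delete", re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I)),
    ("bcdedit_recovery_off", re.compile(
        r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wbadmin_catalog_delete", re.compile(
        r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)", re.I)),
]


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    rule: str
    cmd: str


def parse_event(line):
    """Split one event line into its fields, or return None if malformed."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def match_rules(cmd):
    """Return the names of every rule whose pattern fires on this command line."""
    return [name for name, pattern in RULES if pattern.search(cmd)]


def scan(lines):
    """Run every parseable event through the rules and collect the hits in order."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        for rule in match_rules(event["cmd"]):
            alerts.append(Alert(event["ts"], event["host"], event["user"], rule, event["cmd"]))
    return alerts


def summarize(alerts):
    """Group hits per host. Two or more distinct techniques on one host is the
    signature of a pre-encryption sequence rather than a one-off admin command,
    so it is rated critical."""
    per_host = defaultdict(set)
    for alert in alerts:
        per_host[alert.host].add(alert.rule)
    return {host: {"rules": sorted(rules), "critical": len(rules) >= 2}
            for host, rules in per_host.items()}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for hit in hits:
        print(f"{hit.ts} {hit.host} {hit.user} [{hit.rule}] {hit.cmd}")
    for host, verdict in summarize(hits).items():
        print(host, "CRITICAL" if verdict["critical"] else "review", verdict["rules"])
```

In the constructed data the backup server BK01 only lists shadow copies, which is benign and produces no alert; FS01 runs four different destruction commands inside five seconds and is rated critical. Because vssadmin and wbadmin are also run legitimately by backup jobs, tune the rules with an allowlist of backup service accounts and hosts rather than suppressing them, and treat a critical verdict as a trigger to isolate the host immediately, since encryption normally follows within minutes.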

Recovering applications and data after a crypto-ransomware attack is a race against the clock: the targeted organization must stop lateral movement, eradicate the malware, and restore business-critical operations at the same time. Because spreading and encryption take time, attacks are usually launched on weekends and holidays, when intrusions take longer to discover and it is far harder to quickly assemble and organize a capable response team.

Progent offers an assortment of services for protecting businesses from crypto-ransomware intrusions. These include staff education to help employees recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for endpoint protection and remote monitoring, and deployment of next-generation endpoint security with machine learning technology from SentinelOne to identify and contain new threats automatically. Progent can also provide seasoned crypto-ransomware recovery professionals with the track record and perseverance to restore a breached environment as rapidly as possible.

Progent's Crypto-Ransomware Recovery Support Services
Following a crypto-ransomware event, paying the ransom in cryptocurrency provides no assurance that the criminals will hand over working keys to decrypt any of your data. Kaspersky found that seventeen percent of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), well above the typical crypto-ransomware demand, which ZDNet put at approximately $13,000. The other path is to rebuild the essential parts of your IT environment from scratch. Without access to complete backups, this requires a wide range of skills, well-coordinated team management, and the capacity to work around the clock until the job is done.

For twenty years, Progent has provided expert IT services to companies in Anchorage and across the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who hold top certifications in key technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security experts hold internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC (see Progent's certifications). Progent also has expertise in accounting and ERP applications. This breadth of expertise allows Progent to rapidly identify critical systems after a ransomware event, consolidate the surviving parts of your network, and reassemble them into a functioning environment.

Progent's security team uses best-of-breed project management systems to orchestrate the complex restoration process. Progent appreciates the importance of acting rapidly and in concert with a customer's management and IT staff to prioritize tasks and to put the most important systems back online as fast as possible.

Case Study: A Successful Ransomware Intrusion Response
A client engaged Progent after their network was hit by the Ryuk ransomware. Early analysis attributed Ryuk to North Korean state actors because it shares code with the Hermes ransomware; subsequent research attributes its operation to a Russian-speaking criminal group. Ryuk targets specific organizations with little or no tolerance for operational disruption and is among the most lucrative ransomware operations. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in Chicago with around 500 employees. The Ryuk attack had shut down all essential business and manufacturing operations. Most of the client's backups were online and reachable from the compromised network when the attack began, and were destroyed along with the production data. The client was preparing to pay the ransom (over two hundred thousand dollars) and hope for the best, but in the end brought in Progent.


"I can't say enough in regard to the help Progent gave us during the most stressful period of (our) company's life. We would have had little choice but to pay the cyber criminals if it wasn't for the confidence the Progent team provided us. The fact that you were able to get our e-mail and key applications back online in less than five days was beyond my wildest dreams. Every single consultant I worked with or texted at Progent was absolutely committed to getting us back on-line and was working non-stop to bail us out."

Progent worked with the client to quickly understand and prioritize the mission critical elements that had to be addressed in order to restart company functions:

  • Active Directory (AD)
  • Microsoft Exchange
  • MRP System

To begin, Progent followed industry best practices for ransomware incident response by halting lateral movement and cleaning compromised systems. Progent then began restoring Microsoft Active Directory, the foundation of enterprise networks built on Microsoft technology: Exchange Server will not operate without AD, and the business's accounting and MRP applications ran on Microsoft SQL Server, which relied on Active Directory for authentication and access to the data.

In less than two days, Progent recovered Active Directory to its pre-attack state. Progent then rebuilt and recovered storage on mission-critical servers. The Exchange Server databases and attributes were intact, which accelerated the Exchange restore. Progent was also able to use local OST files (Outlook Offline Data Files) found on user PCs and laptops to recover mailbox data. A reasonably recent offline backup of the client's manufacturing systems made it possible to bring those vital applications back online for users. Although much work remained to recover fully from the Ryuk damage, core systems were restored rapidly:


"For the most part, the production line operation did not miss a beat and we delivered all customer shipments."

Over the following couple of weeks, key milestones in the recovery project were completed through close collaboration between Progent engineers and the client:

  • Self-hosted web sites were brought back up without losing any information.
  • The MailStore email archive server for Exchange, holding over 4 million archived messages, was brought online and made available to users.
  • CRM, customer orders, invoicing, accounts payable, accounts receivable and inventory functions were 100% operational.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Most of the desktop computers were back into operation.

"Much of what happened those first few days is mostly a haze for me, but we will not forget the care each member of the team took to give us our business back. I've been working together with Progent for at least 10 years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This situation was a stunning achievement."

Conclusion
A probable business-ending catastrophe was averted thanks to hard-working experts, a broad range of subject matter expertise, and close collaboration. Post-incident forensics showed that the attack described here could have been prevented with current security tooling and best practices, staff training, and properly executed procedures for patching and for data backup, in particular backups kept offline or otherwise unreachable from the production network, which was the decisive factor in this recovery. Nonetheless, ransomware operators, including state-sponsored groups from Russia, North Korea and elsewhere, are relentless and are not going away. If you do fall victim to a ransomware attack, remember that Progent's team of professionals has substantial experience in ransomware blocking, mitigation, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), I'm grateful for making it so I could get some sleep after we got past the first week. Everyone made an incredible effort, and if any of your guys are around the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Anchorage a portfolio of remote monitoring and security assessment services to help you to reduce your vulnerability to ransomware. These services utilize modern AI capability to uncover new strains of ransomware that can get past legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's next-generation behavior analysis tools to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which easily evade traditional signature-matching AV tools. ProSight ASM protects on-premises and cloud resources and offers a unified platform to manage the complete malware attack progression including blocking, identification, containment, cleanup, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (which depends on the agent stopping the malware from deleting or shrinking the shadow copies first, a step most modern ransomware attempts before encrypting) and real-time network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable in-depth security for physical servers and VMs, desktops, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and responding to security attacks from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device control, and web filtering via tools incorporated within one agent accessible from a unified console. Progent's data protection and virtualization experts can assist you to plan and configure a ProSight ESP environment that addresses your organization's unique requirements and that allows you to demonstrate compliance with government and industry information protection standards. Progent will assist you to define and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that call for immediate attention. Progent's consultants can also assist you to install and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has partnered with leading backup technology companies to create ProSight Data Protection Services, a selection of offerings that deliver backup-as-a-service. ProSight DPS products manage and track your backup processes and enable non-disruptive backup and rapid recovery of vital files, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS helps your business avoid data loss resulting from equipment breakdown, natural calamities, fire, malware like ransomware, user mistakes, malicious employees, or application glitches. Managed backup services available in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to determine which of these managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of top information security vendors to provide centralized control and comprehensive protection for all your inbound and outbound email. The layered architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local gateway device to offer complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The cloud filter acts as a preliminary barricade and keeps most threats from reaching your security perimeter. This decreases your exposure to external threats and conserves network bandwidth and storage. Email Guard's on-premises security gateway device provides a further level of inspection for inbound email. For outbound email, the onsite security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The onsite gateway can also help Microsoft Exchange Server to monitor and protect internal email that stays within your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to diagram, track, reconfigure and troubleshoot their connectivity appliances such as switches, firewalls, and access points as well as servers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that network diagrams are kept current, copies and displays the configuration of almost all devices on your network, tracks performance, and sends notices when problems are discovered. By automating time-consuming management and troubleshooting processes, ProSight WAN Watch can knock hours off common chores such as network mapping, expanding your network, locating devices that require important software patches, or identifying the cause of performance problems. Find out more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your IT system operating efficiently by checking the state of the vital assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your specified IT personnel and your assigned Progent engineering consultant so any looming problems can be addressed before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure fault-tolerant data center on a high-performance virtual host set up and managed by Progent's network support professionals. With the ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the applications. Since the environment is virtualized, it can be moved quickly to an alternate hosting environment without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied to one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that allows you to create, maintain, find and protect data related to your network infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your network documentation, you can eliminate up to 50% of the time wasted trying to find critical information about your network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents related to managing your business network, such as recommended procedures and self-service instructions. It also offers a high level of automation for collecting and associating IT data. Whether you're planning enhancements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection managed service that uses next-generation behavior-based machine learning tools to defend endpoints and physical and virtual servers against modern malware attacks like ransomware and email phishing, which routinely get past traditional signature-matching anti-virus products. The service safeguards on-premises and cloud resources and provides a unified platform to automate the complete malware attack lifecycle including blocking, detection, mitigation, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows VSS and real-time network-wide immunization against new threats. Read more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Service Center: Call Center Managed Services
    Progent's Support Desk services enable your IT staff to outsource Help Desk services to Progent or to divide responsibilities for support services transparently between your internal network support staff and Progent's nationwide pool of IT service engineers and subject matter experts. Progent's Co-managed Service Desk provides a transparent extension of your corporate IT support organization. End user interaction with the Help Desk, provision of support, issue escalation, ticket creation and tracking, performance metrics, and maintenance of the support database are consistent whether incidents are resolved by your core IT support staff, by Progent, or by a mix of the two. Learn more about Progent's outsourced/shared Help Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management offer businesses of all sizes a versatile and cost-effective solution for evaluating, validating, scheduling, implementing, and tracking updates to your ever-evolving IT network. In addition to maximizing the security and functionality of your IT environment, Progent's software/firmware update management services allow your in-house IT staff to concentrate on more strategic initiatives and activities that deliver maximum business value from your network. Read more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo MFA services use Cisco's Duo technology to defend against stolen passwords with two-factor authentication (2FA). Duo enables single-tap identity verification with Apple iOS, Android, and other personal devices. With 2FA, whenever you sign into a protected application and supply your password, you are asked to confirm your identity using a device that only you possess and that is reached over a separate ("out-of-band") channel. A broad selection of out-of-band devices can serve as this second factor, including an iPhone, Android phone or wearable, a hardware token, or a landline phone, and you can register multiple verification devices. For more information about Duo two-factor identity validation services, refer to Duo MFA two-factor authentication services for access security.

For Anchorage 24/7/365 Ransomware Removal Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.