Ransomware: Your Feared Information Technology Catastrophe
Ransomware has become an escalating cyberplague that poses an extinction-level danger for businesses of all sizes vulnerable to an assault. Multiple generations of ransomware like the CrySIS, WannaCry, Locky, SamSam and MongoLock cryptoworms have been replicating for a long time and continue to cause destruction. The latest variants of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, along with daily unnamed malware, not only encrypt online information but also infect all accessible system protection. Data synchronized to cloud environments can also be ransomed. In a poorly architected environment, this can make any restore operation hopeless and effectively knock the entire system back to zero.

Retrieving applications and information following a ransomware attack becomes a sprint against time as the targeted business fights to contain and eradicate the ransomware and to resume enterprise-critical operations. Because ransomware requires time to spread, attacks are frequently sprung on weekends and holidays, when penetrations in many cases take longer to discover. This multiplies the difficulty of rapidly assembling and coordinating an experienced response team.

Progent has an assortment of solutions for securing businesses from ransomware events. These include team member education to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security gateways with AI technology to automatically detect and extinguish zero-day cyber attacks. Progent also offers the services of expert ransomware recovery consultants with the talent and perseverance to reconstruct a compromised environment as urgently as possible.

Progent's Crypto-Ransomware Restoration Support Services
After a crypto-ransomware penetration, paying the ransom in Bitcoin cryptocurrency does not guarantee that criminal gangs will respond with the needed keys to decrypt all your data. Kaspersky estimated that seventeen percent of crypto-ransomware victims never recovered their files even after having sent off the ransom, resulting in increased losses. The risk is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is significantly above the typical ransomware demands, which ZDNET determined to be in the range of $13,000. The fallback is to set up from scratch the vital parts of your IT environment. Without the availability of full system backups, this requires a wide range of IT skills, well-coordinated project management, and the capability to work non-stop until the job is done.

For decades, Progent has provided certified expert IT services for businesses in Anchorage and across the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have attained advanced certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have garnered internationally renowned certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise with financial systems and ERP software solutions. This breadth of expertise gives Progent the capability to knowledgeably determine critical systems, re-organize the surviving components of your Information Technology environment after a ransomware event, and configure them into an operational system.

Progent's ransomware team of experts deploys powerful project management systems to coordinate the complex restoration process. Progent knows the importance of acting quickly and together with a customer's management and Information Technology resources to prioritize tasks and to get critical systems back on line as fast as possible.

Client Story: A Successful Crypto-Ransomware Penetration Response
A business hired Progent after their company was brought down by Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state criminal gangs, possibly using algorithms leaked from the United States NSA organization. Ryuk targets specific companies with little or no ability to sustain disruption and is among the most profitable examples of ransomware malware. Major organizations hit by Ryuk include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturer headquartered in Chicago and has around 500 staff members. The Ryuk penetration had frozen all essential operations and manufacturing capabilities. Most of the client's data protection had been directly accessible at the beginning of the intrusion and was eventually encrypted. The client was pursuing financing for paying the ransom demand (exceeding $200,000) and hoping for good luck, but in the end called Progent.


"I can't speak enough about the help Progent gave us throughout the most stressful time of (our) business's existence. We may have had to pay the criminal gangs except for the confidence the Progent team gave us. The fact that you were able to get our e-mail and key servers back online sooner than seven days was something I thought impossible. Every single expert I talked with or messaged at Progent was hell bent on getting us operational and was working non-stop to bail us out."

Progent worked together with the client to rapidly understand and assign priority to the essential elements that needed to be restored in order to resume business operations:

  • Active Directory
  • Electronic Messaging
  • Accounting/MRP

To get going, Progent adhered to ransomware incident mitigation best practices by stopping lateral movement and clearing infected systems. Progent then initiated the work of rebuilding Windows Active Directory, the heart of enterprise systems built on Microsoft technology. Exchange messaging will not function without Windows AD, and the customer's accounting and MRP applications utilized SQL Server, which needs Active Directory services for authentication to the information.

In less than 48 hours, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then accomplished rebuilding and hard drive recovery on key applications. All Exchange Server schema and configuration information were intact, which accelerated the restore of Exchange. Progent was able to find local OST data files (Outlook Off-Line Folder Files) on various PCs and laptops in order to recover mail information. A recent offline backup of the business's accounting/ERP software made it possible to return these required services to users. Although major work remained to recover totally from the Ryuk damage, core services were returned to operation quickly:


"For the most part, the production operation never missed a beat and we produced all customer sales."

Throughout the following couple of weeks important milestones in the restoration project were achieved in tight collaboration between Progent team members and the customer:

  • In-house web sites were brought back up with no loss of information.
  • The MailStore Exchange Server with over four million historical emails was spun up and available for users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory modules were 100% operational.
  • A new Palo Alto 850 firewall was installed and configured.
  • 90% of the user PCs were back into operation.

"So much of what occurred in the initial days is mostly a fog for me, but my team will not soon forget the dedication each and every one of your team put in to help get our company back. I've been working together with Progent for the past ten years, maybe more, and each time Progent has come through and delivered. This event was the most impressive ever."

Conclusion
A potential business disaster was evaded through the efforts of top-tier experts, a wide array of subject matter expertise, and close collaboration. Although in post mortem the ransomware penetration detailed here should have been identified and blocked with modern security solutions and NIST Cybersecurity Framework best practices, user and IT administrator training, and appropriate incident response procedures for backup and proper patching controls, the reality remains that government-sponsored cyber criminals from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a crypto-ransomware incident, feel confident that Progent's team of experts has a proven track record in crypto-ransomware virus defense, remediation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were contributing), thank you for making it so I could get rested after we made it over the first week. Everyone did an impressive job, and if anyone is visiting the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Anchorage a range of online monitoring and security assessment services to help you reduce the threat from ransomware. These services include modern AI technology to uncover zero-day variants of ransomware that can escape detection by traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates cutting edge behavior machine learning technology to guard physical and virtual endpoint devices against new malware attacks such as ransomware and file-less exploits, which routinely get by legacy signature-matching AV tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a unified platform to automate the complete threat progression including blocking, detection, containment, remediation, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer security for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and responding to security assaults from all vectors. ProSight ESP offers firewall protection, intrusion alarms, device control, and web filtering through cutting-edge tools incorporated within a single agent managed from a single console. Progent's data protection and virtualization consultants can help your business to plan and implement a ProSight ESP environment that addresses your company's unique needs and that helps you prove compliance with government and industry data security standards. Progent will help you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for urgent attention. Progent can also help you to install and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized organizations a low cost end-to-end solution for reliable backup/disaster recovery (BDR). Available at a low monthly price, ProSight DPS automates and monitors your backup processes and enables fast restoration of critical data, apps and virtual machines that have become lost or corrupted as a result of hardware failures, software bugs, disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, as well as Hyper-V and VMware images. Critical data can be protected in the cloud, on an on-premises device, or mirrored to both. Progent's BDR specialists can provide advanced support to configure ProSight DPS to be compliant with government and industry regulatory requirements like HIPAA, FIRPA, and PCI and, whenever needed, can assist you to recover your critical data. Read more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of top data security vendors to deliver web-based control and world-class security for your inbound and outbound email. The powerful structure of Progent's Email Guard managed service integrates cloud-based filtering with a local security gateway device to offer complete protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-based threats. The Cloud Protection Layer acts as a first line of defense and blocks most unwanted email from making it to your security perimeter. This reduces your exposure to external threats and saves network bandwidth and storage. Email Guard's on-premises security gateway device provides a further level of inspection for inbound email. For outgoing email, the on-premises security gateway provides AV and anti-spam protection, DLP, and email encryption. The on-premises security gateway can also help Exchange Server to monitor and protect internal email that originates and ends within your corporate firewall. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller organizations to map, track, reconfigure and troubleshoot their connectivity hardware like routers and switches, firewalls, and wireless controllers as well as servers, printers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology maps are always current, captures and manages the configuration information of almost all devices on your network, tracks performance, and sends notices when issues are discovered. By automating complex network management activities, ProSight WAN Watch can knock hours off common tasks such as making network diagrams, expanding your network, finding devices that need critical updates, or identifying the cause of performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management technology to help keep your network running efficiently by tracking the state of critical computers that power your business network. When ProSight LAN Watch detects an issue, an alert is sent automatically to your designated IT management staff and your assigned Progent engineering consultant so that all looming problems can be addressed before they can impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual host configured and managed by Progent's network support professionals. With the ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the applications. Because the system is virtualized, it can be moved easily to a different hardware solution without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and protect information related to your network infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be warned about impending expirations of SSL certificates or domains. By cleaning up and organizing your network documentation, you can save as much as 50% of time wasted trying to find critical information about your IT network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents related to managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're planning enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.
For 24-7 Anchorage Crypto Remediation Services, contact Progent at 800-993-9400 or go to Contact Progent.