Ransomware: Your Feared Information Technology Catastrophe
Crypto-ransomware has become an escalating cyberplague that poses an existential threat for businesses unprepared for an attack. Different versions of ransomware such as Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for years and still cause havoc. More recent variants of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit or Egregor, plus frequent unnamed malware, not only encrypt online data files but also infect all available system restores and backups. Information synched to cloud environments can also be encrypted. In a poorly designed data protection solution, this can make automatic restore operations hopeless and basically set the network back to square one.

Getting back programs and information following a ransomware attack becomes a sprint against the clock as the targeted organization tries its best to stop the spread, remove the ransomware, and resume enterprise-critical activity. Because ransomware needs time to spread, attacks are usually sprung on weekends and holidays, when successful attacks may take more time to recognize. This compounds the difficulty of rapidly assembling and orchestrating an experienced mitigation team.

Progent has an assortment of support services for protecting enterprises from ransomware events. Among these are staff training to help identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of modern security gateways with AI technology to intelligently detect and suppress zero-day threats. Progent in addition provides the assistance of seasoned ransomware recovery engineers with the talent and commitment to reconstruct a compromised network as soon as possible.

Progent's Ransomware Recovery Services
After a ransomware penetration, paying the ransom in Bitcoin cryptocurrency does not provide any assurance that distant criminals will respond with the codes to decrypt all your files. Kaspersky determined that 17% of ransomware victims never recovered their information even after having sent off the ransom, resulting in additional losses. The risk is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical crypto-ransomware demands, which ZDNET determined to be approximately $13,000. The fallback is to piece back together the vital parts of your Information Technology environment. Without the availability of complete system backups, this calls for a broad complement of skill sets, well-coordinated project management, and the willingness to work 24x7 until the recovery project is complete.

For two decades, Progent has made available expert IT services for companies in Anchorage and across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have earned advanced industry certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have garnered internationally-renowned industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of expertise affords Progent the skills to rapidly understand necessary systems and consolidate the surviving pieces of your IT system following a ransomware penetration and configure them into a functioning network.

Progent's ransomware group utilizes best of breed project management applications to orchestrate the complicated restoration process. Progent knows the urgency of acting rapidly and together with a customer's management and Information Technology team members to assign priority to tasks and to get the most important services back on line as soon as possible.

Customer Case Study: A Successful Crypto-Ransomware Penetration Restoration
A client engaged Progent after their network was penetrated by Ryuk ransomware. Ryuk is believed to have been created by North Korean state sponsored cybercriminals, possibly using technology exposed from the U.S. National Security Agency. Ryuk seeks specific businesses with little ability to sustain operational disruption and is one of the most profitable examples of ransomware viruses. Major organizations hit include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in Chicago with around 500 employees. The Ryuk penetration had disabled all essential operations and manufacturing capabilities. Most of the client's data protection had been on-line at the start of the intrusion and was destroyed. The client was pursuing financing for paying the ransom (exceeding two hundred thousand dollars) and praying for the best, but ultimately reached out to Progent.


"I can't thank you enough about the care Progent provided us during the most stressful time of (our) company's existence. We had little choice but to pay the hackers behind this attack except for the confidence the Progent team gave us. That you were able to get our e-mail system and essential applications back into operation quicker than one week was something I thought impossible. Every single person I interacted with or messaged at Progent was urgently focused on getting my company operational and was working 24 by 7 on our behalf."

Progent worked with the client to quickly identify and prioritize the critical systems that had to be recovered in order to continue departmental operations:

  • Windows Active Directory
  • Email
  • Accounting and Manufacturing Software

To get going, Progent followed AV/Malware Processes incident response best practices by halting the spread and disinfecting systems. Progent then began the steps of bringing back online Microsoft AD, the foundation of enterprise environments built on Microsoft technology. Microsoft Exchange Server email will not operate without AD, and the customer's MRP applications leveraged SQL Server, which needs Windows AD for access to the data.

In less than two days, Progent was able to re-build Active Directory to its pre-penetration state. Progent then accomplished rebuilding and storage recovery on key systems. All Microsoft Exchange Server ties and attributes were intact, which accelerated the restore of Exchange. Progent was able to locate local OST data files (Microsoft Outlook Off-Line Data Files) on user workstations to recover email data. A recent offline backup of the customer's manufacturing software made it possible to restore these essential services back online. Although major work remained to recover totally from the Ryuk virus, the most important systems were restored rapidly:


"For the most part, the production operation was never shut down and we did not miss any customer shipments."

Throughout the next few weeks key milestones in the recovery process were completed in tight collaboration between Progent consultants and the client:

  • Self-hosted web applications were returned to operation without losing any information.
  • The MailStore Server containing more than four million historical emails was brought on-line and available for users.
  • CRM/Customer Orders/Invoices/Accounts Payable/AR/Inventory capabilities were completely restored.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • Most of the user desktops and notebooks were fully operational.

"So much of what happened during the initial response is nearly entirely a blur for me, but we will not forget the commitment each of the team put in to help get our business back. I've been working together with Progent for at least 10 years, possibly more, and every time I needed help Progent has shined and delivered. This time was a life saver."

Conclusion
A likely company-ending catastrophe was averted due to dedicated professionals, a broad array of subject matter expertise, and tight teamwork. Upon completion of forensics, the ransomware virus penetration described here should have been identified and prevented with current cyber security technology and security best practices, user training, and well thought out security procedures for information backup and for keeping systems up to date with security patches. Even so, the reality remains that government-sponsored hackers from Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by a crypto-ransomware virus, remember that Progent's team of professionals has substantial experience in ransomware virus defense, remediation, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were contributing), thank you for letting me get some sleep after we got over the most critical parts. Everyone did a fabulous job, and if any of your team is in the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer story, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Anchorage a range of remote monitoring and security evaluation services to assist you to reduce the threat from ransomware. These services include next-generation machine learning capability to uncover new variants of crypto-ransomware that are able to evade traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates cutting edge behavior machine learning technology to defend physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which routinely evade legacy signature-matching anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a single platform to address the entire malware attack progression including blocking, detection, containment, remediation, and forensics. Top capabilities include single-click rollback with Windows VSS and automatic network-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services offer ultra-affordable in-depth protection for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and reacting to cyber assaults from all vectors. ProSight ESP provides two-way firewall protection, penetration alarms, device control, and web filtering via leading-edge tools packaged within a single agent accessible from a single console. Progent's data protection and virtualization consultants can assist you to plan and configure a ProSight ESP environment that addresses your company's specific needs and that helps you achieve and demonstrate compliance with government and industry data protection regulations. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that require urgent attention. Progent can also assist you to install and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized businesses a low cost and fully managed service for secure backup/disaster recovery. Available at a low monthly price, ProSight DPS automates and monitors your backup processes and allows rapid recovery of critical data, apps and VMs that have become unavailable or corrupted due to hardware failures, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to a local device, or to both. Progent's BDR consultants can provide advanced support to set up ProSight Data Protection Services to comply with government and industry regulatory requirements like HIPAA, FIRPA, PCI and Safe Harbor and, when necessary, can assist you to restore your business-critical information. Learn more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top information security companies to deliver web-based control and comprehensive protection for your email traffic. The powerful architecture of Email Guard combines cloud-based filtering with a local security gateway appliance to provide advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne threats. The cloud filter acts as a first line of defense and blocks the vast majority of unwanted email from reaching your network firewall. This decreases your exposure to inbound attacks and conserves network bandwidth and storage space. Email Guard's onsite security gateway device adds a deeper level of analysis for inbound email. For outgoing email, the local security gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Exchange Server to track and protect internal email that stays inside your corporate firewall. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller businesses to diagram, monitor, enhance and debug their connectivity hardware like routers, firewalls, and wireless controllers plus servers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology diagrams are kept updated, captures and displays the configuration of almost all devices on your network, monitors performance, and generates alerts when issues are detected. By automating complex management activities, ProSight WAN Watch can knock hours off ordinary tasks like making network diagrams, expanding your network, finding devices that require important software patches, or resolving performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management technology to help keep your network running at peak levels by tracking the state of critical computers that power your business network. When ProSight LAN Watch detects a problem, an alarm is sent immediately to your designated IT personnel and your assigned Progent engineering consultant so all potential issues can be addressed before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host set up and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the applications. Since the system is virtualized, it can be ported easily to a different hosting environment without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard data related to your network infrastructure, processes, applications, and services. You can quickly locate passwords or IP addresses and be warned about upcoming expirations of SSLs or warranties. By updating and managing your IT infrastructure documentation, you can save as much as 50% of time thrown away trying to find vital information about your IT network. ProSight IT Asset Management features a common repository for storing and sharing all documents related to managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're making improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Learn more about ProSight IT Asset Management service.

For 24/7/365 Anchorage Ransomware Cleanup Services, reach out to Progent at 800-462-8800 or go to Contact Progent.