Ransomware : Your Crippling IT Disaster
Crypto-Ransomware  Remediation ProfessionalsRansomware has become a too-frequent cyberplague that represents an extinction-level danger for businesses of all sizes vulnerable to an assault. Different iterations of ransomware like the CryptoLocker, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for many years and continue to inflict harm. Newer strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, plus daily as yet unnamed malware, not only encrypt online data but also infect most available system restores and backups. Data synchronized to off-site disaster recovery sites can also be encrypted. In a poorly designed system, this can make automatic restore operations impossible and basically sets the datacenter back to zero.

Getting back applications and information following a crypto-ransomware event becomes a race against the clock as the targeted business struggles to stop lateral movement and remove the crypto-ransomware and to restore enterprise-critical activity. Due to the fact that ransomware requires time to spread, assaults are often launched during nights and weekends, when successful attacks typically take more time to detect. This multiplies the difficulty of rapidly mobilizing and orchestrating a qualified response team.

Progent has an assortment of support services for securing organizations from crypto-ransomware events. Among these are user education to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of next-generation security appliances with AI capabilities from SentinelOne to identify and disable day-zero cyber threats quickly. Progent also can provide the assistance of experienced ransomware recovery consultants with the talent and perseverance to rebuild a breached environment as urgently as possible.

Progent's Ransomware Recovery Support Services
Soon after a crypto-ransomware event, paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that distant criminals will return the needed keys to unencrypt all your data. Kaspersky determined that 17% of ransomware victims never restored their files after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is significantly higher than the typical crypto-ransomware demands, which ZDNET estimates to be in the range of $13,000. The other path is to piece back together the essential components of your IT environment. Without access to full system backups, this calls for a broad range of skill sets, professional team management, and the willingness to work non-stop until the recovery project is complete.

For twenty years, Progent has made available expert Information Technology services for businesses in Atlanta and across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have been awarded top certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have garnered internationally-recognized industry certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has expertise with accounting and ERP application software. This breadth of expertise provides Progent the skills to quickly understand critical systems and re-organize the surviving parts of your IT environment after a ransomware event and configure them into a functioning system.

Progent's recovery team of experts utilizes top notch project management tools to coordinate the complicated recovery process. Progent appreciates the importance of acting quickly and together with a client's management and IT team members to prioritize tasks and to get essential systems back online as fast as possible.

Case Study: A Successful Crypto-Ransomware Incident Response
A client contacted Progent after their company was taken over by the Ryuk ransomware. Ryuk is believed to have been launched by Northern Korean state sponsored criminal gangs, possibly adopting algorithms exposed from America's National Security Agency. Ryuk attacks specific companies with limited ability to sustain disruption and is among the most profitable iterations of crypto-ransomware. Major targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in Chicago with about 500 employees. The Ryuk penetration had frozen all company operations and manufacturing capabilities. Most of the client's backups had been directly accessible at the beginning of the intrusion and were encrypted. The client was actively seeking loans for paying the ransom (more than $200K) and wishfully thinking for good luck, but in the end brought in Progent.


"I cannot say enough in regards to the expertise Progent gave us during the most critical time of (our) company's existence. We most likely would have paid the cyber criminals if it wasn't for the confidence the Progent team gave us. The fact that you were able to get our e-mail and important servers back online quicker than a week was earth shattering. Each person I spoke to or e-mailed at Progent was amazingly focused on getting us working again and was working 24 by 7 to bail us out."

Progent worked together with the customer to quickly identify and prioritize the most important services that needed to be recovered to make it possible to restart business functions:

  • Windows Active Directory
  • Microsoft Exchange Email
  • Financials/MRP
To get going, Progent adhered to ransomware incident mitigation industry best practices by stopping lateral movement and cleaning systems of viruses. Progent then started the work of restoring Windows Active Directory, the core of enterprise networks built upon Microsoft Windows Server technology. Exchange messaging will not work without Active Directory, and the businesses' accounting and MRP software used Microsoft SQL, which needs Windows AD for authentication to the information.

In less than 2 days, Progent was able to recover Windows Active Directory to its pre-penetration state. Progent then initiated setup and hard drive recovery of key systems. All Exchange data and configuration information were usable, which accelerated the rebuild of Exchange. Progent was able to collect local OST data files (Microsoft Outlook Off-Line Data Files) on team PCs and laptops to recover email information. A recent off-line backup of the customer's financials/ERP software made it possible to recover these essential applications back on-line. Although a lot of work remained to recover totally from the Ryuk damage, essential services were restored rapidly:


"For the most part, the production operation did not miss a beat and we made all customer sales."

During the next few weeks critical milestones in the restoration project were made through close collaboration between Progent consultants and the client:

  • Self-hosted web applications were returned to operation with no loss of data.
  • The MailStore Microsoft Exchange Server containing more than 4 million archived emails was brought online and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory capabilities were 100% functional.
  • A new Palo Alto 850 firewall was brought online.
  • Nearly all of the user desktops were functioning as before the incident.

"A lot of what transpired those first few days is mostly a fog for me, but my team will not forget the countless hours all of the team put in to help get our business back. I have trusted Progent for the past ten years, possibly more, and each time I needed help Progent has impressed me and delivered as promised. This event was no exception but maybe more Herculean."

Conclusion
A possible business extinction catastrophe was dodged due to top-tier professionals, a broad range of knowledge, and tight teamwork. Although in hindsight the ransomware virus attack described here would have been identified and disabled with advanced security solutions and recognized best practices, user training, and well thought out security procedures for information protection and keeping systems up to date with security patches, the fact remains that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and will continue. If you do fall victim to a crypto-ransomware penetration, remember that Progent's roster of experts has extensive experience in ransomware virus defense, mitigation, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), I'm grateful for allowing me to get rested after we made it through the most critical parts. All of you did an incredible effort, and if anyone that helped is in the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Atlanta a variety of online monitoring and security assessment services designed to help you to minimize the threat from ransomware. These services include next-generation artificial intelligence technology to uncover new strains of ransomware that can get past traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's cutting edge behavior-based analysis tools to guard physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which easily escape legacy signature-based AV products. ProSight ASM protects on-premises and cloud resources and offers a single platform to address the entire threat progression including filtering, infiltration detection, containment, cleanup, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Progent is a certified SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection services offer economical in-depth protection for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and reacting to security threats from all vectors. ProSight ESP offers two-way firewall protection, penetration alarms, device control, and web filtering through cutting-edge technologies packaged within one agent accessible from a single console. Progent's security and virtualization consultants can help your business to design and implement a ProSight ESP environment that meets your organization's specific requirements and that helps you achieve and demonstrate compliance with government and industry data security standards. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for urgent attention. Progent's consultants can also assist your company to set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has partnered with advanced backup/restore technology companies to produce ProSight Data Protection Services (DPS), a selection of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS products automate and monitor your backup operations and enable transparent backup and rapid recovery of critical files/folders, applications, system images, and Hyper-V and VMware virtual machines. ProSight DPS lets your business protect against data loss resulting from hardware breakdown, natural calamities, fire, cyber attacks like ransomware, human mistakes, ill-intentioned employees, or software glitches. Managed backup services available in the ProSight DPS product family include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can help you to determine which of these fully managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security vendors to deliver web-based management and world-class protection for your email traffic. The hybrid structure of Email Guard integrates cloud-based filtering with a local security gateway device to provide advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The cloud filter serves as a preliminary barricade and keeps most threats from reaching your security perimeter. This reduces your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's on-premises gateway device provides a further layer of inspection for inbound email. For outbound email, the local security gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to track and safeguard internal email traffic that stays inside your security perimeter. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to map out, monitor, optimize and troubleshoot their connectivity appliances like routers, firewalls, and access points as well as servers, client computers and other devices. Incorporating state-of-the-art RMM technology, WAN Watch makes sure that network maps are kept updated, captures and displays the configuration information of virtually all devices on your network, monitors performance, and generates notices when problems are discovered. By automating complex management activities, WAN Watch can knock hours off common tasks like network mapping, reconfiguring your network, locating devices that need critical software patches, or identifying the cause of performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) techniques to keep your network operating efficiently by checking the state of critical assets that drive your information system. When ProSight LAN Watch detects a problem, an alert is sent immediately to your designated IT staff and your assigned Progent engineering consultant so all potential issues can be addressed before they can disrupt productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host set up and managed by Progent's IT support experts. Under the ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be moved immediately to a different hosting environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard data about your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be warned about impending expirations of SSLs ,domains or warranties. By cleaning up and organizing your network documentation, you can eliminate up to 50% of time wasted trying to find critical information about your IT network. ProSight IT Asset Management includes a common location for storing and sharing all documents required for managing your business network like recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether you're making improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that utilizes cutting edge behavior-based machine learning tools to guard endpoint devices as well as physical and virtual servers against new malware assaults like ransomware and email phishing, which easily escape legacy signature-based AV products. Progent ASM services safeguard local and cloud-based resources and offers a single platform to manage the entire malware attack progression including blocking, detection, containment, cleanup, and forensics. Top features include single-click rollback with Windows VSS and automatic network-wide immunization against newly discovered threats. Learn more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Call Center: Support Desk Managed Services
    Progent's Call Desk services permit your IT staff to outsource Help Desk services to Progent or split responsibilities for support services seamlessly between your in-house network support staff and Progent's nationwide roster of IT support engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a smooth extension of your core IT support resources. Client interaction with the Help Desk, provision of support services, problem escalation, trouble ticket creation and updates, efficiency metrics, and maintenance of the support database are cohesive regardless of whether incidents are taken care of by your in-house IT support group, by Progent, or both. Learn more about Progent's outsourced/co-managed Help Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer organizations of all sizes a versatile and affordable alternative for evaluating, testing, scheduling, applying, and documenting updates to your dynamic information network. In addition to maximizing the security and reliability of your IT environment, Progent's patch management services permit your in-house IT team to concentrate on line-of-business projects and tasks that deliver the highest business value from your information network. Learn more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo authentication service plans utilize Cisco's Duo technology to protect against compromised passwords by using two-factor authentication. Duo supports one-tap identity verification on iOS, Google Android, and other out-of-band devices. Using Duo 2FA, when you log into a secured application and give your password you are asked to verify your identity via a device that only you have and that is accessed using a separate network channel. A broad range of devices can be utilized as this second means of authentication such as a smartphone or watch, a hardware token, a landline phone, etc. You may designate several validation devices. To find out more about ProSight Duo identity authentication services, visit Cisco Duo MFA two-factor authentication services for access security.
For 24x7x365 Atlanta Crypto-Ransomware Repair Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.