Ransomware : Your Worst Information Technology Disaster
Crypto-Ransomware  Remediation ExpertsCrypto-Ransomware has become a too-frequent cyber pandemic that presents an existential threat for businesses of all sizes unprepared for an assault. Multiple generations of crypto-ransomware like the CrySIS, Fusob, Locky, SamSam and MongoLock cryptoworms have been around for many years and still inflict destruction. Newer strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, plus daily unnamed viruses, not only encrypt online data files but also infect most accessible system protection. Information synched to the cloud can also be ransomed. In a poorly designed environment, this can render automated restore operations impossible and effectively knocks the network back to square one.

Getting back services and information after a crypto-ransomware outage becomes a sprint against time as the victim struggles to stop the spread and eradicate the virus and to resume enterprise-critical activity. Because crypto-ransomware needs time to move laterally, penetrations are frequently sprung at night, when successful penetrations are likely to take longer to detect. This multiplies the difficulty of quickly assembling and coordinating a qualified response team.

Progent provides a range of help services for protecting enterprises from ransomware attacks. Among these are user education to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of the latest generation security solutions with machine learning technology to automatically discover and extinguish new threats. Progent in addition offers the services of expert ransomware recovery engineers with the skills and perseverance to rebuild a breached network as rapidly as possible.

Progent's Ransomware Recovery Help
After a ransomware penetration, paying the ransom demands in cryptocurrency does not ensure that cyber hackers will provide the keys to decipher all your data. Kaspersky Labs determined that 17% of ransomware victims never restored their information even after having sent off the ransom, resulting in additional losses. The risk is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the average ransomware demands, which ZDNET estimates to be in the range of $13,000. The alternative is to re-install the critical elements of your Information Technology environment. Absent access to essential data backups, this calls for a wide complement of IT skills, professional project management, and the willingness to work 24x7 until the job is finished.

For decades, Progent has provided expert IT services for companies in Bellevue and across the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have been awarded high-level certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally-renowned certifications including CISM, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has expertise in accounting and ERP software solutions. This breadth of expertise provides Progent the ability to knowledgably understand important systems and re-organize the surviving components of your network system following a ransomware penetration and configure them into a functioning network.

Progent's recovery group utilizes powerful project management tools to orchestrate the complicated restoration process. Progent understands the importance of working quickly and in unison with a customerís management and IT resources to prioritize tasks and to get the most important applications back on-line as soon as possible.

Case Study: A Successful Ransomware Intrusion Response
A customer escalated to Progent after their organization was crashed by the Ryuk crypto-ransomware. Ryuk is thought to have been launched by Northern Korean state hackers, possibly using approaches exposed from the United States NSA organization. Ryuk goes after specific organizations with little ability to sustain operational disruption and is one of the most lucrative iterations of crypto-ransomware. Well Known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company based in Chicago and has about 500 workers. The Ryuk event had frozen all essential operations and manufacturing capabilities. The majority of the client's information backups had been online at the time of the intrusion and were encrypted. The client was actively seeking loans for paying the ransom (exceeding $200K) and wishfully thinking for good luck, but ultimately brought in Progent.


"I canít thank you enough in regards to the expertise Progent provided us during the most critical period of (our) companyís life. We had little choice but to pay the Hackers if it wasnít for the confidence the Progent group provided us. That you were able to get our e-mail and production applications back on-line quicker than seven days was something I thought impossible. Each expert I talked with or messaged at Progent was amazingly focused on getting our company operational and was working day and night to bail us out."

Progent worked hand in hand the client to rapidly determine and assign priority to the essential areas that needed to be addressed in order to continue departmental functions:

  • Active Directory
  • E-Mail
  • MRP System
To start, Progent adhered to AV/Malware Processes incident response best practices by isolating and clearing up compromised systems. Progent then started the work of recovering Microsoft Active Directory, the key technology of enterprise systems built upon Microsoft Windows Server technology. Microsoft Exchange messaging will not work without AD, and the client's accounting and MRP system leveraged SQL Server, which needs Active Directory for authentication to the database.

Within two days, Progent was able to restore Active Directory to its pre-intrusion state. Progent then initiated reinstallations and hard drive recovery on key servers. All Exchange data and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was able to find local OST data files (Microsoft Outlook Off-Line Data Files) on staff workstations and laptops in order to recover email data. A recent off-line backup of the customerís financials/ERP systems made it possible to recover these required services back online. Although major work still had to be done to recover totally from the Ryuk attack, essential services were restored rapidly:


"For the most part, the production manufacturing operation ran fairly normal throughout and we made all customer shipments."

During the next couple of weeks key milestones in the recovery project were made through close cooperation between Progent consultants and the customer:

  • In-house web sites were brought back up without losing any information.
  • The MailStore Exchange Server with over four million archived messages was restored to operations and available for users.
  • CRM/Product Ordering/Invoicing/AP/AR/Inventory Control capabilities were 100 percent recovered.
  • A new Palo Alto Networks 850 firewall was deployed.
  • Nearly all of the user desktops were being used by staff.

"A lot of what was accomplished during the initial response is mostly a fog for me, but I will not soon forget the countless hours each of your team put in to help get our business back. I have trusted Progent for the past ten years, maybe more, and every time Progent has impressed me and delivered as promised. This time was a life saver."

Conclusion
A possible business extinction catastrophe was dodged due to hard-working professionals, a broad array of knowledge, and close teamwork. Although in analyzing the event afterwards the ransomware attack described here could have been disabled with advanced security solutions and best practices, staff training, and properly executed security procedures for information backup and proper patching controls, the fact is that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a crypto-ransomware penetration, remember that Progent's team of professionals has a proven track record in crypto-ransomware virus defense, removal, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were contributing), thank you for making it so I could get rested after we got over the most critical parts. All of you did an amazing effort, and if any of your team is visiting the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer story, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Bellevue a range of online monitoring and security evaluation services to help you to minimize your vulnerability to ransomware. These services utilize next-generation machine learning technology to uncover new strains of ransomware that are able to evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes cutting edge behavior machine learning technology to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which easily evade legacy signature-matching anti-virus products. ProSight Active Security Monitoring safeguards local and cloud-based resources and offers a unified platform to automate the complete malware attack progression including filtering, identification, containment, remediation, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services offer ultra-affordable in-depth security for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and reacting to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, penetration alarms, device control, and web filtering via cutting-edge tools packaged within one agent accessible from a single control. Progent's security and virtualization experts can assist your business to plan and implement a ProSight ESP environment that meets your company's specific needs and that allows you prove compliance with government and industry information security standards. Progent will assist you specify and configure policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that call for immediate attention. Progent's consultants can also assist you to install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has worked with advanced backup/restore software providers to create ProSight Data Protection Services (DPS), a family of subscription-based management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS services manage and track your data backup operations and enable transparent backup and fast recovery of vital files/folders, applications, images, and virtual machines. ProSight DPS lets your business avoid data loss resulting from hardware breakdown, natural calamities, fire, malware like ransomware, human mistakes, malicious insiders, or application glitches. Managed backup services in the ProSight DPS product line include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can help you to identify which of these managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top data security vendors to provide centralized control and comprehensive security for all your inbound and outbound email. The hybrid architecture of Email Guard managed service integrates a Cloud Protection Layer with a local security gateway device to offer advanced protection against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's cloud filter serves as a preliminary barricade and keeps most unwanted email from reaching your security perimeter. This decreases your exposure to inbound attacks and conserves system bandwidth and storage space. Email Guard's on-premises gateway device provides a further level of inspection for incoming email. For outgoing email, the onsite gateway provides AV and anti-spam filtering, DLP, and email encryption. The onsite gateway can also assist Exchange Server to track and protect internal email traffic that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progentís ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller organizations to map out, monitor, optimize and troubleshoot their connectivity appliances such as switches, firewalls, and access points as well as servers, client computers and other networked devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch makes sure that network diagrams are kept current, captures and manages the configuration of almost all devices connected to your network, monitors performance, and sends notices when issues are discovered. By automating tedious management and troubleshooting processes, ProSight WAN Watch can knock hours off ordinary chores like making network diagrams, expanding your network, finding appliances that need critical software patches, or resolving performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system operating at peak levels by tracking the health of critical assets that drive your business network. When ProSight LAN Watch detects an issue, an alert is sent immediately to your specified IT management staff and your Progent consultant so all potential issues can be resolved before they can impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a protected Tier III data center on a fast virtual host configured and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the apps. Since the environment is virtualized, it can be ported easily to an alternate hosting environment without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not tied one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and safeguard data related to your IT infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be alerted about impending expirations of SSL certificates ,domains or warranties. By updating and managing your IT infrastructure documentation, you can save up to 50% of time wasted looking for critical information about your IT network. ProSight IT Asset Management features a common location for storing and sharing all documents related to managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether youíre planning enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you require when you need it. Learn more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that utilizes next generation behavior analysis tools to defend endpoints and physical and virtual servers against new malware assaults like ransomware and file-less exploits, which routinely escape traditional signature-matching anti-virus products. Progent Active Security Monitoring services safeguard on-premises and cloud resources and offers a single platform to address the entire threat lifecycle including protection, identification, mitigation, cleanup, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Read more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Service Center: Help Desk Managed Services
    Progent's Help Center managed services enable your IT team to outsource Support Desk services to Progent or divide responsibilities for support services seamlessly between your internal support resources and Progent's nationwide roster of certified IT support engineers and subject matter experts (SBEs). Progent's Shared Help Desk Service offers a smooth extension of your core IT support group. User access to the Service Desk, provision of support services, escalation, trouble ticket creation and updates, efficiency measurement, and management of the service database are cohesive regardless of whether incidents are resolved by your in-house network support staff, by Progent's team, or a mix of the two. Read more about Progent's outsourced/shared Help Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management provide organizations of all sizes a flexible and cost-effective alternative for evaluating, validating, scheduling, applying, and documenting software and firmware updates to your ever-evolving IT network. In addition to optimizing the security and functionality of your computer network, Progent's patch management services free up time for your in-house IT staff to focus on line-of-business projects and activities that derive the highest business value from your information network. Read more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication services utilize Cisco's Duo cloud technology to defend against compromised passwords through the use of two-factor authentication (2FA). Duo enables one-tap identity verification on Apple iOS, Google Android, and other personal devices. Using 2FA, when you log into a protected online account and enter your password you are requested to verify who you are via a device that only you have and that uses a different ("out-of-band") network channel. A wide range of out-of-band devices can be used for this second form of authentication including a smartphone or watch, a hardware/software token, a landline telephone, etc. You may register multiple verification devices. For more information about Duo identity authentication services, visit Cisco Duo MFA two-factor authentication (2FA) services for access security.
For 24x7x365 Bellevue Crypto-Ransomware Cleanup Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.