Ransomware : Your Crippling Information Technology Disaster
Ransomware Remediation Experts
Ransomware has become a too-frequent cyber pandemic that poses an extinction-level threat to organizations poorly prepared for an attack. Multiple generations of ransomware such as the CrySIS, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been in the wild for years and still inflict havoc. The latest variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Egregor, plus unnamed newcomers, not only encrypt online data files but also infiltrate every accessible system restore point and backup. Information synced to cloud environments can also be encrypted. In a poorly architected system, this can make automated restoration useless and essentially sets the datacenter back to zero.

Recovering applications and information after a crypto-ransomware outage becomes a race against the clock as the targeted business struggles to contain the damage, clear the ransomware, and restore mission-critical operations. Because crypto-ransomware takes time to move laterally, attacks are often launched on nights and weekends, when a successful intrusion typically takes longer to detect. This compounds the difficulty of rapidly mobilizing and orchestrating a knowledgeable mitigation team.

Progent offers a variety of services for protecting businesses from ransomware attacks. Among these are staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of next-generation security appliances with machine learning capabilities that automatically identify and stop new cyber threats. Progent also offers the assistance of experienced ransomware recovery engineers with the talent and perseverance to redeploy a breached network as quickly as possible.

Progent's Ransomware Recovery Support Services
After a crypto-ransomware attack, paying the ransom demand in cryptocurrency provides no assurance that the remote criminals will respond with the keys needed to decrypt any or all of your files. Kaspersky found that 17% of ransomware victims never recovered their data after paying the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000). This is significantly higher than the average ransomware demand, which ZDNET determined to be in the range of $13,000. The alternative is to rebuild the critical components of your IT environment. Without essential data backups available, this calls for a broad complement of IT skills, professional team management, and the ability to work non-stop until the recovery project is complete.

For two decades, Progent has provided expert Information Technology services to businesses in Bellevue and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who hold high-level industry certifications in key technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security consultants hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience with accounting and ERP applications. This breadth of expertise gives Progent the skills to quickly understand critical systems, reorganize the remaining pieces of your network environment after a ransomware attack, and assemble them into an operational network.

Progent's recovery group has state-of-the-art project management systems to coordinate the complex restoration process. Progent knows the urgency of acting swiftly and in concert with a client's management and IT resources to prioritize tasks and to get key applications back on line as fast as possible.

Customer Case Study: A Successful Ransomware Incident Restoration
A business engaged Progent after their organization was breached by the Ryuk crypto-ransomware. Ryuk is believed to have been created by North Korean state-sponsored hackers, possibly using techniques leaked from the United States NSA. Ryuk targets specific companies that have little tolerance for operational disruption and is one of the most lucrative strains of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing company based in the Chicago metro area with about 500 employees. The Ryuk intrusion had disabled all essential business operations and manufacturing processes. The majority of the client's system backups had been online at the start of the attack and were eventually encrypted. The client was evaluating paying the ransom demand (more than $200,000) and hoping for the best, but in the end turned to Progent.


"I can't tell you enough in regards to the help Progent gave us during the most stressful period of (our) company's life. We most likely would have paid the cyber criminals behind the attack except for the confidence the Progent experts gave us. The fact that you could get our messaging and key servers back on-line in less than one week was something I thought impossible. Every single staff member I worked with or messaged at Progent was hell bent on getting us restored and was working day and night on our behalf."

Progent worked hand in hand with the customer to quickly understand and prioritize the key areas that had to be restored before business operations could restart:

  • Active Directory (AD)
  • Microsoft Exchange Server
  • Financials/MRP
To start, Progent followed industry best practices for malware incident response by stopping lateral movement and disinfecting systems. Progent then began bringing Microsoft AD back online, since it is the core of enterprise environments built on Microsoft Windows technology: Microsoft Exchange messaging will not work without AD, and the customer's MRP software relied on Microsoft SQL Server, which in turn needs Active Directory for authentication to the databases.

Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then completed the rebuild and hard drive recovery of critical applications. All Exchange data and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was also able to collect unencrypted OST files (Outlook Offline Folder Files) from user PCs to recover mail data. A recent offline backup of the customer's accounting software made it possible to bring these vital programs back online for users. Although significant work remained to recover fully from the Ryuk attack, the most important services were recovered quickly:


"For the most part, the assembly line operation did not miss a beat and we delivered all customer shipments."

Throughout the following few weeks important milestones in the restoration process were completed through tight collaboration between Progent engineers and the customer:

  • In-house web sites were restored without losing any information.
  • The MailStore Exchange Server exceeding 4 million historical emails was spun up and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control modules were 100% functional.
  • A new Palo Alto Networks 850 firewall was brought online.
  • Nearly all of the user desktops were back into operation.

"So much of what happened that first week is mostly a blur for me, but my team will not soon forget the urgency each of your team put in to help get our business back. I have been working with Progent for at least 10 years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This situation was a testament to your capabilities."

Conclusion
A likely business disaster was averted with dedicated experts, a wide array of IT skills, and close collaboration. In hindsight, the crypto-ransomware incident described here should have been prevented by advanced security solutions and recognized best practices: staff training, sound procedures for data backup, and keeping systems current with security patches. The reality, however, is that state-sponsored cybercriminals from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware attack, remember that Progent's team of experts has extensive experience in ransomware blocking, mitigation, and information systems disaster recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), I'm grateful for allowing me to get some sleep after we made it through the initial push. All of you did an impressive effort, and if any of your team is around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Bellevue a range of online monitoring and security evaluation services designed to help you to reduce the threat from ransomware. These services include modern artificial intelligence capability to uncover new strains of crypto-ransomware that can escape detection by legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates cutting edge behavior-based analysis technology to guard physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which easily escape traditional signature-based AV tools. ProSight ASM safeguards on-premises and cloud resources and provides a single platform to automate the complete threat lifecycle including protection, detection, mitigation, cleanup, and forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services offer affordable multi-layer security for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, device management, and web filtering via leading-edge tools incorporated within a single agent managed from a unified console. Progent's data protection and virtualization consultants can help your business to design and configure a ProSight ESP deployment that addresses your organization's specific requirements and that helps you demonstrate compliance with government and industry data protection standards. Progent will assist you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for urgent action. Progent's consultants can also assist you to set up and verify a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and mid-sized businesses a low-cost and fully managed solution for secure backup and disaster recovery. For a low monthly price, ProSight DPS automates and monitors your backup activities and enables fast restoration of critical data, applications and virtual machines that have become unavailable or corrupted due to component failures, software glitches, disasters, human error, or malware attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to an on-premises device, or to both. Progent's BDR specialists can provide world-class expertise to set up ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FIRPA, PCI and Safe Harbor and, when needed, can assist you to restore your business-critical data. Read more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading data security companies to provide centralized management and world-class security for all your inbound and outbound email. The powerful architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway device to offer advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The cloud filter serves as a preliminary barricade and blocks the vast majority of unwanted email from making it to your security perimeter. This reduces your exposure to external threats and saves network bandwidth and storage. Email Guard's onsite security gateway appliance adds a further level of inspection for inbound email. For outgoing email, the onsite gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends inside your corporate firewall. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map, track, enhance and troubleshoot their connectivity appliances such as routers and switches, firewalls, and load balancers as well as servers, printers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that network diagrams are always updated, copies and manages the configuration of virtually all devices connected to your network, monitors performance, and generates alerts when problems are detected. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can knock hours off ordinary chores like network mapping, expanding your network, locating appliances that require critical updates, or resolving performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your network operating efficiently by tracking the health of vital assets that power your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your specified IT personnel and your assigned Progent engineering consultant so that any looming issues can be addressed before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual machine host configured and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the applications. Since the system is virtualized, it can be ported immediately to an alternate hosting environment without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and safeguard information about your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT infrastructure documentation, you can save as much as 50% of the time wasted looking for vital information about your IT network. ProSight IT Asset Management features a common location for holding and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're making improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you require as soon as you need it. Read more about ProSight IT Asset Management service.

For Bellevue 24-Hour Ransomware Recovery Consultants, contact Progent at 800-993-9400 or go to Contact Progent.