Ransomware : Your Feared Information Technology Nightmare
Ransomware  Remediation ConsultantsRansomware has become an escalating cyberplague that represents an existential danger for businesses of all sizes poorly prepared for an assault. Different iterations of ransomware like the Reveton, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for many years and still cause harm. The latest versions of ransomware such as Ryuk and Hermes, along with frequent unnamed newcomers, not only do encryption of on-line data but also infect most accessible system backup. Data synched to the cloud can also be encrypted. In a poorly architected system, it can render automatic restoration useless and basically knocks the entire system back to zero.

Getting back programs and data after a ransomware intrusion becomes a sprint against time as the targeted organization struggles to contain and clear the ransomware and to restore business-critical operations. Due to the fact that crypto-ransomware takes time to replicate, assaults are usually sprung on weekends and holidays, when attacks in many cases take more time to recognize. This multiplies the difficulty of rapidly mobilizing and organizing a capable mitigation team.

Progent offers a range of help services for protecting businesses from ransomware events. These include team member education to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of the latest generation security solutions with artificial intelligence technology to automatically detect and suppress zero-day cyber threats. Progent in addition provides the assistance of veteran ransomware recovery professionals with the talent and perseverance to rebuild a compromised environment as urgently as possible.

Progent's Crypto-Ransomware Recovery Support Services
Following a crypto-ransomware event, paying the ransom demands in Bitcoin cryptocurrency does not guarantee that merciless criminals will respond with the keys to decipher any or all of your data. Kaspersky ascertained that 17% of ransomware victims never restored their information after having paid the ransom, resulting in increased losses. The risk is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the average ransomware demands, which ZDNET estimates to be around $13,000. The other path is to piece back together the critical elements of your Information Technology environment. Without the availability of full data backups, this calls for a wide range of skill sets, top notch team management, and the willingness to work non-stop until the task is complete.

For twenty years, Progent has offered professional Information Technology services for companies in Boise and throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have been awarded high-level certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have garnered internationally-recognized industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with accounting and ERP application software. This breadth of expertise gives Progent the ability to quickly ascertain critical systems and organize the surviving components of your computer network system after a ransomware attack and assemble them into a functioning network.

Progent's recovery team of experts has top notch project management tools to orchestrate the complex restoration process. Progent understands the importance of working quickly and in concert with a customerís management and Information Technology team members to assign priority to tasks and to get critical services back on line as soon as possible.

Client Story: A Successful Crypto-Ransomware Virus Restoration
A client hired Progent after their network system was attacked by the Ryuk ransomware virus. Ryuk is believed to have been developed by Northern Korean government sponsored hackers, possibly using approaches leaked from the United States NSA organization. Ryuk goes after specific businesses with little room for disruption and is one of the most profitable instances of ransomware. High publicized targets include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer located in Chicago and has around 500 employees. The Ryuk intrusion had brought down all business operations and manufacturing capabilities. Most of the client's information backups had been online at the beginning of the attack and were damaged. The client considered paying the ransom demand (in excess of $200K) and hoping for the best, but in the end brought in Progent.


"I canít say enough in regards to the help Progent provided us throughout the most fearful period of (our) companyís life. We most likely would have paid the cyber criminals behind the attack if it wasnít for the confidence the Progent experts afforded us. That you could get our e-mail system and important applications back online faster than a week was incredible. Every single person I talked with or messaged at Progent was laser focused on getting us working again and was working 24 by 7 to bail us out."

Progent worked hand in hand the customer to rapidly assess and prioritize the most important applications that needed to be restored to make it possible to resume departmental functions:

  • Active Directory (AD)
  • Microsoft Exchange Email
  • Financials/MRP
To begin, Progent adhered to AV/Malware Processes penetration response best practices by halting lateral movement and cleaning up infected systems. Progent then started the process of recovering Microsoft Active Directory, the core of enterprise systems built upon Microsoft technology. Exchange email will not operate without Active Directory, and the client's accounting and MRP system leveraged SQL Server, which depends on Active Directory for authentication to the database.

Within two days, Progent was able to re-build Windows Active Directory to its pre-attack state. Progent then performed rebuilding and storage recovery of the most important systems. All Exchange Server schema and configuration information were intact, which facilitated the restore of Exchange. Progent was also able to collect local OST data files (Microsoft Outlook Off-Line Folder Files) on staff PCs and laptops to recover email messages. A recent offline backup of the businesses accounting software made them able to restore these required applications back servicing users. Although a large amount of work remained to recover completely from the Ryuk attack, essential services were returned to operations quickly:


"For the most part, the production line operation ran fairly normal throughout and we delivered all customer shipments."

Throughout the next couple of weeks key milestones in the recovery project were achieved through close cooperation between Progent engineers and the customer:

  • Internal web applications were returned to operation without losing any data.
  • The MailStore Microsoft Exchange Server with over four million archived emails was spun up and available for users.
  • CRM/Product Ordering/Invoicing/AP/AR/Inventory Control modules were fully operational.
  • A new Palo Alto 850 security appliance was set up and programmed.
  • Ninety percent of the user workstations were being used by staff.

"A lot of what transpired during the initial response is mostly a blur for me, but our team will not soon forget the urgency all of the team put in to give us our business back. I have been working with Progent for the past 10 years, maybe more, and every time Progent has outperformed my expectations and delivered as promised. This situation was no exception but maybe more Herculean."

Conclusion
A probable business disaster was averted by dedicated professionals, a broad spectrum of subject matter expertise, and tight collaboration. Although in post mortem the ransomware incident described here should have been stopped with current cyber security technology and recognized best practices, team education, and well thought out incident response procedures for data backup and proper patching controls, the fact remains that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a crypto-ransomware penetration, remember that Progent's team of experts has substantial experience in ransomware virus defense, removal, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), Iím grateful for making it so I could get some sleep after we made it past the most critical parts. Everyone did an incredible job, and if anyone that helped is visiting the Chicago area, dinner is on me!"

To review or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Boise a range of online monitoring and security evaluation services to assist you to reduce your vulnerability to ransomware. These services utilize modern machine learning capability to uncover new variants of ransomware that can escape detection by traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes cutting edge behavior-based machine learning tools to guard physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which routinely escape traditional signature-matching AV products. ProSight ASM safeguards local and cloud resources and provides a unified platform to manage the complete malware attack lifecycle including protection, infiltration detection, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth security for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device management, and web filtering via leading-edge tools packaged within a single agent managed from a single control. Progent's data protection and virtualization consultants can help you to plan and configure a ProSight ESP environment that addresses your company's unique needs and that allows you achieve and demonstrate compliance with government and industry data security regulations. Progent will assist you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require immediate attention. Progent's consultants can also help your company to install and verify a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized businesses an affordable and fully managed service for reliable backup/disaster recovery. Available at a low monthly rate, ProSight DPS automates and monitors your backup activities and allows fast restoration of vital data, applications and virtual machines that have become unavailable or damaged due to component breakdowns, software glitches, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, as well as Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to an on-promises device, or to both. Progent's backup and recovery specialists can deliver advanced expertise to configure ProSight Data Protection Services to to comply with government and industry regulatory requirements like HIPAA, FIRPA, and PCI and, whenever needed, can help you to restore your business-critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top information security companies to provide web-based management and comprehensive security for all your email traffic. The hybrid structure of Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway device to provide advanced defense against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and blocks most unwanted email from reaching your security perimeter. This decreases your exposure to external threats and conserves system bandwidth and storage. Email Guard's onsite gateway appliance adds a further layer of inspection for inbound email. For outgoing email, the on-premises security gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also help Microsoft Exchange Server to monitor and safeguard internal email that originates and ends inside your security perimeter. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to map out, track, optimize and troubleshoot their networking appliances such as routers, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Incorporating state-of-the-art RMM technology, WAN Watch makes sure that infrastructure topology maps are always current, captures and manages the configuration information of virtually all devices on your network, monitors performance, and sends notices when potential issues are discovered. By automating complex network management processes, ProSight WAN Watch can knock hours off ordinary chores such as network mapping, reconfiguring your network, locating devices that require important updates, or isolating performance bottlenecks. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that incorporates advanced remote monitoring and management technology to keep your network running efficiently by tracking the health of critical assets that drive your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your designated IT staff and your assigned Progent engineering consultant so all looming issues can be addressed before they can impact your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual machine host configured and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the applications. Since the environment is virtualized, it can be ported easily to an alternate hosting environment without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and protect data about your network infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be alerted about impending expirations of SSLs or warranties. By updating and managing your IT infrastructure documentation, you can save up to half of time wasted looking for vital information about your network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents related to managing your business network like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether youíre planning enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you need when you need it. Read more about Progent's ProSight IT Asset Management service.
For 24/7/365 Boise Ransomware Cleanup Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.