Ransomware : Your Crippling Information Technology Disaster
Ransomware  Recovery ExpertsRansomware has become a modern cyberplague that represents an enterprise-level threat for businesses poorly prepared for an assault. Different iterations of ransomware such as CrySIS, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for a long time and continue to cause damage. Newer strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, along with additional unnamed newcomers, not only encrypt online data but also infect all available system protection mechanisms. Files synched to off-site disaster recovery sites can also be encrypted. In a poorly architected system, it can make any recovery hopeless and effectively sets the datacenter back to square one.

Restoring services and data following a crypto-ransomware attack becomes a race against the clock as the targeted business struggles to contain the damage and remove the ransomware and to restore enterprise-critical operations. Because ransomware requires time to spread, penetrations are usually sprung during weekends and nights, when successful penetrations typically take more time to recognize. This compounds the difficulty of promptly marshalling and orchestrating a knowledgeable mitigation team.

Progent offers a range of services for protecting businesses from crypto-ransomware attacks. These include user training to become familiar with and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of the latest generation security gateways with artificial intelligence technology to automatically identify and quarantine day-zero cyber attacks. Progent in addition can provide the services of seasoned ransomware recovery consultants with the skills and perseverance to rebuild a compromised environment as urgently as possible.

Progent's Crypto-Ransomware Restoration Services
After a ransomware attack, paying the ransom demands in Bitcoin cryptocurrency does not guarantee that cyber criminals will provide the keys to decipher all your information. Kaspersky Labs determined that 17% of ransomware victims never recovered their information after having paid the ransom, resulting in increased losses. The risk is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is significantly higher than the usual crypto-ransomware demands, which ZDNET determined to be around $13,000. The alternative is to piece back together the essential parts of your Information Technology environment. Without access to full system backups, this calls for a wide complement of skills, professional team management, and the ability to work non-stop until the job is completed.

For two decades, Progent has made available certified expert Information Technology services for businesses in Boise and across the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have been awarded top industry certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have garnered internationally-renowned industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise in financial management and ERP software solutions. This breadth of expertise gives Progent the capability to knowledgably understand critical systems and re-organize the surviving parts of your IT environment after a crypto-ransomware attack and configure them into an operational network.

Progent's security group uses powerful project management applications to coordinate the sophisticated restoration process. Progent knows the urgency of working swiftly and together with a customerís management and IT resources to prioritize tasks and to get key systems back online as soon as possible.

Client Case Study: A Successful Ransomware Intrusion Restoration
A small business contacted Progent after their network system was attacked by the Ryuk ransomware virus. Ryuk is thought to have been developed by North Korean state sponsored criminal gangs, suspected of using strategies leaked from Americaís National Security Agency. Ryuk attacks specific organizations with little or no tolerance for operational disruption and is among the most lucrative versions of ransomware. Well Known organizations include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing business based in the Chicago metro area and has around 500 employees. The Ryuk intrusion had frozen all business operations and manufacturing processes. Most of the client's data protection had been directly accessible at the time of the intrusion and were eventually encrypted. The client considered paying the ransom (exceeding $200K) and wishfully thinking for the best, but ultimately engaged Progent.


"I cannot speak enough in regards to the care Progent provided us throughout the most stressful time of (our) companyís life. We would have paid the Hackers except for the confidence the Progent team afforded us. The fact that you could get our e-mail system and essential servers back quicker than 1 week was amazing. Every single staff member I spoke to or texted at Progent was amazingly focused on getting us operational and was working all day and night on our behalf."

Progent worked together with the client to rapidly get our arms around and prioritize the most important elements that needed to be recovered to make it possible to restart departmental operations:

  • Microsoft Active Directory
  • Electronic Mail
  • MRP System
To begin, Progent adhered to AV/Malware Processes incident mitigation industry best practices by isolating and removing active viruses. Progent then initiated the steps of rebuilding Windows Active Directory, the core of enterprise environments built on Microsoft technology. Exchange messaging will not work without Active Directory, and the client's accounting and MRP system leveraged Microsoft SQL Server, which needs Active Directory services for security authorization to the database.

In less than two days, Progent was able to rebuild Active Directory services to its pre-attack state. Progent then helped perform rebuilding and storage recovery of essential systems. All Microsoft Exchange Server schema and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to collect non-encrypted OST files (Outlook Email Off-Line Folder Files) on staff desktop computers in order to recover email data. A recent off-line backup of the client's financials/ERP systems made them able to restore these required programs back available to users. Although a lot of work still had to be done to recover totally from the Ryuk attack, core systems were recovered quickly:


"For the most part, the production operation never missed a beat and we delivered all customer deliverables."

Over the next month critical milestones in the restoration process were made in tight collaboration between Progent consultants and the customer:

  • Internal web sites were returned to operation with no loss of data.
  • The MailStore Exchange Server containing more than four million archived messages was brought online and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory modules were 100% recovered.
  • A new Palo Alto Networks 850 security appliance was installed.
  • 90% of the user PCs were being used by staff.

"So much of what was accomplished that first week is mostly a blur for me, but our team will not soon forget the dedication each and every one of you accomplished to give us our company back. Iíve entrusted Progent for the past 10 years, possibly more, and each time I needed help Progent has shined and delivered. This time was the most impressive ever."

Conclusion
A potential enterprise-killing disaster was dodged due to results-oriented professionals, a wide spectrum of IT skills, and close collaboration. Although in post mortem the ransomware incident described here should have been shut down with current cyber security technology solutions and best practices, user and IT administrator education, and appropriate incident response procedures for data protection and applying software patches, the reality is that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware incursion, feel confident that Progent's roster of experts has a proven track record in ransomware virus defense, removal, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were involved), thanks very much for allowing me to get some sleep after we made it through the most critical parts. Everyone did an fabulous job, and if anyone that helped is visiting the Chicago area, dinner is on me!"

To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Boise a variety of online monitoring and security assessment services to assist you to minimize your vulnerability to ransomware. These services incorporate next-generation AI capability to uncover zero-day strains of ransomware that can get past legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes cutting edge behavior-based analysis tools to defend physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which routinely get by traditional signature-matching AV tools. ProSight Active Security Monitoring safeguards on-premises and cloud resources and offers a single platform to address the entire malware attack lifecycle including blocking, detection, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services deliver affordable multi-layer security for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and responding to cyber threats from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, device control, and web filtering through cutting-edge tools packaged within a single agent managed from a single control. Progent's data protection and virtualization experts can help you to design and implement a ProSight ESP deployment that addresses your organization's unique requirements and that allows you demonstrate compliance with legal and industry data security regulations. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that require urgent attention. Progent's consultants can also assist you to install and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and mid-sized businesses a low cost end-to-end solution for secure backup/disaster recovery. Available at a fixed monthly rate, ProSight DPS automates your backup processes and allows rapid restoration of critical data, applications and VMs that have become lost or damaged due to hardware failures, software glitches, natural disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to a local storage device, or to both. Progent's backup and recovery consultants can deliver world-class expertise to configure ProSight DPS to be compliant with government and industry regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can help you to restore your critical data. Learn more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading data security vendors to provide web-based control and comprehensive protection for your inbound and outbound email. The hybrid architecture of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises security gateway device to offer complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The cloud filter acts as a preliminary barricade and keeps the vast majority of threats from making it to your security perimeter. This reduces your vulnerability to inbound threats and saves system bandwidth and storage space. Email Guard's onsite gateway device adds a further layer of analysis for inbound email. For outgoing email, the local security gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends inside your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller businesses to map out, monitor, reconfigure and troubleshoot their networking appliances such as routers and switches, firewalls, and load balancers plus servers, printers, endpoints and other networked devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch makes sure that network diagrams are always current, copies and displays the configuration of almost all devices on your network, tracks performance, and generates alerts when problems are detected. By automating complex management activities, WAN Watch can knock hours off common tasks such as network mapping, reconfiguring your network, finding appliances that require important software patches, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to keep your IT system operating efficiently by checking the health of critical computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your designated IT management personnel and your Progent consultant so any looming problems can be addressed before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a protected fault tolerant data center on a high-performance virtual host configured and maintained by Progent's network support professionals. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be moved easily to an alternate hardware environment without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, your business is not tied a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and protect information related to your IT infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be alerted about impending expirations of SSL certificates or domains. By updating and organizing your IT infrastructure documentation, you can eliminate up to 50% of time thrown away looking for critical information about your network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents related to managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether youíre making improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you require when you need it. Learn more about ProSight IT Asset Management service.
For 24-7 Boise Crypto Cleanup Services, reach out to Progent at 800-993-9400 or go to Contact Progent.