Ransomware: Your Worst IT Nightmare
Ransomware Recovery Professionals

Ransomware has become a modern cyber pandemic that represents an extinction-level danger for businesses of all sizes unprepared for an attack. Different versions of ransomware like the Dharma, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for a long time and continue to cause harm. Newer strains of ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Nefilim, as well as daily as-yet-unnamed malware, not only encrypt on-line critical data but also infiltrate many accessible system restores and backups. Information synched to the cloud can also be rendered useless. In a poorly designed environment, this can render automatic restore operations hopeless and effectively sets the entire system back to zero.

Getting back on-line services and information following a ransomware outage becomes a sprint against time as the targeted business tries its best to stop lateral movement and clear the ransomware and to restore business-critical activity. Because ransomware requires time to spread, attacks are frequently sprung during nights and weekends, when penetrations tend to take longer to uncover. This compounds the difficulty of quickly marshalling and organizing a qualified response team.

Progent has a variety of solutions for securing businesses from ransomware events. Among these are staff education to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of modern security solutions with AI technology to rapidly detect and suppress new threats. Progent in addition can provide the services of expert ransomware recovery professionals with the talent and commitment to rebuild a breached system as soon as possible.

Progent's Ransomware Restoration Services
Soon after a ransomware penetration, even paying the ransom demands in cryptocurrency does not guarantee that merciless criminals will provide the codes to decrypt any or all of your data. Kaspersky determined that seventeen percent of crypto-ransomware victims never restored their information even after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNET determined to be in the range of $13,000. The fallback is to re-install the vital elements of your Information Technology environment. Without access to essential data backups, this calls for a wide range of skill sets, professional team management, and the willingness to work continuously until the recovery project is finished.

For two decades, Progent has made available professional IT services for companies in Brighton and throughout the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have been awarded advanced industry certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have garnered internationally-renowned industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has experience in financial management and ERP application software. This breadth of expertise affords Progent the skills to quickly determine critical systems and re-organize the surviving components of your network environment after a crypto-ransomware penetration and configure them into an operational system.

Progent's ransomware group has best of breed project management tools to coordinate the sophisticated restoration process. Progent understands the importance of working quickly and together with a client's management and Information Technology staff to assign priority to tasks and to put essential applications back online as fast as humanly possible.

Case Study: A Successful Ransomware Attack Restoration
A customer contacted Progent after their company was crippled by Ryuk ransomware. Ryuk is thought to have been deployed by North Korean government-sponsored criminal gangs, suspected of adopting techniques leaked from the U.S. National Security Agency. Ryuk goes after specific companies with little or no room for operational disruption and is among the most profitable iterations of ransomware viruses. Well-known victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in Chicago with around 500 staff members. The Ryuk event had brought down all company operations and manufacturing processes. The majority of the client's data backups had been on-line at the start of the attack and were damaged. The client was actively seeking loans to pay the ransom demand (exceeding $200K) and hoping for good luck, but in the end reached out to Progent.


"I cannot say enough about the help Progent provided us during the most fearful period of (our) business's survival. We most likely would have paid the Hackers if it wasn't for the confidence the Progent experts gave us. The fact that you were able to get our e-mail and essential applications back into operation sooner than one week was something I thought impossible. Each person I talked with or texted at Progent was urgently focused on getting our company operational and was working 24 by 7 on our behalf."

Progent worked with the customer to quickly assess and prioritize the essential systems that had to be recovered in order to restart company functions:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • MRP System

To get going, Progent adhered to ransomware penetration mitigation best practices by halting lateral movement and removing active viruses. Progent then initiated the task of recovering Microsoft AD, the heart of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange messaging will not operate without AD, and the business's MRP system leveraged Microsoft SQL Server, which depends on Windows AD for access to the data.

In less than 48 hours, Progent was able to rebuild Active Directory to its pre-virus state. Progent then initiated setup and storage recovery of key systems. All Exchange Server data and attributes were intact, which facilitated the restore of Exchange. Progent was also able to collect local OST data files (Outlook Offline Data Files) from staff workstations in order to recover email data. A recent off-line backup of the client's accounting systems made it possible to get these essential applications back in service. Although major work remained to recover fully from the Ryuk damage, the most important systems were recovered quickly:


"For the most part, the production operation was never shut down and we did not miss any customer shipments."
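
The OST collection step described above, as an added PowerShell example that is not Progent's tooling: it inventories Outlook OST files over workstation admin shares, stages copies into a recovery share with SHA256 hashes recorded in a manifest, and flags any file written after the incident start so the team can prefer the latest clean copy. The host list file, the staging share and the incident timestamp are placeholders.

```powershell
# Added example (not Progent's code): inventory and stage Outlook OST files
# from workstations so mailbox data can be recovered when Exchange data is lost.
# Assumptions (placeholders): workstation names one per line in .\hosts.txt,
# admin shares reachable with the recovery account, a staging share at
# \\RECOVERY01\ost$, and the incident start time supplied by the IR team.

$Hosts         = Get-Content -Path '.\hosts.txt'
$Staging       = '\\RECOVERY01\ost$'                     # assumed staging share
$IncidentStart = Get-Date '2020-01-01T02:00:00'          # placeholder timestamp
$Manifest      = Join-Path $Staging 'ost-manifest.csv'
$Results       = @()

foreach ($Computer in $Hosts) {
    # Outlook keeps each profile's OST under the user's local AppData.
    $Root = "\\$Computer\C$\Users"
    if (-not (Test-Path -Path $Root)) {
        Write-Warning "$Computer : admin share unreachable, skipping"
        continue
    }
    $OstFiles = Get-ChildItem -Path "$Root\*\AppData\Local\Microsoft\Outlook\*.ost" `
                              -ErrorAction SilentlyContinue
    foreach ($File in $OstFiles) {
        $Dest = Join-Path $Staging ("{0}_{1}" -f $Computer, $File.Name)
        try {
            Copy-Item -Path $File.FullName -Destination $Dest -ErrorAction Stop
            $Hash   = (Get-FileHash -Path $Dest -Algorithm SHA256).Hash
            $Status = 'copied'
        } catch {
            # A file locked by a running Outlook, or unreadable after encryption,
            # lands here; it is recorded so the team can revisit the host later.
            $Hash   = ''
            $Status = "failed: $($_.Exception.Message)"
        }
        $Results += [pscustomobject]@{
            Computer              = $Computer
            Path                  = $File.FullName
            SizeMB                = [math]::Round($File.Length / 1MB, 1)
            LastWriteTime         = $File.LastWriteTime
            # A write after the incident start is a hint the file may be damaged.
            ModifiedAfterIncident = ($File.LastWriteTime -gt $IncidentStart)
            SHA256                = $Hash
            Status                = $Status
        }
    }
}

# The manifest is the recovery team's record of what was collected from where.
$Results | Export-Csv -Path $Manifest -NoTypeInformation
$Results | Sort-Object LastWriteTime -Descending |
    Format-Table Computer, SizeMB, LastWriteTime, ModifiedAfterIncident, Status -AutoSize
```

Run it from an isolated recovery workstation after lateral movement has been stopped; hosts that still fail to copy can be imaged locally once they are confirmed clean.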

Over the next month important milestones in the recovery project were completed through tight collaboration between Progent consultants and the client:

  • Self-hosted web sites were returned to operation without losing any information.
  • The MailStore Server exceeding 4 million archived messages was brought online and available for users.
  • CRM/Product Ordering/Invoicing/AP/Accounts Receivables (AR)/Inventory Control modules were 100% operational.
  • A new Palo Alto Networks 850 firewall was installed and configured.
  • Nearly all of the user desktops were operational.

"So much of what happened that first week is mostly a haze for me, but I will not forget the urgency each of you accomplished to help get our business back. I have been working with Progent for at least 10 years, possibly more, and each time Progent has outperformed my expectations and delivered as promised. This event was no exception but maybe more Herculean."

Conclusion
A possible business-ending disaster was dodged by dedicated professionals, a broad range of technical expertise, and close collaboration. Although in hindsight the crypto-ransomware virus incident described here could have been prevented with modern cyber security technology solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and well-designed incident response procedures for information backup and proper patching controls, the fact is that state-sponsored hackers from Russia, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware incident, feel confident that Progent's roster of professionals has a proven track record in crypto-ransomware virus blocking, cleanup, and information systems restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), I'm grateful for letting me get some sleep after we got over the first week. Everyone did an incredible job, and if any of your guys is visiting the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Brighton a range of online monitoring and security assessment services designed to assist you to reduce your vulnerability to ransomware. These services utilize next-generation artificial intelligence technology to detect zero-day variants of ransomware that are able to get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates cutting edge behavior machine learning tools to guard physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which routinely get by legacy signature-matching anti-virus products. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a unified platform to automate the entire threat progression including blocking, detection, mitigation, cleanup, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer economical multi-layer security for physical and virtual servers, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP provides firewall protection, intrusion alerts, device control, and web filtering through cutting-edge technologies packaged within a single agent accessible from a single console. Progent's security and virtualization experts can assist your business to design and configure a ProSight ESP deployment that addresses your organization's specific needs and that allows you demonstrate compliance with government and industry information protection regulations. Progent will help you specify and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that call for immediate attention. Progent's consultants can also assist your company to install and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has partnered with leading backup/restore technology providers to produce ProSight Data Protection Services, a portfolio of subscription-based management offerings that provide backup-as-a-service (BaaS). ProSight DPS products manage and monitor your backup processes and enable transparent backup and rapid recovery of critical files, apps, images, plus Hyper-V and VMware virtual machines. ProSight DPS helps you recover from data loss caused by hardware failures, natural calamities, fire, malware like ransomware, user mistakes, ill-intentioned employees, or software glitches. Managed backup services in the ProSight Data Protection Services portfolio include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent expert can assist you to identify which of these fully managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading information security vendors to deliver centralized control and world-class security for your email traffic. The powerful architecture of Progent's Email Guard integrates a Cloud Protection Layer with a local security gateway appliance to provide complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's cloud filter serves as a preliminary barricade and keeps most threats from reaching your network firewall. This decreases your exposure to external threats and conserves system bandwidth and storage space. Email Guard's onsite gateway appliance adds a deeper layer of analysis for incoming email. For outbound email, the local security gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The local gateway can also help Microsoft Exchange Server to track and safeguard internal email that stays within your security perimeter. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to diagram, monitor, reconfigure and troubleshoot their networking hardware such as routers, firewalls, and load balancers as well as servers, client computers and other networked devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch ensures that network diagrams are kept updated, captures and displays the configuration of virtually all devices on your network, monitors performance, and sends notices when potential issues are discovered. By automating tedious network management activities, ProSight WAN Watch can knock hours off ordinary chores like network mapping, reconfiguring your network, finding devices that need critical updates, or identifying the cause of performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management techniques to keep your network running at peak levels by tracking the health of critical assets that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your designated IT staff and your Progent engineering consultant so all looming issues can be addressed before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual host configured and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the apps. Because the environment is virtualized, it can be moved easily to an alternate hosting environment without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and safeguard information about your IT infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates, domains or warranties. By updating and managing your network documentation, you can save up to 50% of time thrown away looking for critical information about your network. ProSight IT Asset Management features a common location for storing and collaborating on all documents related to managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether you're planning improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you require when you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection solution that incorporates cutting edge behavior-based analysis technology to guard endpoints as well as physical and virtual servers against new malware attacks like ransomware and email phishing, which routinely escape legacy signature-matching anti-virus products. Progent ASM services safeguard on-premises and cloud resources and provide a single platform to automate the complete threat lifecycle including filtering, detection, containment, remediation, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered threats. Read more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Help Center: Help Desk Managed Services
    Progent's Support Desk managed services permit your information technology staff to outsource Support Desk services to Progent or divide responsibilities for support services transparently between your in-house network support team and Progent's nationwide pool of IT support engineers and subject matter experts. Progent's Shared Service Desk provides a seamless extension of your internal IT support group. End user interaction with the Service Desk, delivery of technical assistance, issue escalation, ticket creation and tracking, efficiency metrics, and management of the support database are cohesive regardless of whether issues are taken care of by your core network support group, by Progent's team, or by a combination. Find out more about Progent's outsourced/shared Call Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management offer organizations of all sizes a flexible and cost-effective alternative for evaluating, validating, scheduling, applying, and tracking software and firmware updates to your ever-evolving IT system. In addition to maximizing the protection and reliability of your computer network, Progent's patch management services allow your in-house IT team to focus on line-of-business initiatives and activities that deliver maximum business value from your information network. Find out more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo authentication service plans utilize Cisco's Duo technology to defend against password theft by using two-factor authentication. Duo enables one-tap identity confirmation with Apple iOS, Android, and other personal devices. Using Duo 2FA, when you sign into a secured online account and give your password you are requested to verify your identity via a device that only you have and that uses a separate network channel. A wide selection of devices can be utilized as this added means of ID validation such as an iPhone or Android or wearable, a hardware/software token, a landline telephone, etc. You may designate multiple validation devices. For more information about ProSight Duo two-factor identity validation services, refer to Duo MFA two-factor authentication (2FA) services.

For 24/7/365 Brighton CryptoLocker Remediation Services, contact Progent at 800-462-8800 or go to Contact Progent.