Ransomware : Your Feared IT Nightmare
Ransomware Recovery Experts
Crypto-ransomware has become an escalating cyberplague and an enterprise-level threat to businesses of all sizes that are poorly prepared for an attack. Older families such as Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock have been around for years and still cause harm. Newer variants such as Ryuk (derived from the Hermes code base), along with a steady stream of unnamed newcomers, not only encrypt online files but also encrypt or delete any backups reachable from the compromised network. Data replicated to the cloud can be encrypted as well when the replication runs under credentials the attacker controls. In a vulnerable environment this renders automated restoration useless and effectively knocks the network back to square one.

Getting applications and data back online after a ransomware intrusion becomes a race against time as the targeted organization tries to stop lateral movement, eradicate the ransomware, and restore mission-critical activity. Because encrypting files and spreading across a network take time, attacks are frequently launched on weekends and at night, when the intrusion may go unnoticed for longer. This multiplies the difficulty of promptly assembling and coordinating a capable response team.

Progent offers a range of services for protecting businesses from ransomware. Among these are user training to help staff recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for behavior-based endpoint protection and response, and deployment of modern security gateways that use machine learning to identify and quarantine zero-day threats. Progent can also provide seasoned ransomware recovery consultants with the skills and commitment to rebuild a compromised environment as quickly as possible.

Progent's Ransomware Recovery Services
After a crypto-ransomware attack, paying the ransom in Bitcoin does not guarantee that the criminals will hand over the keys needed to decrypt your files. Kaspersky Lab found that seventeen percent of ransomware victims who paid never recovered their data, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), well above the typical ransomware demand, which ZDNet estimated at around $13,000. The alternative is to rebuild the key elements of your IT environment. Without access to intact backups, this requires a wide range of skills, first-rate team management, and the willingness to work around the clock until the job is done.

For decades, Progent has provided professional IT services for businesses in Broomfield and throughout the United States and has earned Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who hold advanced certifications in key technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's security experts hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC (refer to Progent's certifications). Progent also has expertise in financial systems and ERP software. This breadth of expertise allows Progent to rapidly determine which systems are essential, salvage the remaining pieces of your network following a ransomware attack, and reassemble them into an operational whole.

Progent's ransomware team uses professional project management tools to orchestrate the complex recovery process. Progent appreciates the urgency of working rapidly and in concert with a client's management and IT staff to prioritize tasks and bring essential services back online as fast as humanly possible.

Client Story: A Successful Ransomware Attack Recovery
A business hired Progent after its network was brought down by Ryuk ransomware. Early reports attributed Ryuk to North Korean actors because it shares code with the Hermes ransomware used in a 2017 bank heist; later analysis attributed Ryuk operations to a Russian-speaking criminal group and noted that Hermes had been sold on underground forums, so the attribution remains disputed. Ryuk is deployed against specific organizations with little tolerance for downtime and is among the most profitable ransomware operations. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing company, and Tribune Publishing, owner of the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in the Chicago area with about 500 employees. The Ryuk attack had shut down all essential business operations and manufacturing processes. Most of the client's backups had been online at the time of the attack and were encrypted. The client was considering paying the ransom (more than two hundred thousand dollars) and hoping for the best, but in the end engaged Progent.


"I cannot tell you enough in regards to the help Progent provided us during the most stressful time of (our) business's survival. We would have paid the Hackers except for the confidence the Progent group afforded us. That you could get our e-mail and production applications back into operation in less than five days was incredible. Every single staff member I talked with or e-mailed at Progent was laser focused on getting my company operational and was working at breakneck pace on our behalf."

Progent worked with the customer to quickly get a handle on and prioritize the essential areas that had to be addressed in order to restart company functions:

  • Windows Active Directory
  • Email
  • Accounting/MRP
To begin, Progent followed incident response best practices: contain the intrusion to halt lateral movement, then eradicate the malware. Progent then started restoring Active Directory, the foundation of an enterprise built on Microsoft technology. Microsoft Exchange will not run without Active Directory, and the client's financials and MRP software used Microsoft SQL Server with Windows authentication, which depends on Active Directory to authorize access to the database.

Within two days, Progent restored Active Directory to its pre-attack state. Progent then helped rebuild and recover storage for the most important systems. All Exchange Server schema and configuration information held in Active Directory was intact, which accelerated the Exchange rebuild. Progent was able to collect unencrypted OST files (Outlook Offline Data Files) from staff PCs in order to recover mailbox contents. A recent offline backup of the customer's accounting software made it possible to bring these vital applications back for users. Although a great deal of work remained to recover completely from the Ryuk event, essential services were returned to operation quickly:


"For the most part, the manufacturing operation was never shut down and we did not miss any customer sales."
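
The OST-salvage step described above is worth automating: before copying gigabytes of Outlook data files off workstations, a responder wants to know which ones are still intact. The script below is an added example, not Progent's tooling. It relies on one fact about the format, that every Outlook PST/OST file begins with the 4-byte signature "!BDN", and on the common ransomware habit of appending a foreign extension to encrypted files. The ".locked" suffix, the user names and the directory layout are constructed for the demonstration, and a valid header is a triage signal only; Outlook's own repair tool (scanpst.exe) remains the final check before a file is reattached.

```python
"""Triage Outlook data files (.ost/.pst) left on workstations after a ransomware event."""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Every PST/OST file starts with the 4-byte signature "!BDN" (0x21 0x42 0x44 0x4E).
# Ciphertext does not carry it, so a header check cheaply separates salvageable
# stores from encrypted ones without opening them in Outlook.
OUTLOOK_MAGIC = b"!BDN"


def classify_outlook_file(path):
    """Return 'intact', 'encrypted', or 'empty' for one candidate file."""
    p = Path(path)
    if p.stat().st_size == 0:
        return "empty"
    with p.open("rb") as fh:
        header = fh.read(len(OUTLOOK_MAGIC))
    # A correct header does not prove the store is consistent (scanpst.exe is the
    # final check), but a wrong header means the bytes are no longer an Outlook store.
    return "intact" if header == OUTLOOK_MAGIC else "encrypted"


def find_outlook_files(root):
    """Walk `root` and classify every file whose name contains .ost or .pst.

    Ransomware commonly appends its own extension (mailbox.ost -> mailbox.ost.locked),
    so match on the substring rather than on the final suffix alone.
    """
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if ".ost" in lower or ".pst" in lower:
                full = os.path.join(dirpath, name)
                results[full] = classify_outlook_file(full)
    return results


def summarize(results):
    """Count files per classification so the recovery team can size the salvage job."""
    return dict(Counter(results.values()))


def build_sample_tree(root):
    """Constructed sample data (not real mailboxes): one intact OST, one encrypted
    OST with a hypothetical '.locked' extension appended, one zero-length PST."""
    intact = Path(root, "alice", "Outlook", "alice@example.com.ost")
    encrypted = Path(root, "bob", "Outlook", "bob@example.com.ost.locked")
    empty = Path(root, "carol", "Outlook", "archive.pst")
    for f in (intact, encrypted, empty):
        f.parent.mkdir(parents=True, exist_ok=True)
    intact.write_bytes(OUTLOOK_MAGIC + b"\x00" * 60)
    encrypted.write_bytes(bytes(range(64)))  # stand-in for ciphertext, no "!BDN" header
    empty.write_bytes(b"")
    return root


def demo():
    """Build the sample tree in a temporary directory and return the summary counts."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(find_outlook_files(tmp))


if __name__ == "__main__":
    for path, verdict in sorted(find_outlook_files(build_sample_tree(tempfile.mkdtemp())).items()):
        print(f"{verdict:9s} {path}")
    print(demo())
```

In a real engagement the walk would run against the user profile directories of each workstation (or a mounted disk image), and the "intact" list would drive what gets copied to a clean server for re-ingestion into the rebuilt Exchange environment.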

Over the following couple of weeks, key milestones in the recovery project were completed through close cooperation between Progent consultants and the client:

  • Self-hosted web sites were restored with no loss of information.
  • The MailStore email archive server, holding more than 4 million archived messages, was brought online and made available to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory functions were 100 percent functional.
  • A new Palo Alto Networks PA-850 firewall was installed.
  • Ninety percent of the desktops and laptops were back in operation.

"A lot of what transpired in the initial days is mostly a blur for me, but my team will not soon forget the countless hours each of your team accomplished to help get our company back. I have been working together with Progent for the past ten years, maybe more, and each time I needed help Progent has impressed me and delivered as promised. This event was a stunning achievement."

Conclusion
A probable business-killing disaster was averted thanks to top-tier experts, a wide range of IT skills, and tight teamwork. In retrospect, the incident described here should have been prevented by up-to-date security technology aligned with NIST Cybersecurity Framework best practices, user training, tested backup and incident response procedures, and timely security patching. The reality remains that both state-sponsored actors and criminal groups operating from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware attack, you can be confident that Progent's roster of professionals has substantial experience in ransomware prevention, removal, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thank you for making it so I could get some sleep after we made it through the initial push. All of you did a fabulous job, and if anyone is visiting the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Broomfield a portfolio of remote monitoring and security assessment services designed to help you minimize the threat from ransomware. These services include behavior-based detection to uncover zero-day ransomware variants that escape legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that uses behavior-based analysis to defend physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which easily evade legacy signature-matching AV tools. ProSight ASM protects on-premises and cloud resources and offers a single platform covering the entire malware attack progression: blocking, detection, containment, remediation, and forensics. Key features include single-click rollback based on the Windows Volume Shadow Copy Service and real-time system-wide immunization against newly detected threats. Note that shadow-copy rollback depends on the copies still being present; many ransomware families delete them early in an attack, so this capability is most valuable when the agent blocks the attack before that step, and it does not replace offline or immutable backups. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection managed services offer economical in-depth security for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring of and response to attacks from all vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint management, and web filtering through tools packaged within a single agent accessible from a single console. Progent's data protection and virtualization experts can help your business design and implement a ProSight ESP deployment that meets your company's requirements and allows you to demonstrate compliance with legal and industry information security regulations. Progent will help you define and configure the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for urgent action. Progent can also help you set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business quickly after a potentially disastrous attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized businesses an affordable and fully managed solution for secure backup and disaster recovery (BDR). For a low monthly cost, ProSight Data Protection Services automates your backup processes and allows rapid restoration of critical data, applications and VMs that have been lost or corrupted due to hardware failures, software glitches, disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, and Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to a local storage device, or to both. Progent's backup and recovery consultants can deliver advanced expertise to configure ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FIRPA, PCI and Safe Harbor and, when necessary, can help you restore your critical information. Learn more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading data security vendors to provide centralized management and world-class protection for your email traffic. The hybrid design of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway appliance to defend against spam, viruses, denial of service attacks, directory harvest attacks, and other email-borne threats. The Cloud Protection Layer serves as the first line of defense and keeps the vast majority of threats from ever reaching your network firewall, which reduces your exposure to inbound threats and saves bandwidth and storage. Email Guard's on-premises gateway appliance adds a further level of analysis for incoming email. For outgoing email, the onsite gateway provides AV and anti-spam protection, DLP, and email encryption. The onsite gateway can also work with Exchange Server to monitor and safeguard internal email traffic that originates and terminates within your security perimeter. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller organizations to map, track, optimize and troubleshoot their connectivity hardware such as routers, firewalls, and load balancers as well as servers, client computers and other devices. Built on modern Remote Monitoring and Management technology, ProSight WAN Watch keeps infrastructure topology maps current, captures and displays the configuration of virtually every device on your network, tracks performance, and generates alerts when potential issues are detected. By automating time-consuming management and troubleshooting tasks, ProSight WAN Watch can cut hours off common jobs such as producing network diagrams, reconfiguring your network, finding appliances that need important updates, or isolating performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses remote monitoring and management (RMM) techniques to keep your IT systems running at peak levels by tracking the state of the critical assets that drive your information system. When ProSight LAN Watch detects an issue, an alert is sent automatically to your designated IT staff and your assigned Progent engineering consultant so that looming problems can be resolved before they impact your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure fault tolerant data center on a high-performance virtual machine host set up and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be ported immediately to an alternate hosting solution without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, find and safeguard data related to your IT infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your network documentation, you can save as much as 50% of the time wasted looking for vital information about your network. ProSight IT Asset Management provides a centralized location for holding and collaborating on all documents related to managing your business network, such as standard operating procedures and how-to guides. ProSight IT Asset Management also offers advanced automation for collecting and correlating IT information. Whether you're planning enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Find out more about ProSight IT Asset Management service.
For Broomfield 24-7 Crypto-Ransomware Remediation Experts, call Progent at 800-993-9400 or go to Contact Progent.