Ransomware : Your Worst Information Technology Nightmare
Ransomware  Recovery ProfessionalsCrypto-Ransomware has become a too-frequent cyberplague that represents an enterprise-level danger for businesses vulnerable to an attack. Versions of crypto-ransomware such as Dharma, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for many years and still cause havoc. Modern strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, along with additional unnamed viruses, not only encrypt online critical data but also infiltrate many accessible system protection mechanisms. Information synched to the cloud can also be corrupted. In a poorly architected environment, it can render any recovery useless and effectively knocks the network back to square one.

Restoring programs and information following a crypto-ransomware attack becomes a sprint against the clock as the targeted business fights to contain the damage and clear the ransomware and to resume mission-critical operations. Because ransomware needs time to replicate, penetrations are usually sprung during nights and weekends, when successful penetrations typically take more time to discover. This multiplies the difficulty of rapidly marshalling and orchestrating an experienced mitigation team.

Progent provides a variety of support services for protecting businesses from crypto-ransomware events. These include team member education to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of modern security gateways with AI technology from SentinelOne to discover and disable zero-day cyber threats automatically. Progent also provides the assistance of veteran ransomware recovery engineers with the talent and perseverance to rebuild a breached system as soon as possible.

Progent's Crypto-Ransomware Recovery Help
Following a ransomware attack, paying the ransom in cryptocurrency does not guarantee that cyber hackers will return the keys to decipher all your information. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their data even after having paid the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is greatly higher than the typical ransomware demands, which ZDNET averages to be approximately $13,000. The other path is to setup from scratch the key components of your IT environment. Without the availability of full system backups, this calls for a broad range of IT skills, professional team management, and the capability to work continuously until the job is done.

For twenty years, Progent has made available expert IT services for businesses in Cleveland and across the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have attained advanced industry certifications in foundation technologies including Microsoft, Cisco, VMware, and major distros of Linux. Progent's cybersecurity specialists have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise in financial systems and ERP application software. This breadth of expertise affords Progent the skills to knowledgably determine critical systems and organize the remaining components of your Information Technology system after a ransomware event and assemble them into an operational system.

Progent's security group deploys top notch project management tools to coordinate the complicated recovery process. Progent knows the urgency of acting rapidly and together with a client's management and Information Technology staff to assign priority to tasks and to get the most important services back online as fast as humanly possible.

Client Case Study: A Successful Ransomware Penetration Recovery
A customer sought out Progent after their network system was crashed by the Ryuk crypto-ransomware. Ryuk is generally considered to have been launched by North Korean government sponsored criminal gangs, suspected of adopting algorithms exposed from the United States National Security Agency. Ryuk attacks specific businesses with little ability to sustain operational disruption and is among the most profitable incarnations of ransomware viruses. Major victims include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in Chicago and has about 500 staff members. The Ryuk event had shut down all essential operations and manufacturing processes. The majority of the client's data protection had been directly accessible at the start of the intrusion and were encrypted. The client was taking steps for paying the ransom (more than $200,000) and wishfully thinking for good luck, but ultimately called Progent.


"I cannot tell you enough in regards to the expertise Progent gave us during the most fearful period of (our) businesses life. We may have had to pay the criminal gangs if not for the confidence the Progent team gave us. That you could get our messaging and essential servers back online in less than one week was incredible. Each consultant I got help from or communicated with at Progent was amazingly focused on getting my company operational and was working day and night to bail us out."

Progent worked together with the client to quickly assess and assign priority to the key services that needed to be recovered in order to restart company operations:

  • Active Directory (AD)
  • E-Mail
  • Financials/MRP
To start, Progent followed AV/Malware Processes penetration mitigation best practices by stopping lateral movement and clearing up compromised systems. Progent then began the work of bringing back online Windows Active Directory, the foundation of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange messaging will not work without Windows AD, and the customer's accounting and MRP applications leveraged Microsoft SQL Server, which depends on Active Directory for access to the database.

In less than 2 days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then assisted with reinstallations and storage recovery on essential applications. All Exchange Server schema and attributes were intact, which accelerated the restore of Exchange. Progent was also able to collect local OST data files (Outlook Off-Line Data Files) on user workstations to recover email information. A recent offline backup of the businesses financials/MRP software made them able to recover these required applications back online for users. Although major work was left to recover completely from the Ryuk damage, core systems were returned to operations quickly:


"For the most part, the production line operation ran fairly normal throughout and we made all customer sales."

Over the next few weeks important milestones in the restoration project were made through tight cooperation between Progent engineers and the client:

  • In-house web sites were returned to operation with no loss of information.
  • The MailStore Server with over four million archived messages was brought on-line and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory modules were completely operational.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • 90% of the desktops and laptops were fully operational.

"A lot of what happened that first week is mostly a fog for me, but my team will not forget the care each of the team put in to give us our company back. I've entrusted Progent for at least 10 years, possibly more, and every time I needed help Progent has shined and delivered. This event was no exception but maybe more Herculean."

Conclusion
A likely business-ending disaster was averted due to top-tier professionals, a wide range of knowledge, and close teamwork. Although in post mortem the crypto-ransomware incident detailed here would have been prevented with advanced security technology and ISO/IEC 27001 best practices, team training, and well thought out security procedures for data protection and proper patching controls, the fact is that state-sponsored hackers from China, North Korea and elsewhere are tireless and are an ongoing threat. If you do fall victim to a ransomware virus, remember that Progent's roster of experts has proven experience in ransomware virus defense, removal, and file restoration.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for letting me get some sleep after we made it past the initial fire. Everyone did an impressive job, and if any of your guys is in the Chicago area, dinner is on me!"

To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Cleveland a variety of remote monitoring and security evaluation services designed to assist you to reduce your vulnerability to ransomware. These services incorporate next-generation artificial intelligence technology to uncover new variants of ransomware that are able to evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes SentinelOne's cutting edge behavior-based machine learning tools to guard physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which easily escape traditional signature-based AV tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a single platform to manage the complete threat progression including protection, identification, mitigation, cleanup, and post-attack forensics. Top capabilities include single-click rollback using Windows VSS and automatic system-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection services offer affordable multi-layer protection for physical servers and virtual machines, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, device control, and web filtering via cutting-edge technologies packaged within a single agent accessible from a unified control. Progent's security and virtualization consultants can assist your business to plan and configure a ProSight ESP environment that meets your organization's specific requirements and that helps you achieve and demonstrate compliance with legal and industry information protection standards. Progent will assist you define and configure security policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that call for urgent attention. Progent can also assist your company to install and verify a backup and restore system like ProSight Data Protection Services so you can recover quickly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has worked with leading backup technology companies to create ProSight Data Protection Services (DPS), a family of subscription-based management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS products manage and monitor your backup processes and allow transparent backup and rapid recovery of important files, apps, images, plus Hyper-V and VMware virtual machines. ProSight DPS helps your business avoid data loss caused by equipment breakdown, natural disasters, fire, cyber attacks like ransomware, human mistakes, ill-intentioned employees, or software bugs. Managed backup services available in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you to determine which of these fully managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of top information security companies to provide web-based management and world-class protection for your inbound and outbound email. The hybrid structure of Email Guard managed service combines a Cloud Protection Layer with a local security gateway appliance to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based malware. The cloud filter acts as a first line of defense and blocks most unwanted email from reaching your network firewall. This decreases your vulnerability to inbound threats and conserves system bandwidth and storage. Email Guard's on-premises security gateway device adds a deeper layer of inspection for incoming email. For outgoing email, the local gateway offers AV and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends inside your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller businesses to diagram, monitor, enhance and debug their connectivity hardware like routers and switches, firewalls, and wireless controllers plus servers, printers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept current, captures and displays the configuration of almost all devices connected to your network, monitors performance, and sends alerts when problems are discovered. By automating complex management activities, ProSight WAN Watch can cut hours off ordinary chores such as network mapping, expanding your network, finding devices that need important updates, or identifying the cause of performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) technology to keep your network running at peak levels by checking the health of critical computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your designated IT staff and your assigned Progent consultant so all looming problems can be addressed before they can impact your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual host set up and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting model, the customer owns the data, the OS software, and the apps. Since the environment is virtualized, it can be moved easily to a different hardware solution without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, your business is not tied one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and protect data related to your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or domains. By updating and managing your IT infrastructure documentation, you can save as much as half of time wasted trying to find critical information about your network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents related to managing your business network like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're planning improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection service that incorporates cutting edge behavior-based analysis tools to defend endpoints as well as servers and VMs against new malware assaults such as ransomware and file-less exploits, which easily get by traditional signature-based anti-virus tools. Progent ASM services protect on-premises and cloud-based resources and offers a unified platform to manage the complete threat progression including blocking, infiltration detection, containment, remediation, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against new threats. Learn more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Service Desk: Support Desk Managed Services
    Progent's Call Desk services enable your IT group to outsource Call Center services to Progent or split activity for Service Desk support transparently between your internal support resources and Progent's nationwide pool of IT support engineers and subject matter experts. Progent's Co-managed Service Desk provides a seamless extension of your in-house network support team. End user interaction with the Help Desk, provision of technical assistance, issue escalation, trouble ticket creation and tracking, performance measurement, and maintenance of the support database are cohesive regardless of whether incidents are resolved by your corporate network support group, by Progent's team, or by a combination. Read more about Progent's outsourced/shared Help Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for patch management provide organizations of any size a flexible and cost-effective solution for assessing, testing, scheduling, implementing, and tracking software and firmware updates to your ever-evolving information system. In addition to maximizing the security and reliability of your IT network, Progent's software/firmware update management services permit your IT staff to focus on more strategic projects and activities that derive the highest business value from your network. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo authentication managed services incorporate Cisco's Duo cloud technology to protect against stolen passwords through the use of two-factor authentication. Duo enables single-tap identity confirmation on iOS, Google Android, and other personal devices. Using 2FA, when you sign into a protected application and give your password you are asked to verify who you are via a device that only you possess and that is accessed using a different ("out-of-band") network channel. A wide selection of devices can be used for this second form of authentication including an iPhone or Android or wearable, a hardware token, a landline phone, etc. You may register several verification devices. For details about Duo two-factor identity validation services, refer to Duo MFA two-factor authentication (2FA) services.
For 24x7x365 Cleveland Ransomware Cleanup Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.