Ransomware : Your Crippling Information Technology Disaster
Crypto-Ransomware  Recovery ExpertsRansomware has become a too-frequent cyber pandemic that presents an extinction-level threat for organizations poorly prepared for an attack. Versions of crypto-ransomware such as CrySIS, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for years and still cause harm. Modern strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, plus more unnamed malware, not only do encryption of on-line information but also infiltrate all available system protection mechanisms. Data replicated to off-site disaster recovery sites can also be corrupted. In a poorly architected environment, this can render automated restore operations useless and basically sets the network back to zero.

Getting back applications and data following a ransomware event becomes a sprint against the clock as the targeted organization tries its best to contain the damage and cleanup the ransomware and to restore mission-critical activity. Since ransomware takes time to spread, penetrations are frequently launched at night, when penetrations tend to take more time to detect. This compounds the difficulty of promptly marshalling and orchestrating a knowledgeable response team.

Progent makes available a variety of services for securing businesses from ransomware attacks. Among these are staff training to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of next-generation security solutions with machine learning technology from SentinelOne to identify and quarantine day-zero cyber attacks automatically. Progent in addition provides the services of expert ransomware recovery engineers with the skills and commitment to re-deploy a compromised system as soon as possible.

Progent's Ransomware Restoration Support Services
After a crypto-ransomware penetration, paying the ransom in cryptocurrency does not guarantee that distant criminals will return the keys to decipher any or all of your information. Kaspersky ascertained that 17% of crypto-ransomware victims never restored their files even after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is significantly above the typical ransomware demands, which ZDNET estimates to be in the range of $13,000. The alternative is to setup from scratch the critical components of your Information Technology environment. Without the availability of complete information backups, this calls for a wide range of IT skills, top notch project management, and the capability to work non-stop until the job is completed.

For decades, Progent has offered certified expert IT services for companies in Columbus and throughout the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have attained high-level certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have garnered internationally-renowned industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent in addition has expertise with accounting and ERP application software. This breadth of expertise affords Progent the skills to knowledgably ascertain critical systems and re-organize the surviving parts of your Information Technology environment after a ransomware penetration and configure them into a functioning network.

Progent's ransomware team of experts has best of breed project management systems to coordinate the sophisticated recovery process. Progent knows the importance of working rapidly and in concert with a client's management and IT resources to prioritize tasks and to get essential services back on-line as soon as humanly possible.

Case Study: A Successful Ransomware Penetration Recovery
A customer escalated to Progent after their network system was attacked by the Ryuk ransomware. Ryuk is believed to have been launched by Northern Korean state sponsored cybercriminals, suspected of adopting technology exposed from the U.S. NSA organization. Ryuk targets specific organizations with little tolerance for disruption and is one of the most lucrative incarnations of ransomware viruses. Headline victims include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business headquartered in the Chicago metro area and has about 500 workers. The Ryuk penetration had frozen all business operations and manufacturing capabilities. Most of the client's system backups had been on-line at the time of the intrusion and were damaged. The client was pursuing financing for paying the ransom demand (exceeding $200,000) and hoping for good luck, but in the end engaged Progent.


"I can't tell you enough in regards to the expertise Progent gave us during the most critical period of (our) company's life. We would have paid the cybercriminals if not for the confidence the Progent team provided us. That you were able to get our e-mail system and essential applications back in less than one week was beyond my wildest dreams. Each person I interacted with or texted at Progent was totally committed on getting my company operational and was working 24 by 7 on our behalf."

Progent worked with the client to quickly determine and assign priority to the key elements that had to be restored in order to continue business functions:

  • Microsoft Active Directory
  • Microsoft Exchange
  • Financials/MRP
To get going, Progent adhered to ransomware event mitigation industry best practices by stopping lateral movement and disinfecting systems. Progent then started the task of rebuilding Microsoft Active Directory, the heart of enterprise networks built upon Microsoft technology. Microsoft Exchange Server email will not operate without Windows AD, and the client's financials and MRP software used SQL Server, which depends on Active Directory for security authorization to the data.

Within 2 days, Progent was able to re-build Active Directory to its pre-penetration state. Progent then assisted with setup and hard drive recovery on the most important servers. All Exchange schema and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to locate intact OST files (Outlook Off-Line Data Files) on user PCs to recover mail messages. A recent off-line backup of the customer's accounting/MRP systems made it possible to restore these required applications back online for users. Although a lot of work needed to be completed to recover completely from the Ryuk damage, core systems were restored quickly:


"For the most part, the production operation survived unscathed and we delivered all customer orders."

Throughout the next few weeks key milestones in the recovery process were made in close cooperation between Progent engineers and the client:

  • In-house web applications were brought back up with no loss of information.
  • The MailStore Exchange Server containing more than 4 million historical emails was brought online and accessible to users.
  • CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory modules were 100 percent functional.
  • A new Palo Alto 850 security appliance was set up.
  • Nearly all of the user desktops were functioning as before the incident.

"So much of what went on in the initial days is nearly entirely a fog for me, but my team will not forget the commitment each of the team put in to give us our business back. I've utilized Progent for the past 10 years, maybe more, and every time I needed help Progent has come through and delivered. This event was a life saver."

Conclusion
A probable company-ending catastrophe was avoided with results-oriented experts, a broad spectrum of technical expertise, and close teamwork. Although in analyzing the event afterwards the crypto-ransomware penetration detailed here could have been identified and prevented with modern cyber security technology solutions and security best practices, team training, and properly executed incident response procedures for information protection and proper patching controls, the reality remains that state-sponsored hackers from Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware penetration, remember that Progent's roster of professionals has extensive experience in ransomware virus blocking, removal, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were helping), thank you for allowing me to get some sleep after we got through the initial push. Everyone did an fabulous job, and if anyone that helped is in the Chicago area, dinner is my treat!"

To read or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Columbus a variety of remote monitoring and security assessment services designed to help you to reduce your vulnerability to crypto-ransomware. These services utilize next-generation artificial intelligence technology to uncover new strains of ransomware that can escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes SentinelOne's cutting edge behavior-based analysis technology to defend physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which easily evade legacy signature-matching anti-virus tools. ProSight Active Security Monitoring protects local and cloud-based resources and offers a single platform to address the complete threat lifecycle including blocking, infiltration detection, mitigation, remediation, and post-attack forensics. Key features include single-click rollback with Windows VSS and real-time system-wide immunization against new threats. Progent is a SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services offer affordable multi-layer security for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and responding to security assaults from all attack vectors. ProSight ESP provides firewall protection, intrusion alarms, device control, and web filtering through cutting-edge tools incorporated within one agent managed from a unified console. Progent's security and virtualization experts can help your business to design and configure a ProSight ESP deployment that meets your company's specific needs and that allows you demonstrate compliance with government and industry data security regulations. Progent will help you define and configure security policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that require immediate action. Progent's consultants can also assist your company to set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business rapidly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has partnered with advanced backup technology companies to create ProSight Data Protection Services, a portfolio of subscription-based offerings that provide backup-as-a-service (BaaS). ProSight DPS products manage and track your backup operations and enable transparent backup and fast recovery of important files, applications, system images, plus Hyper-V and VMware virtual machines. ProSight DPS helps you avoid data loss caused by hardware breakdown, natural disasters, fire, cyber attacks such as ransomware, user mistakes, ill-intentioned insiders, or application bugs. Managed services in the ProSight Data Protection Services portfolio include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight DPS ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you to determine which of these fully managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading information security companies to deliver web-based control and comprehensive protection for your email traffic. The hybrid structure of Email Guard managed service combines cloud-based filtering with a local security gateway device to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne malware. Email Guard's cloud filter acts as a first line of defense and blocks most unwanted email from making it to your security perimeter. This decreases your exposure to external attacks and conserves system bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a deeper level of analysis for incoming email. For outbound email, the local security gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also help Microsoft Exchange Server to monitor and safeguard internal email traffic that originates and ends within your security perimeter. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for smaller organizations to diagram, monitor, optimize and troubleshoot their networking appliances like routers, firewalls, and wireless controllers plus servers, printers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology maps are kept current, captures and manages the configuration of virtually all devices connected to your network, monitors performance, and generates notices when issues are detected. By automating tedious management activities, WAN Watch can cut hours off ordinary chores like making network diagrams, expanding your network, finding devices that require critical software patches, or identifying the cause of performance issues. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management techniques to help keep your network operating at peak levels by checking the health of vital assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your specified IT staff and your assigned Progent consultant so any potential issues can be resolved before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the apps. Because the environment is virtualized, it can be ported immediately to an alternate hosting environment without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, find and protect data about your IT infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSLs or domains. By updating and organizing your IT documentation, you can save up to half of time thrown away searching for critical information about your IT network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents required for managing your business network like recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether you're planning improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you require as soon as you need it. Read more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that utilizes cutting edge behavior-based machine learning technology to defend endpoint devices as well as physical and virtual servers against modern malware assaults such as ransomware and email phishing, which routinely evade traditional signature-based anti-virus products. Progent Active Security Monitoring services safeguard local and cloud resources and provides a single platform to address the entire threat lifecycle including protection, infiltration detection, mitigation, cleanup, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Find out more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Call Center: Call Center Managed Services
    Progent's Support Desk services enable your IT staff to outsource Support Desk services to Progent or divide responsibilities for Service Desk support transparently between your in-house network support staff and Progent's extensive roster of IT service technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk provides a smooth supplement to your corporate network support team. End user access to the Service Desk, delivery of support services, issue escalation, trouble ticket creation and updates, performance measurement, and maintenance of the support database are cohesive whether issues are taken care of by your in-house support organization, by Progent, or by a combination. Read more about Progent's outsourced/shared Call Center services.

  • Patch Management: Patch Management Services
    Progent's support services for patch management offer organizations of all sizes a flexible and cost-effective alternative for evaluating, validating, scheduling, applying, and tracking software and firmware updates to your ever-evolving IT system. In addition to optimizing the security and reliability of your IT network, Progent's software/firmware update management services allow your IT team to concentrate on line-of-business initiatives and tasks that derive maximum business value from your information network. Find out more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo MFA service plans utilize Cisco's Duo technology to protect against compromised passwords through the use of two-factor authentication (2FA). Duo enables single-tap identity verification on Apple iOS, Android, and other personal devices. Using 2FA, when you sign into a protected application and give your password you are requested to confirm who you are on a device that only you have and that uses a different ("out-of-band") network channel. A broad selection of devices can be used as this added form of authentication including an iPhone or Android or watch, a hardware token, a landline telephone, etc. You can register multiple validation devices. For more information about Duo identity validation services, see Duo MFA two-factor authentication (2FA) services.
For 24x7 Columbus Ransomware Cleanup Consulting, contact Progent at 800-462-8800 or go to Contact Progent.