Ransomware : Your Crippling IT Disaster
Ransomware  Remediation ProfessionalsCrypto-Ransomware has become a modern cyber pandemic that poses an enterprise-level danger for organizations vulnerable to an assault. Different iterations of ransomware such as Dharma, WannaCry, Locky, SamSam and MongoLock cryptoworms have been around for years and continue to cause havoc. The latest versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, along with additional unnamed malware, not only do encryption of on-line critical data but also infiltrate many accessible system restores and backups. Files synched to off-site disaster recovery sites can also be rendered useless. In a vulnerable system, this can make any restoration hopeless and basically knocks the datacenter back to zero.

Getting back programs and information following a crypto-ransomware event becomes a race against time as the targeted business tries its best to contain and clear the crypto-ransomware and to resume mission-critical activity. Because ransomware requires time to spread, attacks are frequently sprung on weekends and holidays, when attacks tend to take longer to notice. This multiplies the difficulty of quickly mobilizing and orchestrating an experienced mitigation team.

Progent has a variety of solutions for securing businesses from crypto-ransomware events. Among these are user education to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of modern security gateways with AI technology to rapidly detect and quarantine new cyber attacks. Progent in addition offers the services of expert crypto-ransomware recovery engineers with the track record and commitment to re-deploy a compromised environment as rapidly as possible.

Progent's Ransomware Restoration Help
Subsequent to a ransomware attack, sending the ransom in cryptocurrency does not ensure that distant criminals will return the keys to unencrypt any of your files. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their data even after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the typical crypto-ransomware demands, which ZDNET determined to be approximately $13,000. The alternative is to piece back together the mission-critical elements of your IT environment. Without the availability of complete system backups, this calls for a wide range of IT skills, top notch project management, and the willingness to work 24x7 until the recovery project is over.

For twenty years, Progent has made available certified expert Information Technology services for companies in Toledo and throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have attained advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally-recognized certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in financial management and ERP application software. This breadth of expertise provides Progent the capability to knowledgably understand necessary systems and integrate the surviving parts of your Information Technology system following a ransomware attack and configure them into an operational network.

Progent's security team of experts deploys top notch project management tools to coordinate the complex restoration process. Progent understands the importance of working rapidly and in concert with a client's management and IT team members to prioritize tasks and to put essential services back on line as soon as humanly possible.

Customer Story: A Successful Ransomware Penetration Restoration
A customer contacted Progent after their organization was crashed by the Ryuk ransomware virus. Ryuk is generally considered to have been developed by North Korean government sponsored cybercriminals, possibly using approaches exposed from Americaís NSA organization. Ryuk attacks specific businesses with little tolerance for disruption and is one of the most profitable versions of ransomware malware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing business located in Chicago and has about 500 workers. The Ryuk penetration had paralyzed all business operations and manufacturing processes. Most of the client's information backups had been directly accessible at the start of the intrusion and were destroyed. The client considered paying the ransom (more than $200,000) and wishfully thinking for the best, but ultimately brought in Progent.


"I cannot speak enough about the support Progent gave us throughout the most stressful period of (our) companyís existence. We may have had to pay the cybercriminals if it wasnít for the confidence the Progent experts afforded us. That you could get our messaging and critical applications back on-line sooner than a week was something I thought impossible. Each consultant I talked with or communicated with at Progent was absolutely committed on getting us back online and was working breakneck pace on our behalf."

Progent worked hand in hand the customer to rapidly identify and prioritize the critical systems that needed to be restored in order to restart business functions:

  • Microsoft Active Directory
  • E-Mail
  • Financials/MRP
To start, Progent adhered to ransomware event response best practices by stopping lateral movement and cleaning up infected systems. Progent then started the work of bringing back online Windows Active Directory, the core of enterprise systems built upon Microsoft Windows Server technology. Exchange email will not operate without Active Directory, and the client's accounting and MRP applications leveraged Microsoft SQL Server, which needs Active Directory services for security authorization to the databases.

In less than 48 hours, Progent was able to recover Active Directory services to its pre-virus state. Progent then helped perform setup and storage recovery of critical applications. All Exchange Server ties and attributes were usable, which greatly helped the rebuild of Exchange. Progent was able to find local OST files (Outlook Off-Line Folder Files) on staff PCs and laptops in order to recover mail data. A not too old offline backup of the customerís accounting/ERP software made them able to recover these vital applications back online. Although a large amount of work needed to be completed to recover completely from the Ryuk attack, critical services were returned to operations quickly:


"For the most part, the assembly line operation never missed a beat and we did not miss any customer orders."

Throughout the next few weeks key milestones in the recovery process were made in tight cooperation between Progent engineers and the client:

  • Internal web applications were brought back up without losing any information.
  • The MailStore Server exceeding four million historical messages was brought on-line and available for users.
  • CRM/Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory modules were fully restored.
  • A new Palo Alto 850 firewall was set up and programmed.
  • 90% of the user desktops and notebooks were operational.

"A lot of what transpired in the initial days is nearly entirely a fog for me, but we will not soon forget the care each and every one of you accomplished to help get our company back. Iíve been working together with Progent for the past ten years, maybe more, and each time I needed help Progent has shined and delivered as promised. This event was a life saver."

Conclusion
A probable company-ending disaster was dodged by dedicated professionals, a wide spectrum of knowledge, and tight collaboration. Although in post mortem the ransomware virus attack described here would have been prevented with current cyber security technology and NIST Cybersecurity Framework best practices, team training, and well thought out incident response procedures for information backup and keeping systems up to date with security patches, the reality remains that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware attack, feel confident that Progent's team of experts has a proven track record in ransomware virus blocking, mitigation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were contributing), Iím grateful for allowing me to get some sleep after we made it over the first week. All of you did an fabulous effort, and if any of your team is visiting the Chicago area, dinner is on me!"

To read or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Toledo a range of online monitoring and security assessment services to assist you to minimize your vulnerability to crypto-ransomware. These services utilize modern machine learning capability to uncover new variants of ransomware that are able to evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates next generation behavior analysis technology to guard physical and virtual endpoints against new malware assaults such as ransomware and email phishing, which routinely get by legacy signature-matching AV products. ProSight ASM safeguards on-premises and cloud-based resources and provides a unified platform to automate the complete malware attack lifecycle including protection, infiltration detection, mitigation, cleanup, and post-attack forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver affordable multi-layer protection for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, endpoint management, and web filtering via cutting-edge technologies packaged within a single agent accessible from a single console. Progent's security and virtualization consultants can assist you to plan and implement a ProSight ESP environment that addresses your company's unique requirements and that helps you achieve and demonstrate compliance with government and industry information protection standards. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require immediate action. Progent can also help you to set up and test a backup and disaster recovery system such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has partnered with advanced backup/restore software companies to produce ProSight Data Protection Services, a selection of management outsourcing plans that provide backup-as-a-service. ProSight DPS services manage and track your backup operations and allow transparent backup and fast recovery of critical files/folders, applications, system images, and virtual machines. ProSight DPS lets your business recover from data loss resulting from hardware breakdown, natural calamities, fire, malware like ransomware, user mistakes, malicious insiders, or software bugs. Managed services in the ProSight Data Protection Services product line include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to identify which of these managed backup services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top data security vendors to provide centralized management and world-class security for your inbound and outbound email. The hybrid architecture of Email Guard combines a Cloud Protection Layer with an on-premises gateway appliance to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne malware. Email Guard's Cloud Protection Layer serves as a first line of defense and keeps the vast majority of unwanted email from making it to your security perimeter. This decreases your exposure to inbound threats and conserves system bandwidth and storage space. Email Guard's onsite security gateway appliance provides a deeper layer of analysis for inbound email. For outbound email, the onsite security gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also help Exchange Server to track and safeguard internal email that originates and ends within your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller organizations to diagram, track, reconfigure and troubleshoot their connectivity hardware such as routers, firewalls, and wireless controllers as well as servers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that network maps are always current, copies and displays the configuration information of almost all devices on your network, tracks performance, and generates alerts when issues are discovered. By automating time-consuming management and troubleshooting activities, WAN Watch can knock hours off ordinary chores such as making network diagrams, reconfiguring your network, finding devices that need critical updates, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates advanced remote monitoring and management technology to keep your IT system running efficiently by tracking the state of critical assets that drive your business network. When ProSight LAN Watch detects an issue, an alert is sent automatically to your designated IT management staff and your assigned Progent consultant so that all potential problems can be resolved before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure fault tolerant data center on a high-performance virtual machine host set up and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the apps. Since the system is virtualized, it can be ported easily to a different hardware solution without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and protect data related to your network infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be alerted about impending expirations of SSLs or domains. By cleaning up and organizing your network documentation, you can eliminate as much as half of time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents related to managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether youíre making enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you need the instant you need it. Learn more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection managed service that incorporates cutting edge behavior-based analysis technology to defend endpoint devices and physical and virtual servers against new malware attacks such as ransomware and email phishing, which easily get by traditional signature-matching anti-virus products. Progent Active Security Monitoring services safeguard on-premises and cloud-based resources and offers a unified platform to manage the entire malware attack progression including protection, identification, containment, cleanup, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Read more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Service Desk: Call Center Managed Services
    Progent's Call Desk managed services allow your IT team to outsource Support Desk services to Progent or divide activity for Help Desk services transparently between your in-house network support staff and Progent's extensive pool of IT service technicians, engineers and subject matter experts. Progent's Co-managed Service Desk offers a smooth extension of your core support resources. Client access to the Help Desk, provision of support services, issue escalation, ticket creation and tracking, performance metrics, and management of the support database are cohesive whether issues are resolved by your in-house network support group, by Progent's team, or by a combination. Learn more about Progent's outsourced/shared Call Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer businesses of all sizes a versatile and cost-effective alternative for assessing, testing, scheduling, applying, and documenting software and firmware updates to your ever-evolving IT network. Besides optimizing the protection and reliability of your IT environment, Progent's software/firmware update management services permit your IT staff to focus on line-of-business projects and tasks that derive the highest business value from your network. Learn more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo authentication services incorporate Cisco's Duo technology to defend against password theft through the use of two-factor authentication (2FA). Duo supports single-tap identity confirmation with iOS, Google Android, and other out-of-band devices. Using Duo 2FA, whenever you sign into a protected application and give your password you are requested to confirm who you are on a unit that only you have and that is accessed using a different network channel. A broad range of out-of-band devices can be used for this second means of authentication including an iPhone or Android or wearable, a hardware/software token, a landline phone, etc. You can register several verification devices. For details about Duo identity authentication services, see Cisco Duo MFA two-factor authentication (2FA) services.
For Toledo 24/7 Crypto Remediation Consultants, contact Progent at 800-462-8800 or go to Contact Progent.