Ransomware : Your Worst Information Technology Nightmare
Ransomware  Recovery ExpertsRansomware has become a too-frequent cyberplague that represents an existential danger for businesses unprepared for an assault. Different versions of ransomware like the Dharma, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for many years and still cause havoc. Modern versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, plus additional unnamed malware, not only do encryption of on-line files but also infiltrate many accessible system protection mechanisms. Information replicated to cloud environments can also be ransomed. In a poorly designed environment, it can render automatic recovery impossible and basically sets the entire system back to zero.

Getting back on-line programs and information after a ransomware event becomes a race against time as the targeted business struggles to contain the damage and remove the crypto-ransomware and to resume enterprise-critical activity. Because crypto-ransomware takes time to spread, penetrations are usually sprung on weekends, when successful attacks typically take more time to discover. This compounds the difficulty of rapidly assembling and orchestrating a qualified response team.

Progent offers a variety of support services for securing businesses from ransomware penetrations. Among these are user training to help identify and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of the latest generation security gateways with machine learning capabilities from SentinelOne to discover and extinguish zero-day threats rapidly. Progent also can provide the assistance of experienced ransomware recovery consultants with the talent and perseverance to restore a breached environment as rapidly as possible.

Progent's Ransomware Restoration Services
Subsequent to a ransomware event, paying the ransom in cryptocurrency does not ensure that cyber criminals will return the codes to decipher all your information. Kaspersky estimated that 17% of ransomware victims never recovered their information even after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the usual crypto-ransomware demands, which ZDNET determined to be approximately $13,000. The other path is to re-install the critical parts of your Information Technology environment. Without access to complete information backups, this calls for a broad complement of skills, well-coordinated team management, and the willingness to work continuously until the task is done.

For twenty years, Progent has provided professional Information Technology services for companies in Toledo and throughout the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have earned high-level certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications). Progent in addition has experience in financial systems and ERP software solutions. This breadth of expertise affords Progent the capability to rapidly identify necessary systems and integrate the surviving components of your network environment after a ransomware attack and rebuild them into a functioning system.

Progent's security team utilizes top notch project management applications to orchestrate the complicated restoration process. Progent knows the urgency of working rapidly and in concert with a client's management and Information Technology team members to prioritize tasks and to get key applications back on line as fast as humanly possible.

Client Case Study: A Successful Ransomware Virus Response
A business engaged Progent after their network was crashed by the Ryuk ransomware. Ryuk is believed to have been deployed by Northern Korean state sponsored cybercriminals, suspected of adopting algorithms leaked from America's National Security Agency. Ryuk targets specific companies with limited ability to sustain disruption and is among the most profitable examples of ransomware malware. Headline organizations include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in Chicago and has around 500 staff members. The Ryuk event had paralyzed all business operations and manufacturing processes. Most of the client's information backups had been online at the time of the intrusion and were eventually encrypted. The client was taking steps for paying the ransom (in excess of $200,000) and wishfully thinking for the best, but ultimately made the decision to use Progent.


"I cannot tell you enough about the support Progent provided us during the most stressful period of (our) businesses life. We had little choice but to pay the criminal gangs except for the confidence the Progent group afforded us. That you could get our messaging and essential servers back quicker than five days was amazing. Every single staff member I interacted with or e-mailed at Progent was totally committed on getting us restored and was working day and night to bail us out."

Progent worked hand in hand the customer to rapidly get our arms around and prioritize the most important systems that needed to be restored to make it possible to resume company functions:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • Accounting and Manufacturing Software
To get going, Progent adhered to Anti-virus incident mitigation industry best practices by stopping lateral movement and cleaning systems of viruses. Progent then started the steps of rebuilding Active Directory, the foundation of enterprise environments built upon Microsoft technology. Microsoft Exchange Server messaging will not operate without Windows AD, and the businesses' MRP software leveraged SQL Server, which requires Active Directory for security authorization to the data.

In less than 2 days, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then assisted with setup and hard drive recovery on the most important servers. All Exchange Server ties and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was also able to assemble non-encrypted OST data files (Microsoft Outlook Off-Line Folder Files) on various workstations and laptops in order to recover email messages. A not too old off-line backup of the client's financials/ERP systems made it possible to return these essential services back online. Although a large amount of work remained to recover fully from the Ryuk virus, essential systems were recovered rapidly:


"For the most part, the production operation was never shut down and we did not miss any customer deliverables."

During the following couple of weeks critical milestones in the recovery project were completed through close collaboration between Progent team members and the customer:

  • Internal web applications were brought back up without losing any information.
  • The MailStore Microsoft Exchange Server with over 4 million archived emails was brought online and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/AR/Inventory capabilities were fully operational.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Ninety percent of the user workstations were fully operational.

"So much of what occurred that first week is mostly a haze for me, but my management will not soon forget the commitment each and every one of your team accomplished to help get our business back. I've trusted Progent for at least 10 years, maybe more, and every time Progent has outperformed my expectations and delivered. This time was the most impressive ever."

Conclusion
A probable business disaster was avoided through the efforts of top-tier experts, a wide range of technical expertise, and tight collaboration. Although in retrospect the crypto-ransomware attack detailed here should have been identified and disabled with advanced cyber security solutions and NIST Cybersecurity Framework best practices, user and IT administrator training, and well designed security procedures for data protection and proper patching controls, the fact is that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and are an ongoing threat. If you do get hit by a ransomware penetration, remember that Progent's team of experts has proven experience in ransomware virus defense, cleanup, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were helping), thanks very much for letting me get rested after we made it over the initial push. All of you did an amazing effort, and if anyone is in the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Toledo a portfolio of remote monitoring and security assessment services designed to help you to minimize the threat from ransomware. These services incorporate modern artificial intelligence capability to detect new strains of ransomware that can get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's next generation behavior analysis tools to defend physical and virtual endpoints against new malware assaults like ransomware and email phishing, which easily get by traditional signature-based AV tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a single platform to manage the complete malware attack lifecycle including protection, detection, mitigation, cleanup, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection services deliver economical multi-layer protection for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and reacting to cyber threats from all vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint management, and web filtering through cutting-edge tools incorporated within one agent accessible from a single control. Progent's security and virtualization consultants can assist your business to plan and configure a ProSight ESP deployment that addresses your company's specific needs and that helps you demonstrate compliance with legal and industry information security regulations. Progent will help you define and configure policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that call for urgent attention. Progent can also assist you to install and test a backup and restore solution like ProSight Data Protection Services so you can get back in business rapidly from a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has worked with leading backup technology providers to produce ProSight Data Protection Services (DPS), a family of subscription-based offerings that provide backup-as-a-service. ProSight DPS services automate and monitor your data backup processes and allow non-disruptive backup and rapid restoration of vital files/folders, applications, images, and VMs. ProSight DPS helps you recover from data loss caused by hardware breakdown, natural disasters, fire, cyber attacks like ransomware, human error, ill-intentioned employees, or software glitches. Managed backup services available in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to determine which of these fully managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top information security companies to deliver centralized control and comprehensive security for all your inbound and outbound email. The powerful architecture of Email Guard combines a Cloud Protection Layer with an on-premises security gateway appliance to provide advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps the vast majority of unwanted email from reaching your security perimeter. This decreases your exposure to external attacks and conserves system bandwidth and storage. Email Guard's on-premises security gateway device adds a deeper layer of analysis for inbound email. For outgoing email, the local gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Microsoft Exchange Server to track and safeguard internal email that stays within your security perimeter. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to diagram, monitor, optimize and debug their networking hardware like switches, firewalls, and wireless controllers plus servers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology maps are kept updated, captures and displays the configuration of almost all devices connected to your network, monitors performance, and generates alerts when potential issues are detected. By automating tedious management processes, ProSight WAN Watch can cut hours off ordinary tasks such as making network diagrams, expanding your network, locating appliances that require critical updates, or identifying the cause of performance issues. Find out more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management technology to help keep your network operating efficiently by tracking the state of vital computers that drive your business network. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your designated IT management personnel and your Progent consultant so that all potential problems can be addressed before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected fault tolerant data center on a fast virtual machine host configured and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the apps. Since the system is virtualized, it can be ported immediately to a different hosting solution without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not tied a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and protect information related to your network infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate up to half of time spent looking for critical information about your network. ProSight IT Asset Management features a centralized repository for holding and collaborating on all documents required for managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're planning improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you require the instant you need it. Learn more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection solution that incorporates cutting edge behavior analysis technology to defend endpoints and physical and virtual servers against new malware assaults like ransomware and file-less exploits, which easily get by traditional signature-matching anti-virus tools. Progent ASM services safeguard local and cloud resources and provides a unified platform to manage the complete threat lifecycle including protection, detection, containment, cleanup, and post-attack forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Learn more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Service Center: Support Desk Managed Services
    Progent's Help Center services allow your IT staff to offload Help Desk services to Progent or split activity for Help Desk services transparently between your internal network support team and Progent's extensive roster of IT support engineers and subject matter experts. Progent's Shared Help Desk Service offers a transparent extension of your core network support resources. Client access to the Help Desk, provision of support, issue escalation, ticket generation and tracking, performance measurement, and maintenance of the support database are consistent regardless of whether incidents are resolved by your internal IT support resources, by Progent's team, or both. Read more about Progent's outsourced/shared Service Desk services.

  • Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management offer organizations of any size a versatile and cost-effective solution for evaluating, validating, scheduling, applying, and tracking software and firmware updates to your dynamic IT network. Besides maximizing the security and reliability of your IT network, Progent's software/firmware update management services permit your IT staff to focus on line-of-business projects and activities that derive maximum business value from your information network. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo MFA service plans incorporate Cisco's Duo technology to defend against compromised passwords through the use of two-factor authentication (2FA). Duo enables one-tap identity verification with iOS, Android, and other personal devices. Using 2FA, whenever you log into a secured online account and enter your password you are asked to confirm your identity on a unit that only you possess and that is accessed using a different ("out-of-band") network channel. A broad selection of devices can be utilized for this added form of authentication such as an iPhone or Android or wearable, a hardware/software token, a landline telephone, etc. You may designate several validation devices. For more information about Duo two-factor identity validation services, go to Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing family of in-depth management reporting utilities created to work with the top ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues such as inconsistent support follow-through or endpoints with out-of-date AVs. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances network value, reduces management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.
For Toledo 24-7 CryptoLocker Remediation Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.