Ransomware : Your Worst IT Disaster
Ransomware  Recovery ExpertsRansomware has become a too-frequent cyber pandemic that presents an extinction-level danger for businesses of all sizes unprepared for an attack. Different versions of ransomware such as Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for a long time and still cause destruction. Newer strains of ransomware like Ryuk and Hermes, plus daily unnamed newcomers, not only do encryption of online information but also infiltrate all accessible system protection. Files synched to off-site disaster recovery sites can also be ransomed. In a vulnerable environment, it can make automated restoration useless and effectively sets the network back to square one.

Getting back online services and information following a ransomware outage becomes a sprint against the clock as the victim fights to contain the damage and clear the virus and to restore business-critical activity. Due to the fact that ransomware takes time to spread, assaults are often sprung on weekends and holidays, when penetrations in many cases take more time to discover. This multiplies the difficulty of promptly mobilizing and orchestrating a qualified response team.

Progent provides a range of support services for securing enterprises from crypto-ransomware attacks. These include staff training to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of next-generation security appliances with AI capabilities to rapidly identify and extinguish new cyber attacks. Progent also provides the services of experienced ransomware recovery professionals with the track record and commitment to rebuild a compromised network as rapidly as possible.

Progent's Ransomware Restoration Support Services
Subsequent to a ransomware event, sending the ransom in cryptocurrency does not guarantee that distant criminals will respond with the needed keys to decipher any of your information. Kaspersky determined that 17% of ransomware victims never recovered their files after having paid the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the average ransomware demands, which ZDNET averages to be in the range of $13,000. The fallback is to piece back together the key parts of your Information Technology environment. Without access to full data backups, this requires a wide range of skill sets, top notch team management, and the capability to work non-stop until the recovery project is completed.

For two decades, Progent has provided professional IT services for businesses in Minnetonka and throughout the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have been awarded high-level certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally-renowned certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has expertise with accounting and ERP software solutions. This breadth of experience provides Progent the skills to quickly determine critical systems and organize the surviving components of your network environment following a ransomware attack and assemble them into a functioning system.

Progent's recovery team has best of breed project management applications to coordinate the complex recovery process. Progent appreciates the importance of working rapidly and in concert with a client's management and IT staff to prioritize tasks and to get the most important systems back on line as soon as possible.

Customer Case Study: A Successful Ransomware Attack Recovery
A customer sought out Progent after their network was crashed by the Ryuk crypto-ransomware. Ryuk is thought to have been deployed by North Korean government sponsored cybercriminals, suspected of using strategies leaked from the U.S. National Security Agency. Ryuk targets specific companies with limited tolerance for disruption and is one of the most lucrative examples of crypto-ransomware. Headline targets include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer located in Chicago and has about 500 workers. The Ryuk event had shut down all business operations and manufacturing capabilities. Most of the client's system backups had been online at the time of the attack and were damaged. The client was pursuing financing for paying the ransom demand (more than two hundred thousand dollars) and hoping for the best, but ultimately made the decision to use Progent.


"I canít thank you enough in regards to the help Progent gave us during the most critical period of (our) businesses existence. We most likely would have paid the Hackers except for the confidence the Progent group afforded us. The fact that you were able to get our messaging and critical servers back faster than five days was beyond my wildest dreams. Every single consultant I interacted with or messaged at Progent was urgently focused on getting us working again and was working day and night on our behalf."

Progent worked with the customer to quickly identify and assign priority to the mission critical systems that needed to be addressed in order to continue departmental operations:

  • Microsoft Active Directory
  • Email
  • MRP System
To begin, Progent followed AV/Malware Processes penetration mitigation best practices by halting lateral movement and cleaning systems of viruses. Progent then initiated the process of rebuilding Microsoft Active Directory, the foundation of enterprise networks built upon Microsoft Windows technology. Exchange messaging will not operate without Windows AD, and the businessesí financials and MRP software utilized SQL Server, which requires Active Directory services for authentication to the database.

In less than 2 days, Progent was able to recover Active Directory services to its pre-attack state. Progent then performed reinstallations and storage recovery on the most important systems. All Exchange Server data and configuration information were intact, which greatly helped the restore of Exchange. Progent was able to find non-encrypted OST files (Outlook Off-Line Data Files) on staff desktop computers and laptops in order to recover email information. A not too old offline backup of the client's accounting systems made it possible to restore these essential services back servicing users. Although a lot of work was left to recover totally from the Ryuk event, core systems were returned to operations rapidly:


"For the most part, the production manufacturing operation was never shut down and we did not miss any customer deliverables."

During the following few weeks key milestones in the restoration process were accomplished in close cooperation between Progent engineers and the customer:

  • In-house web applications were restored without losing any data.
  • The MailStore Microsoft Exchange Server exceeding four million historical messages was restored to operations and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory Control functions were completely restored.
  • A new Palo Alto 850 firewall was installed and configured.
  • 90% of the desktops and laptops were back into operation.

"Much of what happened in the early hours is nearly entirely a blur for me, but our team will not soon forget the countless hours each and every one of your team accomplished to give us our business back. Iíve trusted Progent for at least 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered. This time was a testament to your capabilities."

Conclusion
A likely business-ending disaster was avoided with results-oriented professionals, a wide spectrum of knowledge, and tight teamwork. Although in hindsight the crypto-ransomware attack described here would have been identified and blocked with modern security technology solutions and NIST Cybersecurity Framework best practices, team education, and well designed incident response procedures for information backup and proper patching controls, the fact is that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware penetration, remember that Progent's team of professionals has proven experience in ransomware virus blocking, removal, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were helping), thank you for making it so I could get rested after we made it over the first week. All of you did an incredible job, and if anyone that helped is in the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Minnetonka a portfolio of online monitoring and security assessment services designed to help you to minimize your vulnerability to crypto-ransomware. These services incorporate next-generation machine learning capability to uncover zero-day strains of ransomware that can escape detection by legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes cutting edge behavior machine learning technology to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which easily get by legacy signature-matching anti-virus tools. ProSight ASM safeguards on-premises and cloud-based resources and provides a single platform to manage the complete malware attack progression including filtering, identification, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows VSS and automatic network-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver economical multi-layer security for physical and virtual servers, workstations, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, endpoint management, and web filtering through cutting-edge tools incorporated within a single agent managed from a unified control. Progent's security and virtualization experts can help you to plan and configure a ProSight ESP deployment that addresses your company's unique requirements and that allows you prove compliance with legal and industry information protection standards. Progent will assist you define and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that call for urgent attention. Progent's consultants can also help you to set up and test a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and medium-sized businesses an affordable end-to-end service for secure backup/disaster recovery (BDR). For a low monthly price, ProSight Data Protection Services automates your backup processes and allows fast restoration of vital files, applications and VMs that have become unavailable or corrupted due to hardware breakdowns, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to a local device, or to both. Progent's BDR specialists can provide world-class expertise to configure ProSight DPS to to comply with government and industry regulatory requirements such as HIPAA, FIRPA, PCI and Safe Harbor and, when needed, can assist you to recover your business-critical information. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top data security vendors to provide web-based control and comprehensive protection for your email traffic. The hybrid architecture of Progent's Email Guard managed service integrates cloud-based filtering with a local security gateway device to provide advanced protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-borne malware. The cloud filter serves as a first line of defense and keeps most unwanted email from reaching your network firewall. This reduces your exposure to external attacks and saves network bandwidth and storage space. Email Guard's on-premises gateway appliance provides a further layer of inspection for inbound email. For outgoing email, the local security gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your security perimeter. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to map out, monitor, optimize and debug their networking appliances like routers, firewalls, and wireless controllers as well as servers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that network maps are always current, copies and manages the configuration of almost all devices connected to your network, monitors performance, and sends alerts when issues are discovered. By automating tedious management activities, WAN Watch can cut hours off common chores like network mapping, expanding your network, locating devices that need critical updates, or isolating performance issues. Find out more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management technology to keep your network running at peak levels by checking the health of vital computers that power your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your designated IT management personnel and your Progent engineering consultant so that all looming issues can be addressed before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure fault tolerant data center on a high-performance virtual machine host configured and managed by Progent's network support professionals. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be ported easily to a different hosting solution without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and protect data related to your network infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be warned about impending expirations of SSLs ,domains or warranties. By updating and organizing your network documentation, you can save as much as half of time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents required for managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether youíre planning enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you need as soon as you need it. Find out more about ProSight IT Asset Management service.
For Minnetonka 24-Hour Crypto Remediation Consulting, reach out to Progent at 800-993-9400 or go to Contact Progent.