Ransomware: Your Crippling Information Technology Catastrophe
Ransomware Remediation Consultants
Crypto-ransomware has become a modern cyberplague that presents an enterprise-level threat to businesses vulnerable to an attack. Multiple generations of crypto-ransomware such as the CryptoLocker, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been circulating for many years and still cause destruction. The latest versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Nephilim, as well as newer strains that have not yet been named, not only encrypt online data but also infect most accessible system backups. Data replicated to cloud environments can also be corrupted. In a poorly architected system, this can make any recovery impossible and effectively sets the datacenter back to square one.

Recovering programs and information after a ransomware outage becomes a sprint against the clock as the targeted business tries its best to stop lateral movement, clean up the ransomware and restore enterprise-critical operations. Because crypto-ransomware takes time to move laterally, penetrations are often launched on weekends, when attacks may take longer to notice. This multiplies the difficulty of promptly mobilizing and organizing a qualified response team.

Progent offers a variety of services for securing organizations against ransomware attacks. These include team education to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of the latest generation of security gateways with AI technology to intelligently identify and disable zero-day cyber threats. Progent also provides the services of veteran ransomware recovery consultants with the skills and commitment to redeploy a compromised network as soon as possible.

Progent's Ransomware Restoration Services
After a ransomware event, paying the ransom demand in Bitcoin cryptocurrency provides no assurance that the cyber criminals will respond with the keys to decrypt any or all of your information. Kaspersky found that seventeen percent of crypto-ransomware victims never recovered their information after having paid the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the typical ransomware demand, which ZDNET estimates to be in the range of $13,000. The other path is to piece back together the key elements of your Information Technology environment. Without access to essential system backups, this requires a broad complement of IT skills, top-notch project management, and the capability to work 24x7 until the recovery project is over.

For twenty years, Progent has offered certified expert Information Technology services for companies in Minnetonka and across the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have been awarded top certifications in key technologies from Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have earned internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has expertise in accounting and ERP applications. This breadth of expertise allows Progent to rapidly identify critical systems, consolidate the surviving pieces of your Information Technology system after a crypto-ransomware penetration, and rebuild them into an operational network.

Progent's recovery group deploys state-of-the-art project management systems to coordinate the complex recovery process. Progent understands the urgency of acting quickly and in concert with a customer's management and Information Technology team members to prioritize tasks and to get key systems back online as soon as humanly possible.

Business Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A business escalated to Progent after their company was taken over by the Ryuk ransomware virus. Ryuk is believed to have been launched by North Korean state-sponsored criminal gangs, possibly adopting approaches leaked from America's NSA. Ryuk attacks specific businesses with little ability to sustain disruption and is among the most lucrative versions of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in the Chicago metro area with about 500 employees. The Ryuk event had brought down all essential operations and manufacturing processes. Most of the client's information backups had been online at the time of the intrusion and were destroyed. The client considered paying the ransom demand (more than two hundred thousand dollars) and hoping for good luck, but in the end called Progent.


"I can't thank you enough for the support Progent provided us during the most fearful period of (our) company's existence. We would have paid the criminal gangs if it wasn't for the confidence the Progent group afforded us. That you could get our messaging and key servers back online sooner than a week was amazing. Every single consultant I worked with or communicated with at Progent was absolutely committed to getting us restored and was working non-stop on our behalf."

Progent worked together with the client to rapidly identify and prioritize the mission-critical areas that had to be recovered in order for departmental functions to continue:

  • Active Directory (AD)
  • Electronic Mail
  • Accounting and Manufacturing Software
To start, Progent followed industry best practices for AV/malware incident response by halting the spread and disinfecting systems. Progent then began the steps of restoring Microsoft Active Directory, the heart of enterprise systems built upon Microsoft technology. Microsoft Exchange Server email will not function without Active Directory, and the business's financials and MRP software used Microsoft SQL Server, which relies on Active Directory for authentication.

In less than 2 days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then carried out setup and hard drive recovery of essential systems. All Microsoft Exchange Server data and configuration information were intact, which greatly helped the restoration of Exchange. Progent was also able to locate local OST files (Outlook Email Offline Data Files) on team desktop computers to recover mail data. A fairly recent offline backup of the customer's financials/MRP systems made it possible to bring these essential services back online. Although major work still had to be done to recover completely from the Ryuk event, critical systems were returned to operation quickly:


"For the most part, the production manufacturing operation showed little impact and we did not miss any customer sales."

During the following couple of weeks key milestones in the recovery project were accomplished in tight collaboration between Progent engineers and the client:

  • Internal web sites were returned to operation with no loss of data.
  • The MailStore Exchange Server containing more than 4 million historical emails was brought online and available for users.
  • CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory Control capabilities were fully functional.
  • A new Palo Alto Networks 850 firewall was installed.
  • Ninety percent of the desktop computers were back in use by staff.

"Much of what went on in the initial days is mostly a blur for me, but I will not soon forget the urgency all of your team accomplished to help get our business back. I've been working together with Progent for the past 10 years, maybe more, and each time Progent has impressed me and delivered as promised. This event was a Herculean accomplishment."

Conclusion
A probable business-extinction disaster was averted thanks to hard-working experts, a broad range of knowledge, and tight teamwork. Although in hindsight the ransomware penetration described here would have been identified and disabled with modern cybersecurity technology and NIST Cybersecurity Framework best practices, team training, and appropriate security procedures for data backup and for keeping systems up to date with security patches, the fact is that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and will continue. If you do fall victim to a ransomware penetration, you can be confident that Progent's team of professionals has extensive experience in ransomware defense, mitigation, and file restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thank you for allowing me to get rested after we got past the most critical parts. All of you did an amazing effort, and if any of your team is in the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Minnetonka a range of remote monitoring and security evaluation services to help you to minimize your vulnerability to ransomware. These services utilize modern machine learning capability to detect zero-day strains of ransomware that can evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes next generation behavior machine learning tools to defend physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which easily escape traditional signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a single platform to address the entire threat lifecycle including filtering, identification, containment, cleanup, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services offer economical in-depth security for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and responding to security assaults from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, device control, and web filtering through leading-edge tools packaged within a single agent managed from a unified console. Progent's security and virtualization experts can help you to plan and implement a ProSight ESP environment that meets your organization's specific requirements and that helps you achieve and demonstrate compliance with legal and industry information protection standards. Progent will help you define and configure security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for immediate action. Progent's consultants can also help your company to install and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and medium-sized businesses an affordable end-to-end service for secure backup/disaster recovery. For a fixed monthly rate, ProSight Data Protection Services automates your backup processes and enables rapid recovery of vital files, applications and VMs that have become unavailable or damaged as a result of hardware failures, software glitches, disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to a local storage device, or to both. Progent's cloud backup consultants can deliver advanced expertise to set up ProSight Data Protection Services to be compliant with regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, whenever needed, can help you to restore your critical data. Learn more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of top data security vendors to deliver centralized management and comprehensive security for all your email traffic. The powerful structure of Email Guard managed service integrates cloud-based filtering with an on-premises gateway device to provide complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's cloud filter serves as a first line of defense and keeps the vast majority of unwanted email from reaching your security perimeter. This decreases your vulnerability to external threats and saves system bandwidth and storage space. Email Guard's onsite gateway appliance provides a further level of inspection for incoming email. For outbound email, the on-premises gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also help Exchange Server to monitor and safeguard internal email traffic that stays inside your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map, track, reconfigure and debug their networking appliances like routers, switches, firewalls, and load balancers, plus servers, printers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept updated, copies and manages the configuration of almost all devices on your network, tracks performance, and generates alerts when problems are detected. By automating time-consuming management processes, WAN Watch can cut hours off common tasks such as network mapping, reconfiguring your network, locating devices that need critical software patches, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) technology to keep your IT system running at peak levels by checking the state of the critical assets that power your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your designated IT staff and your assigned Progent engineering consultant so that all potential issues can be resolved before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual host configured and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the apps. Because the environment is virtualized, it can be moved easily to a different hosting solution without a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, retrieve and protect data related to your IT infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be warned about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT infrastructure documentation, you can save as much as half of the time wasted searching for vital information about your network. ProSight IT Asset Management features a centralized location for holding and sharing all documents required for managing your business network, like standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether you're planning enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you require as soon as you need it. Learn more about ProSight IT Asset Management service.

For Minnetonka 24-7 Crypto-Ransomware Recovery Experts, contact Progent at 800-993-9400 or go to Contact Progent.