Ransomware : Your Feared Information Technology Catastrophe
Ransomware  Remediation ProfessionalsCrypto-Ransomware has become a too-frequent cyber pandemic that poses an extinction-level threat for businesses of all sizes poorly prepared for an attack. Versions of ransomware such as CrySIS, Fusob, Locky, Syskey and MongoLock cryptoworms have been out in the wild for many years and still inflict destruction. The latest strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Egregor, as well as additional as yet unnamed viruses, not only encrypt on-line information but also infiltrate all available system protection mechanisms. Files replicated to off-site disaster recovery sites can also be rendered useless. In a poorly architected environment, this can make any recovery useless and basically sets the entire system back to square one.

Getting back services and information following a ransomware intrusion becomes a race against time as the targeted organization struggles to contain and cleanup the crypto-ransomware and to restore mission-critical operations. Since ransomware needs time to move laterally, assaults are frequently launched during nights and weekends, when successful attacks tend to take more time to uncover. This multiplies the difficulty of promptly mobilizing and coordinating a qualified mitigation team.

Progent offers an assortment of services for protecting organizations from ransomware events. These include team training to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of the latest generation security gateways with artificial intelligence capabilities to rapidly detect and disable day-zero threats. Progent also provides the services of veteran ransomware recovery professionals with the track record and perseverance to re-deploy a breached environment as soon as possible.

Progent's Crypto-Ransomware Recovery Services
Subsequent to a ransomware penetration, even paying the ransom in Bitcoin cryptocurrency does not provide any assurance that cyber criminals will provide the codes to decipher any of your files. Kaspersky Labs ascertained that 17% of ransomware victims never restored their data even after having paid the ransom, resulting in more losses. The risk is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is greatly higher than the average crypto-ransomware demands, which ZDNET averages to be approximately $13,000. The other path is to re-install the key parts of your Information Technology environment. Absent access to complete data backups, this calls for a broad complement of IT skills, professional team management, and the willingness to work 24x7 until the task is done.

For decades, Progent has made available professional IT services for businesses in Phoenix and throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have attained top industry certifications in leading technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have garnered internationally-renowned certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has experience in financial management and ERP application software. This breadth of experience provides Progent the ability to efficiently understand important systems and organize the surviving parts of your computer network system following a crypto-ransomware event and configure them into a functioning system.

Progent's security team utilizes powerful project management applications to coordinate the sophisticated recovery process. Progent appreciates the urgency of working swiftly and together with a client's management and Information Technology resources to assign priority to tasks and to get the most important services back on line as fast as possible.

Customer Story: A Successful Ransomware Intrusion Response
A customer hired Progent after their network system was brought down by the Ryuk ransomware. Ryuk is thought to have been created by Northern Korean state cybercriminals, suspected of using technology exposed from the United States National Security Agency. Ryuk seeks specific organizations with limited tolerance for disruption and is one of the most profitable incarnations of ransomware viruses. Headline organizations include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in Chicago with about 500 employees. The Ryuk attack had frozen all essential operations and manufacturing capabilities. The majority of the client's data protection had been online at the start of the intrusion and were eventually encrypted. The client considered paying the ransom demand (in excess of two hundred thousand dollars) and hoping for good luck, but ultimately brought in Progent.


"I cannot say enough in regards to the expertise Progent gave us during the most fearful period of (our) companyís existence. We may have had to pay the cyber criminals behind the attack except for the confidence the Progent team provided us. The fact that you could get our e-mail system and production servers back sooner than seven days was beyond my wildest dreams. Each person I got help from or messaged at Progent was urgently focused on getting us working again and was working breakneck pace on our behalf."

Progent worked together with the client to quickly identify and assign priority to the critical services that had to be restored in order to resume business functions:

  • Active Directory
  • Microsoft Exchange Email
  • Accounting/MRP
To get going, Progent adhered to Anti-virus penetration response industry best practices by halting the spread and disinfecting systems. Progent then initiated the steps of restoring Windows Active Directory, the heart of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange email will not operate without Windows AD, and the client's MRP system utilized Microsoft SQL, which requires Active Directory for security authorization to the database.

In less than 2 days, Progent was able to re-build Active Directory services to its pre-attack state. Progent then completed setup and hard drive recovery on needed systems. All Exchange Server data and configuration information were intact, which facilitated the restore of Exchange. Progent was also able to assemble intact OST data files (Microsoft Outlook Offline Folder Files) on staff PCs in order to recover mail data. A not too old off-line backup of the customerís accounting systems made them able to recover these vital services back servicing users. Although a lot of work still had to be done to recover totally from the Ryuk attack, the most important systems were recovered quickly:


"For the most part, the production manufacturing operation did not miss a beat and we made all customer shipments."

During the following couple of weeks important milestones in the restoration project were accomplished through tight collaboration between Progent engineers and the customer:

  • Self-hosted web applications were returned to operation with no loss of data.
  • The MailStore Microsoft Exchange Server exceeding four million archived emails was restored to operations and available for users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory modules were 100% restored.
  • A new Palo Alto Networks 850 security appliance was deployed.
  • Ninety percent of the user desktops were operational.

"A huge amount of what went on those first few days is nearly entirely a blur for me, but our team will not forget the care each of you put in to help get our business back. Iíve been working together with Progent for at least 10 years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This event was the most impressive ever."

Conclusion
A likely business extinction disaster was avoided through the efforts of dedicated experts, a broad range of technical expertise, and tight collaboration. Although in analyzing the event afterwards the ransomware virus attack detailed here should have been identified and prevented with modern cyber security systems and security best practices, user and IT administrator training, and properly executed incident response procedures for backup and proper patching controls, the fact is that government-sponsored hackers from Russia, China and elsewhere are tireless and are an ongoing threat. If you do fall victim to a crypto-ransomware incident, feel confident that Progent's roster of professionals has proven experience in ransomware virus blocking, cleanup, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were involved), thank you for letting me get some sleep after we made it through the most critical parts. Everyone did an amazing job, and if anyone is in the Chicago area, dinner is my treat!"

To review or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Phoenix a variety of remote monitoring and security evaluation services designed to assist you to reduce the threat from ransomware. These services incorporate next-generation artificial intelligence capability to detect zero-day strains of crypto-ransomware that can get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes next generation behavior-based machine learning tools to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which easily get by legacy signature-based anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a unified platform to automate the entire threat lifecycle including blocking, identification, containment, remediation, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services offer affordable in-depth protection for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and responding to security threats from all vectors. ProSight ESP provides two-way firewall protection, penetration alarms, endpoint management, and web filtering through leading-edge technologies packaged within a single agent accessible from a unified control. Progent's data protection and virtualization consultants can help you to plan and configure a ProSight ESP deployment that meets your company's specific needs and that helps you prove compliance with legal and industry data security regulations. Progent will assist you define and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that call for urgent action. Progent can also help you to install and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized businesses a low cost end-to-end service for reliable backup/disaster recovery (BDR). For a low monthly price, ProSight DPS automates your backup processes and enables fast restoration of critical data, applications and virtual machines that have become lost or damaged as a result of component breakdowns, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware images/. Important data can be backed up on the cloud, to a local device, or to both. Progent's cloud backup consultants can deliver advanced expertise to configure ProSight DPS to to comply with regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can assist you to recover your critical information. Read more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top data security vendors to provide centralized management and world-class protection for all your inbound and outbound email. The hybrid structure of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises gateway appliance to offer advanced protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-based malware. The Cloud Protection Layer serves as a preliminary barricade and blocks most threats from making it to your security perimeter. This decreases your vulnerability to external threats and conserves network bandwidth and storage space. Email Guard's on-premises gateway appliance provides a further layer of inspection for inbound email. For outbound email, the on-premises gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to monitor and protect internal email that originates and ends inside your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progentís ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller businesses to map out, monitor, enhance and troubleshoot their networking appliances like switches, firewalls, and access points as well as servers, endpoints and other networked devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch ensures that network diagrams are always current, copies and manages the configuration information of virtually all devices on your network, monitors performance, and sends notices when problems are detected. By automating tedious network management activities, ProSight WAN Watch can knock hours off common chores like making network diagrams, reconfiguring your network, locating appliances that need important software patches, or resolving performance issues. Find out more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management technology to keep your network operating efficiently by tracking the health of critical assets that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your designated IT management personnel and your Progent consultant so that all looming problems can be resolved before they can disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual machine host set up and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the apps. Since the environment is virtualized, it can be moved easily to a different hardware environment without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not tied a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and safeguard information about your network infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or warranties. By updating and managing your IT documentation, you can save up to 50% of time thrown away trying to find critical information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents related to managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether youíre making enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you require as soon as you need it. Read more about ProSight IT Asset Management service.
For 24-7 Phoenix Crypto-Ransomware Recovery Support Services, reach out to Progent at 800-993-9400 or go to Contact Progent.