Ransomware: Your Feared IT Disaster
Ransomware has become an escalating cyber pandemic that represents an extinction-level threat for businesses vulnerable to an assault. Multiple generations of ransomware like the CryptoLocker, Fusob, Locky, Syskey and MongoLock cryptoworms have been running rampant for a long time and still cause damage. More recent strains of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Nephilim, along with daily as yet unnamed newcomers, not only encrypt critical online data but also infiltrate most configured system protection mechanisms. Data synchronized to off-site disaster recovery sites can also be encrypted. In a poorly architected environment, this can render automatic restoration hopeless and effectively knock the entire system back to zero.

Getting programs and data back online after a crypto-ransomware outage becomes a race against time as the victim struggles to contain the damage, remove the ransomware, and resume business-critical operations. Because crypto-ransomware requires time to spread, penetrations are often sprung during weekends and nights, when attacks tend to take longer to detect. This multiplies the difficulty of quickly assembling and organizing a knowledgeable mitigation team.

Progent provides an assortment of solutions for securing businesses from crypto-ransomware attacks. These include team member education to help recognize and avoid falling victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and installation of next-generation security solutions with AI technology to rapidly identify and disable zero-day cyber threats. Progent can also provide the assistance of experienced crypto-ransomware recovery consultants with the track record and perseverance to reconstruct a breached system as urgently as possible.

Progent's Crypto-Ransomware Recovery Services
After a ransomware penetration, even paying the ransom demands in cryptocurrency does not ensure that criminal gangs will respond with the keys to decrypt all your files. Kaspersky Labs determined that 17% of ransomware victims never recovered their data after having paid the ransom, resulting in additional losses. The risk is also costly. Ryuk ransoms commonly range from 15 to 40 BTC (between $120,000 and $400,000). This is well above the typical crypto-ransomware demand, which ZDNET puts at an average of around $13,000. The fallback is to set up the essential parts of your Information Technology environment from scratch. Absent the availability of essential information backups, this calls for a broad complement of skill sets, well-coordinated team management, and the ability to work continuously until the job is finished.

For decades, Progent has offered professional Information Technology services for businesses in St. Paul and across the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have attained advanced certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have garnered internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise in financial management and ERP software solutions. This breadth of experience provides Progent the skills to quickly determine necessary systems and consolidate the remaining parts of your IT environment following a ransomware event and rebuild them into a functioning network.

Progent's security group uses powerful project management tools to coordinate the sophisticated recovery process. Progent appreciates the importance of acting swiftly and in concert with a customer's management and Information Technology resources to assign priority to tasks and to get the most important services back online as soon as possible.

Customer Story: A Successful Ransomware Intrusion Recovery
A client contacted Progent after their organization was attacked by Ryuk crypto-ransomware. Ryuk is generally considered to have been created by North Korean state-sponsored hackers, suspected of adopting algorithms leaked from America's NSA organization. Ryuk seeks specific businesses with little ability to sustain disruption and is one of the most lucrative strains of ransomware. Headline victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business based in Chicago with around 500 employees. The Ryuk event had frozen all business operations and manufacturing capabilities. The majority of the client's data protection systems had been online at the start of the attack and were eventually encrypted. The client considered paying the ransom (in excess of $200K) and praying for good luck, but ultimately called Progent.


"I cannot speak enough in regards to the help Progent provided us throughout the most critical period of (our) company's survival. We most likely would have paid the criminal gangs if it wasn't for the confidence the Progent group gave us. The fact that you could get our e-mail system and essential applications back online sooner than a week was incredible. Every single person I talked with or e-mailed at Progent was hell bent on getting us back online and was working 24/7 on our behalf."

Progent worked hand in hand with the client to quickly identify and assign priority to the essential elements that had to be restored to make it possible to continue business operations:

  • Active Directory (AD)
  • Electronic Messaging
  • Accounting/MRP

To get going, Progent adhered to ransomware incident response industry best practices by halting lateral movement and removing active viruses. Progent then began the process of restoring Microsoft Active Directory, the foundation of enterprise systems built upon Microsoft technology. Microsoft Exchange email will not operate without Windows AD, and the business's accounting and MRP software utilized SQL Server, which requires Windows AD for access to the information.

In less than two days, Progent was able to recover Active Directory to its pre-penetration state. Progent then accomplished rebuilding and storage recovery on key applications. All Exchange Server schema and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to find intact OST data files (Outlook Email Offline Folder Files) on staff PCs and laptops to recover mail data. A recent off-line backup of the customer's accounting/ERP systems made it possible to return these vital programs to service for users. Although a large amount of work needed to be completed to recover completely from the Ryuk damage, the most important services were returned to operation rapidly:


"For the most part, the production operation ran fairly normal throughout and we made all customer orders."

During the following month, important milestones in the recovery process were reached through tight collaboration between Progent team members and the client:

  • Self-hosted web sites were brought back up without losing any information.
  • The MailStore Server with over four million archived messages was brought online and accessible to users.
  • CRM/Customer Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory functions were 100 percent restored.
  • A new Palo Alto Networks 850 firewall was brought online.
  • Ninety percent of the user PCs were functioning as before the incident.

"A huge amount of what transpired in the early hours is nearly entirely a haze for me, but we will not soon forget the commitment all of you put in to give us our business back. I have been working with Progent for the past 10 years, maybe more, and each time I needed help Progent has shined and delivered as promised. This event was a life saver."

Conclusion
A possible business-ending disaster was averted through hard-working experts, a broad array of subject matter expertise, and tight teamwork. Although post-incident forensics indicated that the ransomware attack detailed here could have been blocked with current security solutions and best practices, user and IT administrator training, and properly executed incident response procedures for data backup and applying software patches, the fact is that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware virus, remember that Progent's roster of experts has proven experience in crypto-ransomware virus blocking, cleanup, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were helping), thanks very much for letting me get some sleep after we got past the initial push. Everyone did an impressive effort, and if any of your guys is around the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in St. Paul a portfolio of online monitoring and security evaluation services designed to help you minimize the threat from ransomware. These services incorporate next-generation artificial intelligence capability to detect new strains of ransomware that are able to get past legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes next generation behavior-based machine learning technology to guard physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which routinely evade traditional signature-based anti-virus products. ProSight Active Security Monitoring protects local and cloud-based resources and provides a unified platform to address the entire malware attack lifecycle including blocking, identification, containment, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows VSS and automatic system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer ultra-affordable in-depth protection for physical and virtual servers, workstations, mobile devices, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and reacting to cyber assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alarms, device control, and web filtering via leading-edge technologies incorporated within a single agent managed from a unified console. Progent's security and virtualization consultants can assist your business to plan and configure a ProSight ESP deployment that addresses your company's specific requirements and that allows you to demonstrate compliance with legal and industry data security standards. Progent will help you specify and implement security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for immediate action. Progent can also help you to set up and verify a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has worked with advanced backup software companies to produce ProSight Data Protection Services (DPS), a selection of management offerings that provide backup-as-a-service (BaaS). ProSight DPS products automate and monitor your backup operations and enable non-disruptive backup and fast restoration of important files/folders, apps, system images, and Hyper-V and VMware virtual machines. ProSight DPS helps your business avoid data loss resulting from hardware breakdown, natural disasters, fire, cyber attacks such as ransomware, user mistakes, ill-intentioned employees, or software glitches. Managed backup services in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can help you to identify which of these managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading data security vendors to provide web-based management and world-class security for all your email traffic. The powerful architecture of Email Guard integrates a Cloud Protection Layer with an on-premises security gateway appliance to provide advanced defense against spam, viruses, DoS attacks, DHAs, and other email-based threats. Email Guard's cloud filter acts as a first line of defense and blocks most threats from making it to your security perimeter. This reduces your vulnerability to inbound attacks and conserves system bandwidth and storage. Email Guard's onsite security gateway device provides a further layer of inspection for incoming email. For outbound email, the onsite gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to monitor and protect internal email that originates and ends within your corporate firewall. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to map, track, reconfigure and troubleshoot their networking hardware like switches, firewalls, and wireless controllers plus servers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network maps are always current, captures and manages the configuration information of almost all devices connected to your network, monitors performance, and sends alerts when potential issues are discovered. By automating complex management and troubleshooting processes, ProSight WAN Watch can cut hours off ordinary chores like network mapping, expanding your network, locating appliances that need important software patches, or resolving performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management technology to keep your network operating efficiently by tracking the health of critical computers that power your business network. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT management staff and your assigned Progent consultant so any potential issues can be addressed before they have a chance to impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure Tier III data center on a fast virtual machine host configured and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the apps. Since the system is virtualized, it can be moved immediately to a different hosting solution without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and safeguard information related to your IT infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can save up to 50% of time spent searching for critical information about your IT network. ProSight IT Asset Management features a common location for storing and collaborating on all documents required for managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're planning enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need when you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection managed service that incorporates next generation behavior-based analysis technology to guard endpoints, servers, and VMs against new malware assaults such as ransomware and file-less exploits, which easily escape traditional signature-based anti-virus products. Progent Active Security Monitoring services safeguard local and cloud resources and provide a unified platform to manage the complete threat progression including filtering, infiltration detection, containment, remediation, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Learn more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Call Center: Help Desk Managed Services
    Progent's Call Center services allow your information technology group to outsource Support Desk services to Progent or split activity for Help Desk services seamlessly between your internal network support staff and Progent's nationwide roster of certified IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk provides a seamless extension of your internal support team. User access to the Help Desk, provision of technical assistance, escalation, trouble ticket generation and updates, performance metrics, and management of the support database are consistent whether issues are taken care of by your core support staff, by Progent, or both. Read more about Progent's outsourced/co-managed Help Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer businesses of any size a versatile and cost-effective solution for assessing, testing, scheduling, implementing, and tracking updates to your dynamic information network. Besides maximizing the security and reliability of your IT environment, Progent's software/firmware update management services free up time for your in-house IT team to focus on line-of-business initiatives and tasks that deliver the highest business value from your network. Find out more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication managed services utilize Cisco's Duo technology to defend against compromised passwords by using two-factor authentication. Duo enables one-tap identity verification on Apple iOS, Google Android, and other personal devices. With 2FA, when you sign into a secured application and enter your password you are requested to verify who you are via a device that only you possess and that is accessed using a different ("out-of-band") network channel. A broad range of out-of-band devices can be utilized as this added form of authentication such as an iPhone or Android or watch, a hardware/software token, a landline phone, etc. You may designate multiple validation devices. For more information about Duo two-factor identity validation services, go to Cisco Duo MFA two-factor authentication services for access security.

For 24-7 St. Paul Ransomware Repair Consulting, contact Progent at 800-462-8800 or go to Contact Progent.