Ransomware : Your Crippling IT Nightmare
Crypto-Ransomware  Remediation ProfessionalsRansomware has become a too-frequent cyber pandemic that presents an extinction-level danger for businesses of all sizes unprepared for an attack. Versions of ransomware such as Dharma, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for years and continue to inflict harm. More recent versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, as well as additional as yet unnamed viruses, not only encrypt online data but also infiltrate most configured system backup. Files replicated to cloud environments can also be ransomed. In a vulnerable system, it can render any restore operations impossible and effectively sets the datacenter back to zero.

Getting back on-line services and information following a ransomware attack becomes a race against time as the victim struggles to contain the damage and remove the crypto-ransomware and to restore mission-critical activity. Because ransomware needs time to move laterally, attacks are usually sprung on weekends and holidays, when successful penetrations typically take more time to notice. This multiplies the difficulty of promptly mobilizing and orchestrating a knowledgeable response team.

Progent has an assortment of support services for securing enterprises from ransomware events. These include user training to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of modern security solutions with AI capabilities to automatically discover and quarantine new cyber threats. Progent in addition can provide the assistance of experienced ransomware recovery consultants with the track record and commitment to reconstruct a compromised environment as soon as possible.

Progent's Ransomware Recovery Help
Soon after a ransomware penetration, paying the ransom in Bitcoin cryptocurrency does not ensure that cyber criminals will respond with the keys to unencrypt any of your data. Kaspersky determined that seventeen percent of ransomware victims never recovered their files even after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the usual crypto-ransomware demands, which ZDNET determined to be in the range of $13,000. The other path is to setup from scratch the critical components of your IT environment. Without access to essential information backups, this requires a wide range of skills, top notch team management, and the willingness to work non-stop until the job is over.

For decades, Progent has offered certified expert Information Technology services for businesses in St. Paul and throughout the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have been awarded high-level certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have garnered internationally-renowned industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has experience with accounting and ERP software solutions. This breadth of experience affords Progent the ability to quickly determine critical systems and re-organize the remaining components of your computer network environment after a ransomware penetration and configure them into an operational network.

Progent's ransomware team of experts uses best of breed project management tools to orchestrate the complicated restoration process. Progent appreciates the importance of working swiftly and together with a customerís management and IT resources to assign priority to tasks and to put critical applications back online as soon as possible.

Case Study: A Successful Crypto-Ransomware Attack Recovery
A client engaged Progent after their organization was crashed by Ryuk ransomware. Ryuk is thought to have been developed by Northern Korean state sponsored hackers, possibly using algorithms leaked from the U.S. National Security Agency. Ryuk goes after specific businesses with little room for operational disruption and is among the most profitable incarnations of ransomware. Headline organizations include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer located in the Chicago metro area and has about 500 staff members. The Ryuk intrusion had frozen all essential operations and manufacturing processes. Most of the client's backups had been directly accessible at the beginning of the attack and were eventually encrypted. The client considered paying the ransom demand (more than two hundred thousand dollars) and wishfully thinking for the best, but ultimately brought in Progent.


"I canít thank you enough in regards to the expertise Progent gave us during the most stressful period of (our) businesses life. We most likely would have paid the cybercriminals except for the confidence the Progent group provided us. That you could get our e-mail and key servers back online faster than a week was earth shattering. Each consultant I worked with or texted at Progent was totally committed on getting us back on-line and was working breakneck pace on our behalf."

Progent worked together with the client to rapidly identify and assign priority to the essential applications that needed to be restored to make it possible to restart company operations:

  • Active Directory
  • E-Mail
  • Accounting/MRP
To start, Progent followed Anti-virus event response industry best practices by halting the spread and clearing up compromised systems. Progent then started the steps of restoring Microsoft Active Directory, the foundation of enterprise environments built upon Microsoft Windows technology. Microsoft Exchange messaging will not operate without Windows AD, and the businessesí accounting and MRP system leveraged Microsoft SQL, which needs Active Directory for access to the information.

In less than 48 hours, Progent was able to re-build Windows Active Directory to its pre-intrusion state. Progent then charged ahead with setup and hard drive recovery on mission critical systems. All Exchange data and configuration information were usable, which facilitated the rebuild of Exchange. Progent was able to collect intact OST data files (Microsoft Outlook Off-Line Data Files) on staff workstations in order to recover email data. A recent offline backup of the customerís accounting/ERP systems made it possible to return these essential services back available to users. Although major work remained to recover fully from the Ryuk virus, core services were recovered rapidly:


"For the most part, the manufacturing operation did not miss a beat and we did not miss any customer orders."

During the next couple of weeks key milestones in the recovery project were achieved in tight collaboration between Progent team members and the customer:

  • In-house web applications were restored without losing any information.
  • The MailStore Exchange Server with over four million archived messages was restored to operations and accessible to users.
  • CRM/Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory Control modules were completely restored.
  • A new Palo Alto 850 security appliance was installed and configured.
  • Nearly all of the desktop computers were back into operation.

"Much of what happened during the initial response is nearly entirely a haze for me, but my team will not soon forget the countless hours each and every one of you accomplished to help get our business back. Iíve trusted Progent for the past ten years, possibly more, and each time Progent has impressed me and delivered. This time was the most impressive ever."

Conclusion
A potential business disaster was avoided through the efforts of top-tier experts, a wide range of technical expertise, and close teamwork. Although upon completion of forensics the ransomware virus penetration detailed here would have been identified and prevented with modern cyber security systems and NIST Cybersecurity Framework best practices, user and IT administrator education, and properly executed incident response procedures for data backup and keeping systems up to date with security patches, the reality remains that state-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a crypto-ransomware incursion, feel confident that Progent's roster of professionals has substantial experience in ransomware virus defense, remediation, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), Iím grateful for making it so I could get rested after we got through the initial fire. All of you did an impressive job, and if anyone that helped is around the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer story, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in St. Paul a range of remote monitoring and security evaluation services to help you to minimize the threat from crypto-ransomware. These services incorporate modern AI technology to uncover zero-day strains of crypto-ransomware that are able to escape detection by traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates next generation behavior machine learning technology to defend physical and virtual endpoints against new malware attacks like ransomware and email phishing, which easily escape legacy signature-based anti-virus tools. ProSight ASM safeguards local and cloud-based resources and offers a single platform to manage the entire malware attack progression including protection, infiltration detection, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer economical in-depth protection for physical servers and VMs, desktops, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and responding to security assaults from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, endpoint management, and web filtering via cutting-edge tools incorporated within one agent accessible from a unified control. Progent's data protection and virtualization consultants can assist you to design and configure a ProSight ESP deployment that addresses your organization's specific needs and that helps you demonstrate compliance with legal and industry information protection regulations. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require urgent action. Progent can also assist you to install and verify a backup and disaster recovery system like ProSight Data Protection Services so you can recover rapidly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized organizations a low cost and fully managed solution for reliable backup/disaster recovery. For a low monthly cost, ProSight Data Protection Services automates and monitors your backup processes and allows fast restoration of vital files, apps and VMs that have become lost or damaged as a result of component breakdowns, software glitches, disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images/. Critical data can be backed up on the cloud, to a local storage device, or mirrored to both. Progent's cloud backup specialists can provide advanced support to configure ProSight Data Protection Services to be compliant with regulatory requirements like HIPAA, FIRPA, PCI and Safe Harbor and, when necessary, can help you to restore your critical data. Find out more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of leading data security companies to provide centralized control and world-class security for all your inbound and outbound email. The hybrid structure of Email Guard managed service integrates a Cloud Protection Layer with an on-premises security gateway device to offer complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The cloud filter serves as a preliminary barricade and keeps most unwanted email from making it to your security perimeter. This decreases your vulnerability to inbound threats and saves system bandwidth and storage. Email Guard's onsite gateway appliance provides a deeper layer of analysis for inbound email. For outgoing email, the on-premises security gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to track and protect internal email that stays within your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller organizations to map, monitor, reconfigure and debug their networking appliances like switches, firewalls, and load balancers as well as servers, endpoints and other devices. Using cutting-edge RMM technology, ProSight WAN Watch ensures that network maps are always current, copies and displays the configuration information of almost all devices connected to your network, monitors performance, and sends notices when issues are discovered. By automating complex network management processes, ProSight WAN Watch can knock hours off ordinary tasks like network mapping, expanding your network, locating devices that need important software patches, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates advanced remote monitoring and management techniques to keep your network running at peak levels by tracking the state of critical computers that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your specified IT personnel and your assigned Progent consultant so any potential problems can be addressed before they can impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual host set up and managed by Progent's IT support professionals. With the ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the applications. Because the system is virtualized, it can be moved immediately to a different hosting environment without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and protect data related to your IT infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates or domains. By updating and managing your IT documentation, you can eliminate as much as 50% of time spent searching for vital information about your IT network. ProSight IT Asset Management features a common location for storing and sharing all documents required for managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether youíre making enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need the instant you need it. Read more about ProSight IT Asset Management service.
For St. Paul 24x7x365 Ransomware Removal Experts, contact Progent at 800-462-8800 or go to Contact Progent.