Ransomware : Your Worst Information Technology Nightmare
Ransomware  Remediation ConsultantsCrypto-Ransomware has become an escalating cyberplague that poses an existential danger for businesses of all sizes unprepared for an attack. Versions of crypto-ransomware such as CryptoLocker, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for a long time and still inflict damage. Newer strains of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, plus frequent as yet unnamed malware, not only do encryption of on-line information but also infiltrate many available system restores and backups. Information replicated to off-site disaster recovery sites can also be corrupted. In a poorly architected system, it can render any recovery hopeless and basically sets the entire system back to zero.

Recovering programs and information following a ransomware event becomes a sprint against time as the victim struggles to contain and clear the crypto-ransomware and to resume enterprise-critical operations. Because ransomware requires time to move laterally, assaults are often launched at night, when attacks typically take more time to detect. This compounds the difficulty of quickly marshalling and orchestrating a knowledgeable mitigation team.

Progent offers a variety of help services for securing businesses from ransomware attacks. These include staff education to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of next-generation security solutions with artificial intelligence technology to quickly detect and suppress day-zero threats. Progent also provides the services of expert ransomware recovery consultants with the talent and perseverance to reconstruct a breached network as rapidly as possible.

Progent's Ransomware Restoration Services
Subsequent to a ransomware attack, even paying the ransom in cryptocurrency does not ensure that distant criminals will provide the codes to decipher all your files. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never restored their files after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the usual ransomware demands, which ZDNET averages to be approximately $13,000. The other path is to piece back together the essential components of your Information Technology environment. Without access to complete system backups, this requires a broad range of skill sets, top notch team management, and the ability to work 24x7 until the job is over.

For two decades, Progent has offered expert IT services for businesses in Colorado Springs and throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained high-level industry certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have earned internationally-recognized certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience in accounting and ERP applications. This breadth of expertise affords Progent the ability to efficiently identify critical systems and consolidate the surviving pieces of your network environment following a crypto-ransomware event and configure them into an operational network.

Progent's ransomware team deploys powerful project management systems to orchestrate the complicated recovery process. Progent knows the urgency of working rapidly and in unison with a client's management and IT staff to assign priority to tasks and to get essential systems back on-line as soon as possible.

Client Story: A Successful Ransomware Intrusion Restoration
A customer escalated to Progent after their network was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been created by Northern Korean government sponsored criminal gangs, suspected of adopting techniques leaked from the U.S. National Security Agency. Ryuk seeks specific companies with little or no room for operational disruption and is one of the most lucrative examples of crypto-ransomware. Well Known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing company headquartered in Chicago and has around 500 workers. The Ryuk attack had paralyzed all business operations and manufacturing capabilities. The majority of the client's information backups had been on-line at the start of the attack and were destroyed. The client was pursuing financing for paying the ransom (more than two hundred thousand dollars) and praying for the best, but ultimately engaged Progent.


"I cannot thank you enough about the expertise Progent gave us during the most critical period of (our) companyís life. We would have paid the criminal gangs if not for the confidence the Progent group gave us. That you were able to get our e-mail and important servers back online sooner than seven days was beyond my wildest dreams. Each person I worked with or communicated with at Progent was amazingly focused on getting us operational and was working 24 by 7 on our behalf."

Progent worked hand in hand the customer to quickly identify and prioritize the key services that had to be recovered to make it possible to restart departmental functions:

  • Active Directory (AD)
  • Electronic Mail
  • MRP System
To get going, Progent followed ransomware incident mitigation best practices by stopping the spread and cleaning up infected systems. Progent then began the work of bringing back online Microsoft Active Directory, the key technology of enterprise environments built upon Microsoft Windows technology. Microsoft Exchange messaging will not operate without AD, and the customerís accounting and MRP system used Microsoft SQL Server, which requires Active Directory services for authentication to the database.

Within 48 hours, Progent was able to re-build Active Directory services to its pre-attack state. Progent then performed reinstallations and hard drive recovery of mission critical servers. All Microsoft Exchange Server data and attributes were intact, which accelerated the restore of Exchange. Progent was able to find non-encrypted OST files (Outlook Off-Line Data Files) on team desktop computers to recover email information. A not too old off-line backup of the customerís accounting/MRP software made them able to recover these essential services back available to users. Although major work remained to recover completely from the Ryuk attack, critical services were returned to operations rapidly:


"For the most part, the manufacturing operation showed little impact and we did not miss any customer orders."

Over the next month important milestones in the restoration project were completed through close cooperation between Progent team members and the client:

  • Internal web applications were returned to operation with no loss of information.
  • The MailStore Microsoft Exchange Server containing more than four million archived messages was brought online and accessible to users.
  • CRM/Product Ordering/Invoicing/AP/AR/Inventory Control modules were 100% functional.
  • A new Palo Alto Networks 850 security appliance was set up.
  • Ninety percent of the user desktops and notebooks were functioning as before the incident.

"So much of what occurred during the initial response is mostly a haze for me, but I will not soon forget the urgency each of you put in to give us our company back. Iíve entrusted Progent for at least 10 years, maybe more, and each time I needed help Progent has come through and delivered as promised. This situation was a testament to your capabilities."

Conclusion
A probable company-ending disaster was averted due to results-oriented experts, a wide range of subject matter expertise, and tight teamwork. Although in retrospect the ransomware incident detailed here would have been shut down with advanced cyber security technology solutions and security best practices, user education, and well thought out incident response procedures for backup and applying software patches, the reality remains that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a crypto-ransomware incident, remember that Progent's team of experts has substantial experience in ransomware virus defense, removal, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for letting me get rested after we got past the most critical parts. All of you did an fabulous effort, and if anyone is in the Chicago area, a great meal is my treat!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Colorado Springs a range of remote monitoring and security evaluation services to assist you to minimize the threat from ransomware. These services include next-generation machine learning capability to detect zero-day strains of ransomware that can get past traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates next generation behavior-based machine learning technology to defend physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which routinely get by legacy signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud resources and offers a single platform to manage the complete malware attack progression including protection, infiltration detection, containment, remediation, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services offer economical in-depth protection for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and reacting to security threats from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device control, and web filtering through cutting-edge technologies incorporated within one agent accessible from a unified control. Progent's security and virtualization consultants can help you to plan and implement a ProSight ESP environment that addresses your company's unique requirements and that allows you demonstrate compliance with government and industry information protection regulations. Progent will help you specify and implement security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for immediate action. Progent's consultants can also help your company to set up and verify a backup and restore solution such as ProSight Data Protection Services so you can recover quickly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with leading backup technology companies to produce ProSight Data Protection Services (DPS), a portfolio of subscription-based offerings that provide backup-as-a-service. ProSight DPS products manage and track your data backup processes and allow transparent backup and fast recovery of vital files, apps, system images, and virtual machines. ProSight DPS helps you protect against data loss caused by hardware failures, natural disasters, fire, malware such as ransomware, human mistakes, ill-intentioned insiders, or application glitches. Managed services available in the ProSight Data Protection Services product family include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can assist you to identify which of these fully managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of top data security companies to deliver web-based control and comprehensive security for your inbound and outbound email. The powerful structure of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises security gateway appliance to offer complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The cloud filter acts as a first line of defense and keeps the vast majority of threats from reaching your security perimeter. This decreases your exposure to external attacks and saves system bandwidth and storage. Email Guard's onsite security gateway appliance adds a deeper level of inspection for inbound email. For outbound email, the local security gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The local security gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that stays inside your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progentís ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to map out, monitor, reconfigure and debug their networking appliances like switches, firewalls, and wireless controllers plus servers, printers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network maps are always updated, captures and manages the configuration information of virtually all devices connected to your network, monitors performance, and generates notices when potential issues are discovered. By automating tedious management processes, ProSight WAN Watch can knock hours off common chores like making network diagrams, reconfiguring your network, locating appliances that need critical updates, or identifying the cause of performance issues. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) technology to help keep your IT system running efficiently by tracking the state of critical assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your specified IT management staff and your assigned Progent consultant so all potential issues can be addressed before they can disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual machine host configured and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the apps. Because the environment is virtualized, it can be moved immediately to a different hardware environment without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and protect information related to your IT infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be warned about upcoming expirations of SSLs or warranties. By updating and managing your IT documentation, you can save up to 50% of time spent searching for critical information about your IT network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents related to managing your business network like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether youíre planning improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection managed service that utilizes next generation behavior analysis technology to guard endpoints and servers and VMs against modern malware attacks like ransomware and file-less exploits, which routinely escape legacy signature-based anti-virus tools. Progent Active Security Monitoring services protect on-premises and cloud-based resources and offers a single platform to automate the complete malware attack progression including blocking, infiltration detection, mitigation, cleanup, and forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new threats. Learn more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Help Center: Help Desk Managed Services
    Progent's Support Center managed services enable your IT staff to outsource Support Desk services to Progent or split activity for Service Desk support seamlessly between your in-house network support staff and Progent's nationwide pool of certified IT support engineers and subject matter experts (SBEs). Progent's Co-managed Help Desk Service offers a smooth extension of your in-house support team. Client interaction with the Help Desk, delivery of support services, problem escalation, ticket generation and updates, efficiency metrics, and maintenance of the service database are consistent whether incidents are taken care of by your core network support staff, by Progent's team, or both. Learn more about Progent's outsourced/shared Help Desk services.

  • Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management provide organizations of any size a versatile and cost-effective alternative for evaluating, testing, scheduling, implementing, and tracking updates to your ever-evolving information system. Besides maximizing the security and functionality of your computer environment, Progent's patch management services free up time for your in-house IT team to concentrate on more strategic initiatives and tasks that deliver the highest business value from your information network. Learn more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo MFA service plans utilize Cisco's Duo cloud technology to defend against compromised passwords by using two-factor authentication. Duo enables single-tap identity confirmation on Apple iOS, Android, and other personal devices. With 2FA, when you sign into a protected online account and enter your password you are requested to verify your identity on a unit that only you possess and that is accessed using a different ("out-of-band") network channel. A broad selection of devices can be utilized for this second means of authentication such as an iPhone or Android or watch, a hardware token, a landline phone, etc. You can designate multiple verification devices. For more information about ProSight Duo identity authentication services, see Cisco Duo MFA two-factor authentication (2FA) services for access security.
For Colorado Springs 24-7 Crypto-Ransomware Remediation Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.