Ransomware: Your Worst IT Catastrophe
Ransomware Remediation Consultants

Ransomware has become a modern cyber pandemic that poses an existential threat to organizations vulnerable to attack. Multiple generations of ransomware such as CryptoLocker, Fusob, Locky, NotPetya and MongoLock have been in the wild for years and still inflict damage. Recent crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, plus a steady stream of unnamed newcomers, not only encrypt online files but also go after every backup and recovery mechanism they can reach. Files replicated to the cloud can be ransomed too. In a poorly architected environment this can make automated restore operations hopeless and effectively knocks the datacenter back to square one.

Recovering programs and data after a crypto-ransomware intrusion becomes a race against the clock as the targeted organization fights to stop lateral movement, remove the ransomware, and resume business-critical activity. Because the encryption stage needs time to spread, attacks are often launched on weekends, when intrusions typically take longer to notice. This multiplies the difficulty of rapidly marshalling and coordinating a qualified response team.

Progent offers a variety of services for protecting businesses from ransomware attacks. These include user training to recognize and avoid phishing lures, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of SentinelOne's current-generation, AI-driven endpoint protection to detect and stop zero-day threats quickly. Progent also offers the services of seasoned ransomware recovery professionals with the skills and persistence to restore a compromised environment as quickly as possible.

Progent's Ransomware Restoration Support Services
After a crypto-ransomware attack, paying the ransom in cryptocurrency gives no assurance that the criminals will hand over working decryption keys for all your data. Kaspersky Labs estimated that 17% of ransomware victims never recovered their data after paying, compounding their losses. Paying is also expensive: Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000 at the time), well above the typical ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the key elements of your IT environment from scratch. Without complete offline backups, that requires a wide range of skills, tight project management, and the ability to work around the clock until the job is done.

For decades, Progent has provided expert IT services to companies in Montgomery and throughout the US and has earned Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants with advanced certifications in key technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's security engineers hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with financial systems and ERP application software. This breadth of expertise lets Progent quickly identify critical systems, salvage the surviving pieces of your IT environment after a ransomware event, and reassemble them into a working network.

Progent's recovery team uses top-notch project management tools to orchestrate the complex restoration process. Progent understands the urgency of acting rapidly and in concert with a client's management and IT staff to prioritize tasks and get critical systems back online as soon as humanly possible.

Business Case Study: A Successful Crypto-Ransomware Penetration Response
A customer contacted Progent after its network was taken over by the Ryuk crypto-ransomware. Ryuk was initially linked by some analysts to North Korean operators because it shares code with the earlier Hermes ransomware; later analysis attributed it to a Russian-speaking criminal crew. Ryuk targets specific organizations with little tolerance for downtime and is one of the most lucrative ransomware operations on record. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer in Chicago with about 500 employees. The Ryuk attack had paralyzed all company operations and manufacturing processes. Most of the client's backups had been online at the time of the intrusion and were destroyed. The client was actively seeking loans to pay the ransom (in excess of $200,000) and hoping for the best, but in the end turned to Progent.


"I cannot say enough in regards to the help Progent provided us throughout the most fearful period of (our) company's survival. We would have paid the hackers except for the confidence the Progent experts provided us. The fact that you could get our e-mail system and critical servers back online in less than one week was amazing. Every single expert I got help from or e-mailed at Progent was absolutely committed to getting our system up and was working at all hours to bail us out."

Progent worked with the customer to quickly identify and prioritize the critical services that had to be restored before company operations could resume:

  • Active Directory
  • E-Mail
  • Accounting and Manufacturing Software

To start, Progent followed incident response best practices: stop lateral movement, then remove the malware from every affected system. Progent then began recovering Microsoft Active Directory, the foundation of any enterprise network built on Microsoft technology and the first dependency in the restore order. Microsoft Exchange cannot run without Active Directory, and the customer's MRP applications used Microsoft SQL Server, which relied on Active Directory for Windows authentication to the database.

Within 48 hours, Progent had recovered Active Directory to its pre-attack state. Progent then reinstalled and recovered the disks of the critical servers. The Exchange configuration objects (which live in Active Directory) were intact, which simplified the Exchange rebuild. Progent was able to use the unencrypted OST files (Outlook offline cache files) on staff workstations to recover mailbox contents. A recent offline backup of the company's financial and MRP systems made it possible to bring these vital applications back into service. Although a great deal of work remained to recover completely from the Ryuk damage, the most important services were restored rapidly:


"For the most part, the production operation survived unscathed and we did not miss any customer deliverables."

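As an added example that is not part of Progent's case study, the following Python script performs the check behind the OST recovery step above: it walks a workstation's file tree, finds Outlook .ost/.pst cache files (including ones the ransomware has renamed by appending its own extension), and separates intact files from ones whose contents have been overwritten by encryption. It assumes the documented "!BDN" header signature of Outlook data files and, as a fallback for files that have lost that header, a Shannon entropy threshold over the first 4 KiB; the sample directory tree it builds is constructed for the demonstration.

```python
"""Triage Outlook OST/PST cache files on a workstation after a ransomware event.

Added example, not Progent's code. Assumptions (not from the page):
  - Outlook .pst/.ost files start with the signature b"!BDN" at offset 0.
  - A file encrypted by ransomware loses that header, and its leading bytes
    look random (Shannon entropy close to 8 bits per byte).
"""
import math
import os
import tempfile
from collections import Counter

PST_MAGIC = b"!BDN"          # documented header magic of Outlook .pst/.ost files
OUTLOOK_EXTS = ("ost", "pst")
ENTROPY_THRESHOLD = 7.0      # bits/byte; ciphertext is ~8.0, a real header is far lower


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path: str, sample_size: int = 4096) -> str:
    """Return 'intact', 'encrypted' or 'unknown' for one candidate file."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    if head.startswith(PST_MAGIC):
        return "intact"
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "encrypted"       # header gone and contents look like ciphertext
    return "unknown"             # truncated, zero-filled, or not an Outlook file


def is_candidate(name: str) -> bool:
    """True if any extension component is ost/pst, e.g. 'mail.ost' or 'mail.ost.locked'."""
    parts = name.lower().split(".")[1:]
    return any(p in OUTLOOK_EXTS for p in parts)


def triage(root: str) -> dict:
    """Walk `root` and map each candidate Outlook file (relative path) to its class."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_candidate(name):
                full = os.path.join(dirpath, name)
                results[os.path.relpath(full, root)] = classify(full)
    return results


def build_sample_tree() -> str:
    """Build a small constructed workstation-like tree for the demonstration."""
    root = tempfile.mkdtemp(prefix="ost-triage-")
    outlook = os.path.join(root, "Users", "alice", "AppData", "Local", "Microsoft", "Outlook")
    os.makedirs(outlook)
    # intact cache: real header followed by padding, as the start of a real file looks
    with open(os.path.join(outlook, "alice@example.com.ost"), "wb") as fh:
        fh.write(PST_MAGIC + bytes(4092))
    # encrypted cache: ransomware overwrote the contents and appended its own extension;
    # a uniform byte distribution stands in for ciphertext (entropy exactly 8.0)
    with open(os.path.join(outlook, "old.pst.locked"), "wb") as fh:
        fh.write(bytes(range(256)) * 16)
    # unrelated file that must not be picked up
    with open(os.path.join(root, "Users", "alice", "notes.txt"), "wb") as fh:
        fh.write(b"meeting at ten\n")
    return root


if __name__ == "__main__":
    for rel, verdict in sorted(triage(build_sample_tree()).items()):
        print(f"{verdict:10s} {rel}")
```

Run it against the root of a mounted workstation image (or the local drive) instead of the constructed tree to get a list of which caches are worth copying off before the machine is reimaged; anything classed "unknown" deserves a manual look rather than being discarded.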
Over the following couple of weeks, the remaining milestones in the recovery were reached in close cooperation between Progent consultants and the customer:

  • In-house web sites were restored with no loss of information.
  • The MailStore email archive server, holding over 4 million historical messages, was brought back up and made available to users.
  • CRM, customer orders, invoicing, accounts payable, accounts receivable and inventory functions were fully operational.
  • A new Palo Alto Networks PA-850 firewall was brought online.
  • Ninety percent of the desktop computers were back into operation.

"A huge amount of what happened during the initial response is mostly a fog for me, but my management will not soon forget the countless hours each and every one of the team put in to give us our company back. I have been working together with Progent for at least 10 years, maybe more, and each time I needed help Progent has impressed me and delivered as promised. This time was a stunning achievement."

Conclusion
A probable business-ending disaster was averted through the efforts of top-tier experts, a wide range of technical expertise, and close teamwork. Post-incident forensics showed that the attack described here could have been detected and stopped with modern security tooling, ISO/IEC 27001 best practices, user and IT administrator education, and well-designed procedures for data protection and security patching. The fact remains, however, that state-sponsored and criminal groups operating from Russia, North Korea and elsewhere are tireless and are not going away. If you are hit by crypto-ransomware, remember that Progent's team has substantial experience in ransomware prevention, cleanup, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were helping), thank you for allowing me to get some sleep after we made it over the first week. All of you made an amazing effort, and if anyone is around the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer story, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Montgomery a variety of remote monitoring and security assessment services to help reduce your exposure to crypto-ransomware. These services incorporate machine learning to detect new ransomware variants that slip past traditional signature-based antivirus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses SentinelOne's behavior-based detection to defend physical and virtual endpoints against modern attacks such as ransomware and email phishing, which routinely evade signature-based antivirus. ProSight ASM protects on-premises and cloud-based resources and provides a single platform covering the whole threat lifecycle: blocking, intrusion detection, mitigation, remediation, and post-attack forensics. Key features include single-click rollback based on Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. One caveat worth planning for: VSS rollback can only restore what survives, and many ransomware families delete shadow copies before they start encrypting, so rollback complements offline backups rather than replacing them. Progent is a certified SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services deliver affordable, in-depth security for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and machine learning for round-the-clock monitoring of and response to threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device management, and web filtering through technologies combined in a single agent managed from a unified console. Progent's security and virtualization experts can help you design and configure a ProSight ESP deployment that addresses your company's specific requirements and helps you demonstrate compliance with government and industry data protection standards. Progent will help you define and configure the policies that ProSight ESP enforces, and Progent will monitor your environment and respond to alerts that need urgent attention. Progent can also help you install and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can recover quickly from a destructive attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has partnered with leading backup and restore software vendors to create ProSight Data Protection Services, a family of subscription-based managed offerings that provide backup-as-a-service (BaaS). ProSight DPS products manage and monitor your backup jobs and enable non-disruptive backup and rapid recovery of important files, applications, images, and VMs. ProSight DPS helps your business avoid data loss caused by hardware failures, natural disasters, fire, cyber attacks such as ransomware, human error, malicious insiders, or application bugs. Managed backup services in the ProSight Data Protection Services line include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can help you decide which of these managed services best fit your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service, built on the infrastructure of leading data security vendors to deliver centralized management and strong protection for all your email traffic. The Email Guard managed service combines cloud-based filtering with an on-premises gateway appliance to protect against spam, viruses, denial-of-service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter acts as the first barrier and blocks the vast majority of threats before they reach your security perimeter, which reduces your exposure to external attacks and saves bandwidth and storage. Email Guard's on-premises gateway appliance adds a further layer of inspection for incoming email. For outbound email, the on-premises gateway provides antivirus and anti-spam filtering, data loss prevention (DLP), and email encryption. The local gateway can also help Microsoft Exchange Server monitor and protect internal email that never leaves your perimeter. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized businesses to diagram, monitor, reconfigure and debug their connectivity hardware such as routers and switches, firewalls, and wireless controllers as well as servers, printers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network maps are kept current, copies and manages the configuration information of almost all devices on your network, tracks performance, and generates notices when problems are detected. By automating complex management and troubleshooting activities, ProSight WAN Watch can knock hours off ordinary tasks such as making network diagrams, expanding your network, locating appliances that require critical updates, or resolving performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) technology to help keep your network operating efficiently by tracking the health of critical computers that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your specified IT management staff and your assigned Progent engineering consultant so any looming problems can be resolved before they can disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual machine host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the applications. Because the system is virtualized, it can be moved easily to different hardware without a lengthy and risky reinstallation, so your business is not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and safeguard data about your IT infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or domains. By cleaning up and organizing your network documentation, you can eliminate as much as half of time spent trying to find critical information about your IT network. ProSight IT Asset Management features a centralized location for storing and sharing all documents related to managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're making improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection service, delivered on the ProSight ASM platform described above, that uses behavior-based machine learning to guard endpoints, servers and VMs against modern attacks such as ransomware and fileless exploits, which routinely evade legacy signature-matching antivirus. The service protects on-premises and cloud-based resources and provides a single platform covering the entire threat progression: blocking, intrusion detection, containment, remediation, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Service Center: Support Desk Managed Services
    Progent's Support Center managed services let your IT staff outsource Help Desk services to Progent or share support work seamlessly between your internal support group and Progent's nationwide roster of certified IT service engineers and subject matter experts. Progent's Co-managed Help Desk Service is a transparent supplement to your core network support staff. User interaction with the Help Desk, delivery of support, issue escalation, trouble ticket creation and updates, performance metrics, and maintenance of the service database stay consistent whether incidents are resolved by your own support staff, by Progent, or by a mix of the two. Learn more about Progent's outsourced/shared Help Desk services.

  • Patch Management: Patch Management Services
    Progent's support services for patch management provide businesses of any size a versatile and cost-effective solution for evaluating, testing, scheduling, applying, and tracking updates to your dynamic IT system. In addition to optimizing the security and reliability of your computer network, Progent's patch management services free up time for your in-house IT team to concentrate on more strategic initiatives and tasks that derive maximum business value from your network. Learn more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo authentication services use Cisco's Duo technology to defend against compromised passwords with two-factor authentication (2FA). Duo enables one-tap identity confirmation on iOS, Android, and other out-of-band devices. With 2FA, after you log into a protected account and enter your password you are asked to confirm your identity on a device that only you possess and that is reached over a separate network channel, so a stolen password alone is not enough to get in. A wide range of devices can serve as this second factor, including a smartphone or smartwatch, a hardware token, or a landline telephone, and you may register multiple verification devices. To find out more about ProSight Duo two-factor identity authentication services, refer to Duo MFA two-factor authentication services.

For Montgomery 24-7 Crypto-Ransomware Removal Support Services, call Progent at 800-462-8800 or go to Contact Progent.