Ransomware : Your Crippling IT Catastrophe
Ransomware  Remediation ExpertsRansomware has become an escalating cyber pandemic that presents an existential threat for organizations unprepared for an attack. Versions of ransomware like the CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for a long time and continue to cause harm. Newer strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, along with additional as yet unnamed newcomers, not only do encryption of online files but also infect most available system restores and backups. Files synched to cloud environments can also be ransomed. In a poorly architected data protection solution, it can render any restoration useless and effectively knocks the datacenter back to square one.

Restoring applications and information after a ransomware attack becomes a sprint against the clock as the victim tries its best to stop lateral movement and eradicate the ransomware and to restore business-critical operations. Due to the fact that ransomware requires time to move laterally, attacks are usually sprung during nights and weekends, when successful attacks typically take more time to notice. This compounds the difficulty of quickly marshalling and organizing a qualified response team.

Progent offers a range of services for securing enterprises from crypto-ransomware events. Among these are team education to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of modern security gateways with AI technology to automatically detect and suppress day-zero cyber threats. Progent also offers the services of seasoned ransomware recovery professionals with the talent and commitment to rebuild a breached system as urgently as possible.

Progent's Ransomware Restoration Support Services
Subsequent to a crypto-ransomware penetration, even paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that cyber criminals will respond with the needed codes to decrypt any or all of your information. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their information even after having sent off the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the average ransomware demands, which ZDNET estimates to be approximately $13,000. The other path is to piece back together the mission-critical elements of your Information Technology environment. Without access to complete data backups, this requires a broad complement of skill sets, top notch team management, and the capability to work non-stop until the job is done.

For twenty years, Progent has made available expert IT services for companies in Salt Lake City and across the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have earned high-level certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have garnered internationally-recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has expertise with financial systems and ERP applications. This breadth of experience gives Progent the ability to knowledgably determine important systems and integrate the surviving parts of your IT system after a ransomware event and configure them into a functioning network.

Progent's recovery group utilizes powerful project management systems to coordinate the complicated recovery process. Progent knows the importance of working rapidly and together with a customerís management and Information Technology team members to prioritize tasks and to put essential applications back on-line as soon as humanly possible.

Client Story: A Successful Crypto-Ransomware Penetration Response
A client sought out Progent after their company was penetrated by the Ryuk crypto-ransomware. Ryuk is generally considered to have been developed by Northern Korean state sponsored hackers, suspected of using strategies leaked from the U.S. NSA organization. Ryuk goes after specific companies with limited ability to sustain disruption and is one of the most profitable instances of ransomware. Headline victims include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer based in Chicago with about 500 workers. The Ryuk penetration had shut down all company operations and manufacturing processes. The majority of the client's information backups had been online at the time of the intrusion and were encrypted. The client was evaluating paying the ransom (more than two hundred thousand dollars) and hoping for good luck, but in the end made the decision to use Progent.


"I cannot tell you enough about the care Progent provided us during the most critical period of (our) companyís life. We would have paid the criminal gangs except for the confidence the Progent group provided us. The fact that you could get our e-mail system and essential servers back online faster than five days was amazing. Each expert I worked with or messaged at Progent was absolutely committed on getting us back on-line and was working 24 by 7 to bail us out."

Progent worked with the customer to rapidly get our arms around and assign priority to the most important applications that needed to be restored in order to continue departmental functions:

  • Active Directory
  • Email
  • Accounting and Manufacturing Software
To begin, Progent followed ransomware incident mitigation industry best practices by stopping lateral movement and disinfecting systems. Progent then initiated the task of bringing back online Windows Active Directory, the key technology of enterprise networks built upon Microsoft technology. Microsoft Exchange Server messaging will not function without AD, and the businessesí financials and MRP software leveraged SQL Server, which needs Active Directory services for authentication to the data.

Within two days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then assisted with rebuilding and hard drive recovery on essential systems. All Microsoft Exchange Server ties and attributes were usable, which greatly helped the restore of Exchange. Progent was able to collect non-encrypted OST files (Microsoft Outlook Off-Line Data Files) on staff desktop computers to recover mail data. A not too old offline backup of the businesses accounting/MRP software made it possible to return these required programs back on-line. Although a large amount of work still had to be done to recover completely from the Ryuk virus, the most important systems were returned to operations quickly:


"For the most part, the assembly line operation never missed a beat and we did not miss any customer sales."

Over the next couple of weeks important milestones in the restoration project were completed in close collaboration between Progent team members and the client:

  • Internal web sites were returned to operation without losing any information.
  • The MailStore Microsoft Exchange Server exceeding 4 million archived emails was brought on-line and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control modules were completely restored.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Nearly all of the user PCs were being used by staff.

"A lot of what transpired during the initial response is mostly a haze for me, but my team will not forget the care each of you accomplished to give us our business back. Iíve been working together with Progent for the past ten years, possibly more, and every time Progent has come through and delivered. This time was a Herculean accomplishment."

Conclusion
A likely enterprise-killing catastrophe was evaded with dedicated experts, a broad spectrum of technical expertise, and close teamwork. Although in retrospect the ransomware virus attack described here would have been stopped with advanced security technology solutions and recognized best practices, team training, and appropriate security procedures for information protection and proper patching controls, the reality remains that state-sponsored cybercriminals from Russia, China and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware incident, remember that Progent's roster of professionals has a proven track record in ransomware virus blocking, removal, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were helping), thank you for letting me get some sleep after we got over the initial fire. Everyone did an incredible effort, and if any of your guys is in the Chicago area, dinner is my treat!"

To review or download a PDF version of this case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Salt Lake City a range of online monitoring and security assessment services designed to help you to minimize your vulnerability to crypto-ransomware. These services include next-generation artificial intelligence technology to uncover new variants of crypto-ransomware that are able to evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes cutting edge behavior machine learning technology to defend physical and virtual endpoints against new malware assaults like ransomware and email phishing, which routinely get by legacy signature-based anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a unified platform to manage the entire malware attack lifecycle including protection, identification, containment, remediation, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services offer affordable multi-layer security for physical and virtual servers, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP delivers firewall protection, penetration alerts, device management, and web filtering via leading-edge technologies packaged within a single agent managed from a single console. Progent's data protection and virtualization consultants can assist your business to design and configure a ProSight ESP environment that addresses your company's specific needs and that allows you achieve and demonstrate compliance with legal and industry information protection standards. Progent will help you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require urgent attention. Progent can also assist you to set up and test a backup and restore system like ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has partnered with leading backup/restore technology providers to create ProSight Data Protection Services, a family of subscription-based management offerings that provide backup-as-a-service (BaaS). ProSight DPS products manage and monitor your backup processes and allow transparent backup and fast restoration of critical files/folders, applications, images, plus Hyper-V and VMware virtual machines. ProSight DPS lets your business avoid data loss caused by hardware failures, natural disasters, fire, malware like ransomware, human mistakes, malicious employees, or software bugs. Managed services available in the ProSight DPS product family include ProSight Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight DPS ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you to determine which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top data security vendors to provide centralized control and world-class security for all your inbound and outbound email. The powerful structure of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises security gateway device to offer complete defense against spam, viruses, Dos Attacks, DHAs, and other email-borne malware. Email Guard's Cloud Protection Layer serves as a first line of defense and keeps the vast majority of threats from reaching your security perimeter. This reduces your vulnerability to inbound attacks and saves network bandwidth and storage. Email Guard's on-premises gateway appliance adds a further level of analysis for incoming email. For outgoing email, the on-premises gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email that stays inside your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, track, optimize and debug their connectivity hardware like switches, firewalls, and access points as well as servers, printers, endpoints and other networked devices. Incorporating cutting-edge RMM technology, WAN Watch makes sure that network diagrams are kept current, copies and displays the configuration information of almost all devices connected to your network, monitors performance, and generates alerts when issues are discovered. By automating complex management processes, ProSight WAN Watch can cut hours off common chores like making network diagrams, expanding your network, locating appliances that need important updates, or identifying the cause of performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management technology to keep your IT system running efficiently by tracking the health of vital computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your specified IT management staff and your Progent consultant so all potential problems can be addressed before they can impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected fault tolerant data center on a high-performance virtual host set up and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the apps. Since the system is virtualized, it can be moved easily to an alternate hosting solution without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and safeguard information about your IT infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be warned automatically about upcoming expirations of SSLs ,domains or warranties. By cleaning up and managing your network documentation, you can eliminate up to 50% of time wasted trying to find vital information about your IT network. ProSight IT Asset Management features a common location for holding and collaborating on all documents related to managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT information. Whether youíre planning improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you require as soon as you need it. Find out more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection service that incorporates next generation behavior-based analysis technology to guard endpoint devices as well as physical and virtual servers against modern malware assaults such as ransomware and file-less exploits, which easily get by legacy signature-based anti-virus products. Progent Active Security Monitoring services protect on-premises and cloud-based resources and offers a single platform to address the entire malware attack lifecycle including protection, detection, containment, remediation, and forensics. Key capabilities include one-click rollback with Windows VSS and automatic system-wide immunization against new attacks. Read more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Service Center: Help Desk Managed Services
    Progent's Support Center managed services enable your information technology team to outsource Help Desk services to Progent or split activity for Service Desk support seamlessly between your in-house network support staff and Progent's extensive roster of IT service technicians, engineers and subject matter experts (SBEs). Progent's Shared Help Desk Service offers a seamless supplement to your corporate IT support organization. Client interaction with the Service Desk, provision of support services, escalation, trouble ticket creation and tracking, performance measurement, and management of the service database are cohesive whether incidents are taken care of by your in-house support organization, by Progent, or both. Find out more about Progent's outsourced/shared Service Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer organizations of all sizes a versatile and cost-effective alternative for evaluating, testing, scheduling, implementing, and tracking updates to your ever-evolving information network. In addition to maximizing the security and functionality of your computer environment, Progent's software/firmware update management services permit your IT team to concentrate on line-of-business projects and activities that derive the highest business value from your information network. Find out more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo MFA services incorporate Cisco's Duo cloud technology to protect against compromised passwords through the use of two-factor authentication. Duo supports single-tap identity verification on Apple iOS, Android, and other personal devices. With 2FA, when you sign into a secured application and enter your password you are requested to confirm your identity on a device that only you have and that uses a separate network channel. A wide range of devices can be utilized for this added means of authentication such as a smartphone or watch, a hardware/software token, a landline phone, etc. You can designate multiple validation devices. For more information about Duo identity authentication services, visit Duo MFA two-factor authentication (2FA) services.
For 24-Hour Salt Lake City Crypto Remediation Consultants, contact Progent at 800-462-8800 or go to Contact Progent.