Ransomware: Your Worst Information Technology Disaster
Crypto-Ransomware Recovery Professionals

Ransomware has become a too-frequent cyberplague that represents an extinction-level danger for businesses poorly prepared for an attack. Older families such as Dharma, WannaCry, Bad Rabbit, NotPetya and MongoLock have been in the wild for years and still cause harm. Recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, Snatch and Egregor, along with many less publicized variants, do not merely encrypt online data. Before encrypting, they typically delete Volume Shadow Copies, disable Windows boot recovery, stop backup services and wipe backup catalogs, so that any backup reachable from the compromised network is destroyed along with the production data. Data synchronized to the cloud is not immune either, because the encrypted versions of files are synchronized just like any other change. In a vulnerable environment this makes automated recovery hopeless and effectively knocks the datacenter back to zero.
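The backup tampering described above leaves a recognizable trail in process-creation telemetry minutes before encryption starts. The following detection logic is an added example and is not Progent's tooling or any vendor's product; it runs a small rule set over a constructed, simplified JSON log format (one object per line with the fields a Sysmon Event ID 1 or Windows Security 4688 event carries) and correlates several distinct techniques on one host within a short window, because a lone shadow-copy deletion can be routine administration while a burst of different recovery-tampering commands is the pre-encryption pattern that justifies isolating the host at once. The hostnames, users and command lines in the sample are invented.

```python
"""Flag backup/recovery tampering that crypto-ransomware typically performs
before encrypting (shadow copy deletion, shadow storage shrinking, boot
recovery disabling, backup catalog wiping, backup service stops).
Added example; log format and sample events are constructed, not real telemetry."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (technique label, regex over the full command line). Case-insensitive and
# applied to the whole command line, so quoting, cmd.exe /c wrappers and an
# explicit .exe suffix do not evade the rule.
RULES = [
    ("shadow-copy-deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow-copy-deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("shadow-copy-deletion", re.compile(r"win32_shadowcopy.*\b(delete|remove-wmiobject|remove-ciminstance)\b", re.I)),
    ("shadow-storage-resize", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("boot-recovery-disabled", re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("backup-catalog-deletion", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I)),
    ("backup-service-stopped", re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+(stop|config))\b.*\b(veeam|backup|sql|vss|acronis)", re.I)),
]


def parse_event(line):
    """Parse one JSON log line; return None for malformed or incomplete lines
    so a single bad line cannot stall the scan."""
    try:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        if not all(k in ev for k in ("host", "cmdline")):
            return None
        return ev
    except (ValueError, KeyError, TypeError):
        return None


def classify(cmdline):
    """Set of technique labels whose rule matches one command line."""
    return {label for label, rx in RULES if rx.search(cmdline)}


def scan(lines, window=timedelta(minutes=10), min_techniques=2):
    """Return (hits, alerts): hits is one dict per matching event in log order;
    alerts maps host -> sorted technique labels for hosts where at least
    min_techniques distinct techniques occurred within `window`."""
    hits, per_host = [], defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        techniques = classify(ev["cmdline"])
        if techniques:
            hit = {"ts": ev["ts"], "host": ev["host"], "user": ev.get("user"),
                   "techniques": techniques, "cmdline": ev["cmdline"]}
            hits.append(hit)
            per_host[ev["host"]].append(hit)

    alerts = {}
    for host, host_hits in per_host.items():
        host_hits.sort(key=lambda h: h["ts"])
        for i, first in enumerate(host_hits):        # sliding window from each hit
            seen = set()
            for later in host_hits[i:]:
                if later["ts"] - first["ts"] > window:
                    break
                seen |= later["techniques"]
            if len(seen) >= min_techniques:
                alerts[host] = sorted(seen)
                break
    return hits, alerts


# Constructed sample: DC01 shows a Ryuk-style pre-encryption burst; FS01 shows
# routine administration plus one uncorrelated shadow-copy cleanup.
SAMPLE_EVENTS = [
    dict(ts="2020-11-14T02:10:05", host="FS01", user=r"CORP\backupadmin",
         image=r"C:\Windows\System32\vssadmin.exe", cmdline="vssadmin list shadows"),
    dict(ts="2020-11-14T02:41:10", host="DC01", user=r"CORP\svc_mrp",
         image=r"C:\Windows\System32\cmd.exe", cmdline='cmd.exe /c "vssadmin.exe Delete Shadows /All /Quiet"'),
    dict(ts="2020-11-14T02:41:12", host="DC01", user=r"CORP\svc_mrp",
         image=r"C:\Windows\System32\vssadmin.exe", cmdline="vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    dict(ts="2020-11-14T02:41:15", host="DC01", user=r"CORP\svc_mrp",
         image=r"C:\Windows\System32\bcdedit.exe", cmdline="bcdedit /set {default} recoveryenabled No"),
    dict(ts="2020-11-14T02:41:18", host="DC01", user=r"CORP\svc_mrp",
         image=r"C:\Windows\System32\wbadmin.exe", cmdline="wbadmin delete catalog -quiet"),
    dict(ts="2020-11-14T02:41:20", host="DC01", user=r"CORP\svc_mrp",
         image=r"C:\Windows\System32\net.exe", cmdline='net stop "Veeam Backup Service" /y'),
    dict(ts="2020-11-14T14:30:00", host="FS01", user=r"CORP\backupadmin",
         image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         cmdline='powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'),
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS] + ["<<truncated line, not JSON>>"]

if __name__ == "__main__":
    hits, alerts = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]:%H:%M:%S} {h["host"]:<5} {sorted(h["techniques"])}  {h["cmdline"]}')
    print("ALERT (isolate now):", alerts)
```

On the sample, six events match a rule, but only DC01 is raised as an alert: five different techniques inside ten seconds. The single PowerShell shadow-copy deletion on FS01 is recorded as a hit for review rather than escalated, which is the trade-off between catching the pre-encryption sequence early and paging on every administrator cleanup. In a real deployment the rules would be fed from the SIEM or EDR process-creation stream and the alert action would be network isolation of the host plus an immediate check that offline backups are still intact.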

Getting applications and data back online after a ransomware outage becomes a race against the clock as the targeted organization struggles to contain the damage, clear the ransomware and resume business-critical activity. Because ransomware takes time to spread and encrypt, attackers usually trigger it on weekends or holidays, when a successful intrusion may take longer to notice. This multiplies the difficulty of promptly mobilizing and coordinating a knowledgeable response team.

Progent offers an assortment of services for protecting organizations from ransomware. These include user training to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation endpoint security with artificial intelligence capabilities to detect and contain new attacks quickly. Progent also offers the services of expert ransomware recovery professionals with the skills and perseverance to rebuild a compromised environment as soon as possible.

Progent's Ransomware Restoration Help
After a ransomware attack, paying the ransom (typically demanded in Bitcoin) provides no assurance that the criminals will hand over the keys to decrypt your data. Kaspersky found that 17% of ransomware victims who paid never recovered their data, compounding their losses. The risk is also very costly: Ryuk ransoms have commonly ranged from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet has put at around $13,000. The alternative is to rebuild the key components of your IT environment. Without full backups to restore from, this requires a wide range of IT skills, strong project management, and the ability to work 24x7 until the job is done.

For decades, Progent has provided professional IT services for companies in Salt Lake City and across the U.S. and has achieved Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who hold high-level industry certifications in foundation technologies including Microsoft, Cisco, VMware, and major Linux distributions. Progent's cybersecurity specialists hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC (refer to Progent's certifications). Progent also has expertise in accounting and ERP application software. This breadth of expertise gives Progent the skills to identify critical systems efficiently, sort through what remains of your network after a ransomware event, and rebuild it into an operational environment.

Progent's security team uses proven project management practices to orchestrate the complex restoration process. Progent understands the urgency of acting swiftly and in concert with the customer's management and IT staff to prioritize tasks and bring key services back online as soon as humanly possible.

Customer Case Study: A Successful Ransomware Penetration Recovery
A client engaged Progent after their network was penetrated by Ryuk ransomware. Ryuk was initially linked to North Korean state actors because of code it shares with the earlier Hermes ransomware, but later analysis attributed it to a Russian-speaking criminal group (tracked as Wizard Spider, also known as Grim Spider). Ryuk targets specific organizations with little tolerance for downtime and is one of the most lucrative ransomware families. Prominent victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-site manufacturing company in the Chicago metro area with about 500 employees. The Ryuk incident had disabled all essential business and manufacturing operations. Most of the client's backups had been online, reachable from the network, when the attack began, and were encrypted along with the production data. The client considered paying the ransom (over $200,000) and hoping for the best, but ultimately engaged Progent.


"I can't tell you enough about the expertise Progent gave us during the most fearful time of (our) company's existence. We most likely would have paid the Hackers except for the confidence the Progent experts afforded us. The fact that you could get our e-mail system and essential applications back on-line in less than five days was beyond my wildest dreams. Each person I talked with or messaged at Progent was absolutely committed on getting us back on-line and was working at all hours on our behalf."

Progent worked hand in hand with the customer to quickly assess and prioritize the mission-critical applications that had to be restored in order to resume business operations:

  • Active Directory
  • Microsoft Exchange
  • Accounting and Manufacturing Software
To start, Progent followed incident response best practices by containing the spread and removing the active malware. Progent then began rebuilding Active Directory (AD), the foundation of any enterprise environment built on Microsoft technology: Microsoft Exchange will not function without Active Directory, and the customer's MRP software ran on SQL Server, which relied on Active Directory (Windows authentication) for access to its databases.

Within two days, Progent had rebuilt Active Directory to its pre-attack state. Progent then reinstalled operating systems and recovered data on critical servers. The Exchange Server schema extensions and attributes in Active Directory were all intact, which simplified the Exchange restore. Progent was also able to locate Outlook offline folder (OST) files on various desktops and laptops and recover mailbox contents from them. A recent offline backup of the client's accounting software made it possible to bring those essential applications back online. Although major work remained to recover fully from the Ryuk attack, essential services were back in operation quickly:


"For the most part, the manufacturing operation did not miss a beat and we delivered all customer shipments."

Over the following couple of weeks, key milestones in the recovery project were reached in close cooperation between Progent engineers and the client:

  • Internal web applications were returned to operation with no loss of data.
  • The MailStore Server containing more than four million archived messages was spun up and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory modules were fully functional.
  • A new Palo Alto Networks PA-850 firewall was deployed.
  • Most of the desktop computers were fully operational.

"A lot of what transpired those first few days is nearly entirely a blur for me, but my team will not soon forget the care all of you put in to help get our company back. I've been working together with Progent for the past 10 years, possibly more, and each time I needed help Progent has come through and delivered. This event was a Herculean accomplishment."

Conclusion
A potentially business-ending disaster was averted thanks to hard-working experts, a broad range of IT skills, and close teamwork. In hindsight, the attack described here could have been stopped with modern security tooling and recognized best practices: user education, offline backups that ransomware cannot reach from the network, and timely patching. The reality, however, is that criminal ransomware gangs and state-sponsored groups from North Korea, China and elsewhere are tireless and will keep attacking. If you are hit by ransomware, remember that Progent's professionals have extensive experience in ransomware prevention, removal, and systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were involved), thank you for letting me get some sleep after we got past the initial push. All of you did an amazing job, and if any of your guys is around the Chicago area, dinner is on me!"

To review or download a PDF version of this case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Salt Lake City with a portfolio of remote monitoring and security assessment services designed to reduce the threat from ransomware. These services use next-generation behavioral and machine-learning detection to catch zero-day strains of crypto-ransomware that evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes next generation behavior-based analysis technology to defend physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which easily escape traditional signature-matching AV tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a unified platform to address the entire threat lifecycle including protection, detection, mitigation, cleanup, and forensics. Key capabilities include one-click rollback using Windows VSS and real-time system-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver economical in-depth protection for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and responding to security threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge technologies packaged within a single agent managed from a single console. Progent's data protection and virtualization consultants can help you to plan and configure a ProSight ESP environment that meets your organization's specific requirements and that allows you to achieve and demonstrate compliance with government and industry data protection standards. Progent will help you define and configure policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for urgent attention. Progent's consultants can also help your company to set up and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations an affordable and fully managed solution for reliable backup/disaster recovery (BDR). Available at a fixed monthly rate, ProSight Data Protection Services automates and monitors your backup processes and allows fast recovery of critical data, applications and virtual machines that have been lost or damaged as a result of hardware failures, software bugs, disasters, human error, or malicious attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware images. Important data can be backed up to the cloud, to an on-premises device, or mirrored to both, so that a copy survives even if ransomware destroys every backup reachable from the local network. Progent's BDR specialists can deliver advanced support to configure ProSight Data Protection Services to be compliant with government and industry regulatory requirements like HIPAA, FINRA, and PCI and, whenever necessary, can help you to restore your critical data. Find out more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top data security vendors to provide web-based management and world-class security for your inbound and outbound email. The layered structure of Progent's Email Guard integrates a Cloud Protection Layer with a local gateway appliance to provide complete defense against spam, malware, Denial of Service (DoS) attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's cloud filter serves as a first line of defense and keeps most unwanted email from reaching your network firewall. This decreases your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's on-premises security gateway appliance adds a deeper level of inspection for inbound email. For outbound email, the on-premises security gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The onsite security gateway can also assist Exchange Server to track and safeguard internal email that stays inside your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map out, monitor, reconfigure and debug their connectivity hardware such as switches, firewalls, and access points plus servers, printers, endpoints and other networked devices. Incorporating cutting-edge RMM technology, WAN Watch makes sure that infrastructure topology diagrams are kept updated, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and generates notices when problems are detected. By automating complex management processes, ProSight WAN Watch can knock hours off common tasks like network mapping, expanding your network, finding appliances that require important software patches, or resolving performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your network operating efficiently by checking the state of critical computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted automatically to your designated IT management personnel and your assigned Progent consultant so that all potential problems can be resolved before they can disrupt productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's network support experts. Under the ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the applications. Since the environment is virtualized, it can be ported easily to a different hosting solution without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and protect data related to your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be alerted automatically about impending expirations of SSL/TLS certificates or warranties. By updating and managing your network documentation, you can save up to half of the time wasted trying to find vital information about your network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents related to managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're planning improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.
For 24x7x365 Salt Lake City Ransomware Repair Consulting, reach out to Progent at 800-993-9400 or go to Contact Progent.