Ransomware : Your Worst Information Technology Nightmare
Ransomware Recovery Professionals
Ransomware has become a modern cyber pandemic that presents an enterprise-level threat to any business vulnerable to an attack. Multiple generations of ransomware such as CryptoLocker, Fusob, Locky, NotPetya and MongoLock cryptoworms have been around for a long time and continue to inflict harm. The latest versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, plus frequent unnamed variants, not only encrypt online information but also compromise every available system protection. Information replicated to off-site disaster recovery sites can also be corrupted. In a vulnerable environment, this can render automated restore operations impossible and effectively knock the network back to square one.

Recovering programs and information after a ransomware event becomes a sprint against time as the victim tries its best to stop the spread, eradicate the ransomware, and resume enterprise-critical activity. Because ransomware takes time to spread, intrusions are often launched at night, when attacks tend to take longer to notice. This compounds the difficulty of quickly marshalling and orchestrating a knowledgeable response team.

Progent offers a range of support services for protecting enterprises from ransomware events. These include team training to become familiar with and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of the latest generation security appliances with AI technology from SentinelOne to detect and extinguish new cyber threats automatically. Progent in addition offers the assistance of veteran ransomware recovery professionals with the talent and commitment to reconstruct a compromised network as soon as possible.

Progent's Crypto-Ransomware Restoration Services
Subsequent to a ransomware attack, sending the ransom in Bitcoin does not provide any assurance that the attackers will return the keys to decrypt all your files. Kaspersky determined that 17% of ransomware victims never recovered their information after having sent off the ransom, resulting in further losses. The ransom itself is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly above the typical ransomware demand, which ZDNET averages at around $13,000. The alternative is to set up from scratch the essential parts of your IT environment. Without access to essential data backups, this calls for a broad range of skills, well-coordinated team management, and the ability to work non-stop until the recovery project is complete.

For two decades, Progent has offered certified expert Information Technology services for businesses in Houston and throughout the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have earned top certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have earned internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise with financial management and ERP software solutions. This breadth of expertise gives Progent the skills to efficiently ascertain necessary systems and re-organize the remaining parts of your computer network environment after a crypto-ransomware penetration and assemble them into an operational system.

Progent's ransomware team deploys best-of-breed project management applications to orchestrate the sophisticated recovery process. Progent understands the importance of acting quickly and in unison with a customer's management and Information Technology team members to prioritize tasks and to put the most important services back on-line as soon as humanly possible.

Client Case Study: A Successful Ransomware Intrusion Restoration
A small business engaged Progent after their network system was taken over by the Ryuk ransomware virus. Ryuk is thought to have been launched by North Korean government-sponsored cybercriminals, possibly adopting approaches leaked from America's National Security Agency. Ryuk goes after specific companies with little tolerance for disruption and is one of the most profitable versions of ransomware viruses. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing business based in the Chicago metro area with around 500 workers. The Ryuk penetration had frozen all business operations and manufacturing capabilities. Most of the client's backups had been directly accessible at the time of the intrusion and were damaged. The client considered paying the ransom demand (exceeding $200,000) and hoping for the best, but in the end called Progent.


"I cannot tell you enough about the help Progent gave us during the most fearful time of (our) company's survival. We would have paid the cyber criminals behind the attack if not for the confidence the Progent experts provided us. That you were able to get our e-mail and production servers back online faster than a week was earth shattering. Every single person I interacted with or messaged at Progent was absolutely committed on getting us back on-line and was working 24 by 7 on our behalf."

Progent worked hand in hand with the client to quickly identify and prioritize the essential applications that needed to be addressed to make it possible to resume business operations:

  • Windows Active Directory
  • Electronic Messaging
  • MRP System

To begin, Progent adhered to ransomware incident response industry best practices by halting lateral movement and removing active viruses. Progent then started the work of rebuilding Microsoft Active Directory, the foundation of enterprise systems built upon Microsoft technology. Microsoft Exchange email will not work without Active Directory, and the business's MRP applications used Microsoft SQL, which requires Active Directory for security authorization to the database.

In less than 48 hours, Progent was able to recover Windows Active Directory to its pre-penetration state. Progent then initiated setup and hard drive recovery of mission-critical servers. All Exchange connections and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was able to collect non-encrypted OST data files (Microsoft Outlook Off-Line Data Files) from staff PCs in order to recover mail information. A recent off-line backup of the business's manufacturing systems made it possible to bring these required services back online. Although a lot of work remained to recover fully from the Ryuk event, critical services were recovered rapidly:
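The mailbox recovery step above depends on telling intact OST/PST files on staff PCs apart from ones the ransomware encrypted in place. The following triage script is an added illustration, not Progent's tooling and not part of the original case study. It assumes the documented Outlook PST/OST container header, which begins with the signature bytes "!BDN": a file that still carries that signature is worth copying off for recovery, while a file whose header is gone and whose first bytes look uniformly random has almost certainly been encrypted. The 7.5 bits-per-byte entropy threshold and the sample files built in `demo()` are constructed for this example.

```python
import math
import os
import tempfile
from pathlib import Path

# Magic bytes at offset 0 of every Outlook PST/OST file (the PFF container format).
PFF_SIGNATURE = b"!BDN"
# How much of each file to inspect; the header plus the start of the data area is enough.
SAMPLE_SIZE = 4096
# Assumed threshold (bits per byte): above this a sample looks like ciphertext, not mailbox data.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means uniformly random, typical of encrypted output."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_outlook_file(path: Path) -> str:
    """Return 'intact', 'encrypted', or 'unknown' for one .ost/.pst candidate."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_SIZE)
    if head.startswith(PFF_SIGNATURE):
        return "intact"        # header survives: copy off for mailbox recovery
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "encrypted"     # signature gone and contents look random: not recoverable locally
    return "unknown"           # e.g. zero-filled or partially written: needs manual review


def triage_directory(root: Path) -> dict:
    """Walk a tree and classify every .ost/.pst file; returns {relative_path: status}."""
    results = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in (".ost", ".pst"):
            results[path.relative_to(root).as_posix()] = classify_outlook_file(path)
    return results


def demo() -> dict:
    """Build constructed sample files in a temp dir and triage them (no real mailboxes used)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "alice").mkdir()
        # Constructed: a header carrying the PFF signature, padded like a nearly empty file.
        (root / "alice" / "outlook.ost").write_bytes(PFF_SIGNATURE + b"\x00" * (SAMPLE_SIZE - 4))
        # Constructed: random bytes stand in for a file whose contents were encrypted in place.
        (root / "alice" / "archive.pst").write_bytes(os.urandom(SAMPLE_SIZE))
        # Constructed: a zero-filled file (e.g. an interrupted write) to exercise the fallback path.
        (root / "alice" / "old.pst").write_bytes(b"\x00" * 512)
        # A non-Outlook file that the walker must ignore.
        (root / "alice" / "notes.txt").write_bytes(b"not a mailbox")
        return triage_directory(root)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:10} {name}")
```

Run the script as-is to see the three constructed outcomes, or call `triage_directory(Path(r"\\workstation\c$\Users"))` style paths from a clean responder machine to inventory real endpoints. Reading only the first 4 KB keeps the sweep fast across hundreds of PCs, and the signature check runs before the entropy check because a genuine OST body is itself fairly high-entropy, so entropy alone would misclassify healthy files.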


"For the most part, the production line operation ran fairly normal throughout and we made all customer orders."

Throughout the following few weeks important milestones in the restoration project were accomplished through tight collaboration between Progent team members and the customer:

  • Self-hosted web applications were restored without losing any data.
  • The MailStore Exchange Server with over four million archived messages was restored to operations and available for users.
  • CRM/Customer Orders/Invoices/AP/AR/Inventory Control functions were fully restored.
  • A new Palo Alto 850 security appliance was installed.
  • Nearly all of the user desktops and notebooks were being used by staff.

"So much of what happened in the early hours is mostly a haze for me, but our team will not soon forget the dedication each and every one of the team put in to give us our business back. I have trusted Progent for at least 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This situation was no exception but maybe more Herculean."

Conclusion
A probable business extinction catastrophe was avoided with dedicated professionals, a wide spectrum of technical expertise, and close collaboration. Although in retrospect the ransomware penetration detailed here would have been shut down with up-to-date cyber security systems and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and well designed incident response procedures for backup and applying software patches, the fact remains that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and will continue. If you do get hit by a ransomware attack, feel confident that Progent's roster of experts has substantial experience in ransomware virus defense, mitigation, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), I'm grateful for letting me get rested after we made it over the first week. All of you did an impressive effort, and if anyone that helped is visiting the Chicago area, a great meal is on me!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Houston a variety of online monitoring and security assessment services to assist you to reduce the threat from ransomware. These services utilize modern machine learning capability to detect new strains of ransomware that are able to escape detection by legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's next generation behavior machine learning technology to guard physical and virtual endpoints against modern malware attacks like ransomware and file-less exploits, which easily evade traditional signature-matching AV tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and offers a single platform to automate the complete threat progression including blocking, infiltration detection, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Progent is a SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable in-depth protection for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and responding to security threats from all attack vectors. ProSight ESP delivers firewall protection, penetration alarms, endpoint control, and web filtering via leading-edge tools incorporated within one agent managed from a single console. Progent's security and virtualization experts can help you to design and configure a ProSight ESP environment that addresses your company's unique needs and that allows you to prove compliance with legal and industry data security standards. Progent will help you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for immediate attention. Progent's consultants can also help your company to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has partnered with advanced backup/restore technology companies to produce ProSight Data Protection Services, a portfolio of offerings that provide backup-as-a-service (BaaS). ProSight DPS services automate and track your data backup processes and enable transparent backup and fast recovery of vital files/folders, applications, images, and virtual machines. ProSight DPS lets your business protect against data loss resulting from equipment failures, natural disasters, fire, malware like ransomware, human error, malicious insiders, or application glitches. Managed services available in the ProSight DPS product line include ProSight Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent expert can assist you to identify which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top data security companies to provide centralized management and world-class security for all your inbound and outbound email. The powerful structure of the Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway appliance to provide complete defense against spam, viruses, Denial of Service attacks, directory harvest attacks (DHAs), and other email-based threats. The Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your vulnerability to external threats and conserves network bandwidth and storage space. Email Guard's onsite security gateway appliance adds a further layer of analysis for inbound email. For outbound email, the on-premises security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also assist Exchange Server to monitor and protect internal email traffic that originates and ends within your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller businesses to map, track, optimize and debug their connectivity hardware such as routers, firewalls, and wireless controllers as well as servers, endpoints and other devices. Using state-of-the-art RMM technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept current, captures and manages the configuration of almost all devices connected to your network, tracks performance, and sends alerts when potential issues are discovered. By automating time-consuming management processes, WAN Watch can cut hours off common tasks like making network diagrams, reconfiguring your network, finding appliances that need important software patches, or resolving performance problems. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management technology to help keep your IT system operating efficiently by tracking the state of vital assets that drive your business network. When ProSight LAN Watch detects a problem, an alert is sent automatically to your specified IT management personnel and your assigned Progent engineering consultant so all looming issues can be addressed before they can disrupt productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host configured and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the client owns the data, the operating system software, and the applications. Because the system is virtualized, it can be moved immediately to a different hardware environment without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and protect data related to your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or domains. By cleaning up and managing your network documentation, you can eliminate as much as half of the time thrown away looking for vital information about your network. ProSight IT Asset Management features a common repository for holding and sharing all documents related to managing your network infrastructure like recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT information. Whether you're making improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection service that incorporates next generation behavior machine learning tools to defend endpoints, servers, and VMs against new malware assaults like ransomware and file-less exploits, which routinely escape legacy signature-matching AV products. Progent Active Security Monitoring services protect on-premises and cloud resources and provide a single platform to automate the entire threat progression including blocking, identification, mitigation, cleanup, and forensics. Key features include single-click rollback using Windows VSS and real-time network-wide immunization against new threats. Learn more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Service Center: Support Desk Managed Services
    Progent's Support Center managed services allow your information technology team to offload Help Desk services to Progent or divide activity for Help Desk services seamlessly between your internal network support team and Progent's nationwide pool of IT service technicians, engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a seamless extension of your corporate IT support resources. End user interaction with the Help Desk, delivery of technical assistance, issue escalation, ticket generation and updates, performance measurement, and management of the support database are consistent whether issues are resolved by your core IT support staff, by Progent, or a mix of the two. Read more about Progent's outsourced/shared Service Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management provide organizations of all sizes a versatile and cost-effective alternative for evaluating, testing, scheduling, implementing, and tracking updates to your ever-evolving information network. Besides optimizing the security and functionality of your IT network, Progent's software/firmware update management services allow your IT staff to focus on line-of-business initiatives and activities that derive maximum business value from your information network. Find out more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo MFA service plans utilize Cisco's Duo technology to defend against stolen passwords by using two-factor authentication. Duo supports single-tap identity confirmation with Apple iOS, Android, and other out-of-band devices. With Duo 2FA, when you sign into a secured application and enter your password, you are asked to verify your identity via a device that only you have and that uses a different ("out-of-band") network channel. A wide range of devices can be used for this second form of ID validation, such as an iPhone, an Android device or a smartwatch, a hardware/software token, a landline telephone, etc. You can register multiple verification devices. To learn more about ProSight Duo two-factor identity validation services, go to Duo MFA two-factor authentication services.

For Houston 24-7 Crypto-Ransomware Cleanup Services, reach out to Progent at 800-462-8800 or go to Contact Progent.