Ransomware : Your Worst IT Disaster
Ransomware  Remediation ProfessionalsRansomware has become an escalating cyber pandemic that presents an extinction-level threat for businesses vulnerable to an assault. Different iterations of ransomware like the CrySIS, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for many years and still cause destruction. Recent versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, plus more as yet unnamed viruses, not only encrypt on-line data files but also infect any configured system restores and backups. Data synched to off-site disaster recovery sites can also be corrupted. In a poorly designed environment, it can make automatic restoration hopeless and basically knocks the network back to zero.

Getting back on-line applications and information after a ransomware attack becomes a race against time as the targeted organization fights to contain the damage and eradicate the ransomware and to restore business-critical activity. Because ransomware needs time to replicate, attacks are usually launched on weekends, when successful attacks may take more time to notice. This multiplies the difficulty of promptly assembling and organizing a knowledgeable response team.

Progent provides a variety of help services for securing enterprises from ransomware events. Among these are user training to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of next-generation security gateways with machine learning technology to automatically identify and suppress zero-day threats. Progent in addition can provide the services of experienced ransomware recovery consultants with the track record and perseverance to reconstruct a compromised system as urgently as possible.

Progent's Ransomware Restoration Services
Following a ransomware attack, sending the ransom demands in cryptocurrency does not ensure that merciless criminals will provide the needed codes to decipher any or all of your data. Kaspersky determined that 17% of ransomware victims never recovered their information after having paid the ransom, resulting in additional losses. The risk is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is greatly higher than the average ransomware demands, which ZDNET determined to be approximately $13,000. The other path is to piece back together the essential parts of your Information Technology environment. Without access to full system backups, this calls for a broad complement of skills, professional team management, and the willingness to work 24x7 until the job is completed.

For twenty years, Progent has offered expert Information Technology services for companies in Seattle and throughout the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have been awarded top certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has experience with financial systems and ERP software solutions. This breadth of expertise provides Progent the ability to knowledgably determine necessary systems and re-organize the remaining parts of your computer network environment after a ransomware attack and rebuild them into an operational system.

Progent's ransomware team of experts utilizes state-of-the-art project management tools to coordinate the sophisticated recovery process. Progent knows the importance of working rapidly and in concert with a customerís management and IT staff to assign priority to tasks and to get critical services back on-line as soon as humanly possible.

Client Case Study: A Successful Ransomware Virus Restoration
A business escalated to Progent after their network was crashed by Ryuk crypto-ransomware. Ryuk is generally considered to have been developed by Northern Korean state sponsored hackers, possibly using techniques exposed from the United States National Security Agency. Ryuk attacks specific companies with little room for operational disruption and is one of the most profitable iterations of ransomware. High publicized organizations include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing company located in the Chicago metro area with about 500 staff members. The Ryuk attack had brought down all essential operations and manufacturing capabilities. The majority of the client's system backups had been on-line at the time of the intrusion and were encrypted. The client was taking steps for paying the ransom (more than $200K) and wishfully thinking for the best, but ultimately utilized Progent.


"I cannot say enough in regards to the support Progent gave us during the most critical time of (our) businesses existence. We most likely would have paid the cyber criminals except for the confidence the Progent team afforded us. That you could get our e-mail system and key servers back on-line in less than five days was something I thought impossible. Every single person I spoke to or communicated with at Progent was totally committed on getting us back online and was working breakneck pace on our behalf."

Progent worked hand in hand the client to rapidly assess and assign priority to the most important applications that needed to be addressed in order to restart company functions:

  • Active Directory
  • E-Mail
  • Financials/MRP
To get going, Progent followed ransomware event mitigation best practices by halting lateral movement and removing active viruses. Progent then started the task of rebuilding Microsoft Active Directory, the key technology of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange Server email will not operate without AD, and the businessesí MRP applications utilized Microsoft SQL Server, which requires Active Directory for access to the databases.

Within two days, Progent was able to re-build Windows Active Directory to its pre-virus state. Progent then charged ahead with setup and storage recovery on mission critical applications. All Exchange schema and configuration information were usable, which facilitated the rebuild of Exchange. Progent was able to collect non-encrypted OST files (Outlook Email Offline Data Files) on staff workstations and laptops in order to recover email messages. A recent offline backup of the businesses financials/ERP software made them able to return these vital programs back online for users. Although a lot of work was left to recover fully from the Ryuk event, essential systems were restored quickly:


"For the most part, the manufacturing operation did not miss a beat and we made all customer orders."

During the following few weeks critical milestones in the restoration project were achieved through tight cooperation between Progent consultants and the customer:

  • In-house web sites were brought back up without losing any information.
  • The MailStore Server exceeding 4 million historical emails was restored to operations and available for users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control functions were completely functional.
  • A new Palo Alto 850 security appliance was installed and configured.
  • Most of the user desktops and notebooks were being used by staff.

"A lot of what went on those first few days is nearly entirely a fog for me, but my management will not forget the care each of you put in to help get our business back. Iíve been working together with Progent for at least 10 years, possibly more, and every time I needed help Progent has impressed me and delivered. This event was a stunning achievement."

Conclusion
A probable business-ending disaster was dodged through the efforts of dedicated experts, a broad range of subject matter expertise, and tight collaboration. Although upon completion of forensics the ransomware virus attack detailed here should have been identified and prevented with current security technology solutions and ISO/IEC 27001 best practices, staff education, and well thought out security procedures for information backup and keeping systems up to date with security patches, the fact remains that government-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and are an ongoing threat. If you do fall victim to a crypto-ransomware virus, feel confident that Progent's team of professionals has substantial experience in ransomware virus defense, cleanup, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for making it so I could get rested after we got past the first week. All of you did an amazing job, and if any of your team is visiting the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Seattle a range of online monitoring and security assessment services designed to assist you to reduce the threat from ransomware. These services utilize modern artificial intelligence capability to uncover new variants of ransomware that are able to get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates next generation behavior machine learning technology to defend physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which routinely get by traditional signature-based AV products. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a single platform to manage the entire threat lifecycle including protection, infiltration detection, mitigation, cleanup, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable in-depth security for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and responding to cyber assaults from all attack vectors. ProSight ESP provides firewall protection, penetration alerts, endpoint control, and web filtering via cutting-edge technologies packaged within a single agent managed from a unified console. Progent's data protection and virtualization consultants can help you to plan and configure a ProSight ESP environment that meets your company's specific requirements and that allows you demonstrate compliance with legal and industry information protection regulations. Progent will help you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require immediate action. Progent can also help you to set up and test a backup and restore system such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized businesses a low cost end-to-end service for secure backup/disaster recovery. Available at a low monthly price, ProSight Data Protection Services automates and monitors your backup processes and allows fast restoration of vital data, apps and virtual machines that have become unavailable or damaged due to hardware failures, software bugs, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to a local device, or mirrored to both. Progent's cloud backup specialists can deliver advanced expertise to configure ProSight Data Protection Services to be compliant with government and industry regulatory requirements like HIPAA, FIRPA, PCI and Safe Harbor and, whenever necessary, can help you to restore your business-critical information. Find out more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top data security vendors to deliver web-based control and world-class security for all your inbound and outbound email. The powerful structure of Progent's Email Guard integrates a Cloud Protection Layer with a local security gateway device to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The Cloud Protection Layer acts as a preliminary barricade and keeps most threats from reaching your network firewall. This decreases your exposure to inbound threats and saves system bandwidth and storage. Email Guard's on-premises gateway appliance provides a deeper layer of analysis for incoming email. For outbound email, the on-premises security gateway provides AV and anti-spam filtering, DLP, and email encryption. The local security gateway can also help Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map, track, enhance and debug their connectivity hardware such as routers and switches, firewalls, and load balancers as well as servers, client computers and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network maps are kept updated, copies and displays the configuration of almost all devices connected to your network, tracks performance, and generates alerts when potential issues are detected. By automating tedious management and troubleshooting activities, WAN Watch can knock hours off common tasks such as network mapping, reconfiguring your network, finding appliances that require important software patches, or resolving performance problems. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that uses advanced remote monitoring and management techniques to help keep your network running efficiently by checking the state of critical computers that power your information system. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your designated IT personnel and your Progent engineering consultant so that any looming problems can be resolved before they can impact your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host set up and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the apps. Since the system is virtualized, it can be moved immediately to a different hardware solution without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not tied a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, find and safeguard information related to your network infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be warned about upcoming expirations of SSLs or domains. By cleaning up and organizing your IT infrastructure documentation, you can save as much as 50% of time spent searching for critical information about your network. ProSight IT Asset Management features a common location for holding and collaborating on all documents related to managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether youíre making enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you require as soon as you need it. Read more about ProSight IT Asset Management service.
For Seattle 24x7 Ransomware Repair Support Services, call Progent at 800-993-9400 or go to Contact Progent.