Ransomware : Your Worst IT Catastrophe
Crypto-Ransomware  Recovery ProfessionalsCrypto-Ransomware has become a too-frequent cyberplague that poses an enterprise-level threat for businesses of all sizes vulnerable to an assault. Different versions of ransomware such as Dharma, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been out in the wild for years and continue to cause havoc. Recent variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, plus more unnamed viruses, not only encrypt online information but also infiltrate any accessible system protection. Files synched to cloud environments can also be rendered useless. In a poorly designed environment, this can render automatic restore operations hopeless and effectively knocks the entire system back to square one.

Getting back on-line applications and information following a ransomware attack becomes a sprint against time as the targeted organization fights to stop lateral movement and cleanup the crypto-ransomware and to resume enterprise-critical activity. Since crypto-ransomware needs time to replicate, penetrations are usually launched during nights and weekends, when penetrations in many cases take more time to detect. This compounds the difficulty of promptly mobilizing and coordinating an experienced response team.

Progent provides a range of support services for protecting enterprises from crypto-ransomware penetrations. Among these are staff training to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of next-generation security gateways with machine learning technology to automatically identify and disable day-zero cyber attacks. Progent in addition can provide the services of seasoned crypto-ransomware recovery engineers with the talent and perseverance to re-deploy a breached system as urgently as possible.

Progent's Crypto-Ransomware Recovery Services
After a ransomware penetration, paying the ransom demands in Bitcoin cryptocurrency does not guarantee that merciless criminals will respond with the codes to unencrypt any of your data. Kaspersky ascertained that 17% of crypto-ransomware victims never restored their data even after having sent off the ransom, resulting in more losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well above the usual ransomware demands, which ZDNET averages to be approximately $13,000. The fallback is to setup from scratch the vital parts of your IT environment. Absent access to full system backups, this calls for a broad range of skill sets, top notch team management, and the willingness to work continuously until the recovery project is finished.

For two decades, Progent has made available professional Information Technology services for companies in Seattle and throughout the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have attained high-level certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have garnered internationally-recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has expertise in financial management and ERP applications. This breadth of expertise gives Progent the skills to rapidly understand critical systems and integrate the surviving parts of your network system following a ransomware event and assemble them into a functioning system.

Progent's recovery team uses top notch project management systems to orchestrate the complex recovery process. Progent understands the importance of working rapidly and in unison with a customerís management and Information Technology team members to prioritize tasks and to put key applications back on line as soon as possible.

Customer Story: A Successful Ransomware Penetration Restoration
A customer contacted Progent after their network was attacked by the Ryuk crypto-ransomware. Ryuk is thought to have been deployed by Northern Korean state cybercriminals, possibly using techniques leaked from Americaís NSA organization. Ryuk attacks specific companies with little or no ability to sustain operational disruption and is among the most lucrative incarnations of ransomware. Major organizations include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer based in Chicago with about 500 staff members. The Ryuk event had paralyzed all business operations and manufacturing capabilities. Most of the client's data protection had been on-line at the start of the intrusion and were destroyed. The client was taking steps for paying the ransom (exceeding $200,000) and wishfully thinking for the best, but in the end reached out to Progent.


"I cannot thank you enough in regards to the support Progent provided us during the most fearful period of (our) businesses life. We may have had to pay the Hackers if not for the confidence the Progent experts gave us. That you were able to get our messaging and production servers back in less than five days was something I thought impossible. Each staff member I got help from or texted at Progent was amazingly focused on getting us restored and was working 24 by 7 on our behalf."

Progent worked with the client to rapidly identify and prioritize the critical systems that had to be recovered in order to resume company operations:

  • Microsoft Active Directory
  • Microsoft Exchange Email
  • Financials/MRP
To get going, Progent adhered to AV/Malware Processes incident response best practices by stopping the spread and clearing infected systems. Progent then began the steps of recovering Windows Active Directory, the heart of enterprise networks built on Microsoft Windows technology. Exchange messaging will not work without AD, and the businessesí accounting and MRP software leveraged Microsoft SQL, which needs Active Directory for security authorization to the data.

Within 2 days, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then performed setup and storage recovery on the most important applications. All Exchange data and configuration information were intact, which accelerated the rebuild of Exchange. Progent was able to find non-encrypted OST files (Microsoft Outlook Offline Data Files) on team PCs to recover mail information. A recent offline backup of the customerís financials/ERP software made them able to restore these vital services back available to users. Although a large amount of work was left to recover totally from the Ryuk virus, critical systems were returned to operations quickly:


"For the most part, the production manufacturing operation showed little impact and we did not miss any customer sales."

During the following couple of weeks important milestones in the recovery project were made through close collaboration between Progent consultants and the customer:

  • Internal web sites were restored without losing any information.
  • The MailStore Microsoft Exchange Server exceeding 4 million archived messages was brought online and available for users.
  • CRM/Customer Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory modules were 100 percent functional.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • Nearly all of the desktops and laptops were back into operation.

"A lot of what went on in the early hours is mostly a haze for me, but I will not soon forget the commitment each of the team accomplished to give us our company back. Iíve been working together with Progent for the past ten years, maybe more, and each time Progent has come through and delivered. This time was no exception but maybe more Herculean."

Conclusion
A probable business extinction catastrophe was dodged through the efforts of results-oriented professionals, a broad range of knowledge, and tight teamwork. Although in hindsight the crypto-ransomware incident described here would have been prevented with modern cyber security technology and security best practices, staff training, and well designed incident response procedures for information protection and proper patching controls, the reality is that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and are an ongoing threat. If you do fall victim to a ransomware incident, remember that Progent's team of experts has substantial experience in ransomware virus defense, mitigation, and data disaster recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), Iím grateful for allowing me to get rested after we made it past the most critical parts. All of you did an fabulous job, and if any of your guys is in the Chicago area, dinner is on me!"

To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Seattle a variety of online monitoring and security assessment services designed to assist you to reduce your vulnerability to ransomware. These services incorporate next-generation AI technology to uncover new variants of crypto-ransomware that are able to evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates next generation behavior machine learning technology to defend physical and virtual endpoints against new malware assaults such as ransomware and email phishing, which easily get by legacy signature-matching AV products. ProSight ASM safeguards on-premises and cloud resources and provides a single platform to address the entire malware attack progression including blocking, identification, containment, remediation, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable multi-layer security for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and responding to cyber threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, device management, and web filtering via cutting-edge tools incorporated within one agent accessible from a single console. Progent's data protection and virtualization consultants can help you to plan and configure a ProSight ESP environment that meets your organization's unique needs and that allows you prove compliance with government and industry information protection regulations. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that require urgent attention. Progent can also help your company to install and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has worked with advanced backup/restore technology companies to produce ProSight Data Protection Services, a portfolio of subscription-based management offerings that provide backup-as-a-service (BaaS). ProSight DPS services manage and track your backup operations and enable transparent backup and rapid restoration of vital files, applications, images, plus VMs. ProSight DPS helps your business avoid data loss resulting from hardware failures, natural calamities, fire, cyber attacks such as ransomware, user error, ill-intentioned employees, or application glitches. Managed services available in the ProSight DPS product family include ProSight Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent expert can assist you to determine which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading data security companies to deliver centralized control and world-class security for all your email traffic. The powerful structure of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises security gateway device to provide advanced protection against spam, viruses, Dos Attacks, DHAs, and other email-borne threats. The cloud filter serves as a preliminary barricade and keeps most threats from reaching your network firewall. This decreases your exposure to inbound attacks and conserves system bandwidth and storage space. Email Guard's on-premises gateway device adds a deeper level of inspection for inbound email. For outgoing email, the local security gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The onsite security gateway can also assist Exchange Server to monitor and protect internal email traffic that stays inside your security perimeter. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map out, track, enhance and debug their connectivity appliances like switches, firewalls, and access points as well as servers, printers, client computers and other networked devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept updated, captures and manages the configuration of almost all devices on your network, tracks performance, and generates notices when problems are detected. By automating complex management processes, ProSight WAN Watch can knock hours off ordinary tasks like network mapping, expanding your network, finding appliances that require critical updates, or isolating performance problems. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system running at peak levels by tracking the health of critical computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your specified IT staff and your assigned Progent engineering consultant so that any looming problems can be resolved before they can disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected Tier III data center on a fast virtual machine host set up and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the applications. Since the system is virtualized, it can be ported immediately to an alternate hardware solution without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and protect information about your network infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or warranties. By updating and organizing your IT documentation, you can eliminate as much as half of time wasted looking for critical information about your IT network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents related to managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether youíre making improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that utilizes next generation behavior-based machine learning technology to guard endpoint devices as well as physical and virtual servers against new malware assaults like ransomware and file-less exploits, which routinely escape traditional signature-matching anti-virus products. Progent Active Security Monitoring services safeguard local and cloud-based resources and offers a single platform to manage the entire malware attack lifecycle including blocking, identification, containment, cleanup, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Find out more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Service Desk: Support Desk Managed Services
    Progent's Call Center managed services enable your IT staff to offload Support Desk services to Progent or divide activity for support services seamlessly between your internal network support staff and Progent's extensive pool of certified IT support engineers and subject matter experts. Progent's Co-managed Service Desk offers a transparent extension of your corporate network support staff. Client interaction with the Service Desk, delivery of support, escalation, trouble ticket generation and tracking, efficiency metrics, and management of the service database are cohesive regardless of whether incidents are taken care of by your corporate IT support staff, by Progent, or by a combination. Find out more about Progent's outsourced/shared Call Desk services.

  • Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management provide organizations of any size a flexible and cost-effective solution for assessing, testing, scheduling, applying, and documenting updates to your dynamic information system. In addition to optimizing the protection and functionality of your computer network, Progent's software/firmware update management services allow your IT team to focus on line-of-business projects and tasks that deliver maximum business value from your network. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo MFA service plans incorporate Cisco's Duo technology to protect against password theft by using two-factor authentication. Duo enables single-tap identity confirmation with iOS, Android, and other out-of-band devices. Using 2FA, whenever you log into a secured online account and enter your password you are requested to verify who you are via a unit that only you possess and that is accessed using a different ("out-of-band") network channel. A broad selection of devices can be used for this second form of ID validation such as an iPhone or Android or wearable, a hardware token, a landline telephone, etc. You may designate multiple validation devices. To learn more about Duo two-factor identity authentication services, see Duo MFA two-factor authentication services for access security.
For Seattle 24/7/365 Ransomware Removal Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.