Ransomware: Your Crippling Information Technology Catastrophe
Ransomware Recovery Professionals

Ransomware has become a modern cyberplague that presents an enterprise-level threat to businesses of all sizes that are unprepared for an attack. Multiple generations of ransomware such as the Reveton, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for a long time and continue to inflict harm. The latest versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, along with daily as-yet-unnamed variants, not only encrypt online data but also encrypt any system backups they can reach. Data replicated to cloud environments can also be encrypted. In a vulnerable environment, this can make automated recovery impossible and effectively set the entire system back to square one.
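The paragraph above makes the point that backups are only useful if the ransomware cannot reach them. The following PowerShell audit is an added example (not Progent's code or any product's feature) that a defender can run from an ordinary domain workstation to find backup repositories that are reachable and writable by broad identities such as Everyone or Authenticated Users. It reads the NTFS DACL with Get-Acl rather than writing anything; the repository paths and the list of broad identities are constructed for the example and should be replaced with your own.

```powershell
# Added example (not Progent's code): report which backup repositories are reachable from this
# host and which broad identities hold write or delete rights on them. The identity list is
# constructed for the example; add your own domain groups (e.g. the domain's Domain Users).
$BroadIdentities = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Domain Users')

function Get-BackupRepositoryExposure {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$RepositoryPath)

    foreach ($path in $RepositoryPath) {
        if (-not (Test-Path -LiteralPath $path)) {
            # Unreachable from an ordinary workstation account is the desired state for a backup store.
            [pscustomobject]@{ Path = $path; Reachable = $false; BroadWriteAccess = ''; Finding = 'not reachable from this host' }
            continue
        }

        $acl = Get-Acl -LiteralPath $path
        $exposed = @()
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            $identity = $rule.IdentityReference.Value
            if (-not ($BroadIdentities | Where-Object { $identity -like "*$_" })) { continue }

            # Any of these rights lets a process running as that identity overwrite or delete backup sets.
            # Generic rights (GENERIC_ALL and friends) render as a bare number; flag them for manual review.
            $rights = $rule.FileSystemRights.ToString()
            if ($rights -match 'FullControl|Modify|Write|Delete' -or $rights -match '^-?\d+$') {
                $exposed += "$identity ($rights)"
            }
        }

        [pscustomobject]@{
            Path             = $path
            Reachable        = $true
            BroadWriteAccess = ($exposed -join '; ')
            Finding          = if ($exposed) { 'writable by ordinary domain accounts: ransomware running as a user can destroy these backups' } else { 'reachable but write-restricted' }
        }
    }
}

# Usage (constructed paths; run from a normal domain workstation, not from the backup server):
# Get-BackupRepositoryExposure -RepositoryPath '\\backup01\Repository', 'D:\Backups' | Format-Table -AutoSize
```

Get-Acl returns the NTFS permissions only; share-level permissions and the credentials the backup software itself uses are separate checks. A repository that comes back as "not reachable" from a workstation, with writes limited to a dedicated backup service account on the server that owns it, is the outcome the paragraph above is asking for.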

Restoring services and data after a crypto-ransomware attack becomes a race against the clock as the targeted business struggles to contain the damage and clear the crypto-ransomware and to resume mission-critical operations. Because ransomware requires time to spread, assaults are often sprung during nights and weekends, when successful penetrations are likely to take more time to discover. This compounds the difficulty of promptly marshalling and organizing a qualified mitigation team.

Progent offers a variety of support services for protecting enterprises from crypto-ransomware incidents. These include team training to recognize phishing exploits and avoid falling victim to them, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of security appliances with artificial intelligence capabilities from SentinelOne to identify and suppress zero-day cyber threats automatically. Progent also offers the services of experienced crypto-ransomware recovery professionals with the skill and commitment to rebuild a compromised environment as quickly as possible.

Progent's Crypto-Ransomware Restoration Support Services
After a crypto-ransomware penetration, even paying the ransom in cryptocurrency does not ensure that the cyber criminals will hand over the keys to decrypt any of your data. Kaspersky Labs found that 17% of ransomware victims never recovered their information after paying the ransom, compounding their losses. The ransom itself is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000), far above the average crypto-ransomware demand, which ZDNET determined to be around $13,000. The other path is to piece the essential components of your IT environment back together. Without access to complete backups, this requires a wide range of IT skills, well-coordinated team management, and the capability to work 24x7 until the recovery project is done.

For twenty years, Progent has provided expert Information Technology services for businesses in Dayton and across the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have earned advanced industry certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have garnered internationally-renowned industry certifications including CISM, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has experience with financial systems and ERP software solutions. This breadth of experience provides Progent the ability to quickly determine necessary systems and consolidate the remaining pieces of your Information Technology system following a crypto-ransomware penetration and rebuild them into a functioning system.

Progent's security team uses top-notch project management tools to orchestrate the complicated recovery process. Progent appreciates the importance of working quickly and together with a client's management and IT staff to prioritize tasks and to put the most important systems back online as fast as humanly possible.

Client Case Study: A Successful Ransomware Penetration Recovery
A client engaged Progent after their network was attacked by Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean government-sponsored hackers, who are suspected of adopting techniques leaked from America's National Security Agency. Ryuk targets specific organizations with limited ability to sustain operational disruption and is among the most lucrative iterations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company located in the Chicago metro area with about 500 staff members. The Ryuk attack had frozen all business operations and manufacturing capabilities. Most of the client's backups had been directly accessible at the time of the intrusion and were destroyed. The client was actively seeking loans to pay the ransom (more than $200K) and hoping for the best, but ultimately brought in Progent.


"I cannot tell you enough in regards to the help Progent gave us during the most critical period of (our) businesses survival. We would have paid the cyber criminals behind the attack if it wasn�t for the confidence the Progent group gave us. That you were able to get our e-mail and critical servers back faster than a week was amazing. Every single expert I spoke to or communicated with at Progent was laser focused on getting us restored and was working non-stop on our behalf."

Progent worked with the client to rapidly determine and assign priority to the critical systems that had to be restored in order to continue business functions:

  • Active Directory (AD)
  • Email
  • Accounting/MRP
To begin, Progent followed antivirus incident mitigation best practices by stopping the spread and disinfecting systems. Progent then started the work of rebuilding Microsoft Active Directory, the foundation of enterprise systems built on Microsoft Windows technology. Microsoft Exchange Server messaging will not operate without AD, and the business's accounting and MRP software relied on Microsoft SQL Server, which depends on Active Directory to authorize access to the database.

In less than 2 days, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then charged ahead with rebuilding critical servers and recovering their hard drives. All Exchange Server data and configuration information were usable, which accelerated the restoration of Exchange. Progent was able to locate non-encrypted OST files (Outlook offline data files) on various PCs and laptops in order to recover email data. A recent offline backup of the client's financials/MRP systems made it possible to bring these required applications back online. Although a lot of work remained to recover completely from the Ryuk event, core systems were returned to operation quickly:
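The email recovery step above hinged on finding OST files that the ransomware had not touched. The PowerShell script below is an added example (not Progent's code or part of the case study) of how a recovery team can inventory Outlook caches across workstations and tell intact files from encrypted ones before copying anything. It goes slightly beyond the text in one respect: instead of trusting the file name, it reads the first four bytes of each file and checks for the MS-PST magic value "!BDN" that every OST/PST file begins with, since a file encrypted in place loses that header. It assumes administrative access to each workstation's C$ share and the default Outlook profile location under AppData; the host names in the usage line are constructed.

```powershell
# Added example (not Progent's code). Scans the default Outlook cache folder of every user
# profile on each listed workstation over the C$ admin share and reports which OST files still
# carry a valid header. OST/PST files (MS-PST NDB layer) start with the 4-byte magic "!BDN"
# (0x21 0x42 0x44 0x4E); a copy that was encrypted in place has lost it and cannot be opened.
$OstMagic = [byte[]](0x21, 0x42, 0x44, 0x4E)

function Test-OstHeader {
    param([Parameter(Mandatory)][string]$Path)
    try {
        # FileShare.ReadWrite lets the check run even while Outlook still holds the file open.
        $stream = [System.IO.File]::Open($Path,
            [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
        try {
            $buffer = New-Object byte[] 4
            $read = $stream.Read($buffer, 0, 4)
        } finally { $stream.Dispose() }
    } catch { return $false }   # unreadable (locked, permission denied, truncated) counts as not usable
    if ($read -lt 4) { return $false }
    for ($i = 0; $i -lt 4; $i++) { if ($buffer[$i] -ne $OstMagic[$i]) { return $false } }
    return $true
}

function Find-RecoverableOst {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        if (-not (Test-Path -LiteralPath "\\$computer\C$")) {
            [pscustomobject]@{ Computer = $computer; Path = ''; SizeMB = 0; Status = 'unreachable' }
            continue
        }
        # The wildcard in the profile segment covers every user on the machine; the '*.ost*' filter
        # also catches files the ransomware renamed by appending its own extension.
        Get-ChildItem -Path "\\$computer\C$\Users\*\AppData\Local\Microsoft\Outlook" -Filter '*.ost*' -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Computer = $computer
                    Path     = $_.FullName
                    SizeMB   = [math]::Round($_.Length / 1MB, 1)
                    Status   = if (Test-OstHeader -Path $_.FullName) { 'intact' } else { 'damaged-or-encrypted' }
                }
            }
    }
}

# Usage (constructed host names): list intact caches, largest mailboxes first, so the most
# valuable copies are secured before anyone reopens Outlook on those machines.
# Find-RecoverableOst -ComputerName 'WS-ACCT-01', 'WS-ENG-07' |
#     Where-Object Status -eq 'intact' | Sort-Object SizeMB -Descending | Format-Table -AutoSize
```

An intact header only shows that the file was not encrypted in place; the OST is a cache of the server mailbox as of the last sync, so the data it holds is only as current as the user's last successful connection. Copy the intact files to isolated storage before rebuilding the workstations, because a reinstalled Outlook profile will recreate the cache and discard the old one.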


"For the most part, the manufacturing operation never missed a beat and we produced all customer shipments."

During the next month critical milestones in the recovery project were achieved through close collaboration between Progent consultants and the client:

  • In-house web sites were returned to operation without losing any information.
  • The MailStore Exchange Server, holding more than four million historical messages, was brought online and made accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/AR/Inventory capabilities were completely recovered.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • Most of the user workstations were back into operation.

"Much of what was accomplished those first few days is mostly a haze for me, but our team will not forget the countless hours each of the team accomplished to give us our company back. I�ve entrusted Progent for the past ten years, maybe more, and each time Progent has shined and delivered as promised. This time was the most impressive ever."

Conclusion
A probable enterprise-killing disaster was averted through the efforts of top-tier professionals, a wide array of knowledge, and tight collaboration. Forensics completed after the fact showed that the crypto-ransomware attack described here would have been identified and disabled by current security systems, ISO/IEC 27001 best practices, user and IT administrator education, and appropriate procedures for data backup and for keeping systems current with security patches. The reality remains, however, that government-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and an ongoing threat. If you do get hit by a ransomware incursion, be confident that Progent's roster of experts has extensive experience in ransomware blocking, cleanup, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were involved), thank you for making it so I could get some sleep after we got over the initial fire. All of you did an amazing job, and if any of your team is in the Chicago area, a great meal is on me!"

To review or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Dayton a portfolio of remote monitoring and security evaluation services to help minimize the threat from ransomware. These services incorporate modern AI technology to detect zero-day variants of crypto-ransomware that can get past legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's next generation behavior analysis tools to defend physical and virtual endpoints against modern malware assaults like ransomware and email phishing, which routinely evade traditional signature-based AV products. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a single platform to address the entire malware attack lifecycle including protection, identification, mitigation, cleanup, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against new threats. Progent is a SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable in-depth security for physical servers and VMs, workstations, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring of and response to cyber assaults from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device control, and web filtering via leading-edge tools incorporated within a single agent managed from a single console. Progent's security and virtualization experts can help your business design and implement a ProSight ESP environment that addresses your organization's specific requirements and that helps you achieve and demonstrate compliance with legal and industry information protection standards. Progent will assist you in specifying and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent action. Progent's consultants can also help you install and verify a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business rapidly after a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has worked with leading backup technology companies to create ProSight Data Protection Services, a family of management offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and track your data backup operations and enable non-disruptive backup and rapid recovery of important files, applications, images, and virtual machines. ProSight DPS helps you protect against data loss resulting from hardware failures, natural disasters, fire, cyber attacks such as ransomware, user error, malicious insiders, or software bugs. Managed backup services in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you determine which of these fully managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading information security companies to provide centralized management and comprehensive security for all your email traffic. The hybrid architecture of Progent's Email Guard combines a Cloud Protection Layer with an on-premises gateway device to offer complete protection against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's cloud filter acts as a first line of defense and keeps most unwanted email from reaching your network firewall. This decreases your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's on-premises security gateway device adds a deeper layer of inspection for incoming email. For outgoing email, the on-premises gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The onsite security gateway can also help Microsoft Exchange Server monitor and protect internal email traffic that originates and ends within your security perimeter. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for smaller businesses to diagram, track, optimize and debug their connectivity hardware like routers and switches, firewalls, and wireless controllers as well as servers, printers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network diagrams are always current, captures and manages the configuration information of almost all devices connected to your network, monitors performance, and generates alerts when issues are discovered. By automating tedious network management activities, WAN Watch can cut hours off common tasks like making network diagrams, expanding your network, locating appliances that need important software patches, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management techniques to keep your network operating efficiently by tracking the state of the vital computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your specified IT staff and your Progent engineering consultant so any potential problems can be resolved before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host set up and managed by Progent's IT support professionals. With the ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the apps. Since the system is virtualized, it can be moved easily to a different hardware environment without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and protect data about your IT infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be warned about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can save as much as 50% of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a common location for holding and sharing all documents required for managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're planning improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you need as soon as you need it. Read more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection solution that utilizes next-generation behavior-based machine learning tools to guard endpoints and physical and virtual servers against modern malware assaults such as ransomware and file-less exploits, which easily escape legacy signature-based AV tools. Progent ASM services safeguard on-premises and cloud-based resources and provide a single platform to manage the entire malware attack lifecycle including protection, infiltration detection, mitigation, remediation, and post-attack forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Find out more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Service Desk: Call Center Managed Services
    Progent's Help Desk services enable your information technology team to offload Support Desk services to Progent or divide responsibilities for Service Desk support transparently between your internal support resources and Progent's extensive roster of IT support technicians, engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a seamless extension of your core support team. End user interaction with the Help Desk, delivery of technical assistance, problem escalation, trouble ticket generation and updates, performance metrics, and maintenance of the support database are cohesive regardless of whether incidents are taken care of by your internal support resources, by Progent, or by a combination. Find out more about Progent's outsourced/shared Call Center services.

  • Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management offer organizations of all sizes a versatile and cost-effective solution for evaluating, testing, scheduling, implementing, and documenting updates to your dynamic information network. In addition to maximizing the protection and reliability of your computer environment, Progent's patch management services free up time for your IT staff to focus on line-of-business initiatives and tasks that derive maximum business value from your network. Read more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo authentication managed services utilize Cisco's Duo cloud technology to protect against compromised passwords through the use of two-factor authentication. Duo supports single-tap identity confirmation with Apple iOS, Google Android, and other personal devices. With 2FA, when you sign into a protected online account and enter your password, you are asked to confirm your identity on a device that only you have and that is reached over a separate network channel. A broad selection of devices can serve as this added form of authentication, including an iPhone, Android phone or wearable, a hardware or software token, or a landline telephone. You can designate multiple verification devices. For details about Duo two-factor identity validation services, refer to Cisco Duo MFA two-factor authentication services for access security.
For Dayton 24/7 Crypto-Ransomware Cleanup Consultants, call Progent at 800-462-8800 or go to Contact Progent.