Ransomware : Your Crippling IT Disaster
Ransomware  Recovery ConsultantsRansomware has become an escalating cyberplague that represents an existential danger for businesses of all sizes vulnerable to an assault. Versions of ransomware like the CryptoLocker, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been out in the wild for a long time and still cause harm. More recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, as well as more unnamed newcomers, not only encrypt online information but also infiltrate any accessible system backups. Information synched to cloud environments can also be rendered useless. In a poorly designed system, it can make any restore operations useless and basically sets the datacenter back to zero.

Recovering applications and data following a ransomware event becomes a sprint against time as the targeted organization tries its best to contain the damage and remove the virus and to resume enterprise-critical activity. Since ransomware needs time to spread, penetrations are frequently launched at night, when successful attacks typically take longer to notice. This multiplies the difficulty of rapidly mobilizing and orchestrating a capable mitigation team.

Progent makes available a range of support services for protecting enterprises from ransomware attacks. These include staff education to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of modern security solutions with AI technology to automatically identify and disable zero-day cyber threats. Progent in addition can provide the services of expert crypto-ransomware recovery engineers with the talent and perseverance to re-deploy a compromised system as rapidly as possible.

Progent's Ransomware Restoration Help
Following a ransomware event, paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that distant criminals will provide the keys to decipher any or all of your files. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their data after having paid the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the usual crypto-ransomware demands, which ZDNET averages to be in the range of $13,000. The alternative is to piece back together the critical parts of your IT environment. Absent the availability of essential information backups, this requires a wide complement of skills, professional team management, and the willingness to work 24x7 until the recovery project is completed.

For decades, Progent has provided expert Information Technology services for companies in Edmonton and throughout the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have attained top industry certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have earned internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience in financial systems and ERP software solutions. This breadth of experience provides Progent the ability to rapidly understand critical systems and re-organize the remaining components of your computer network system after a crypto-ransomware penetration and assemble them into a functioning system.

Progent's ransomware team of experts has state-of-the-art project management tools to coordinate the complex restoration process. Progent appreciates the importance of acting quickly and in concert with a client's management and Information Technology team members to assign priority to tasks and to put the most important systems back on-line as fast as possible.

Case Study: A Successful Crypto-Ransomware Virus Restoration
A client hired Progent after their network was brought down by Ryuk crypto-ransomware. Ryuk is believed to have been created by Northern Korean state sponsored hackers, suspected of using approaches exposed from Americaís National Security Agency. Ryuk seeks specific businesses with little or no ability to sustain disruption and is among the most profitable iterations of ransomware viruses. Major targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer located in Chicago and has about 500 staff members. The Ryuk event had paralyzed all essential operations and manufacturing processes. The majority of the client's data backups had been directly accessible at the beginning of the intrusion and were destroyed. The client was actively seeking loans for paying the ransom demand (exceeding two hundred thousand dollars) and hoping for good luck, but ultimately utilized Progent.


"I canít thank you enough about the support Progent gave us throughout the most critical period of (our) companyís survival. We most likely would have paid the cybercriminals if not for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail system and production servers back quicker than one week was amazing. Every single person I worked with or messaged at Progent was amazingly focused on getting us back on-line and was working non-stop to bail us out."

Progent worked with the customer to quickly get our arms around and assign priority to the most important systems that had to be restored to make it possible to restart departmental operations:

  • Active Directory
  • E-Mail
  • Accounting and Manufacturing Software
To start, Progent followed Anti-virus event response industry best practices by halting the spread and performing virus removal steps. Progent then initiated the task of recovering Microsoft AD, the heart of enterprise systems built upon Microsoft technology. Microsoft Exchange email will not function without AD, and the client's accounting and MRP applications utilized Microsoft SQL Server, which depends on Active Directory for access to the data.

In less than two days, Progent was able to re-build Active Directory services to its pre-virus state. Progent then assisted with rebuilding and hard drive recovery of key servers. All Microsoft Exchange Server ties and attributes were intact, which facilitated the restore of Exchange. Progent was able to locate intact OST data files (Outlook Off-Line Data Files) on staff desktop computers to recover email messages. A not too old offline backup of the client's manufacturing systems made it possible to restore these vital applications back on-line. Although a lot of work needed to be completed to recover completely from the Ryuk damage, critical systems were returned to operations rapidly:


"For the most part, the production line operation was never shut down and we delivered all customer sales."

Over the next month key milestones in the restoration project were completed in close cooperation between Progent engineers and the client:

  • Self-hosted web sites were restored without losing any information.
  • The MailStore Exchange Server containing more than four million archived emails was brought online and available for users.
  • CRM/Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory capabilities were fully functional.
  • A new Palo Alto Networks 850 firewall was deployed.
  • Ninety percent of the user PCs were functioning as before the incident.

"Much of what occurred those first few days is nearly entirely a haze for me, but my management will not forget the countless hours each of your team put in to give us our business back. Iíve trusted Progent for the past 10 years, possibly more, and every time Progent has outperformed my expectations and delivered as promised. This event was a testament to your capabilities."

Conclusion
A probable enterprise-killing catastrophe was avoided due to dedicated experts, a wide spectrum of knowledge, and tight collaboration. Although in hindsight the ransomware virus attack described here could have been identified and prevented with up-to-date cyber security technology solutions and ISO/IEC 27001 best practices, staff education, and properly executed incident response procedures for information backup and applying software patches, the reality remains that state-sponsored hackers from Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a ransomware attack, remember that Progent's roster of experts has substantial experience in ransomware virus blocking, remediation, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were contributing), thanks very much for making it so I could get some sleep after we made it past the first week. Everyone did an amazing effort, and if anyone that helped is visiting the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Edmonton a variety of remote monitoring and security assessment services designed to assist you to reduce the threat from crypto-ransomware. These services incorporate modern AI technology to uncover new variants of crypto-ransomware that can evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes cutting edge behavior analysis tools to defend physical and virtual endpoints against modern malware assaults like ransomware and file-less exploits, which routinely evade traditional signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and offers a unified platform to manage the complete malware attack progression including blocking, identification, mitigation, cleanup, and post-attack forensics. Key features include one-click rollback using Windows VSS and real-time system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services offer economical multi-layer protection for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alarms, device control, and web filtering via leading-edge technologies packaged within a single agent accessible from a single control. Progent's data protection and virtualization consultants can help you to plan and implement a ProSight ESP deployment that meets your organization's unique needs and that allows you demonstrate compliance with government and industry data protection standards. Progent will assist you define and configure policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for immediate attention. Progent can also help your company to install and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with leading backup/restore technology companies to produce ProSight Data Protection Services, a portfolio of subscription-based offerings that provide backup-as-a-service. ProSight DPS services automate and track your backup processes and enable non-disruptive backup and rapid restoration of vital files/folders, applications, system images, plus VMs. ProSight DPS lets you avoid data loss resulting from hardware failures, natural calamities, fire, cyber attacks like ransomware, user error, malicious insiders, or application bugs. Managed backup services in the ProSight Data Protection Services product line include ProSight Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can assist you to determine which of these managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top data security vendors to deliver centralized management and comprehensive protection for all your inbound and outbound email. The hybrid architecture of Email Guard integrates a Cloud Protection Layer with an on-premises security gateway device to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-based threats. The cloud filter acts as a preliminary barricade and keeps the vast majority of threats from making it to your security perimeter. This decreases your vulnerability to inbound attacks and conserves system bandwidth and storage. Email Guard's onsite gateway device provides a further level of analysis for inbound email. For outgoing email, the local security gateway provides AV and anti-spam protection, DLP, and email encryption. The local security gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that stays inside your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller organizations to map out, track, enhance and troubleshoot their networking appliances such as switches, firewalls, and access points plus servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology diagrams are kept current, captures and manages the configuration of virtually all devices connected to your network, tracks performance, and generates alerts when issues are detected. By automating tedious network management processes, WAN Watch can knock hours off common tasks like making network diagrams, reconfiguring your network, finding appliances that require critical software patches, or resolving performance problems. Learn more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring service that uses advanced remote monitoring and management (RMM) techniques to keep your network operating efficiently by tracking the health of vital computers that drive your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your specified IT staff and your assigned Progent consultant so all potential problems can be addressed before they have a chance to impact productivity. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual host set up and maintained by Progent's network support professionals. With Progent's ProSight Virtual Hosting service model, the client owns the data, the OS platforms, and the apps. Since the system is virtualized, it can be moved easily to a different hosting solution without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, retrieve and protect information about your IT infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be warned automatically about upcoming expirations of SSLs ,domains or warranties. By updating and managing your network documentation, you can save as much as 50% of time wasted searching for critical information about your network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents related to managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether youíre planning improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you require when you need it. Learn more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection solution that incorporates cutting edge behavior machine learning technology to guard endpoints as well as physical and virtual servers against new malware assaults such as ransomware and file-less exploits, which easily get by traditional signature-matching anti-virus tools. Progent Active Security Monitoring services safeguard on-premises and cloud-based resources and offers a unified platform to automate the entire threat lifecycle including blocking, detection, containment, cleanup, and forensics. Key capabilities include one-click rollback with Windows VSS and real-time network-wide immunization against new threats. Learn more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Help Center: Support Desk Managed Services
    Progent's Help Center services enable your IT group to outsource Help Desk services to Progent or split responsibilities for support services transparently between your internal support resources and Progent's nationwide roster of certified IT service engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a smooth extension of your in-house support group. End user interaction with the Service Desk, delivery of support, issue escalation, ticket creation and updates, efficiency metrics, and maintenance of the service database are cohesive whether incidents are taken care of by your corporate IT support group, by Progent's team, or a mix of the two. Learn more about Progent's outsourced/shared Help Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management offer organizations of all sizes a flexible and affordable alternative for evaluating, validating, scheduling, applying, and tracking updates to your dynamic information system. In addition to optimizing the protection and functionality of your computer network, Progent's software/firmware update management services free up time for your IT team to concentrate on line-of-business initiatives and tasks that derive maximum business value from your network. Learn more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA service plans incorporate Cisco's Duo technology to protect against stolen passwords by using two-factor authentication (2FA). Duo enables one-tap identity verification on Apple iOS, Android, and other out-of-band devices. Using Duo 2FA, when you log into a secured application and give your password you are requested to verify your identity via a unit that only you possess and that is accessed using a separate network channel. A broad range of out-of-band devices can be utilized for this added form of authentication including a smartphone or wearable, a hardware/software token, a landline phone, etc. You may register multiple verification devices. For more information about Duo identity validation services, go to Duo MFA two-factor authentication (2FA) services for access security.
For 24x7 Edmonton Crypto-Ransomware Remediation Support Services, call Progent at 800-462-8800 or go to Contact Progent.