Ransomware : Your Feared IT Disaster
Crypto-Ransomware  Remediation ProfessionalsCrypto-Ransomware has become an escalating cyberplague that poses an existential threat for organizations poorly prepared for an assault. Versions of crypto-ransomware like the CryptoLocker, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been out in the wild for a long time and continue to cause damage. Newer versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, plus additional as yet unnamed malware, not only do encryption of on-line data but also infect most available system backup. Files synched to cloud environments can also be encrypted. In a vulnerable system, it can render any restoration hopeless and effectively knocks the datacenter back to zero.

Restoring applications and information after a ransomware attack becomes a sprint against the clock as the targeted organization fights to contain and remove the ransomware and to restore mission-critical operations. Due to the fact that crypto-ransomware takes time to replicate, assaults are frequently sprung on weekends and holidays, when successful attacks in many cases take more time to recognize. This multiplies the difficulty of rapidly mobilizing and organizing a capable mitigation team.

Progent makes available a range of help services for protecting businesses from ransomware attacks. Among these are team education to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of the latest generation security appliances with machine learning technology from SentinelOne to discover and quarantine new cyber threats rapidly. Progent also provides the services of veteran crypto-ransomware recovery consultants with the skills and commitment to reconstruct a compromised environment as rapidly as possible.

Progent's Ransomware Recovery Services
After a crypto-ransomware attack, even paying the ransom in Bitcoin cryptocurrency does not provide any assurance that criminal gangs will provide the keys to unencrypt any of your data. Kaspersky estimated that seventeen percent of ransomware victims never recovered their files after having paid the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is significantly above the usual crypto-ransomware demands, which ZDNET determined to be in the range of $13,000. The fallback is to piece back together the key components of your Information Technology environment. Absent the availability of complete data backups, this calls for a broad complement of skills, well-coordinated team management, and the capability to work continuously until the recovery project is complete.

For decades, Progent has provided professional IT services for companies in Edmonton and across the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have earned high-level industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have garnered internationally-renowned certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise in accounting and ERP application software. This breadth of experience gives Progent the skills to knowledgably identify important systems and organize the surviving components of your network environment after a crypto-ransomware penetration and rebuild them into a functioning system.

Progent's security group utilizes best of breed project management systems to orchestrate the complicated restoration process. Progent understands the importance of working quickly and in unison with a customer�s management and Information Technology team members to prioritize tasks and to put essential applications back online as fast as possible.

Client Case Study: A Successful Ransomware Virus Restoration
A customer escalated to Progent after their organization was penetrated by the Ryuk ransomware. Ryuk is thought to have been deployed by Northern Korean state criminal gangs, possibly using strategies leaked from America�s National Security Agency. Ryuk goes after specific companies with little or no tolerance for disruption and is among the most profitable iterations of ransomware malware. Headline organizations include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in Chicago and has around 500 employees. The Ryuk penetration had shut down all essential operations and manufacturing capabilities. The majority of the client's data protection had been on-line at the start of the attack and were damaged. The client was evaluating paying the ransom (exceeding $200K) and praying for the best, but ultimately utilized Progent.


"I can�t speak enough in regards to the expertise Progent gave us throughout the most fearful period of (our) businesses existence. We most likely would have paid the cybercriminals except for the confidence the Progent experts gave us. The fact that you were able to get our e-mail system and important applications back into operation in less than 1 week was beyond my wildest dreams. Each consultant I worked with or communicated with at Progent was amazingly focused on getting our system up and was working day and night on our behalf."

Progent worked hand in hand the customer to quickly identify and prioritize the key systems that had to be addressed to make it possible to continue company operations:

  • Active Directory (AD)
  • Electronic Mail
  • Accounting/MRP
To get going, Progent followed AV/Malware Processes penetration mitigation best practices by halting lateral movement and cleaning up infected systems. Progent then started the work of recovering Microsoft Active Directory, the core of enterprise networks built upon Microsoft technology. Microsoft Exchange Server messaging will not work without Active Directory, and the client's financials and MRP system utilized Microsoft SQL, which requires Active Directory services for access to the information.

Within 2 days, Progent was able to recover Active Directory services to its pre-virus state. Progent then charged ahead with reinstallations and storage recovery on key servers. All Exchange Server ties and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to assemble intact OST files (Microsoft Outlook Offline Folder Files) on team desktop computers in order to recover mail messages. A not too old off-line backup of the client's financials/MRP software made it possible to restore these essential applications back available to users. Although a large amount of work needed to be completed to recover fully from the Ryuk event, core services were recovered quickly:


"For the most part, the production line operation was never shut down and we delivered all customer sales."

Over the next few weeks critical milestones in the restoration project were completed in close cooperation between Progent team members and the customer:

  • In-house web applications were brought back up without losing any information.
  • The MailStore Microsoft Exchange Server containing more than four million archived messages was brought online and available for users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control capabilities were completely restored.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Ninety percent of the user workstations were fully operational.

"A lot of what happened those first few days is nearly entirely a fog for me, but my management will not soon forget the care each and every one of your team accomplished to give us our company back. I have been working with Progent for the past 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered. This event was the most impressive ever."

Conclusion
A potential business-ending catastrophe was averted by dedicated professionals, a wide array of subject matter expertise, and tight teamwork. Although in retrospect the ransomware virus penetration detailed here would have been identified and prevented with up-to-date security systems and recognized best practices, user education, and well designed security procedures for data backup and keeping systems up to date with security patches, the reality remains that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware virus, feel confident that Progent's team of professionals has substantial experience in ransomware virus defense, cleanup, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), I�m grateful for allowing me to get some sleep after we made it through the first week. All of you did an incredible effort, and if anyone is visiting the Chicago area, a great meal is my treat!"

To read or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Edmonton a variety of remote monitoring and security assessment services to assist you to reduce the threat from ransomware. These services include next-generation AI technology to uncover new variants of ransomware that can get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes SentinelOne's next generation behavior machine learning technology to guard physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which easily escape traditional signature-matching AV products. ProSight ASM safeguards on-premises and cloud resources and offers a unified platform to address the complete malware attack lifecycle including protection, infiltration detection, containment, remediation, and forensics. Top capabilities include single-click rollback with Windows VSS and automatic system-wide immunization against newly discovered attacks. Progent is a certified SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer ultra-affordable in-depth security for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and responding to cyber threats from all attack vectors. ProSight ESP offers firewall protection, penetration alarms, endpoint management, and web filtering via leading-edge technologies packaged within a single agent managed from a single control. Progent's security and virtualization experts can help your business to plan and configure a ProSight ESP deployment that meets your organization's specific needs and that helps you achieve and demonstrate compliance with government and industry data security regulations. Progent will help you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for urgent attention. Progent's consultants can also assist your company to set up and verify a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with leading backup technology providers to produce ProSight Data Protection Services, a portfolio of offerings that provide backup-as-a-service (BaaS). ProSight DPS services automate and monitor your backup operations and enable non-disruptive backup and rapid recovery of critical files/folders, apps, system images, plus Hyper-V and VMware virtual machines. ProSight DPS lets your business avoid data loss resulting from hardware failures, natural calamities, fire, cyber attacks like ransomware, human error, malicious employees, or software bugs. Managed backup services available in the ProSight DPS portfolio include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to determine which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading information security companies to deliver centralized management and comprehensive security for your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service combines cloud-based filtering with a local gateway device to provide advanced defense against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-based threats. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks most unwanted email from making it to your security perimeter. This decreases your exposure to external attacks and conserves system bandwidth and storage space. Email Guard's on-premises gateway device provides a further level of analysis for incoming email. For outbound email, the local security gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also help Microsoft Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to map out, track, enhance and debug their connectivity hardware such as routers and switches, firewalls, and wireless controllers as well as servers, printers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always current, copies and manages the configuration of almost all devices on your network, tracks performance, and sends alerts when potential issues are detected. By automating tedious network management activities, WAN Watch can cut hours off ordinary chores like making network diagrams, reconfiguring your network, finding devices that need important software patches, or resolving performance issues. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progents server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) technology to help keep your IT system running at peak levels by checking the health of critical assets that power your information system. When ProSight LAN Watch detects an issue, an alert is sent automatically to your designated IT management staff and your Progent engineering consultant so that all looming problems can be resolved before they can disrupt productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual machine host set up and managed by Progent's network support experts. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the applications. Because the system is virtualized, it can be ported immediately to an alternate hardware environment without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, find and protect data related to your network infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be alerted automatically about impending expirations of SSLs or warranties. By cleaning up and managing your network documentation, you can save as much as 50% of time thrown away looking for critical information about your IT network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents related to managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether youre planning improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need as soon as you need it. Read more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that utilizes next generation behavior-based machine learning tools to guard endpoint devices as well as servers and VMs against new malware assaults like ransomware and email phishing, which easily escape legacy signature-matching AV tools. Progent ASM services safeguard local and cloud-based resources and offers a unified platform to automate the entire threat lifecycle including filtering, infiltration detection, mitigation, remediation, and forensics. Top features include one-click rollback with Windows VSS and real-time system-wide immunization against newly discovered threats. Find out more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Service Desk: Help Desk Managed Services
    Progent's Call Center managed services allow your information technology staff to offload Help Desk services to Progent or split responsibilities for Help Desk services seamlessly between your in-house network support staff and Progent's extensive roster of IT support engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a transparent extension of your corporate network support resources. Client access to the Help Desk, provision of support, issue escalation, ticket generation and tracking, performance metrics, and maintenance of the support database are consistent whether issues are resolved by your internal support staff, by Progent's team, or by a combination. Learn more about Progent's outsourced/shared Call Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer organizations of any size a flexible and affordable solution for evaluating, testing, scheduling, implementing, and tracking software and firmware updates to your ever-evolving IT system. In addition to maximizing the protection and functionality of your computer environment, Progent's patch management services permit your in-house IT team to focus on line-of-business projects and activities that derive maximum business value from your network. Learn more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo MFA service plans utilize Cisco's Duo cloud technology to protect against stolen passwords by using two-factor authentication (2FA). Duo supports single-tap identity verification on Apple iOS, Android, and other personal devices. Using 2FA, when you log into a protected application and enter your password you are requested to verify your identity on a unit that only you have and that uses a different network channel. A broad selection of out-of-band devices can be utilized as this added form of authentication such as an iPhone or Android or watch, a hardware/software token, a landline telephone, etc. You can register several verification devices. For more information about Duo two-factor identity authentication services, see Cisco Duo MFA two-factor authentication services for access security.
For Edmonton 24-Hour Ransomware Remediation Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.