Ransomware : Your Feared Information Technology Nightmare
Crypto-Ransomware  Remediation ExpertsRansomware has become a modern cyberplague that poses an existential threat for businesses of all sizes unprepared for an attack. Different iterations of ransomware such as Dharma, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been around for years and still cause destruction. Newer strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, along with frequent as yet unnamed malware, not only encrypt online critical data but also infiltrate many available system protection. Files synched to the cloud can also be rendered useless. In a poorly architected system, it can render any recovery impossible and basically sets the entire system back to zero.

Getting back programs and information following a ransomware intrusion becomes a sprint against the clock as the targeted business tries its best to contain and cleanup the ransomware and to resume business-critical activity. Because ransomware takes time to replicate, penetrations are frequently launched on weekends and holidays, when successful attacks are likely to take longer to discover. This compounds the difficulty of quickly mobilizing and orchestrating a knowledgeable response team.

Progent makes available a range of solutions for protecting organizations from crypto-ransomware events. Among these are staff education to become familiar with and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with installation of modern security solutions with machine learning capabilities from SentinelOne to identify and disable day-zero threats automatically. Progent also offers the services of seasoned crypto-ransomware recovery consultants with the talent and perseverance to reconstruct a breached network as rapidly as possible.

Progent's Ransomware Restoration Help
Following a ransomware attack, even paying the ransom in cryptocurrency does not guarantee that cyber hackers will return the needed keys to unencrypt all your information. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never restored their information after having sent off the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well above the average crypto-ransomware demands, which ZDNET determined to be around $13,000. The other path is to setup from scratch the critical elements of your IT environment. Absent access to complete information backups, this requires a broad range of IT skills, well-coordinated team management, and the ability to work continuously until the recovery project is complete.

For two decades, Progent has made available professional Information Technology services for companies in Edmonton and throughout the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have earned advanced certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have garnered internationally-recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience in financial management and ERP software solutions. This breadth of expertise affords Progent the skills to knowledgably ascertain important systems and integrate the surviving parts of your Information Technology system following a ransomware penetration and rebuild them into a functioning system.

Progent's security group uses state-of-the-art project management systems to coordinate the sophisticated restoration process. Progent knows the urgency of acting swiftly and together with a client's management and IT team members to assign priority to tasks and to get critical systems back on-line as fast as humanly possible.

Client Story: A Successful Ransomware Penetration Restoration
A business contacted Progent after their company was crashed by the Ryuk crypto-ransomware. Ryuk is thought to have been launched by North Korean state criminal gangs, possibly using strategies exposed from the United States NSA organization. Ryuk targets specific companies with little ability to sustain disruption and is one of the most lucrative iterations of ransomware. Major targets include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturer based in Chicago with about 500 employees. The Ryuk attack had frozen all essential operations and manufacturing processes. Most of the client's backups had been online at the time of the attack and were destroyed. The client was actively seeking loans for paying the ransom demand (more than $200,000) and wishfully thinking for the best, but in the end called Progent.


"I can't say enough in regards to the support Progent gave us during the most fearful period of (our) businesses survival. We had little choice but to pay the cyber criminals behind the attack except for the confidence the Progent team afforded us. That you were able to get our messaging and production applications back online in less than five days was incredible. Every single expert I talked with or messaged at Progent was absolutely committed on getting our system up and was working 24 by 7 on our behalf."

Progent worked with the customer to quickly assess and prioritize the mission critical applications that had to be addressed to make it possible to resume business operations:

  • Windows Active Directory
  • E-Mail
  • Accounting and Manufacturing Software
To begin, Progent adhered to Anti-virus incident mitigation industry best practices by halting lateral movement and cleaning systems of viruses. Progent then started the steps of rebuilding Microsoft AD, the heart of enterprise environments built upon Microsoft Windows technology. Microsoft Exchange Server email will not function without AD, and the client's accounting and MRP system utilized Microsoft SQL Server, which needs Active Directory services for access to the data.

Within 48 hours, Progent was able to restore Active Directory services to its pre-penetration state. Progent then completed reinstallations and hard drive recovery on critical servers. All Exchange ties and attributes were usable, which accelerated the rebuild of Exchange. Progent was able to find intact OST files (Outlook Off-Line Data Files) on various desktop computers in order to recover mail information. A recent offline backup of the customer's financials/MRP systems made them able to recover these vital programs back available to users. Although a large amount of work still had to be done to recover completely from the Ryuk event, the most important systems were restored rapidly:


"For the most part, the production manufacturing operation ran fairly normal throughout and we did not miss any customer deliverables."

Throughout the following couple of weeks critical milestones in the restoration project were made through tight cooperation between Progent consultants and the client:

  • In-house web sites were returned to operation with no loss of data.
  • The MailStore Server containing more than four million archived messages was restored to operations and accessible to users.
  • CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory functions were completely restored.
  • A new Palo Alto Networks 850 firewall was installed and configured.
  • Most of the user desktops and notebooks were functioning as before the incident.

"A huge amount of what went on in the initial days is mostly a haze for me, but I will not soon forget the countless hours each and every one of you accomplished to give us our business back. I have utilized Progent for at least 10 years, possibly more, and every time I needed help Progent has shined and delivered as promised. This event was a testament to your capabilities."

Conclusion
A probable enterprise-killing disaster was dodged through the efforts of results-oriented experts, a broad range of knowledge, and tight collaboration. Although in post mortem the crypto-ransomware virus penetration described here could have been identified and prevented with modern security technology solutions and best practices, user and IT administrator training, and well thought out security procedures for backup and applying software patches, the reality remains that state-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do fall victim to a crypto-ransomware virus, remember that Progent's roster of professionals has extensive experience in ransomware virus defense, mitigation, and information systems restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for letting me get rested after we got through the most critical parts. Everyone did an amazing job, and if any of your team is in the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Edmonton a portfolio of remote monitoring and security assessment services to help you to reduce the threat from ransomware. These services incorporate next-generation machine learning technology to detect new strains of ransomware that can escape detection by legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's cutting edge behavior machine learning technology to defend physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which easily get by traditional signature-based AV products. ProSight Active Security Monitoring protects local and cloud resources and provides a unified platform to automate the entire malware attack progression including protection, infiltration detection, mitigation, remediation, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer protection for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, endpoint management, and web filtering through leading-edge tools incorporated within one agent managed from a unified console. Progent's security and virtualization experts can help you to design and implement a ProSight ESP environment that addresses your company's specific requirements and that helps you demonstrate compliance with legal and industry information security standards. Progent will assist you define and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that require urgent attention. Progent can also help your company to set up and test a backup and restore solution like ProSight Data Protection Services so you can recover quickly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has partnered with advanced backup technology companies to create ProSight Data Protection Services, a portfolio of management offerings that deliver backup-as-a-service. ProSight DPS products automate and track your backup processes and allow transparent backup and fast recovery of important files/folders, apps, system images, plus VMs. ProSight DPS lets you avoid data loss caused by equipment breakdown, natural calamities, fire, malware such as ransomware, user mistakes, ill-intentioned employees, or application bugs. Managed services available in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to determine which of these managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top data security companies to deliver web-based management and comprehensive protection for all your email traffic. The hybrid structure of Email Guard combines a Cloud Protection Layer with a local security gateway device to provide complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne threats. The Cloud Protection Layer serves as a first line of defense and blocks most threats from reaching your network firewall. This decreases your vulnerability to external attacks and saves system bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a further layer of inspection for incoming email. For outgoing email, the onsite gateway provides AV and anti-spam protection, DLP, and email encryption. The onsite security gateway can also assist Exchange Server to track and safeguard internal email that stays inside your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to map, track, optimize and debug their connectivity appliances such as routers and switches, firewalls, and access points plus servers, printers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are always updated, captures and displays the configuration information of virtually all devices connected to your network, monitors performance, and generates alerts when potential issues are detected. By automating time-consuming network management activities, WAN Watch can knock hours off common chores like network mapping, expanding your network, finding devices that need important updates, or isolating performance bottlenecks. Find out more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your network operating efficiently by checking the state of critical assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your designated IT management personnel and your assigned Progent consultant so all looming issues can be addressed before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host set up and maintained by Progent's network support experts. Under the ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the applications. Because the system is virtualized, it can be ported immediately to a different hardware environment without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and safeguard information related to your IT infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be warned automatically about impending expirations of SSLs or domains. By cleaning up and managing your IT documentation, you can eliminate up to 50% of time thrown away trying to find vital information about your IT network. ProSight IT Asset Management includes a common repository for storing and sharing all documents required for managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're making improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you need as soon as you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection service that utilizes cutting edge behavior-based machine learning tools to guard endpoints and physical and virtual servers against new malware assaults such as ransomware and file-less exploits, which easily evade legacy signature-matching anti-virus tools. Progent Active Security Monitoring services protect on-premises and cloud-based resources and offers a single platform to manage the entire threat lifecycle including blocking, infiltration detection, mitigation, cleanup, and forensics. Key features include one-click rollback with Windows VSS and automatic system-wide immunization against new threats. Learn more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Service Center: Call Center Managed Services
    Progent's Help Center managed services permit your IT group to offload Support Desk services to Progent or split activity for Service Desk support seamlessly between your internal support team and Progent's nationwide roster of certified IT support engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a smooth extension of your core support group. User access to the Help Desk, delivery of support services, problem escalation, ticket generation and updates, performance measurement, and maintenance of the service database are cohesive whether issues are resolved by your internal support organization, by Progent, or by a combination. Read more about Progent's outsourced/shared Help Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management offer organizations of all sizes a flexible and affordable alternative for assessing, validating, scheduling, applying, and tracking software and firmware updates to your ever-evolving information network. Besides optimizing the protection and functionality of your IT network, Progent's patch management services allow your IT team to focus on more strategic projects and tasks that derive the highest business value from your information network. Find out more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo MFA managed services incorporate Cisco's Duo cloud technology to defend against stolen passwords through the use of two-factor authentication. Duo enables one-tap identity verification with iOS, Google Android, and other out-of-band devices. With 2FA, whenever you log into a protected online account and give your password you are asked to confirm your identity on a device that only you have and that is accessed using a separate network channel. A broad selection of devices can be used for this second means of authentication including an iPhone or Android or watch, a hardware/software token, a landline telephone, etc. You may designate multiple validation devices. For details about ProSight Duo identity authentication services, visit Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding suite of real-time management reporting plug-ins designed to integrate with the top ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize critical issues like inconsistent support follow-up or machines with out-of-date AVs. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting improves network value, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For 24-7 Edmonton Crypto Repair Help, call Progent at 800-462-8800 or go to Contact Progent.