Ransomware : Your Crippling IT Disaster
Ransomware Recovery Consultants
Ransomware has become an escalating cyberplague that poses an existential threat to vulnerable organizations. Earlier iterations of ransomware such as the Reveton, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been circulating for years and still inflict harm. Recent crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Nephilim, plus more unnamed malware, not only encrypt online data but also compromise most configured system protections. Data replicated to the cloud can also be corrupted. In a poorly designed system, this can make any restore operation impossible and effectively knocks the network back to zero.

Getting services and data back online after a crypto-ransomware intrusion becomes a race against time as the victim struggles to contain and remove the malware and to resume business-critical activity. Because crypto-ransomware needs time to move laterally, attacks are frequently sprung on weekends and holidays, when intrusions typically take longer to discover. This compounds the difficulty of quickly marshalling and coordinating a knowledgeable mitigation team.

Progent makes available a range of services for securing businesses against crypto-ransomware attacks. Among these are user education to help staff identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of next-generation security appliances with AI capabilities from SentinelOne to identify and disable zero-day attacks quickly. Progent can also provide seasoned crypto-ransomware recovery professionals with the skills and perseverance to reconstruct a compromised network as soon as possible.

Progent's Ransomware Restoration Help
After a ransomware attack, even paying the ransom demand in Bitcoin cryptocurrency provides no assurance that merciless criminals will return the keys to decrypt any of your files. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their data after sending off the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far above the average ransomware demand, which ZDNet estimates at approximately $13,000. The other path is to rebuild the essential parts of your Information Technology environment from scratch. Without essential data backups, this calls for a wide range of skill sets, professional project management, and the capability to work 24x7 until the recovery project is completed.

For two decades, Progent has provided expert IT services for businesses in Edmonton and throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have attained high-level certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have garnered internationally renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience in financial systems and ERP applications. This breadth of experience gives Progent the skills to identify critical systems, integrate the surviving pieces of your IT environment after a ransomware penetration, and assemble them into an operational network.

Progent's recovery team of experts deploys state-of-the-art project management tools to orchestrate the complex restoration process. Progent understands the urgency of acting quickly and in concert with a customer's management and Information Technology staff to prioritize tasks and to put essential applications back online as fast as humanly possible.

Business Case Study: A Successful Ransomware Virus Recovery
A customer hired Progent after their company was taken over by the Ryuk ransomware. Ryuk is believed to have been created by North Korean state-sponsored cybercriminals, suspected of using technology leaked from the United States National Security Agency. Ryuk targets specific companies with little room for disruption and is one of the most lucrative iterations of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in Chicago with about 500 employees. The Ryuk attack had frozen all company operations and manufacturing capabilities. The majority of the client's data backups had been online at the time of the intrusion and were damaged. The client was taking steps to pay the ransom (exceeding two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.


"I can't thank you enough in regards to the expertise Progent gave us throughout the most fearful period of (our) company's existence. We had little choice but to pay the cybercriminals if it wasn't for the confidence the Progent group gave us. The fact that you could get our e-mail system and important applications back in less than one week was earth shattering. Every single person I worked with or communicated with at Progent was absolutely committed on getting our company operational and was working at all hours on our behalf."

Progent worked hand in hand with the client to rapidly identify and prioritize the key applications that had to be restored in order to continue departmental operations:

  • Active Directory (AD)
  • Microsoft Exchange Server
  • Financials/MRP

To start, Progent adhered to ransomware incident response industry best practices by isolating and clearing infected systems. Progent then began the work of rebuilding Microsoft Active Directory, the foundational technology of enterprise systems built on Microsoft products. Microsoft Exchange email will not function without Windows AD, and the customer's accounting and MRP applications leveraged SQL Server, which depends on Active Directory services for security authorization to the database.
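The restore order described above (Active Directory first, then Exchange and SQL Server, then the applications that sit on them) is a dependency problem. The following Python script is an added example, not Progent's tooling or anything from the case study: it encodes service dependencies modelled on the case study as a small graph and computes a restoration sequence with a topological sort, so that no service is scheduled before its prerequisites. The service names, dependency edges and business priorities are assumptions constructed for the example.

```python
"""Dependency-ordered recovery planner (added example, not Progent's code).

Encodes which services must be up before others can work and produces a
restore order that respects those dependencies. Service names, edges and
priorities are constructed assumptions modelled on the case study.
"""

# Constructed dependency map: service -> services it needs before it can work.
SERVICE_DEPENDENCIES = {
    "Active Directory": [],
    "SQL Server": ["Active Directory"],
    "Microsoft Exchange Server": ["Active Directory"],
    "Financials/MRP": ["SQL Server"],
    "MailStore archive": ["Microsoft Exchange Server"],
    "Internal web applications": ["Active Directory", "SQL Server"],
}

# Business priority (lower value = restore sooner) breaks ties between
# services whose prerequisites are all satisfied at the same time.
BUSINESS_PRIORITY = {
    "Active Directory": 0,
    "Microsoft Exchange Server": 1,
    "Financials/MRP": 1,
    "SQL Server": 1,
    "Internal web applications": 2,
    "MailStore archive": 3,
}


def plan_recovery_order(deps, priority):
    """Return a restoration order using Kahn's algorithm (topological sort).

    Among services whose prerequisites are all restored, the one with the
    lowest business-priority value is scheduled first. Raises ValueError if
    the map contains a cycle, which would mean no valid restore order exists.
    """
    indegree = {svc: 0 for svc in deps}
    dependents = {svc: [] for svc in deps}
    for svc, prereqs in deps.items():
        for p in prereqs:
            if p not in deps:
                raise ValueError(f"unknown prerequisite {p!r} for {svc!r}")
            indegree[svc] += 1
            dependents[p].append(svc)

    ready = [svc for svc, d in indegree.items() if d == 0]
    order = []
    while ready:
        ready.sort(key=lambda s: (priority.get(s, 99), s))
        svc = ready.pop(0)
        order.append(svc)
        for child in dependents[svc]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)

    if len(order) != len(deps):
        raise ValueError("dependency cycle detected; no valid restore order")
    return order


def blocked_by(service, deps):
    """Transitive prerequisites of a service: everything that must be up first."""
    seen, stack = set(), list(deps[service])
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(deps[p])
    return seen


if __name__ == "__main__":
    for step, svc in enumerate(plan_recovery_order(SERVICE_DEPENDENCIES, BUSINESS_PRIORITY), 1):
        print(f"{step}. {svc}")
```

Running the script prints Active Directory first and the MailStore archive last; `blocked_by("Financials/MRP", ...)` shows why the ERP restore had to wait for both SQL Server and Active Directory. Replacing the constructed map with a real inventory of an environment's service dependencies turns the same code into a pre-incident runbook generator.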

In less than 48 hours, Progent was able to restore Active Directory services to their pre-attack state. Progent then performed installation and storage recovery for the required applications. All Exchange schema and attributes were intact, which accelerated the restore of Exchange. Progent was also able to locate intact OST files (Outlook Offline Folder Files) on staff workstations to recover email data. A reasonably recent offline backup of the customer's accounting/ERP systems made it possible to bring these required programs back online. Although a large amount of work still had to be done to recover fully from the Ryuk attack, the most important services were returned to operation rapidly:


"For the most part, the manufacturing operation did not miss a beat and we did not miss any customer shipments."
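The case study turns on one detail: the online backups were damaged, and only an offline copy made the ERP restore possible. Before trusting any replica during a recovery, a defender wants to know whether its files still match a known-good copy and, where they differ, whether the new contents look like ordinary edits or like ciphertext. The Python below is an added example, not Progent's or any vendor's code: it builds a SHA-256 manifest from a known-good (offline) copy, compares it against a replica, and uses Shannon entropy to separate plausible edits from files that appear to have been overwritten with encrypted data. The sample files, the in-memory "replica", and the 7.5 bits-per-byte threshold are all constructed assumptions.

```python
"""Backup-replica integrity check (added example; not Progent's or a vendor's code).

Compares a hash manifest taken from a known-good offline copy against a
replica and flags files whose content changed and now looks encrypted.
Sample files, replica and entropy threshold are constructed for the example.
"""
import hashlib
import math
import os
from collections import Counter

# Assumed threshold: well-compressed or encrypted data approaches 8.0 bits/byte,
# while text, CSV and most documents sit far lower.
ENTROPY_THRESHOLD = 7.5


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def build_manifest(files: dict) -> dict:
    """Map path -> SHA-256 of a known-good copy (for instance the offline backup)."""
    return {path: sha256(content) for path, content in files.items()}


def verify_replica(manifest: dict, replica: dict, threshold=ENTROPY_THRESHOLD) -> dict:
    """Classify each manifest entry against the replica.

    intact             hash matches the known-good copy
    modified           hash differs but content is still low-entropy (ordinary edit)
    suspect_encrypted  hash differs and content is high-entropy
    missing            path absent from the replica
    """
    report = {}
    for path, expected in manifest.items():
        if path not in replica:
            report[path] = "missing"
            continue
        data = replica[path]
        if sha256(data) == expected:
            report[path] = "intact"
        elif shannon_entropy(data) >= threshold:
            report[path] = "suspect_encrypted"
        else:
            report[path] = "modified"
    return report


def replica_is_trustworthy(report: dict) -> bool:
    """A replica with any encrypted-looking or missing file should not be restored from."""
    return not any(v in ("suspect_encrypted", "missing") for v in report.values())


# Constructed sample: the offline backup that is known to be good.
OFFLINE_BACKUP = {
    "erp/ledger.csv": b"account,debit,credit\n1000,250.00,0.00\n2000,0.00,250.00\n" * 50,
    "erp/orders.csv": b"order,sku,qty\n1,ABC-1,10\n2,XYZ-9,4\n" * 50,
    "docs/runbook.txt": b"Step 1: isolate affected hosts.\nStep 2: rebuild AD.\n" * 10,
}

# Constructed online replica: one file overwritten with random bytes (what an
# encrypted copy looks like), one legitimately edited, one untouched.
ONLINE_REPLICA = dict(OFFLINE_BACKUP)
ONLINE_REPLICA["erp/ledger.csv"] = os.urandom(len(OFFLINE_BACKUP["erp/ledger.csv"]))
ONLINE_REPLICA["docs/runbook.txt"] = OFFLINE_BACKUP["docs/runbook.txt"] + b"Step 3: restore Exchange.\n"


def run_check() -> dict:
    """Build the manifest from the offline copy and verify the online replica."""
    return verify_replica(build_manifest(OFFLINE_BACKUP), ONLINE_REPLICA)


if __name__ == "__main__":
    result = run_check()
    for path, status in sorted(result.items()):
        print(f"{status:18} {path}")
    print("replica trustworthy:", replica_is_trustworthy(result))
```

The manifest is the part that matters operationally: it has to be generated from the offline copy and stored where a domain-wide compromise cannot reach it, otherwise an attacker who encrypts the replica can rewrite the manifest to match. Entropy is a heuristic, so already-compressed or encrypted-by-design files (archives, media, encrypted databases) will score high even when untouched; for those, the hash comparison alone is the signal.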

Over the following few weeks key milestones in the restoration process were made in tight collaboration between Progent engineers and the client:

  • Internal web applications were brought back up without losing any data.
  • The MailStore archive for Microsoft Exchange Server, holding more than four million archived messages, was brought back online and made available to users.
  • CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory capabilities were 100% recovered.
  • A new Palo Alto 850 firewall was installed.
  • Nearly all user PCs were back in use by staff.

"Much of what was accomplished in the initial days is mostly a haze for me, but my team will not forget the care each of you put in to give us our business back. I've been working together with Progent for the past ten years, possibly more, and each time Progent has come through and delivered as promised. This time was the most impressive ever."

Conclusion
A possible business catastrophe was avoided by dedicated experts, a broad spectrum of subject matter expertise, and tight teamwork. In retrospect, the ransomware attack described here could have been identified and disabled with current cyber security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and well-designed incident response procedures for backup and for keeping systems current with security patches. The reality, however, is that state-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and will keep attacking. If you do get hit by a crypto-ransomware incident, be confident that Progent's roster of professionals has a proven track record in ransomware defense, cleanup, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were involved), thank you for making it so I could get some sleep after we made it past the initial push. All of you did a fabulous job, and if any of you guys are in the Chicago area, dinner is on me!"

To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Edmonton a portfolio of remote monitoring and security evaluation services designed to help you minimize your exposure to ransomware. These services include modern machine learning capability to uncover new variants of crypto-ransomware that are able to get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates SentinelOne's next generation behavior machine learning tools to defend physical and virtual endpoint devices against new malware assaults such as ransomware and email phishing, which easily evade legacy signature-matching AV tools. ProSight ASM safeguards on-premises and cloud resources and offers a single platform to manage the entire threat progression including blocking, infiltration detection, containment, remediation, and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Progent is a certified SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services offer ultra-affordable multi-layer protection for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and reacting to cyber assaults from all vectors. ProSight ESP offers firewall protection, penetration alerts, device management, and web filtering through leading-edge tools incorporated within one agent managed from a single console. Progent's security and virtualization consultants can assist your business to plan and configure a ProSight ESP environment that addresses your organization's specific needs and that allows you to achieve and demonstrate compliance with government and industry data protection standards. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent action. Progent's consultants can also help your company to set up and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has worked with advanced backup/restore technology providers to create ProSight Data Protection Services (DPS), a family of offerings that deliver backup-as-a-service (BaaS). ProSight DPS products manage and monitor your data backup operations and enable transparent backup and rapid recovery of important files/folders, applications, system images, plus Hyper-V and VMware virtual machines. ProSight DPS lets your business avoid data loss resulting from equipment failures, natural disasters, fire, cyber attacks like ransomware, human error, ill-intentioned insiders, or software bugs. Managed services in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight ECHO Backup using Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you to determine which of these fully managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top data security vendors to provide centralized control and world-class security for your inbound and outbound email. The hybrid structure of Progent's Email Guard managed service combines cloud-based filtering with an on-premises security gateway device to offer advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The Cloud Protection Layer serves as a preliminary barricade and keeps most unwanted email from reaching your network firewall. This reduces your exposure to inbound attacks and conserves network bandwidth and storage space. Email Guard's onsite gateway appliance provides a further level of analysis for inbound email. For outbound email, the local security gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Microsoft Exchange Server to monitor and protect internal email that originates and ends inside your corporate firewall. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to diagram, monitor, enhance and troubleshoot their connectivity hardware like routers, firewalls, and wireless controllers plus servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network maps are always current, captures and manages the configuration of virtually all devices on your network, monitors performance, and generates alerts when issues are detected. By automating complex management and troubleshooting processes, WAN Watch can cut hours off ordinary chores like making network diagrams, reconfiguring your network, locating appliances that need critical updates, or identifying the cause of performance issues. Find out more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management technology to help keep your network running efficiently by checking the health of critical assets that power your information system. When ProSight LAN Watch detects a problem, an alert is sent immediately to your designated IT management personnel and your Progent engineering consultant so that any looming issues can be addressed before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual host configured and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the apps. Since the system is virtualized, it can be ported easily to a different hardware solution without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, find and safeguard data about your IT infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or domains. By cleaning up and organizing your IT infrastructure documentation, you can eliminate up to half of time spent trying to find critical information about your IT network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents related to managing your business network like recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT information. Whether you're planning improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need as soon as you need it. Read more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that incorporates cutting-edge behavior-based machine learning technology to defend endpoints as well as servers and VMs against new malware assaults such as ransomware and file-less exploits, which easily get by legacy signature-matching AV tools. Progent Active Security Monitoring services protect local and cloud resources and offer a unified platform to automate the complete threat progression including filtering, infiltration detection, containment, cleanup, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Read more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Help Desk: Help Desk Managed Services
    Progent's Help Center services permit your information technology team to offload Call Center services to Progent or split responsibilities for Service Desk support seamlessly between your internal network support group and Progent's nationwide pool of certified IT service technicians, engineers and subject matter experts. Progent's Shared Service Desk offers a transparent supplement to your corporate network support group. End user access to the Help Desk, delivery of support, issue escalation, ticket creation and tracking, efficiency metrics, and management of the service database are cohesive whether incidents are resolved by your core support group, by Progent, or by a combination. Learn more about Progent's outsourced/shared Call Center services.

  • Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management offer businesses of any size a versatile and cost-effective alternative for evaluating, validating, scheduling, implementing, and tracking software and firmware updates to your ever-evolving information network. Besides maximizing the protection and functionality of your IT network, Progent's patch management services allow your in-house IT staff to concentrate on more strategic initiatives and tasks that derive the highest business value from your information network. Find out more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo MFA services utilize Cisco's Duo cloud technology to defend against password theft through the use of two-factor authentication (2FA). Duo enables single-tap identity confirmation with Apple iOS, Android, and other out-of-band devices. With 2FA, whenever you log into a protected online account and give your password you are requested to confirm who you are via a unit that only you possess and that uses a different ("out-of-band") network channel. A broad range of out-of-band devices can be used for this added means of authentication including a smartphone or watch, a hardware token, a landline phone, etc. You can register multiple validation devices. To find out more about Duo two-factor identity validation services, go to Duo MFA two-factor authentication services.

For 24/7/365 Edmonton Crypto-Ransomware Cleanup Help, contact Progent at 800-462-8800 or go to Contact Progent.