Ransomware : Your Worst Information Technology Catastrophe
Ransomware  Recovery ProfessionalsCrypto-Ransomware has become an escalating cyber pandemic that presents an extinction-level danger for businesses unprepared for an attack. Multiple generations of crypto-ransomware like the Reveton, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for years and continue to inflict havoc. Newer versions of ransomware like Ryuk and Hermes, plus more unnamed newcomers, not only encrypt online information but also infect many available system backups. Files synched to the cloud can also be encrypted. In a poorly designed data protection solution, this can render any recovery impossible and effectively knocks the datacenter back to square one.

Recovering programs and data following a ransomware outage becomes a sprint against the clock as the targeted organization tries its best to contain and clear the ransomware and to resume business-critical activity. Because ransomware needs time to replicate, assaults are usually sprung on weekends, when successful penetrations typically take more time to recognize. This compounds the difficulty of quickly mobilizing and organizing a knowledgeable mitigation team.

Progent provides a variety of services for protecting organizations from crypto-ransomware events. These include staff education to help recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of next-generation security gateways with AI technology to quickly discover and disable new cyber threats. Progent in addition can provide the assistance of expert ransomware recovery engineers with the skills and commitment to rebuild a compromised environment as urgently as possible.

Progent's Crypto-Ransomware Recovery Services
After a ransomware penetration, even paying the ransom in cryptocurrency does not provide any assurance that cyber criminals will respond with the keys to decrypt all your files. Kaspersky Labs estimated that 17% of crypto-ransomware victims never restored their files even after having paid the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is greatly above the average ransomware demands, which ZDNET determined to be approximately $13,000. The other path is to piece back together the essential parts of your Information Technology environment. Without access to essential information backups, this calls for a wide range of skills, professional team management, and the willingness to work non-stop until the recovery project is complete.

For decades, Progent has provided certified expert Information Technology services for businesses in Minneapolis and throughout the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have attained advanced industry certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have garnered internationally-recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has experience in accounting and ERP software solutions. This breadth of experience provides Progent the ability to rapidly understand necessary systems and integrate the remaining pieces of your IT environment following a ransomware penetration and rebuild them into a functioning system.

Progent's security group deploys powerful project management applications to coordinate the sophisticated recovery process. Progent understands the urgency of acting rapidly and in unison with a customerís management and IT staff to assign priority to tasks and to get essential systems back on line as soon as humanly possible.

Business Case Study: A Successful Ransomware Attack Recovery
A client sought out Progent after their network was attacked by Ryuk ransomware. Ryuk is believed to have been created by Northern Korean government sponsored criminal gangs, possibly adopting strategies exposed from the U.S. National Security Agency. Ryuk targets specific businesses with limited ability to sustain disruption and is among the most lucrative instances of ransomware malware. High publicized victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company located in the Chicago metro area and has around 500 employees. The Ryuk intrusion had paralyzed all business operations and manufacturing processes. Most of the client's information backups had been on-line at the time of the attack and were eventually encrypted. The client was evaluating paying the ransom (exceeding two hundred thousand dollars) and hoping for the best, but in the end engaged Progent.


"I cannot tell you enough about the help Progent provided us during the most critical period of (our) companyís survival. We had little choice but to pay the cybercriminals except for the confidence the Progent experts afforded us. That you could get our messaging and key applications back into operation faster than seven days was earth shattering. Each expert I interacted with or texted at Progent was absolutely committed on getting our company operational and was working 24 by 7 on our behalf."

Progent worked hand in hand the client to quickly assess and prioritize the key services that needed to be restored to make it possible to continue departmental operations:

  • Windows Active Directory
  • E-Mail
  • Accounting/MRP
To begin, Progent adhered to AV/Malware Processes incident mitigation industry best practices by stopping lateral movement and clearing infected systems. Progent then began the task of restoring Microsoft AD, the foundation of enterprise systems built on Microsoft Windows technology. Microsoft Exchange messaging will not function without Windows AD, and the businessesí financials and MRP software utilized Microsoft SQL Server, which requires Active Directory services for authentication to the database.

Within 48 hours, Progent was able to rebuild Active Directory to its pre-penetration state. Progent then assisted with rebuilding and hard drive recovery of key applications. All Exchange schema and attributes were usable, which accelerated the restore of Exchange. Progent was able to collect intact OST files (Outlook Email Offline Folder Files) on staff workstations and laptops in order to recover mail data. A recent offline backup of the businesses financials/ERP systems made it possible to restore these essential applications back available to users. Although a lot of work needed to be completed to recover completely from the Ryuk event, core systems were recovered rapidly:


"For the most part, the production manufacturing operation did not miss a beat and we did not miss any customer deliverables."

Over the following month important milestones in the restoration project were made through tight collaboration between Progent consultants and the customer:

  • In-house web applications were brought back up without losing any information.
  • The MailStore Exchange Server exceeding four million archived emails was spun up and available for users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control capabilities were 100 percent recovered.
  • A new Palo Alto Networks 850 security appliance was installed.
  • 90% of the user PCs were fully operational.

"Much of what occurred those first few days is nearly entirely a fog for me, but my team will not forget the care each and every one of the team accomplished to give us our business back. I have utilized Progent for the past 10 years, maybe more, and every time Progent has shined and delivered as promised. This event was the most impressive ever."

Conclusion
A potential company-ending catastrophe was dodged through the efforts of top-tier experts, a broad spectrum of subject matter expertise, and tight teamwork. Although in hindsight the crypto-ransomware virus attack detailed here would have been identified and blocked with current security technology and best practices, team education, and well designed security procedures for data protection and keeping systems up to date with security patches, the reality is that state-sponsored hackers from Russia, China and elsewhere are relentless and are not going away. If you do get hit by a crypto-ransomware incursion, remember that Progent's team of professionals has substantial experience in ransomware virus blocking, remediation, and information systems recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), Iím grateful for letting me get some sleep after we got through the first week. Everyone did an impressive effort, and if anyone is in the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Minneapolis a portfolio of remote monitoring and security evaluation services designed to help you to reduce the threat from crypto-ransomware. These services include next-generation AI technology to uncover new variants of ransomware that can get past traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes next generation behavior machine learning technology to defend physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which easily escape legacy signature-matching anti-virus tools. ProSight ASM protects local and cloud-based resources and offers a unified platform to automate the complete threat progression including protection, identification, mitigation, cleanup, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer security for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and responding to security threats from all attack vectors. ProSight ESP provides two-way firewall protection, penetration alerts, device management, and web filtering via cutting-edge tools incorporated within one agent accessible from a single console. Progent's data protection and virtualization experts can help your business to design and configure a ProSight ESP environment that addresses your organization's unique needs and that allows you achieve and demonstrate compliance with legal and industry information security regulations. Progent will assist you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for urgent attention. Progent can also assist you to install and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and medium-sized businesses an affordable and fully managed service for reliable backup/disaster recovery (BDR). Available at a fixed monthly rate, ProSight Data Protection Services automates and monitors your backup activities and allows rapid restoration of vital data, apps and VMs that have become unavailable or corrupted as a result of hardware breakdowns, software bugs, disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware images/. Critical data can be protected on the cloud, to an on-promises device, or mirrored to both. Progent's BDR consultants can provide advanced expertise to set up ProSight DPS to be compliant with regulatory standards like HIPAA, FIRPA, and PCI and, when necessary, can assist you to restore your critical information. Read more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading data security vendors to deliver web-based management and world-class security for your inbound and outbound email. The powerful structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises security gateway appliance to offer advanced protection against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps most threats from reaching your security perimeter. This reduces your exposure to inbound attacks and conserves system bandwidth and storage. Email Guard's on-premises security gateway device provides a further level of inspection for inbound email. For outgoing email, the on-premises gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to track and protect internal email traffic that stays inside your security perimeter. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progentís ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller businesses to map, monitor, reconfigure and troubleshoot their connectivity hardware like routers and switches, firewalls, and wireless controllers as well as servers, printers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network maps are always current, captures and manages the configuration of virtually all devices connected to your network, tracks performance, and generates notices when issues are detected. By automating tedious management and troubleshooting activities, ProSight WAN Watch can knock hours off common chores such as making network diagrams, reconfiguring your network, locating devices that require important software patches, or identifying the cause of performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your network running efficiently by tracking the health of vital assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your designated IT personnel and your assigned Progent engineering consultant so that all potential issues can be addressed before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure Tier III data center on a fast virtual machine host configured and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting model, the client owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be ported easily to a different hosting solution without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and protect data about your network infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates ,domains or warranties. By updating and managing your IT documentation, you can save as much as half of time wasted searching for vital information about your network. ProSight IT Asset Management includes a common repository for storing and sharing all documents related to managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether youíre making enhancements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you require as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.
For Minneapolis 24x7 Crypto-Ransomware Remediation Help, call Progent at 800-993-9400 or go to Contact Progent.