Ransomware : Your Worst IT Nightmare
Crypto-ransomware has become an all-too-frequent cyber pandemic that poses an existential danger to organizations unprepared for an attack. Versions of ransomware such as CrySIS, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been around for a long time and still inflict havoc. Newer strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, as well as a steady stream of as-yet-unnamed newcomers, not only encrypt online data but also defeat many of the system protections that are in place. Information synchronized to cloud environments can also be ransomed. In a poorly architected environment, this can render any restoration hopeless and effectively sets the entire system back to square one.
Recovering programs and data after a ransomware intrusion becomes a race against the clock as the victim struggles to contain and remove the ransomware and to restore mission-critical operations. Since ransomware needs time to spread, intrusions are usually launched at night, when a successful attack may take longer to recognize. This multiplies the difficulty of quickly marshalling and coordinating a knowledgeable response team.
Progent offers an assortment of solutions for securing organizations against ransomware events. These include staff education to recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of the latest generation of AI-enabled security solutions to rapidly discover and extinguish zero-day threats. Progent also offers the assistance of experienced ransomware recovery engineers with the skills and commitment to restore a compromised system as urgently as possible.
Progent's Ransomware Restoration Services
Following a ransomware event, paying the ransom in cryptocurrency does not guarantee that the criminal gang will provide the keys to decrypt any or all of your information. Kaspersky Labs determined that 17% of ransomware victims never recovered their files after sending off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the usual crypto-ransomware demand, which ZDNET determined to be approximately $13,000. The alternative is to rebuild the key components of your IT environment. Without essential system backups available, this requires a broad complement of skill sets, well-coordinated team management, and the ability to work 24x7 until the recovery project is complete.
For twenty years, Progent has provided expert IT services for companies in Ontario and throughout the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained top certifications in leading technologies from Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have earned internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience in financial systems and ERP application software. This breadth of expertise gives Progent the ability to rapidly identify critical systems, consolidate the remaining pieces of your IT environment after a ransomware attack, and assemble them into an operational network.
Progent's ransomware team deploys state-of-the-art project management systems to coordinate the complicated recovery process. Progent appreciates the urgency of acting quickly and in unison with a client's management and IT staff to prioritize tasks and to put critical services back online as fast as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Virus Restoration
A small business engaged Progent after its network was attacked by Ryuk crypto-ransomware. Ryuk is believed to have been deployed by North Korean state criminal gangs, possibly using techniques leaked from America's NSA. Ryuk targets specific organizations with limited ability to sustain disruption and is one of the most lucrative incarnations of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in Chicago with around 500 staff members. The Ryuk intrusion had frozen all essential business and manufacturing processes. Most of the client's data backups had been online at the start of the attack and were encrypted. The client was taking steps to pay the ransom demand (more than $200,000) and hoping for the best, but ultimately engaged Progent.
"I can't say enough in regards to the care Progent provided us throughout the most fearful time of (our) business's life. We most likely would have paid the hackers behind this attack if it wasn't for the confidence the Progent team provided us. That you could get our e-mail system and key servers back into operation faster than five days was incredible. Each consultant I worked with or messaged at Progent was urgently focused on getting us working again and was working 24 by 7 on our behalf."
Progent worked together with the client to rapidly understand and prioritize the most important services that needed to be addressed to make it possible to continue company operations:
- Microsoft Active Directory
- Microsoft Exchange
To begin, Progent followed industry best practices for malware incident containment by isolating infected systems and cleaning them. Progent then started the process of rebuilding Microsoft Active Directory (AD), the heart of enterprise environments built on Microsoft technology. Microsoft Exchange Server email will not function without Active Directory, and the customer's accounting and MRP applications relied on Microsoft SQL Server, which depends on Active Directory services for access to the data.
In less than 48 hours, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then assisted with reinstallations and hard drive recovery on the servers that needed them. All Exchange Server connections and configuration information were intact, which facilitated the rebuild of Exchange. Progent was able to collect unencrypted OST files (Outlook Offline Folder Files) from user workstations in order to recover mail data. A reasonably recent offline backup of the client's accounting/MRP systems made it possible to return these essential services to users. Although significant work still had to be done to recover completely from the Ryuk event, core services were returned to operation rapidly:
"For the most part, the assembly line operation ran fairly normal throughout and we made all customer sales."
Over the following few weeks, important milestones in the recovery project were reached through close collaboration between Progent engineers and the client:
- In-house web applications were restored with no loss of information.
- The MailStore Server containing more than 4 million historical messages was restored to operations and available for users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control modules were completely recovered.
- A new Palo Alto Networks 850 security appliance was set up.
- Nearly all of the user desktops and notebooks were back into operation.
"Much of what was accomplished that first week is mostly a blur for me, but we will not soon forget the commitment each of the team put in to give us our business back. I've utilized Progent for the past 10 years, maybe more, and each time I needed help Progent has impressed me and delivered as promised. This situation was a stunning achievement."
A likely business-ending catastrophe was averted through the efforts of results-oriented professionals, a broad spectrum of subject matter expertise, and close collaboration. In hindsight, the crypto-ransomware incident described here could have been identified and stopped with current cybersecurity solutions and best practices, team training, well-designed incident response procedures for information protection, and proper patching controls. The reality remains, however, that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to ransomware, remember that Progent's roster of experts has substantial experience in crypto-ransomware defense, cleanup, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were helping), I'm grateful for allowing me to get rested after we made it over the initial fire. All of you did a fabulous job, and if any of your team is in the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this customer story, see Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Ontario a variety of online monitoring and security assessment services designed to help you reduce the threat from crypto-ransomware. These services incorporate next-generation AI technology to uncover zero-day strains of ransomware that are able to get past legacy signature-based security solutions.
For Ontario 24x7x365 CryptoLocker Remediation Services, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses next-generation behavior-based analysis technology to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which easily evade traditional signature-matching AV products. ProSight ASM safeguards on-premises and cloud resources and provides a unified platform to manage the entire malware attack progression, including blocking, detection, mitigation, cleanup, and post-attack forensics. Key features include one-click rollback using the Windows Volume Shadow Copy Service and automatic network-wide immunization against newly detected attacks. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services deliver economical in-depth protection for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and response to attacks from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device control, and web filtering via cutting-edge technologies packaged within a single agent managed from a unified console. Progent's security and virtualization consultants can assist your business to design and implement a ProSight ESP environment that addresses your company's unique needs and that helps you achieve and demonstrate compliance with legal and industry information security standards. Progent will help you specify and implement the security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that require urgent action. Progent can also assist your company to set up and verify a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business rapidly after a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services (DPS) offer small and medium-sized organizations an affordable and fully managed service for secure backup and disaster recovery (BDR). Available at a low monthly cost, ProSight DPS automates your backup activities and allows rapid restoration of critical files, applications and virtual machines that have become unavailable or damaged as a result of hardware failures, software glitches, disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to a local device, or mirrored to both. Progent's backup and recovery specialists can provide advanced expertise to set up ProSight DPS to comply with government and industry regulatory requirements such as HIPAA, FERPA, and PCI and, when needed, can assist you to recover your critical information. Read more about ProSight DPS Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading data security companies to deliver centralized management and comprehensive security for all your email traffic. The layered architecture of Email Guard integrates cloud-based filtering with an on-premises gateway device to offer advanced protection against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-borne malware. Email Guard's cloud filter serves as a first line of defense and keeps most threats from reaching your security perimeter. This decreases your exposure to inbound attacks and saves network bandwidth and storage space. Email Guard's on-premises gateway appliance adds a further layer of inspection for incoming email. For outbound email, the on-premises gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The on-site security gateway can also help Exchange Server monitor and safeguard internal email traffic that stays inside your corporate firewall. For more details, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to map, track, enhance and troubleshoot their connectivity hardware such as routers, firewalls, and access points as well as servers, client computers and other networked devices. Using state-of-the-art RMM technology, WAN Watch makes sure that infrastructure topology diagrams are kept current, copies and manages the configuration of almost all devices on your network, tracks performance, and generates alerts when problems are detected. By automating complex network management processes, ProSight WAN Watch can cut hours off common tasks such as network mapping, reconfiguring your network, finding appliances that require critical updates, or isolating performance issues. Learn more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management technology to help keep your network running efficiently by tracking the state of the vital computers that drive your information system. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your designated IT staff and your assigned Progent engineering consultant so that potential problems can be resolved before they impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With the ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected, fault-tolerant data center on a high-performance virtual machine host set up and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the apps. Because the environment is virtualized, it can be ported immediately to a different hardware environment without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to create, update, find and protect information related to your network infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or warranties. By keeping your IT documentation current and well organized, you can save as much as half of the time wasted looking for vital information about your network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents required for managing your business network, such as standard operating procedures (SOPs) and how-tos. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're making improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you require when you need it. Read more about Progent's ProSight IT Asset Management service.