Ransomware : Your Worst IT Disaster
Crypto-Ransomware  Remediation ConsultantsRansomware has become a too-frequent cyber pandemic that presents an extinction-level threat for businesses of all sizes unprepared for an assault. Versions of crypto-ransomware like the CryptoLocker, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been replicating for many years and still cause damage. Recent strains of crypto-ransomware such as Ryuk and Hermes, along with more as yet unnamed newcomers, not only encrypt on-line data files but also infiltrate most available system protection. Data synched to the cloud can also be corrupted. In a poorly designed data protection solution, it can render automated recovery hopeless and effectively sets the network back to zero.

Getting back online services and information following a crypto-ransomware event becomes a race against the clock as the targeted organization fights to stop lateral movement and eradicate the crypto-ransomware and to resume business-critical operations. Because ransomware takes time to replicate, penetrations are often sprung during weekends and nights, when attacks may take longer to uncover. This multiplies the difficulty of rapidly mobilizing and organizing a capable response team.

Progent makes available a variety of solutions for securing organizations from crypto-ransomware penetrations. These include team education to help recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of modern security appliances with AI technology to rapidly discover and suppress day-zero cyber attacks. Progent in addition can provide the assistance of expert ransomware recovery engineers with the talent and commitment to rebuild a compromised system as soon as possible.

Progent's Crypto-Ransomware Recovery Support Services
Following a ransomware penetration, paying the ransom in Bitcoin cryptocurrency does not ensure that distant criminals will return the needed keys to decipher any of your information. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their files even after having paid the ransom, resulting in additional losses. The risk is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is significantly above the typical ransomware demands, which ZDNET averages to be approximately $13,000. The other path is to setup from scratch the essential elements of your IT environment. Absent the availability of essential system backups, this calls for a wide range of skills, professional project management, and the capability to work 24x7 until the task is done.

For twenty years, Progent has provided expert IT services for companies in Ottawa and throughout the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have attained advanced certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have garnered internationally-renowned industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has experience in accounting and ERP software solutions. This breadth of experience provides Progent the ability to efficiently understand necessary systems and re-organize the remaining components of your network environment after a ransomware penetration and assemble them into a functioning system.

Progent's recovery team of experts deploys state-of-the-art project management applications to orchestrate the complicated recovery process. Progent knows the urgency of acting rapidly and in concert with a client's management and Information Technology resources to prioritize tasks and to get critical applications back on line as soon as possible.

Customer Case Study: A Successful Ransomware Virus Restoration
A small business escalated to Progent after their company was penetrated by Ryuk ransomware. Ryuk is believed to have been launched by Northern Korean state criminal gangs, suspected of using techniques leaked from the U.S. National Security Agency. Ryuk goes after specific businesses with little tolerance for disruption and is among the most lucrative versions of ransomware. Headline organizations include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing company headquartered in the Chicago metro area with about 500 workers. The Ryuk penetration had frozen all company operations and manufacturing processes. Most of the client's backups had been on-line at the start of the intrusion and were damaged. The client was evaluating paying the ransom (more than two hundred thousand dollars) and praying for good luck, but ultimately called Progent.


"I cannot speak enough in regards to the care Progent gave us throughout the most critical period of (our) businesses survival. We most likely would have paid the cyber criminals behind the attack except for the confidence the Progent group afforded us. That you could get our messaging and critical applications back on-line sooner than seven days was beyond my wildest dreams. Each consultant I got help from or messaged at Progent was amazingly focused on getting us operational and was working non-stop on our behalf."

Progent worked hand in hand the customer to quickly determine and prioritize the most important elements that had to be addressed to make it possible to restart business functions:

  • Windows Active Directory
  • Microsoft Exchange
  • Accounting and Manufacturing Software
To begin, Progent followed Anti-virus event mitigation industry best practices by stopping the spread and removing active viruses. Progent then initiated the steps of restoring Microsoft AD, the core of enterprise networks built upon Microsoft technology. Exchange email will not operate without Active Directory, and the businessesí MRP system used SQL Server, which needs Windows AD for authentication to the database.

In less than 2 days, Progent was able to re-build Active Directory services to its pre-penetration state. Progent then performed rebuilding and hard drive recovery of the most important servers. All Microsoft Exchange Server ties and configuration information were usable, which facilitated the restore of Exchange. Progent was able to locate non-encrypted OST files (Outlook Email Off-Line Data Files) on various desktop computers in order to recover email information. A not too old offline backup of the client's accounting/MRP systems made it possible to recover these essential programs back servicing users. Although significant work needed to be completed to recover completely from the Ryuk virus, critical services were recovered rapidly:


"For the most part, the production manufacturing operation showed little impact and we produced all customer shipments."

Throughout the following few weeks key milestones in the restoration project were achieved through tight collaboration between Progent consultants and the client:

  • Internal web applications were returned to operation without losing any data.
  • The MailStore Server containing more than four million historical emails was brought online and accessible to users.
  • CRM/Product Ordering/Invoices/AP/AR/Inventory Control modules were 100 percent restored.
  • A new Palo Alto 850 firewall was deployed.
  • Most of the desktops and laptops were back into operation.

"A lot of what went on those first few days is mostly a blur for me, but our team will not forget the countless hours all of your team put in to help get our business back. Iíve been working with Progent for the past 10 years, possibly more, and each time I needed help Progent has shined and delivered as promised. This event was the most impressive ever."

Conclusion
A probable business-ending disaster was avoided with top-tier experts, a wide spectrum of knowledge, and close collaboration. Although in retrospect the ransomware penetration described here should have been identified and blocked with up-to-date cyber security systems and recognized best practices, user education, and well designed incident response procedures for data protection and keeping systems up to date with security patches, the reality remains that state-sponsored hackers from Russia, China and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware incident, remember that Progent's roster of experts has proven experience in ransomware virus defense, cleanup, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were helping), Iím grateful for letting me get rested after we got past the initial fire. Everyone did an impressive effort, and if any of your team is around the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Ottawa a range of remote monitoring and security evaluation services designed to help you to minimize the threat from ransomware. These services utilize modern artificial intelligence technology to uncover new strains of crypto-ransomware that are able to evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates next generation behavior machine learning technology to defend physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which easily escape traditional signature-matching anti-virus tools. ProSight ASM safeguards on-premises and cloud resources and provides a unified platform to address the complete malware attack lifecycle including filtering, detection, containment, remediation, and forensics. Top features include one-click rollback with Windows VSS and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection services deliver affordable multi-layer protection for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and responding to cyber assaults from all vectors. ProSight ESP offers two-way firewall protection, penetration alerts, device management, and web filtering through leading-edge tools incorporated within one agent accessible from a single console. Progent's security and virtualization experts can help you to plan and configure a ProSight ESP deployment that addresses your company's specific requirements and that allows you prove compliance with legal and industry data security standards. Progent will help you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for urgent attention. Progent can also help you to set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and medium-sized businesses an affordable end-to-end solution for secure backup/disaster recovery (BDR). For a fixed monthly rate, ProSight DPS automates and monitors your backup activities and enables fast restoration of vital files, apps and VMs that have become unavailable or damaged due to component failures, software bugs, disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, apps, system images, as well as Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to an on-promises storage device, or mirrored to both. Progent's backup and recovery consultants can provide advanced expertise to set up ProSight DPS to be compliant with government and industry regulatory standards like HIPAA, FIRPA, PCI and Safe Harbor and, whenever needed, can assist you to restore your business-critical data. Read more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading data security vendors to provide centralized management and world-class protection for your email traffic. The hybrid architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local security gateway device to offer complete protection against spam, viruses, Dos Attacks, DHAs, and other email-borne malware. The Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of unwanted email from reaching your security perimeter. This decreases your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's on-premises gateway appliance provides a further layer of analysis for incoming email. For outbound email, the local gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Exchange Server to monitor and protect internal email that stays within your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progentís ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller organizations to map out, monitor, reconfigure and troubleshoot their connectivity appliances like routers and switches, firewalls, and wireless controllers as well as servers, printers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology maps are always current, copies and manages the configuration information of virtually all devices on your network, tracks performance, and sends alerts when issues are discovered. By automating tedious management and troubleshooting activities, ProSight WAN Watch can cut hours off ordinary chores such as making network diagrams, reconfiguring your network, finding devices that need critical software patches, or resolving performance issues. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring service that uses advanced remote monitoring and management technology to keep your network running efficiently by tracking the health of critical computers that drive your business network. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your designated IT management personnel and your assigned Progent engineering consultant so that all looming issues can be resolved before they have a chance to impact your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected fault tolerant data center on a fast virtual machine host set up and maintained by Progent's network support professionals. With the ProSight Virtual Hosting service model, the client owns the data, the OS platforms, and the applications. Since the environment is virtualized, it can be moved immediately to a different hosting environment without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not tied a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and safeguard data about your IT infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be warned automatically about impending expirations of SSLs or warranties. By cleaning up and organizing your IT documentation, you can eliminate as much as half of time spent searching for critical information about your IT network. ProSight IT Asset Management includes a common location for storing and sharing all documents related to managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether youíre making improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Learn more about ProSight IT Asset Management service.
For Ottawa 24-Hour Ransomware Remediation Consulting, reach out to Progent at 800-993-9400 or go to Contact Progent.