Ransomware : Your Crippling IT Nightmare
Crypto-Ransomware  Remediation ProfessionalsRansomware has become a modern cyberplague that poses an existential danger for businesses of all sizes poorly prepared for an assault. Different iterations of crypto-ransomware such as CrySIS, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been out in the wild for years and continue to cause damage. Newer strains of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit or Nephilim, along with more as yet unnamed viruses, not only encrypt online critical data but also infect all accessible system protection mechanisms. Files replicated to cloud environments can also be ransomed. In a vulnerable data protection solution, this can make automatic recovery hopeless and effectively knocks the entire system back to square one.

Getting back online services and information after a ransomware outage becomes a race against the clock as the victim tries its best to stop the spread and eradicate the ransomware and to resume mission-critical activity. Since ransomware needs time to move laterally, attacks are frequently launched at night, when successful attacks are likely to take longer to detect. This compounds the difficulty of quickly marshalling and orchestrating a knowledgeable response team.

Progent provides an assortment of support services for securing businesses from crypto-ransomware attacks. Among these are staff training to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of the latest generation security appliances with machine learning technology to automatically discover and disable new cyber threats. Progent in addition provides the assistance of veteran crypto-ransomware recovery consultants with the skills and commitment to reconstruct a breached system as rapidly as possible.

Progent's Ransomware Restoration Help
Soon after a ransomware event, even paying the ransom demands in cryptocurrency does not guarantee that cyber hackers will provide the needed keys to decipher all your information. Kaspersky Labs ascertained that seventeen percent of crypto-ransomware victims never recovered their information even after having paid the ransom, resulting in more losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the typical ransomware demands, which ZDNET averages to be in the range of $13,000. The fallback is to re-install the essential parts of your Information Technology environment. Without access to complete information backups, this requires a wide complement of skills, top notch team management, and the ability to work 24x7 until the recovery project is finished.

For decades, Progent has provided professional IT services for businesses in Calgary and throughout the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have earned top certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have earned internationally-recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise in financial systems and ERP software solutions. This breadth of expertise provides Progent the ability to quickly determine important systems and re-organize the surviving components of your network system following a ransomware attack and rebuild them into a functioning network.

Progent's recovery team of experts has best of breed project management tools to coordinate the complex recovery process. Progent appreciates the urgency of working quickly and in unison with a client's management and Information Technology team members to prioritize tasks and to get critical services back on line as fast as humanly possible.

Business Case Study: A Successful Ransomware Attack Restoration
A client sought out Progent after their organization was brought down by Ryuk ransomware. Ryuk is believed to have been created by Northern Korean state sponsored hackers, possibly using strategies leaked from the United States NSA organization. Ryuk attacks specific organizations with limited ability to sustain disruption and is one of the most lucrative incarnations of ransomware. Headline victims include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business based in Chicago with around 500 workers. The Ryuk event had shut down all essential operations and manufacturing processes. Most of the client's data protection had been online at the time of the intrusion and were destroyed. The client was actively seeking loans for paying the ransom demand (more than two hundred thousand dollars) and wishfully thinking for good luck, but in the end utilized Progent.


"I canít thank you enough about the care Progent gave us throughout the most critical period of (our) companyís life. We would have paid the cyber criminals if not for the confidence the Progent group gave us. The fact that you were able to get our messaging and key servers back into operation quicker than five days was beyond my wildest dreams. Every single staff member I talked with or texted at Progent was hell bent on getting us operational and was working at all hours to bail us out."

Progent worked hand in hand the client to rapidly determine and assign priority to the essential elements that needed to be restored in order to continue business operations:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • Accounting/MRP
To get going, Progent adhered to ransomware penetration response industry best practices by halting the spread and removing active viruses. Progent then began the steps of bringing back online Active Directory, the key technology of enterprise systems built upon Microsoft Windows technology. Exchange messaging will not function without Windows AD, and the client's financials and MRP software utilized Microsoft SQL, which needs Windows AD for authentication to the data.

In less than 2 days, Progent was able to re-build Active Directory to its pre-intrusion state. Progent then initiated rebuilding and storage recovery on mission critical applications. All Exchange ties and attributes were usable, which facilitated the rebuild of Exchange. Progent was able to assemble intact OST files (Outlook Email Offline Data Files) on user desktop computers in order to recover email data. A recent off-line backup of the businesses accounting software made them able to recover these essential services back available to users. Although significant work was left to recover totally from the Ryuk attack, essential services were restored quickly:


"For the most part, the production manufacturing operation ran fairly normal throughout and we did not miss any customer sales."

Over the following few weeks important milestones in the recovery project were made in tight collaboration between Progent team members and the customer:

  • Self-hosted web sites were restored with no loss of data.
  • The MailStore Microsoft Exchange Server with over 4 million archived emails was brought online and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable/AR/Inventory modules were completely recovered.
  • A new Palo Alto 850 firewall was installed.
  • 90% of the desktop computers were functioning as before the incident.

"A huge amount of what went on during the initial response is nearly entirely a fog for me, but we will not forget the dedication each of your team put in to help get our business back. I have been working together with Progent for the past 10 years, maybe more, and each time Progent has outperformed my expectations and delivered. This situation was no exception but maybe more Herculean."

Conclusion
A likely business-ending disaster was evaded with dedicated professionals, a broad range of knowledge, and tight teamwork. Although upon completion of forensics the ransomware virus attack detailed here would have been disabled with modern cyber security solutions and ISO/IEC 27001 best practices, team training, and well designed security procedures for information backup and keeping systems up to date with security patches, the reality remains that state-sponsored hackers from China, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware attack, feel confident that Progent's team of professionals has a proven track record in ransomware virus defense, removal, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), Iím grateful for making it so I could get rested after we made it past the most critical parts. All of you did an amazing effort, and if any of your team is visiting the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Calgary a variety of remote monitoring and security evaluation services to assist you to minimize the threat from ransomware. These services utilize next-generation artificial intelligence capability to detect new strains of ransomware that can escape detection by legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes cutting edge behavior-based analysis tools to guard physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely evade traditional signature-based anti-virus tools. ProSight ASM safeguards on-premises and cloud resources and offers a single platform to automate the complete malware attack lifecycle including filtering, detection, mitigation, remediation, and forensics. Key capabilities include single-click rollback with Windows VSS and real-time network-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable in-depth security for physical and virtual servers, desktops, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and responding to security threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge technologies incorporated within a single agent accessible from a single console. Progent's security and virtualization experts can help your business to plan and implement a ProSight ESP environment that meets your company's specific requirements and that allows you prove compliance with legal and industry data protection regulations. Progent will assist you define and implement security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that require urgent attention. Progent's consultants can also assist you to set up and test a backup and restore solution such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and mid-sized organizations a low cost end-to-end solution for reliable backup/disaster recovery (BDR). Available at a fixed monthly cost, ProSight DPS automates and monitors your backup processes and enables fast recovery of vital files, applications and virtual machines that have become unavailable or damaged due to hardware breakdowns, software glitches, disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware images/. Important data can be protected on the cloud, to a local storage device, or mirrored to both. Progent's BDR specialists can deliver world-class support to set up ProSight DPS to to comply with regulatory requirements like HIPAA, FIRPA, and PCI and, whenever necessary, can help you to recover your business-critical data. Read more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top data security companies to provide centralized control and world-class security for all your inbound and outbound email. The hybrid architecture of Email Guard managed service combines a Cloud Protection Layer with a local gateway appliance to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a first line of defense and blocks most threats from reaching your network firewall. This decreases your exposure to external attacks and conserves network bandwidth and storage. Email Guard's on-premises gateway appliance adds a further layer of inspection for incoming email. For outgoing email, the local security gateway provides AV and anti-spam filtering, DLP, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to track and protect internal email that originates and ends inside your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to map out, monitor, reconfigure and troubleshoot their connectivity hardware like switches, firewalls, and load balancers plus servers, printers, endpoints and other networked devices. Using cutting-edge RMM technology, WAN Watch ensures that network diagrams are always current, captures and displays the configuration information of almost all devices on your network, tracks performance, and sends alerts when issues are detected. By automating time-consuming network management processes, ProSight WAN Watch can cut hours off ordinary tasks such as network mapping, reconfiguring your network, finding appliances that need important software patches, or identifying the cause of performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management techniques to keep your IT system operating at peak levels by checking the state of critical computers that power your business network. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your designated IT management staff and your assigned Progent engineering consultant so that any looming problems can be resolved before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the client owns the data, the OS platforms, and the applications. Because the environment is virtualized, it can be ported immediately to a different hosting environment without requiring a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, you are not tied a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and safeguard data related to your network infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates ,domains or warranties. By updating and managing your IT infrastructure documentation, you can save up to half of time spent searching for vital information about your network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents related to managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether youíre planning enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you require when you need it. Read more about ProSight IT Asset Management service.
For Calgary 24-Hour Crypto-Ransomware Cleanup Support Services, contact Progent at 800-993-9400 or go to Contact Progent.