Ransomware: Your Worst Information Technology Disaster
Ransomware has become a frequent cyber pandemic that presents an extinction-level danger for businesses poorly prepared for an attack. Crypto-ransomware families such as CrySIS, CryptoWall, Locky, NotPetya and MongoLock have been around for years and still inflict damage. Newer families like Ryuk, Maze, Sodinokibi (REvil), Netwalker, LockBit and Egregor, along with others not yet named, not only encrypt online data but also seek out and encrypt or delete every backup they can reach, including files replicated to the cloud. In a vulnerable environment this renders restoration impossible and effectively knocks the entire system back to zero.
Getting programs and data back online after a ransomware event becomes a race against time as the targeted business struggles to stop lateral movement, remove the ransomware and restore business-critical activity. Because ransomware takes time to move laterally, attacks are frequently launched at night or over weekends, when intrusions take longer to detect. This compounds the difficulty of quickly marshalling and orchestrating an experienced response team.
Progent offers an assortment of services for protecting organizations from ransomware events. Among these are staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for behavior-based endpoint protection, and deployment of the latest generation of security appliances with AI technology to quickly identify and quarantine zero-day threats. Progent can also provide seasoned ransomware recovery engineers with the skills and perseverance to rebuild a compromised environment as urgently as possible.
Progent's Ransomware Restoration Services
After a ransomware attack, even paying the ransom in Bitcoin does not guarantee that the criminals will deliver working decryption keys for any or all of your files. Kaspersky Lab found that 17 percent of victims who paid never recovered their files, compounding their losses. The ransom itself is also costly. Ryuk demands often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at around $13,000. The other path is to rebuild the essential elements of your IT environment. Without complete, uncompromised backups, this calls for a broad range of skill sets, top-notch project management and the ability to work non-stop until the job is done.
For decades, Progent has provided certified expert IT services for businesses in Naples and throughout the United States and has achieved Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who hold top industry certifications in leading technologies from Microsoft, Cisco, VMware and popular Linux distributions. Progent's cybersecurity consultants have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC and SANS GIAC. (Visit Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of experience gives Progent the skills to knowledgeably identify critical systems after a ransomware event, reorganize the surviving parts of your IT environment and configure them into an operational network.
Progent's recovery team uses robust project management systems to coordinate the complex restoration process. Progent appreciates the urgency of acting swiftly and works together with a customer's management and IT staff to prioritize tasks and get key services back online as soon as possible.
Business Case Study: A Successful Crypto-Ransomware Intrusion Restoration
A business escalated to Progent after their network was brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because of code overlap with the earlier Hermes ransomware, but researchers now generally attribute it to a Russian-speaking criminal group that typically deploys it by hand after an initial Emotet or TrickBot infection. Ryuk targets specific companies with little tolerance for operational disruption and is one of the most lucrative ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing business in the Chicago metro area with about 500 staff members. The Ryuk intrusion had halted all business operations and manufacturing. Most of the client's backups had been online at the start of the attack and were encrypted. The client considered paying the ransom (in excess of two hundred thousand dollars) and praying for good luck, but in the end reached out to Progent.
"I cannot tell you enough in regards to the expertise Progent gave us throughout the most critical period of (our) business's existence. We would have had little choice but to pay the cyber criminals behind the attack if it weren't for the confidence the Progent team provided us. That you could get our e-mail system and essential servers back on-line in fewer than five days was earth shattering. Every single staff member I worked with or communicated with at Progent was amazingly focused on getting us back online and was working non-stop to bail us out."
Progent worked hand in hand with the customer to quickly assess and prioritize the key systems that had to be recovered before business operations could resume:
- Windows Active Directory
- Microsoft Exchange Email
To start, Progent followed incident response best practices by isolating infected hosts to stop lateral movement and removing the malware. Progent then began recovering Windows Active Directory, the heart of networks built on Microsoft Windows Server. Microsoft Exchange Server messaging will not function without AD, and the client's financial and MRP applications ran on Microsoft SQL Server, which was configured to use Active Directory for authentication to the database.
In less than two days, Progent restored Active Directory to its pre-intrusion state. Progent then assisted with reinstallation and storage recovery of the required systems. All Microsoft Exchange Server data and configuration information were intact, which simplified the Exchange rebuild. Progent was also able to harvest local OST files (Microsoft Outlook Offline Data Files) from staff desktops to recover mailbox contents. A recent offline backup of the client's manufacturing software made it possible to bring those essential applications back online. Although significant work remained to recover fully from Ryuk, the most important systems were returned to operation rapidly:
"For the most part, the assembly line operation survived unscathed and we did not miss any customer deliverables."
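Triage of the kind described above begins with scoping: which file systems were touched, how far the encryption spread, and when it started, because the earliest encrypted-file timestamp bounds which backups can still be trusted. The script below is an added example, not code from Progent or from this case. It walks a directory tree looking for the ransom-note name and file extension used by later Ryuk builds (RyukReadMe.txt and .RYK; adjust these for the variant you face), flags high-entropy files that a variant without a telltale extension might have produced, and reports the earliest encrypted-file timestamp. The sample tree it builds is constructed for the example.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators of the Ryuk builds that appended ".RYK" and dropped RyukReadMe.txt.
# Treat these as a starting point and adjust for the variant you are facing.
RANSOM_NOTE_NAMES = {"RyukReadMe.txt", "RyukReadMe.html"}
ENCRYPTED_EXTENSIONS = {".ryk"}
# Formats that are high-entropy when healthy; skipped to limit false positives.
COMPRESSED_EXTENSIONS = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4", ".docx", ".xlsx", ".pdf"}
ENTROPY_THRESHOLD = 7.2   # bits per byte; natural text or code is usually below 6
SAMPLE_BYTES = 4096       # only the head of each file is read
MIN_SIZE = 256            # too little data gives an unreliable entropy estimate


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scope_tree(root) -> dict:
    """Classify every file under root: ransom notes, known-encrypted files, and
    unknown high-entropy files that may be encrypted without a telltale extension.
    Also records the earliest modification time among known-encrypted files."""
    result = {"notes": [], "encrypted": [], "suspect": [], "earliest_mtime": None}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name in RANSOM_NOTE_NAMES:
            result["notes"].append(str(path))
            continue
        ext = path.suffix.lower()
        if ext in ENCRYPTED_EXTENSIONS:
            result["encrypted"].append(str(path))
            mtime = path.stat().st_mtime
            if result["earliest_mtime"] is None or mtime < result["earliest_mtime"]:
                result["earliest_mtime"] = mtime
            continue
        if ext in COMPRESSED_EXTENSIONS:
            continue
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)
        if len(head) >= MIN_SIZE and shannon_entropy(head) >= ENTROPY_THRESHOLD:
            result["suspect"].append(str(path))
    return result


def build_sample_tree() -> str:
    """Constructed sample data for this example, not data from a real incident."""
    root = Path(tempfile.mkdtemp(prefix="ransomware-scope-"))
    (root / "finance").mkdir()
    (root / "engineering").mkdir()
    (root / "finance" / "RyukReadMe.txt").write_text("constructed ransom note\n")
    ledger = root / "finance" / "ledger.xlsx.RYK"
    ledger.write_bytes(os.urandom(SAMPLE_BYTES))
    os.utime(ledger, (1_600_003_600, 1_600_003_600))
    drawing = root / "engineering" / "part-42.dwg.RYK"
    drawing.write_bytes(os.urandom(SAMPLE_BYTES))
    os.utime(drawing, (1_600_000_000, 1_600_000_000))   # encrypted an hour earlier
    # Stands in for a hypothetical variant that encrypts without renaming.
    (root / "engineering" / "bom.dat").write_bytes(os.urandom(SAMPLE_BYTES))
    # Healthy files that must not be flagged.
    (root / "engineering" / "photo.jpg").write_bytes(os.urandom(SAMPLE_BYTES))
    (root / "finance" / "notes.txt").write_text("quarterly close checklist\n" * 100)
    return str(root)


if __name__ == "__main__":
    summary = scope_tree(build_sample_tree())
    print(f"ransom notes: {len(summary['notes'])}, encrypted: {len(summary['encrypted'])}, "
          f"suspect: {len(summary['suspect'])}, first encryption at {summary['earliest_mtime']}")
```

Run it against a read-only mount of each affected share rather than the live host. Compressed and media formats are skipped because they are high-entropy when healthy, so a variant that renames nothing and hits those types needs an extension or magic-number rule instead.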
Over the following couple of weeks, key milestones in the recovery were reached through tight collaboration between Progent engineers and the client:
- Self-hosted web sites were restored without losing any information.
- The MailStore email archive, holding more than 4 million historical Exchange messages, was brought online and made accessible to users.
- CRM, customer orders, invoicing, accounts payable, accounts receivable and inventory functions were fully restored.
- A new Palo Alto Networks PA-850 firewall was installed.
- Ninety percent of user desktops and notebooks were operational.
"A lot of what happened those first few days is nearly entirely a fog for me, but we will not soon forget the commitment each of the team put in to give us our business back. I have been working with Progent for the past 10 years, maybe more, and each time Progent has outperformed my expectations and delivered. This event was a testament to your capabilities."
A likely business-ending disaster was averted by results-oriented professionals, a broad range of technical expertise and tight teamwork. In hindsight, the incident described here should have been stopped by up-to-date security technology, NIST Cybersecurity Framework practices, staff education, offline backups, prompt security patching and a well-designed incident response plan. The reality, however, is that well-funded criminal groups and state-sponsored actors are relentless and represent an ongoing threat. If you do fall victim to a ransomware intrusion, remember that Progent's roster of professionals has substantial experience in ransomware defense, remediation and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thank you for letting me get rested after we made it past the initial push. All of you did an impressive job, and if anyone is around the Chicago area, dinner is on me!"
To read or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Naples a range of online monitoring and security evaluation services designed to help you minimize your exposure to ransomware. These services include modern AI capabilities to uncover zero-day strains of ransomware that get past traditional signature-based anti-virus products.
For Naples 24-7 Crypto Remediation Experts, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection service that uses behavior-based machine learning to guard physical and virtual endpoints against new malware attacks like ransomware and email phishing, which routinely get past traditional signature-matching AV tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a single platform covering the full attack lifecycle: prevention, detection, containment, remediation and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and automatic network-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
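Rollback from VSS snapshots only works if the shadow copies still exist when you need them, and deleting them is a standard step in Ryuk's deployment scripts before encryption begins (vssadmin delete shadows, vssadmin resize shadowstorage, wmic shadowcopy delete and similar). Alerting on those commands therefore gives early warning whatever endpoint product is in place. The script below is an added example, not Progent's or any vendor's code. It parses a constructed set of Windows process-creation records (the key=value field layout, host names and sample lines are assumptions for the example, standing in for Security event 4688 or Sysmon event 1 data) and flags backup-tampering commands per host.

```python
import re
from collections import Counter

# Constructed process-creation records (Security event 4688 or Sysmon event 1,
# flattened to "key=value" fields). Sample data for this example, not real logs.
SAMPLE_EVENTS = [
    "host=FILESRV01 user=CORP\\svc_backup parent=wbadmin.exe cmd=vssadmin list shadows",
    "host=FILESRV01 user=CORP\\jdoe parent=cmd.exe cmd=vssadmin.exe Delete Shadows /all /quiet",
    "host=FILESRV01 user=CORP\\jdoe parent=cmd.exe cmd=vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB",
    "host=MFG-APP02 user=CORP\\jdoe parent=cmd.exe cmd=wmic shadowcopy delete",
    "host=MFG-APP02 user=CORP\\jdoe parent=cmd.exe cmd=bcdedit /set {default} recoveryenabled No",
    "host=DC01 user=CORP\\admin parent=explorer.exe cmd=wbadmin start backup -backupTarget:E:",
]

# Commands that remove or cripple local recovery data before encryption starts.
# Routine maintenance almost never runs them, so a hit warrants immediate triage.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_resize_shadowstorage", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete", re.I)),
    ("bcdedit_disable_recovery", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]

# key=value pairs; the lazy value match stops at the next " key=" or end of line,
# so a command line containing spaces survives as one field.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Split one flattened record into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def detect_backup_tampering(lines):
    """Return one hit per event whose command line matches a tampering rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmd", "")
        for rule, rx in RULES:
            if rx.search(cmd):
                hits.append({"rule": rule, "host": ev.get("host"),
                             "user": ev.get("user"), "cmd": cmd})
                break
    return hits


def hosts_by_hit_count(hits) -> Counter:
    """Hosts ranked by number of tampering commands: a sensible isolation order."""
    return Counter(h["host"] for h in hits)


if __name__ == "__main__":
    found = detect_backup_tampering(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['rule']:32} {h['host']:10} {h['user']:16} {h['cmd']}")
    print("isolate first:", hosts_by_hit_count(found).most_common())
```

Process-creation events only carry the command line if command-line auditing is enabled (Audit Process Creation plus the "Include command line in process creation events" policy) or Sysmon is deployed, so confirm that before relying on this detection. Read-only commands such as vssadmin list shadows and scheduled wbadmin backups are deliberately not matched.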
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services offer affordable multi-layer protection for physical and virtual servers, workstations, mobile devices and Exchange email. ProSight ESP uses adaptive security and advanced heuristics to continuously monitor and respond to attacks from all vectors. ProSight ESP provides firewall protection, intrusion alerts, device control and web filtering through leading-edge tools incorporated into a single agent managed from a unified console. Progent's security and virtualization experts can help your business plan and configure a ProSight ESP deployment that meets your organization's needs and helps you achieve and demonstrate compliance with legal and industry data protection standards. Progent will help you define and implement the policies that ProSight ESP enforces, and Progent will monitor your network and respond to alerts that require immediate action. Progent can also help you set up and verify a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services provide small and mid-sized businesses a low-cost, fully managed service for secure backup and disaster recovery. Available at a fixed monthly cost, ProSight DPS automates and monitors your backups and enables fast restoration of critical files, applications and virtual machines lost or damaged by component failures, software bugs, natural disasters, human error or malware attacks like ransomware. ProSight DPS can back up and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware images. Critical data can be protected in the cloud, on a local storage device, or mirrored to both. Progent's backup and recovery specialists can deliver world-class expertise to set up ProSight DPS to comply with government and industry regulatory requirements such as HIPAA, FINRA and PCI and, when needed, can help you recover your business-critical information. Read more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top data security companies to provide web-based management and comprehensive security for your inbound and outbound email. The architecture of Progent's Email Guard managed service integrates cloud-based filtering with a local security gateway appliance to offer advanced protection against spam, viruses, denial-of-service attacks, directory harvest attacks and other email-borne threats. The cloud filter serves as the first line of defense and blocks most unwanted email before it reaches your security perimeter, which reduces your exposure to inbound threats and conserves bandwidth and storage. Email Guard's on-premises gateway appliance provides a deeper layer of inspection for incoming email. For outgoing email, the local gateway offers anti-virus and anti-spam filtering, policy-based data loss prevention and email encryption. The on-premises gateway can also work with Microsoft Exchange Server to track and protect internal email traffic that originates and ends inside your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to map, track, optimize and troubleshoot their networking hardware such as switches, firewalls and wireless controllers as well as servers, printers, endpoints and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch keeps infrastructure topology maps up to date, captures and displays the configuration of almost every device on your network, tracks performance, and sends alerts when potential issues are discovered. By automating complex management and troubleshooting activities, WAN Watch can knock hours off common tasks such as network mapping, reconfiguring your network, locating devices that need important updates, or identifying the cause of performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) technology to keep your IT system running efficiently by checking the health of the critical computers that power your information system. When ProSight LAN Watch detects an issue, an alert is sent automatically to your designated IT staff and your assigned Progent engineering consultant so that looming problems can be addressed before they disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual machine host set up and maintained by Progent's IT support experts. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the apps. Because the system is virtualized, it can be ported easily to an alternate hosting solution without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is a cloud-based IT documentation management service that lets you capture, update, find and safeguard information about your IT infrastructure, procedures, applications and services. You can quickly locate passwords or serial numbers and be warned about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT documentation, you can eliminate as much as half of the time spent searching for vital information about your network. ProSight IT Asset Management provides a common location for storing and sharing all documents related to managing your network infrastructure, such as recommended procedures and how-to guides. ProSight IT Asset Management also supports a high level of automation for collecting and correlating IT information. Whether you're making enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need when you need it. Find out more about the ProSight IT Asset Management service.