Ransomware : Your Crippling IT Nightmare
Ransomware Remediation Experts
Crypto-ransomware has become a modern cyber pandemic and poses an enterprise-level threat to businesses that are poorly prepared for an attack. Older families such as Reveton, CryptoWall, Locky, SamSam and MongoLock have been circulating for years and still cause damage. Current variants such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Nefilim, along with new and as yet unnamed strains appearing daily, not only encrypt online critical data but also delete or encrypt any backups they can reach. Data replicated to the cloud can be encrypted as well, because a replication or sync job will faithfully copy the encrypted files over the good ones. In a poorly designed data protection solution this can make automated restoration impossible and effectively sets the network back to square one.

Getting programs and data back after a ransomware intrusion becomes a race against time as the targeted business tries to stop the spread, remove the malware and restore mission-critical operations. Because crypto-ransomware takes time to spread, the encryption phase is usually launched at night or over a weekend, when a successful attack is likely to run longer before anyone notices. This compounds the difficulty of rapidly assembling and coordinating an experienced mitigation team.
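The backup and snapshot destruction described above is the one part of a ransomware run that is easy to catch before encryption starts, and the night-time timing is itself a signal. The following Python is an added example, not Progent's tooling and not code from this page: it scans process-creation log lines for the commands commonly used to wipe volume shadow copies, the Windows backup catalog and boot recovery settings (the widely documented "Inhibit System Recovery" behaviour, MITRE ATT&CK T1490, which the page itself does not name), flags off-hours activity, and correlates several such commands on one host within a few minutes. The log format, host and user names, the sample lines and the 22:00 to 06:00 quiet window are all constructed assumptions for the example.

```python
"""Added example, not code from Progent or the original page: a detector that scans
process-creation log lines for the commands ransomware commonly runs to destroy local
recovery points (volume shadow copies, the Windows backup catalog, boot recovery
settings) before encrypting. The log lines and their field layout are constructed
for this example and do not come from a real host or product."""
import re
from collections import namedtuple
from datetime import datetime

# (name, regex over the normalised command line). These are the widely documented
# "Inhibit System Recovery" commands (MITRE ATT&CK T1490), not tied to one incident.
RULES = [
    ("vssadmin_delete_shadows", r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b"),
    # Shrinking shadow storage silently discards snapshots: weak alone, strong with the others.
    ("vssadmin_resize_shadowstorage", r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b"),
    ("wmic_shadowcopy_delete", r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("wbadmin_delete_catalog", r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b"),
    ("bcdedit_disable_recovery",
     r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no\b|bootstatuspolicy\s+ignoreallfailures\b)"),
    ("powershell_delete_shadowcopy", r"\bwin32_shadowcopy\b.*(?:\.delete\(|remove-wmiobject)"),
]
RULES = [(name, re.compile(rx)) for name, rx in RULES]

OFF_HOURS_START, OFF_HOURS_END = 22, 6  # assumed quiet window (UTC) for this example
Alert = namedtuple("Alert", "timestamp host user rule cmdline off_hours")

def parse_ts(ts):
    """datetime for 'YYYY-MM-DDTHH:MM:SSZ', or None if malformed."""
    try:
        return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None

def is_off_hours(ts):
    dt = parse_ts(ts)
    return dt is not None and (dt.hour >= OFF_HOURS_START or dt.hour < OFF_HOURS_END)

def parse_line(line):
    """Parse 'ts|key=value|...|cmdline=<rest of line>' into a dict, or None if malformed.
    cmdline is split off first so pipes inside a PowerShell command are not taken as separators."""
    head, sep, cmd = line.partition("|cmdline=")
    if not sep:
        return None
    fields = head.split("|")
    rec = {"ts": fields[0].strip(), "cmdline": cmd.strip()}
    for field in fields[1:]:
        key, eq, value = field.partition("=")
        if not eq:
            return None
        rec[key.strip()] = value.strip()
    return rec

def normalise(cmdline):
    # Strip quotes, collapse whitespace and lowercase so '"C:\...\VSSADMIN.EXE"  Delete Shadows' matches.
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip().lower()

def match_rules(cmdline):
    norm = normalise(cmdline)
    return [name for name, rx in RULES if rx.search(norm)]

def scan(lines):
    """Run every rule over every well-formed line; one Alert per rule hit."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in match_rules(rec["cmdline"]):
            alerts.append(Alert(rec["ts"], rec.get("host", "?"), rec.get("user", "?"),
                                rule, rec["cmdline"], is_off_hours(rec["ts"])))
    return alerts

def correlate(alerts, window_seconds=300, min_rules=2):
    """Hosts on which at least min_rules distinct rules fired within window_seconds.
    One recovery-related command may be admin work; several in quick succession is the
    pre-encryption pattern worth paging someone for."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, []).append(a)
    flagged = []
    for host, items in by_host.items():
        items = sorted(items, key=lambda a: a.timestamp)  # ISO-8601 sorts lexically
        for i, first in enumerate(items):
            t0 = parse_ts(first.timestamp)
            if t0 is None:
                continue
            rules = {first.rule}
            for later in items[i + 1:]:
                t1 = parse_ts(later.timestamp)
                if t1 is None or (t1 - t0).total_seconds() > window_seconds:
                    break
                rules.add(later.rule)
            if len(rules) >= min_rules:
                flagged.append(host)
                break
    return sorted(flagged)

# Constructed sample log (not captured from a real host); hosts, users and times are invented.
SAMPLE_LOG = """\
2021-03-14T02:17:09Z|host=FS01|user=CORP\\svc_backup|parent=cmd.exe|cmdline=vssadmin.exe Delete Shadows /All /Quiet
2021-03-14T02:17:10Z|host=FS01|user=CORP\\svc_backup|parent=cmd.exe|cmdline="C:\\Windows\\System32\\wbadmin.exe" delete catalog -quiet
2021-03-14T02:17:11Z|host=FS01|user=CORP\\svc_backup|parent=cmd.exe|cmdline=bcdedit /set {default} recoveryenabled No
2021-03-14T02:17:12Z|host=WS042|user=CORP\\jsmith|parent=powershell.exe|cmdline=powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
2021-03-14T10:05:44Z|host=WS017|user=CORP\\helpdesk|parent=explorer.exe|cmdline=vssadmin.exe list shadows
2021-03-14T10:06:02Z|host=DC01|user=CORP\\ITAdmin|parent=cmd.exe|cmdline=vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
this line is malformed and is skipped
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a.timestamp} {a.host:6} {a.user:18} {a.rule:30} off_hours={a.off_hours}")
    print("hosts with clustered recovery-destroying commands:", correlate(found))
```

Run as-is it reports five hits, four of them in the quiet window, and singles out FS01, where three different recovery-destroying commands ran within two seconds; the benign `vssadmin list shadows` on WS017 produces nothing. The point of `correlate` is that a backup operator legitimately resizing shadow storage at 10:06 is one alert to triage, while the FS01 burst is what an encryption run looks like minutes before files start changing.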

Progent makes available a variety of services for protecting businesses from ransomware events. Among these are staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of current-generation security gateways with machine learning technology to rapidly detect and block zero-day threats. Progent also provides expert crypto-ransomware recovery engineers with the skills and commitment to restore a breached environment as quickly as possible.

Progent's Ransomware Restoration Support Services
Following a ransomware event, paying the ransom demand in cryptocurrency does not guarantee that the attackers will respond with the keys to decrypt any of your data. Kaspersky found that 17% of crypto-ransomware victims never recovered their data even after paying, resulting in increased losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time). This is far higher than the typical ransomware demand, which ZDNet estimated at around $13,000. The alternative is to rebuild the key elements of your IT environment. Without access to usable backups, this calls for a broad range of skills, well-coordinated project management, and the capacity to work around the clock until the recovery is finished.

For two decades, Progent has provided certified expert IT services for businesses in Sioux Falls and throughout the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise with financial systems and ERP application software. This breadth of experience lets Progent efficiently identify the critical systems, salvage the surviving components of your IT environment after a ransomware intrusion, and reassemble them into a working system.

Progent's ransomware group uses proven project management systems to coordinate the complex recovery process. Progent understands the urgency of acting quickly and in unison with a customer's management and IT staff to prioritize tasks and to put key services back online as soon as humanly possible.

Customer Story: A Successful Ransomware Attack Response
A customer engaged Progent after their company was brought down by Ryuk ransomware. Ryuk shares code with the earlier Hermes ransomware, which led some early analyses to associate it with North Korea, but it is generally attributed to Russian-speaking cybercriminal groups. Ryuk targets specific organizations with limited ability to tolerate disruption and is one of the most profitable crypto-ransomware operations. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing business based in Chicago with about 500 staff members. The Ryuk intrusion had shut down all company operations and manufacturing. Most of the client's backups had been reachable from the network when the intrusion began and were destroyed. The client was actively seeking loans to pay the ransom (more than $200,000) and hoping for the best, but in the end brought in Progent.


"I can't thank you enough for the support Progent provided us throughout the most stressful period of (our) business's existence. We would have paid the cybercriminals if not for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail and critical applications back in less than 1 week was something I thought impossible. Each consultant I spoke to or communicated with at Progent was absolutely committed to getting us back online and was working at all hours on our behalf."

Progent worked together with the client to quickly assess and assign priority to the essential systems that had to be restored to make it possible to continue company operations:

  • Active Directory
  • E-Mail
  • Accounting/MRP
To get going, Progent followed incident response best practices by halting lateral movement and cleaning up infected systems. Progent then began recovering Microsoft Active Directory, the core of enterprise networks built on Windows Server. Microsoft Exchange Server will not operate without AD, and the customer's accounting and MRP software ran on Microsoft SQL Server, which relied on AD for authentication to the data.

In less than 48 hours, Progent rebuilt Active Directory to its pre-intrusion state. Progent then assisted with reinstallation and disk recovery for the most important applications. The Exchange schema and configuration information held in AD were intact, which accelerated the Exchange restore. Progent located intact OST files (Outlook Offline Data Files) on staff PCs and laptops and used them to recover mail messages. A reasonably recent offline backup of the business's financials/ERP software made it possible to bring these essential applications back online for users. Although significant work remained to recover fully from the Ryuk event, core systems were restored quickly:


"For the most part, the production line operation survived unscathed and we produced all customer sales."

Throughout the next few weeks important milestones in the recovery process were accomplished through close cooperation between Progent engineers and the client:

  • Self-hosted web sites were restored without losing any data.
  • The MailStore Server containing more than 4 million historical emails was brought online and available for users.
  • CRM/Orders/Invoices/Accounts Payable/AR/Inventory Control capabilities were completely operational.
  • A new Palo Alto Networks PA-850 security appliance was installed and configured.
  • Ninety percent of the user workstations were functioning as before the incident.

"A lot of what occurred in the initial days is mostly a blur for me, but I will not soon forget the urgency with which all of the team worked to give us our company back. I have trusted Progent for the past ten years, possibly more, and every time Progent has shined and delivered. This situation was a stunning achievement."

Conclusion
A probable business-killing catastrophe was avoided through dedicated professionals, a wide spectrum of technical expertise, and tight collaboration. In hindsight, the crypto-ransomware incident described here could have been detected and stopped with modern security technology, ISO/IEC 27001 best practices, staff training, well-designed incident response procedures, backups kept out of reach of the production network, and proper patching controls. The reality, however, is that organized cybercriminal groups, including state-tolerated and state-sponsored actors operating from Russia, China and elsewhere, are relentless and represent an ongoing threat. If you are hit by crypto-ransomware, remember that Progent's team has a proven track record in crypto-ransomware defense, remediation, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thank you for letting me get some sleep after we made it past the initial push. All of you made an impressive effort, and if any of your team is visiting the Chicago area, dinner is on me!"

To review or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Sioux Falls a range of remote monitoring and security assessment services to assist you to minimize the threat from crypto-ransomware. These services utilize modern machine learning technology to detect new strains of crypto-ransomware that can evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses behavior-based machine learning tools to defend physical and virtual endpoints against modern malware attacks such as ransomware and fileless exploits, which easily bypass legacy signature-based AV products. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a single platform to manage the complete malware attack progression including protection, identification, containment, remediation, and forensics. Key capabilities include one-click rollback using Windows VSS and real-time network-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer protection for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced machine learning to continuously monitor and react to security threats from all vectors. ProSight ESP offers firewall protection, intrusion alerts, device control, and web filtering through tools packaged within one agent and managed from a unified console. Progent's security and virtualization consultants can assist your business to plan and configure a ProSight ESP deployment that addresses your company's specific needs and that allows you to achieve and demonstrate compliance with government and industry information security regulations. Progent will assist you to define and configure the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for urgent attention. Progent's consultants can also assist you to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and medium-sized businesses an affordable end-to-end service for secure backup and disaster recovery. Available at a fixed monthly rate, ProSight DPS automates your backup activities and enables rapid restoration of critical files, applications and virtual machines that have become unavailable or corrupted as a result of hardware failures, software bugs, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to a local storage device, or to both. Progent's BDR consultants can deliver world-class support to set up ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FERPA, PCI and Safe Harbor and, whenever needed, can help you to restore your critical information. Find out more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top information security vendors to provide web-based control and world-class protection for all your inbound and outbound email. The architecture of Email Guard integrates a Cloud Protection Layer with an on-premises security gateway device to provide complete protection against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-based threats. The cloud filter serves as a preliminary barricade and keeps the vast majority of threats from reaching your network firewall. This decreases your exposure to inbound attacks and conserves network bandwidth and storage. Email Guard's on-premises security gateway appliance provides a further level of analysis for incoming email. For outgoing email, the on-premises security gateway provides AV and anti-spam protection, DLP, and email encryption. The onsite gateway can also help Microsoft Exchange Server to monitor and protect internal email that originates and ends inside your security perimeter. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, track, optimize and troubleshoot their networking appliances like switches, firewalls, and access points plus servers, printers, endpoints and other networked devices. Incorporating cutting-edge RMM technology, WAN Watch ensures that infrastructure topology maps are kept current, copies and displays the configuration of almost all devices connected to your network, tracks performance, and generates notices when problems are detected. By automating complex management activities, WAN Watch can cut hours off common tasks such as network mapping, expanding your network, finding devices that require critical software patches, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management techniques to help keep your network operating at peak levels by checking the state of the vital assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your designated IT management personnel and your assigned Progent engineering consultant so any potential issues can be addressed before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure fault tolerant data center on a high-performance virtual host set up and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the applications. Because the environment is virtualized, it can be moved immediately to a different hardware solution without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and safeguard information related to your network infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be alerted automatically about impending expirations of SSL/TLS certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can save up to half of the time wasted looking for critical information about your IT network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents related to managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're making improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need when you need it. Read more about ProSight IT Asset Management service.
For 24-7 Sioux Falls Ransomware Remediation Experts, call Progent at 800-993-9400 or go to Contact Progent.