Ransomware : Your Worst Information Technology Nightmare
Ransomware has become an escalating cyberplague that presents an extinction-level threat for businesses unprepared for an attack. Multiple generations of ransomware such as CryptoLocker, Fusob, Locky, Syskey and MongoLock cryptoworms have been around for many years and still inflict destruction. Newer variants of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Egregor, as well as other as-yet-unnamed malware, not only encrypt on-line files but also corrupt any backups they can reach. Data synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly architected data protection solution, this can make automated restore operations impossible and effectively sets the entire system back to square one.

Getting on-line services and information back after a crypto-ransomware event becomes a race against time as the targeted business tries its best to stop the spread, remove the ransomware, and restore business-critical operations. Since ransomware takes time to spread, attacks are often launched at night, when a successful intrusion usually takes longer to recognize. This multiplies the difficulty of rapidly marshalling and coordinating a capable response team.

Progent offers a variety of services for securing enterprises against ransomware. These include training team members to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security gateways with AI capabilities to quickly detect and quarantine zero-day cyber threats. Progent can also provide the services of experienced crypto-ransomware recovery engineers with the track record and perseverance to re-deploy a breached network as soon as possible.

Progent's Ransomware Recovery Help
After a ransomware penetration, even paying the ransom demand in Bitcoin does not guarantee that the criminals will return the keys to decrypt any or all of your data. Kaspersky estimated that 17% of ransomware victims never restored their data even after sending off the ransom, resulting in further losses. Ransom demands are also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far above the typical ransomware demand, which ZDNET estimates to average approximately $13,000. The other path is to rebuild from scratch the mission-critical parts of your Information Technology environment. Without access to full system backups, this requires a wide range of IT skills, professional project management, and the ability to work continuously until the task is completed.

For twenty years, Progent has offered professional Information Technology services for companies in Southfield and throughout the US and has earned Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have attained top industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise in financial systems and ERP software solutions. This breadth of experience gives Progent the capability to knowledgeably identify important systems, organize the surviving parts of your network following a ransomware penetration, and rebuild them into an operational system.

Progent's ransomware group uses state-of-the-art project management applications to coordinate the sophisticated recovery process. Progent appreciates the importance of acting swiftly and working together with a customer's management and IT staff to prioritize tasks and put critical services back on line as fast as possible.

Business Case Study: A Successful Ransomware Penetration Restoration
A small business hired Progent after its network was brought down by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean government-sponsored hackers, suspected of adopting technology leaked from the U.S. NSA. Ryuk targets specific companies with little or no room for operational disruption and is one of the most lucrative instances of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business located in Chicago with around 500 workers. The Ryuk penetration had shut down all essential operations and manufacturing capabilities. Most of the client's backups had been directly accessible from the network at the start of the attack and were damaged. The client was evaluating paying the ransom demand (in excess of $200,000) and hoping for good luck, but ultimately brought in Progent.


"I can't tell you enough in regards to the help Progent gave us throughout the most critical time of (our) company's existence. We had little choice but to pay the criminal gangs except for the confidence the Progent experts gave us. The fact that you were able to get our e-mail and production servers back in less than five days was incredible. Every single expert I worked with or texted at Progent was amazingly focused on getting my company operational and was working at breakneck pace to bail us out."

Progent worked hand in hand with the customer to quickly identify and prioritize the essential applications that needed to be addressed in order to restart departmental functions:

  • Active Directory (AD)
  • Electronic Mail
  • Accounting and Manufacturing Software
To start, Progent followed ransomware incident response best practices by halting lateral movement and cleaning up infected systems. Progent then started the work of restoring Active Directory, the foundation of enterprise environments built on Microsoft Windows technology. Microsoft Exchange email will not function without AD, and the client's MRP system used Microsoft SQL Server, which relied on Active Directory for authentication to the database.

Within two days, Progent was able to restore Active Directory to its pre-attack state. Progent then assisted with rebuilding and storage recovery of the most important servers. All Exchange Server data and configuration information were usable, which accelerated the rebuild of Exchange. Progent was also able to collect local OST files (Microsoft Outlook Offline Data Files) from team PCs in order to recover email data. A fairly recent off-line backup of the client's accounting/ERP systems made it possible to return these essential applications to service. Although a lot of work remained to recover fully from the Ryuk event, essential services were restored quickly:


"For the most part, the assembly line operation ran fairly normally throughout and we produced all customer orders."

Over the following few weeks key milestones in the recovery process were achieved in close cooperation between Progent consultants and the customer:

  • Self-hosted web sites were brought back up with no loss of data.
  • The MailStore archive for Microsoft Exchange Server, holding more than 4 million historical messages, was brought on-line and made available to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/AR/Inventory Control capabilities were completely operational.
  • A new Palo Alto 850 firewall was installed.
  • Ninety percent of the user desktops and notebooks were fully operational.

"Much of what happened during the initial response is mostly a haze for me, but our team will not soon forget the urgency each of your team put in to give us our business back. I have been working with Progent for the past 10 years, maybe more, and each time Progent has outperformed my expectations and delivered as promised. This situation was the most impressive ever."

Conclusion
A possible business extinction disaster was averted through the efforts of dedicated experts, a broad range of knowledge, and tight collaboration. In hindsight, the crypto-ransomware attack detailed here could have been blocked with up-to-date cyber security technology and security best practices, staff training, and appropriate procedures for backup, incident response, and keeping systems current with security patches. The reality remains, however, that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by ransomware, remember that Progent's roster of professionals has a proven track record in ransomware defense, removal, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for letting me get rested after we got over the most critical parts. All of you did an incredible job, and if any of your guys are around the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer case study, see Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Southfield a variety of online monitoring and security evaluation services designed to help you reduce your exposure to crypto-ransomware. These services use modern AI capabilities to detect zero-day strains of ransomware that can evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates next-generation behavior-based analysis technology to guard physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which easily evade legacy signature-based anti-virus products. ProSight ASM safeguards on-premises and cloud resources and provides a unified platform to address the entire malware attack lifecycle, including filtering, detection, mitigation, remediation, and forensics. Key features include single-click rollback using Windows VSS and automatic network-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer protection for physical and virtual servers, desktops, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring of and response to cyber assaults from all vectors. ProSight ESP offers firewall protection, intrusion alerts, device control, and web filtering through cutting-edge technologies packaged within a single agent managed from a single console. Progent's data protection and virtualization experts can help you design and configure a ProSight ESP deployment that meets your organization's unique needs and helps you demonstrate compliance with government and industry information security standards. Progent will help you specify and configure the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require immediate action. Progent's consultants can also help you set up and test a backup and restore system such as ProSight Data Protection Services so you can recover rapidly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized businesses with an affordable and fully managed service for reliable backup and disaster recovery. Available at a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup processes and enables rapid recovery of vital files, applications and VMs that have become unavailable or corrupted due to hardware failures, software bugs, natural disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, apps, system images, and Microsoft Hyper-V and VMware images. Important data can be backed up to the cloud, to a local storage device, or mirrored to both. Progent's backup and recovery specialists can deliver world-class support to set up ProSight DPS to comply with government and industry regulatory requirements like HIPAA, FINRA, and PCI and, when necessary, can help you restore your critical data. Read more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of leading information security companies to deliver centralized management and world-class security for your inbound and outbound email. The layered architecture of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises gateway appliance to offer complete protection against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne malware. The Cloud Protection Layer serves as a first line of defense and blocks most threats before they reach your security perimeter. This decreases your exposure to external attacks and saves network bandwidth and storage. Email Guard's onsite security gateway device provides a further level of inspection for inbound email. For outgoing email, the local security gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also assist Exchange Server in tracking and protecting internal email that originates and ends inside your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to map, monitor, enhance and debug their networking hardware, such as routers, switches, firewalls, and access points, plus servers, client computers and other devices. Using state-of-the-art RMM technology, WAN Watch makes sure that network diagrams are always current, captures and displays the configuration of virtually all devices on your network, tracks performance, and sends notices when potential issues are discovered. By automating complex management and troubleshooting activities, WAN Watch can knock hours off common chores like making network diagrams, expanding your network, finding appliances that require important updates, or identifying the cause of performance issues. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system running at peak levels by checking the health of the critical assets that power your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your designated IT staff and your assigned Progent engineering consultant so potential issues can be addressed before they impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With the ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual host set up and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the applications. Since the system is virtualized, it can be moved immediately to alternate hardware without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and protect data about your IT infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or domains. By updating and managing your IT infrastructure documentation, you can eliminate up to 50% of the time spent searching for vital information about your IT network. ProSight IT Asset Management provides a centralized location for storing and collaborating on all documents required for managing your business network, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether you're making enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you require as soon as you need it. Learn more about the ProSight IT Asset Management service.

For 24-7 Southfield Crypto Cleanup Consultants, contact Progent at 800-993-9400 or go to Contact Progent.