Ransomware : Your Feared Information Technology Disaster
Crypto-ransomware has become an all-too-frequent cyber pandemic that poses an enterprise-level danger for any business vulnerable to attack. Different iterations of crypto-ransomware, such as the Reveton, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms, have been circulating for many years and continue to inflict harm. Recent variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Nephilim, along with new and as yet unnamed strains appearing daily, not only encrypt online files but also go after any reachable system backups. Data synchronized to off-site disaster recovery sites can be ransomed as well. In a vulnerable environment, this can make recovery impossible and effectively sets the network back to zero.
Getting applications and data back after a ransomware intrusion becomes a race against time as the targeted business fights to stop the spread, clean up the ransomware, and restore mission-critical operations. Because crypto-ransomware needs time to move laterally, attacks are often launched at night and on weekends, when intrusions typically take longer to discover. This multiplies the difficulty of quickly mobilizing and organizing an experienced response team.
Progent provides a range of services for protecting organizations from ransomware attacks. These include team education to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and the setup and configuration of modern security gateways with artificial intelligence capabilities to quickly detect and contain zero-day attacks. Progent also offers the services of seasoned crypto-ransomware recovery engineers with the skills and commitment to rebuild a compromised environment as rapidly as possible.
Progent's Ransomware Restoration Help
After a ransomware event, paying the ransom in Bitcoin provides no assurance that the criminal gang will respond with the keys needed to decrypt any of your files. Kaspersky estimated that 17% of ransomware victims never recovered their information after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the typical crypto-ransomware demand, which ZDNet averages at around $13,000. The other path is to set up the key components of your IT environment from scratch. Without full system backups, this requires a wide range of skills, well-coordinated team management, and the willingness to work non-stop until the job is complete.
For decades, Progent has offered expert IT services for companies in Tacoma and throughout the US and has earned Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have earned high-level industry certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have garnered internationally recognized certifications including CISA, CISSP, CRISC, and GIAC (see Progent's certifications). Progent also has expertise with financial management and ERP software solutions. This breadth of expertise gives Progent the ability to quickly identify critical systems, reorganize the surviving parts of your network environment following a crypto-ransomware penetration, and configure them into an operational network.
Progent's security group uses top-notch project management tools to orchestrate the complex recovery process. Progent appreciates the importance of acting rapidly and working together with a customer's management and IT resources to prioritize tasks and put the most important services back online as fast as possible.
Case Study: A Successful Ransomware Penetration Restoration
A business contacted Progent after its organization was taken over by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean state-sponsored criminal gangs, possibly using techniques leaked from America's National Security Agency. Ryuk targets specific organizations with limited ability to sustain disruption and is among the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in Chicago with about 500 employees. The Ryuk attack had disabled all essential business and manufacturing operations. Most of the client's data backups had been online at the start of the intrusion and were damaged. The client was preparing to pay the ransom (more than $200K) and hope for the best, but ultimately engaged Progent instead.
"I cannot thank you enough for the support Progent gave us during the most stressful time of (our) company's survival. We may have had to pay the cyber criminals if it wasn't for the confidence the Progent experts provided us. The fact that you were able to get our messaging and important servers back on-line in less than seven days was amazing. Every single staff member I got help from or communicated with at Progent was urgently focused on getting our system up and was working all day and night on our behalf."
Progent worked hand in hand with the client to rapidly identify and prioritize the most important systems that needed to be recovered in order to restart business operations:
- Windows Active Directory
- Accounting and Manufacturing Software
To get going, Progent followed antivirus/malware incident response best practices by isolating infected hosts and removing active malware. Progent then started the work of recovering Windows Active Directory, the heart of enterprise networks built on Microsoft Windows Server. Microsoft Exchange email will not function without Active Directory, and the client's MRP system ran on SQL Server, which relies on Windows AD to authenticate and authorize access to its databases.
In less than two days, Progent was able to recover Windows Active Directory to its pre-intrusion state. Progent then charged ahead with setup and hard drive recovery on critical servers. All Exchange data and configuration information were intact, which accelerated the Exchange restore. Progent was able to find non-encrypted OST files (Microsoft Outlook Offline Folder Files) on staff PCs and laptops and used them to recover email messages. A fairly recent offline backup of the customer's financials/ERP systems made it possible to bring these required applications back to users. Although a large amount of work remained to recover fully from the Ryuk attack, critical services were returned to operation quickly:
"For the most part, the production line operation never missed a beat and we produced all customer orders."
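As an added illustration of the OST-recovery step above (example code, not Progent's own tooling), the script below triages Outlook data files found on workstation drives or mounted images, classifying each as intact, encrypted or damaged from its header. It relies on the Outlook PFF signature "!BDN" and an assumed entropy threshold of 7.5 bits per byte that you may need to tune.

```python
"""Triage Outlook OST/PST files found on workstations after a ransomware event.

Constructed example: each file is classified from its header so responders can
tell which mailbox caches are still usable for recovery and which were ransomed.
"""
import math
import os
import sys
from collections import Counter

# Every Outlook PST/OST (PFF format) file starts with the 4-byte signature "!BDN".
PFF_MAGIC = b"!BDN"
# Ransomware ciphertext is near-random; a first block with entropy above this
# threshold (bits per byte) is treated as encrypted. Assumed value, tune as needed.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_ost_header(header: bytes) -> str:
    """Classify the leading bytes of a candidate OST/PST file.

    "intact"    - PFF signature present, usable for mailbox recovery
    "encrypted" - signature gone and content near-random, treat as ransomed
    "damaged"   - signature gone but not random (truncated, empty, other format)
    Heuristic only: some strains encrypt part of a file or prepend their own header.
    """
    if header[:4] == PFF_MAGIC:
        return "intact"
    if shannon_entropy(header) >= ENTROPY_THRESHOLD:
        return "encrypted"
    return "damaged"


def triage_directory(root: str, sample_size: int = 4096) -> dict:
    """Walk root (e.g. a mounted workstation image) and classify every .ost/.pst."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".ost", ".pst")):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    results[path] = classify_ost_header(fh.read(sample_size))
    return results


if __name__ == "__main__":
    for path, verdict in sorted(triage_directory(sys.argv[1]).items()):  # usage: script.py <dir>
        print(f"{verdict:9s} {path}")
```

Files reported as intact can be opened in Outlook or an OST conversion tool to pull mailbox contents; treat the entropy verdicts as a first pass and confirm suspicious files by hand.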
Over the next month, critical milestones in the recovery process were completed through tight collaboration between Progent team members and the customer:
- In-house web applications were brought back up without losing any information.
- The MailStore Server, holding more than four million archived messages, was brought online and made accessible to users.
- CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory modules were 100 percent operational.
- A new Palo Alto Networks 850 security appliance was deployed.
- Ninety percent of the user workstations were functioning as before the incident.
"Much of what transpired in the early hours is nearly entirely a blur for me, but I will not soon forget the countless hours each of your team put in to help get our company back. I have trusted Progent for the past ten years, possibly more, and each time Progent has outperformed my expectations and delivered as promised. This time was no exception but maybe more Herculean."
A potential business-extinction catastrophe was avoided thanks to hard-working professionals, a wide spectrum of subject matter expertise, and tight collaboration. Forensics showed that the ransomware attack described here should have been identified and prevented by current cyber security solutions and best practices: user training, well-designed data protection procedures, and proper patching controls. Nevertheless, government-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and will keep attacking. If you are hit by ransomware, remember that Progent's team has proven experience in ransomware defense, remediation, and data restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for making it so I could get some sleep after we got past the most critical parts. All of you did a fabulous effort, and if any of your team is in the Chicago area, a great meal is the least I can do!"
To review or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Tacoma a variety of online monitoring and security evaluation services designed to assist you to reduce your vulnerability to crypto-ransomware. These services incorporate next-generation AI technology to uncover zero-day strains of ransomware that can escape detection by legacy signature-based security products.
For 24-7 Tacoma Ransomware Remediation Support Services, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes cutting-edge behavior-based machine learning tools to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which routinely evade traditional signature-matching anti-virus products. ProSight ASM safeguards on-premises and cloud resources and offers a single platform to manage the entire malware attack lifecycle including protection, identification, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
Progent's ProSight Enhanced Security Protection services offer affordable in-depth security for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and response to security attacks from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device control, and web filtering through leading-edge technologies incorporated within one agent managed from a single console. Progent's security and virtualization consultants can help your business plan and implement a ProSight ESP environment that addresses your company's unique needs and that allows you to achieve and demonstrate compliance with government and industry data protection regulations. Progent will help you specify and implement the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for immediate action. Progent's consultants can also help you set up and test a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services provide small and mid-sized organizations an affordable and fully managed solution for secure backup/disaster recovery (BDR). For a low monthly cost, ProSight Data Protection Services automates and monitors your backup activities and allows rapid recovery of vital files, applications and VMs that have become unavailable or damaged due to component failures, software bugs, natural disasters, human error, or malicious attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, apps, system images, as well as Hyper-V and VMware images. Critical data can be protected in the cloud, on an on-premises storage device, or both. Progent's BDR consultants can deliver advanced expertise to configure ProSight Data Protection Services to be compliant with regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can assist you to restore your business-critical data. Find out more about ProSight DPS Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top information security companies to provide web-based management and comprehensive protection for all your inbound and outbound email. The hybrid architecture of Email Guard combines cloud-based filtering with an on-premises gateway device to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. The Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your vulnerability to external attacks and saves system bandwidth and storage. Email Guard's on-premises gateway appliance adds a further level of inspection for inbound email. For outgoing email, the on-premises security gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Exchange Server to monitor and safeguard internal email that originates and ends inside your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to diagram, monitor, optimize and troubleshoot their connectivity appliances such as routers, firewalls, and load balancers plus servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are always current, copies and displays the configuration information of almost all devices on your network, monitors performance, and sends alerts when issues are discovered. By automating complex network management activities, ProSight WAN Watch can knock hours off ordinary tasks like making network diagrams, expanding your network, finding devices that require important updates, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management technology to keep your IT system running efficiently by checking the state of the critical computers that drive your business network. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your designated IT management staff and your assigned Progent engineering consultant so that potential problems can be addressed before they disrupt productivity. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure Tier III data center on a high-performance virtual host set up and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the apps. Because the system is virtualized, it can be moved easily to a different hardware solution without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and protect information about your IT infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or warranties. By cleaning up and organizing your network documentation, you can save as much as half the time wasted trying to find critical information about your network. ProSight IT Asset Management includes a common repository for storing and sharing all documents related to managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're planning enhancements, doing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.